
Threat Activity Attribution - Differentiating the Who from the How

via YouTube

Overview

Explore the complexities of threat activity attribution in cybersecurity through this BSidesCharm 2018 conference talk. Delve into traditional attribution methods, examining their benefits and drawbacks while highlighting common infosec failures and media misrepresentations. Learn about the Diamond Model for intrusion analysis and its application in differentiating between operational behaviors and attacker identities. Analyze real-world examples such as ALLANITE, COVELLITE, and LAZARUS to understand the nuances of attribution. Gain insights into making defense more manageable and developing a process-oriented approach to threat attribution that distinguishes the "who" from the "how" in cyber attacks.

Syllabus

Introduction
Traditional Attribution
Benefits
Drawbacks
Infosec Failures
Media Examples
What Attribution Should Do
Results of Attribution
Goals of Attribution
Operations vs. Identity
Attribution Limitation
Introducing the Diamond Model
Infrastructure - Atomic
Infrastructure - Behavioral
Capabilities - Behavioral
ALLANITE aka PALMETTO FUSION
Distinctions
ALLANITE Phishing
Targeting Differences
Diamond Model Evaluation
Implications
COVELLITE Publicity
COVELLITE Document
COVELLITE and LAZARUS
The Problem with LAZARUS
The Defender Problem
Make Defense Manageable
Process
