Attribution: a puzzle

Paul Rascagneres (Cisco Talos) & Vitor Ventura (Cisco Talos)
Live only, 19:00 - 19:30 UTC on Day 1, Wednesday 30 September 2020
When an intelligence agency, like the UK’s National Cyber Security Centre (NCSC), attributes the WellMess malware to APT29 in a report endorsed by Canada’s Communications Security Establishment (CSE), the US’s National Security Agency (NSA) and Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA), you would expect these agencies to have solid evidence to back their claims.

Intelligence agencies have sources of intelligence that are beyond the reach of private-sector researchers. Nevertheless, the private sector rises to the challenge and attempts to associate cyber attacks with threat actors using the intelligence available to it. This intelligence takes the form of open-source intelligence (OSINT) or analysis of technical intelligence (TECHINT), possibly derived from proprietary data.

The attribution of cyber attacks is hard. It requires collecting diverse intelligence, analysing it and deciding who is responsible. Given this, it is interesting to examine the evidence available to us as a threat intelligence and security research group to support these conclusions.

In this presentation we will present our research into attributing WellMess. We will also describe other elements of the attribution process, such as false flags and code sharing, using further cases such as OlympicDestroyer and ACIDBox. We will show why attribution is challenging, and why multiple sources of intelligence are important.
Paul Rascagneres (Cisco Talos)

Paul Rascagneres is a security researcher within Talos, Cisco's threat intelligence and research organization. As a researcher, he performs investigations to identify new threats and presents his findings in publications and at international security conferences throughout the world. He has been involved in security research for seven years, focusing mainly on malware analysis and malware hunting, and more specifically on advanced persistent threat (APT) campaigns and rootkit capabilities. He previously worked for several incident response teams within the private and public sectors.
Vitor Ventura (Cisco Talos)

Vitor Ventura is a Cisco Talos security researcher. As a researcher, he has investigated and published various articles on emerging threats. Most days Vitor hunts for threats, investigates them and reverses code, while also looking at their geopolitical and/or economic context. Vitor has spoken at conferences including NorthSec, Recon Brussels, DEFCON Crypto Village and BSides Lisbon. Previously, he was IBM X-Force IRIS European manager and did penetration testing at IBM X-Force Red. Vitor holds multiple security-related certifications, including GREM (GIAC Reverse Engineer Malware) and CISM (Certified Information Security Manager).