Artwork

Innehåll tillhandahållet av Nisos, Inc.. Allt poddinnehåll inklusive avsnitt, grafik och podcastbeskrivningar laddas upp och tillhandahålls direkt av Nisos, Inc. eller deras podcastplattformspartner. Om du tror att någon använder ditt upphovsrättsskyddade verk utan din tillåtelse kan du följa processen som beskrivs här https://sv.player.fm/legal.
Player FM - Podcast-app
Gå offline med appen Player FM !

Identifying When Attribution of Threat Actors Matters and How to Track the Outcomes with Senior Information Security Leader Charles Garzoni

36:51
 
Dela
 

Manage episode 351440786 series 3331602
Innehåll tillhandahållet av Nisos, Inc.. Allt poddinnehåll inklusive avsnitt, grafik och podcastbeskrivningar laddas upp och tillhandahålls direkt av Nisos, Inc. eller deras podcastplattformspartner. Om du tror att någon använder ditt upphovsrättsskyddade verk utan din tillåtelse kan du följa processen som beskrivs här https://sv.player.fm/legal.

In Episode 87 of TheCyber5, we are joined by senior information security leader Charles Garzoni.

Here are five topics we discuss in this episode:

  1. Defining When Attribution is Relevant and Necessary

Many corporations are not overly concerned with attribution against cyber adversaries, they just want to get back to business operations. However, if someone robbed your house, you would want to know if it was a random drive-by, or if it was your neighbor because that will inform your defenses much more appropriately.

  1. Defending Against Nation States Versus Crime Groups

The ability to attribute between crime groups and nation states has large implications on a defense posture. First, organizations need to conduct a victimology assessment against themselves to determine what actors would want to steal from them. Second, an organization should list out priority threat actors targeting your sector and intellectual property. Third, they should look for customized detections and prioritized alerts as the resulting output.

  1. The Human Element of Attribution

Engaging directly with threat actors (a different kind of human intelligence-HUMINT) is critical in understanding the human element of attribution, such as their motivation, TTPs, and intent. For ransomware actors, understanding their past actions will inform future recovery and negotiation efforts, for example. Organizations cannot do this without having attribution. For nation states, geopolitical context is critical to understanding security incidents, not to mention the “how” and “why” they are moving in your network.

  1. Public Disclosures of Nation State Adversaries Are Effective

Public disclosures and indictments are effective disruption efforts, depending on the nation state. For example, demarche and indictment efforts against China put them on their heels and have a debilitating effect because of how they want to be seen in the world. However, Russian state operators look at disclosures as a badge of honor. Disclosures by private sector companies also can have just as much impact if the goal is to have disruption.

  1. False Flag Operations

While it’s easy to say you are someone else, it’s challenging to look like someone else. Adversaries think masking their infrastructure to look like another adversary makes attribution challenging. Fortunately for analysts, it’s very hard to mimic TTPs exactly like an adversary, thus making attribution easier for defenders. Adversaries would need to study how the TTP implementation works, and they typically don’t do that. For example, when North Korea attacked Sony in 2015, their actions mimicked the same attack against a South Korean bank a year earlier in 2014 that made attribution straightforward. While they tried to improve and encrypt their command and control in 2015, the session logs between the two attacks looked almost identical.

  continue reading

91 episoder

Artwork
iconDela
 
Manage episode 351440786 series 3331602
Innehåll tillhandahållet av Nisos, Inc.. Allt poddinnehåll inklusive avsnitt, grafik och podcastbeskrivningar laddas upp och tillhandahålls direkt av Nisos, Inc. eller deras podcastplattformspartner. Om du tror att någon använder ditt upphovsrättsskyddade verk utan din tillåtelse kan du följa processen som beskrivs här https://sv.player.fm/legal.

In Episode 87 of TheCyber5, we are joined by senior information security leader Charles Garzoni.

Here are five topics we discuss in this episode:

  1. Defining When Attribution is Relevant and Necessary

Many corporations are not overly concerned with attribution against cyber adversaries, they just want to get back to business operations. However, if someone robbed your house, you would want to know if it was a random drive-by, or if it was your neighbor because that will inform your defenses much more appropriately.

  1. Defending Against Nation States Versus Crime Groups

The ability to attribute between crime groups and nation states has large implications on a defense posture. First, organizations need to conduct a victimology assessment against themselves to determine what actors would want to steal from them. Second, an organization should list out priority threat actors targeting your sector and intellectual property. Third, they should look for customized detections and prioritized alerts as the resulting output.

  1. The Human Element of Attribution

Engaging directly with threat actors (a different kind of human intelligence-HUMINT) is critical in understanding the human element of attribution, such as their motivation, TTPs, and intent. For ransomware actors, understanding their past actions will inform future recovery and negotiation efforts, for example. Organizations cannot do this without having attribution. For nation states, geopolitical context is critical to understanding security incidents, not to mention the “how” and “why” they are moving in your network.

  1. Public Disclosures of Nation State Adversaries Are Effective

Public disclosures and indictments are effective disruption efforts, depending on the nation state. For example, demarche and indictment efforts against China put them on their heels and have a debilitating effect because of how they want to be seen in the world. However, Russian state operators look at disclosures as a badge of honor. Disclosures by private sector companies also can have just as much impact if the goal is to have disruption.

  1. False Flag Operations

While it’s easy to say you are someone else, it’s challenging to look like someone else. Adversaries think masking their infrastructure to look like another adversary makes attribution challenging. Fortunately for analysts, it’s very hard to mimic TTPs exactly like an adversary, thus making attribution easier for defenders. Adversaries would need to study how the TTP implementation works, and they typically don’t do that. For example, when North Korea attacked Sony in 2015, their actions mimicked the same attack against a South Korean bank a year earlier in 2014 that made attribution straightforward. While they tried to improve and encrypt their command and control in 2015, the session logs between the two attacks looked almost identical.

  continue reading

91 episoder

Alla avsnitt

×
 
Loading …

Välkommen till Player FM

Player FM scannar webben för högkvalitativa podcasts för dig att njuta av nu direkt. Den är den bästa podcast-appen och den fungerar med Android, Iphone och webben. Bli medlem för att synka prenumerationer mellan enheter.

 

Snabbguide