I had the pleasure to engage some really smart people on the subject of threat attribution and naming conventions via Twitter recently. I think the linked thread is useful as an example not only of some of the issues the cyber security community still has around terminology and definitions, but also a really great example of how to disagree in a civil and constructive way on a topic that usually spirals quickly into unpleasant discussion.

But one of the more interesting items to come out of this discussion, and one that deserves greater attention and exploration, is the idea of permanence when it comes to however one defines threat actors or activity groups, and how different means of defining these entities yield different conceptions of longevity.

In terms of timing in information security, we are familiar with certain common metrics: dwell time and time to remediation are frequently discussed, and relate (as one would expect) to security operations. But within the threat intelligence space, metrics – especially around timing – are far murkier and seldom seen. For individual indicators, there may be an aging metric based on last seen or observed time, but what of entire entities and groups? How do we, as threat intelligence professionals, gauge the idea of “freshness” for our adversaries, and when (if ever) do we “age these off” based on observed activity?

In this question, a lot depends on your means for defining just what constitutes a group or entity. For example, if approaching items from a clear nation-state and adversary entity perspective, then in some sense groups are “forever”: the NSA, GRU, and MSS will all exist (for the most part) while their respective countries last. When considering non-national actors such as criminal groups, a combination of publicly-available information (on arrests of perpetrators) and technical information (continued use of toolkits) can be useful to “age off” adversaries – unless tools are simply repurposed for new campaigns, in which case multiple criminal adversaries suddenly morph into a monolithic, but artificial, single criminal actor.

Conversely, an activity-centric approach commits itself by necessity to aging off groups as soon as the activity – as originally defined – disappears. From the perspective of groups I have named, such as DYMALLOY and ALLANITE, the group effectively “goes away” once the underlying behaviors are no longer observed. The activities in question may be part of some greater, long-lasting controlling entity (an FSB or CIA or 3PLA), but the recorded and tracked item is solely focused on what is observed and occurs from a security perspective. This brings a certain level of certainty to matters, but it also demands that analysts maintain this posture for group assignment and attribution by “sunsetting” entities once the defining behaviors no longer hold.

Continuing this approach, an activity group-centric methodology allows for unparalleled flexibility in grouping and categorizing observed behaviors and impacts solely based on observed (and thus provable) elements, but only if analysts commit themselves to “moving on” from such groups once they grow stale. As such, an activity group may only have a shelf-life of weeks or months, while more traditional attribution approaches will strive for near permanence.

At first blush this may seem a severe drawback for a behavior-based approach for grouping, given the potential for rapidly shifting groups of adversaries (as defined by their behaviors) at any one moment. And from the mindset we, as analysts, have been brought up in, this definitely appears counter-intuitive and disadvantageous.

Yet from the perspective of cyber threat intelligence, we as analysts must first realize what our visibility and data limitations are within this field, especially if working for private sector entities that lack the visibility and telemetry (think robust, nation-state signals intelligence collection systems) that make true “who”-based attribution possible. For this, an example is perhaps best to illustrate what I’m moving toward.

LAZARUS is a far-reaching group active, depending on your perspective, from either the late 2000s or at least 2013 to the present. The entity is tied to the Democratic People’s Republic of Korea (aka DPRK aka North Korea), and is held responsible for activity ranging from traditional intelligence operations to destructive attacks against major media companies to electronic bank robbery. Based on how this term is used, one would expect some long-running similarity across all of these campaigns that ties them together on some level. Yet from a technical perspective, LAZARUS-linked activity over time has shifted and evolved so that “LAZARUS” in 2018 appears dramatically different from “LAZARUS” in 2013 – different infrastructure, different tools, and even different objectives.

From a “who”-centric approach to threat attribution, this continuation of activity over time matches the need to continue tracking a “North Korean cyber element”. The problem with this viewpoint, though, is that while we have established a semi-permanent label or signifier for DPRK-linked activity, the items we assign to it are vastly different from one another over time. From a defender’s perspective, “LAZARUS” takes on the image of an all-encompassing, broadly-based group covering multiple target industry “verticals” and significantly different methods of operation. For an analyst with limited resources and constrained capabilities, this forces a difficult choice for just one potential adversary: defend against ALL those techniques, or attempt to determine which campaigns and technical items relate to what is of most interest to the defending organization?

In this sense, permanent institutions get conflated with shifting campaigns, operations, and subordinate groups. There is, almost without a doubt, a DPRK cyber capability, likely directed in a “top-down” fashion – but even this rigorously managed and controlled entity likely features multiple teams, shifting missions depending on national priorities, and evolutions in tools over time. While it may make sense from a human intelligence and strategic planning perspective to group all of this as “North Korea” and let it continue in perpetuity, from an operational defense perspective such continuity only adds confusion to the overall picture of adversary behaviors and trends.
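To make the two bookkeeping rules above concrete (sunsetting an activity group once its defining behaviors stop being observed, and noticing when a long-lived “who” label has drifted far from what it originally described), here is an added example of the minimal logic a tracking team might run over its own observation records. This is illustrative code written for this post, not tooling from Dragos, FireEye or any other vendor; the group names, behavior tags and dates are constructed placeholders, not real reporting, and the 90-day age-off window and Jaccard distance are arbitrary choices an analyst would tune.

```python
"""Activity-group bookkeeping: age groups off by last-seen date, flag drift
away from the behaviors that defined them, and show what a defender inherits
when several activity groups are rolled into one long-lived label."""
from datetime import date, timedelta

# Constructed sample observations (not real reporting):
# (observation date, activity group, set of behaviors seen in that intrusion).
# Group names and behavior tags are hypothetical placeholders.
OBSERVATIONS = [
    (date(2018, 1, 10), "GROUP-A", {"spearphish-attachment", "credential-harvest", "vpn-access"}),
    (date(2018, 2, 3),  "GROUP-A", {"spearphish-attachment", "credential-harvest"}),
    (date(2018, 3, 20), "GROUP-B", {"watering-hole", "credential-harvest", "ics-recon"}),
    (date(2018, 6, 1),  "GROUP-B", {"watering-hole", "ics-recon", "screenshot-capture"}),
    (date(2018, 6, 25), "GROUP-B", {"watering-hole", "ics-recon", "screenshot-capture"}),
]


def last_seen(observations):
    """Most recent observation date per activity group."""
    seen = {}
    for when, group, _ in observations:
        if group not in seen or when > seen[group]:
            seen[group] = when
    return seen


def stale_groups(observations, as_of, max_age_days):
    """Groups with no observed activity in the max_age_days before as_of.

    Under an activity-centric model these are the sunset candidates: the
    label stays in the archive but stops being an actively tracked entity."""
    cutoff = as_of - timedelta(days=max_age_days)
    return {g for g, when in last_seen(observations).items() if when < cutoff}


def jaccard_distance(a, b):
    """1 - |a & b| / |a | b|: 0.0 means identical behavior sets, 1.0 disjoint."""
    if not a and not b:
        return 0.0
    return 1.0 - len(a & b) / len(a | b)


def drift_report(observations, group):
    """Compare a group's latest observed behaviors against the set that
    originally defined it (its earliest observation). Returns the distance
    plus the behaviors dropped and added along the way, so an analyst can
    judge whether the label still describes what is being seen."""
    history = sorted(((w, b) for w, g, b in observations if g == group),
                     key=lambda item: item[0])
    if not history:
        raise KeyError(group)
    defining, current = history[0][1], history[-1][1]
    return {
        "distance": jaccard_distance(defining, current),
        "dropped": defining - current,
        "added": current - defining,
    }


def rolled_up_behaviors(observations, rollup):
    """Union of behaviors per label after mapping activity groups onto a
    long-lived 'who' label (rollup maps group -> label; unmapped groups keep
    their own name). The union is what a defender must cover for that label."""
    union = {}
    for _, group, behaviors in observations:
        label = rollup.get(group, group)
        union.setdefault(label, set()).update(behaviors)
    return union


if __name__ == "__main__":
    as_of = date(2018, 7, 1)
    print("stale as of", as_of, ":", stale_groups(OBSERVATIONS, as_of, max_age_days=90))
    print("GROUP-B drift:", drift_report(OBSERVATIONS, "GROUP-B"))
    who_centric = {"GROUP-A": "COUNTRY-X", "GROUP-B": "COUNTRY-X"}
    print("rolled up:", rolled_up_behaviors(OBSERVATIONS, who_centric))
```

With the constructed data, GROUP-A has not been seen for roughly five months as of 1 July 2018 and falls out of the active set under a 90-day window, while GROUP-B’s latest intrusions share only half their behaviors with the observation that defined it. Rolling both into a single country label hands the defender the union of every behavior either group ever used, which is exactly the “defend against everything” problem described above.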

Based on the above discussion, having impermanent, shifting collections of activity begins to appear advantageous, at least to front-line network defenders. Quite simply, this allows for flexibility in determining relevant details for various entities while remaining agile in incorporating different collections of behavior into specific operational “thrusts” rather than simply aggregating all observables into a single, artificial entity.

(In this case, I was surprised but also excited to learn – as part of the same Twitter thread referenced previously – that another major cyber intelligence organization, FireEye, essentially adopts this practice in deed if not in rhetoric. As explained in the Twitter thread, FireEye’s intelligence service uses a “TMP” nomenclature to categorize activity “as it happens” and only after some time are these rolled into more theoretical and high-level “APT” groupings. In this approach, FireEye recognizes the difficulties of permanent attribution and only “rolls up” activity after some non-public barrier is crossed to assign it to some long-standing, static entity. The end-point goes against my argument, but the actions leading up to it, which are most likely the ones relevant to day-to-day defensive operations, seem to support it based on the available description.)

A word of warning though: in adopting a behavior-based approach to activity grouping, analysts must be careful not to attempt to have their cake and eat it too. Identifying a group, naming it, and publicly broadcasting it can be a powerful, emotionally fulfilling moment for an analyst – but if based purely on identified behaviors and adopting the activity group-focused approach, such a group can (and should) be cast aside as soon as evidence indicates this is warranted. Unfortunately, analysts (and the companies they work for) have a vested marketing- and mind share-based interest in keeping such entities alive to foster a sense of continued relevance and significance toward the named items. When approaching threat intelligence from a behavior-based perspective, such emotional attachment is not only nonproductive, but also completely contradictory and harmful to continued threat intelligence work.

The problem is: consumers (and the wider public) are simply not used to this approach, so adopting a shifting, impermanent approach to activity tracking just comes off as counterintuitive. From my own perspective, I’ve worked hard and exerted significant effort saying that an activity such as DYMALLOY may no longer exist, replaced (most likely) by ALLANITE, while both could very well be beholden to the same master – yet operationally appear quite different to defenders. Some may approach this as so much “so what”, but when diving into the details such distinctions matter, as they differentiate different types and methods of intrusion. Thus adopting a behavior-centric approach requires education and patience, since it moves against long-standing habits and norms in how we assign and attribute threats within the space of cyber security.

Which, incidentally, is why this post exists. When considering the impermanence of names and attribution, adopting assignment based on “long-standing” entities has its advantages in terms of forming a coherent and easily-digested narrative – but at the cost of flexibility and fine-grained detail when differentiating campaigns, operations, and methods of intrusion. But if we as a community are to appreciate (or understand) something different, such a move will involve going against long-held instinct and intuition toward a construct where threat groups may simply “go away” when the underlying activity is no longer present.

1 Comment

Brian A. Thompson · 07/06/2018 at 22:08

Great post. I don’t know if it’s the poor sleep, waiting for the coffee to kick in this morning or the layers to this post (medium-high confidence that it’s all three) but I think I’ll need to re-read and ruminate a bit on this one. You definitely hit the target on the two mentalities towards threat actor/group that organizations (namely IC/GOV) have. It is VASTLY easier on non-technical audiences and decision makers to digest such bucketization if you will (not sure if that is a real word but it should be) of malicious activity than to keep changing things up for them with an ever expanding and/or changing cast of characters.
