Review - Attribution of Advanced Persistent Threats
Book review and Q&A with Dr. Timo Steffens
Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage
Introduction
Let me briefly introduce myself. I have been working in the digital forensics and cybersecurity field for a long time. During that time I have investigated Advanced Persistent Threat (APT) cases. One of the most interesting was the DigiNotar Certificate Authority Breach. I have learned so much during that time. Since then threat actor tracking and attribution have been kind of a hobby of mine besides doing (digital) forensics investigations. This personal blog will be used to write about investigations and reasoning on evidence. I will explain the anchored narratives theory in the next article, but now let’s cut to the chase.
This book caught my attention a while ago, when it was still only available in German (my German is not that good). I was happy to see that the book was published in English, immediately ordered it and finished it last weekend.
After reading the book I had some questions and observations. I reached out to Dr. Timo Steffens (who had left an e-mail address somewhere), and he immediately responded. Thanks Timo! His responses to my questions are covered in the Q&A section of this article.
What is the book about?
The book covers a framework, dubbed MICTIC (Malware, Infrastructure, Control Server, Telemetry, Intelligence, Cui Bono), which can be used to attribute nation-state actors based on the inputs gathered during actor investigations. Analysts can use this framework to assess the strength of an attribution. The attribution process is one of abductive reasoning: it seeks the best-fitting explanation for the observations gathered during these investigations. First, the author explains the relevant clues that malware authors often leave behind. He also describes observed cases where nation-state actors intentionally add false flags to their malware to misdirect malware analysts. False flags and their analysis are explained really well in a separate chapter with real cases. The goal of the framework is to obtain relevant clues during the investigation in order to build a holistic picture of the adversary, but also to understand which evidence is relevant in supporting that theory. Every chapter shares valuable observations, and yes, nation-state actors make mistakes too. The author also devotes a chapter to geopolitical analysis, an essential piece for understanding world political dynamics, especially now.
What did I like about the book?
The book is not technical; it is well written, and many relevant cyber actors are described with plenty of case details. All the well-known actors (Chinese, Russian, North Korean, Iranian and Western) are covered in depth, but also, for example, actors from Pakistan and India. What I really enjoyed is that there were so many cases that I knew about, but also several that were new to me. How did I miss those? :) The chapter “Telemetry - Data from security products” gives insight into how much data the big security vendors collect from endpoints, which has also led to the identification of some nation-state actors. The author even has a name for it: ‘telemetrybution’. Another chapter dives into false flag operations by the adversary. In this chapter the author applies Heuer’s “Analysis of Competing Hypotheses”, which produces a solid case in favor of a certain actor.
Which parts did I not really like?
In the chapter “Methods of Intelligence Agencies” the author’s claim that attribution statements by government agencies generate more attention and are seen as more reliable is not really substantiated, other than by governments having more legal and offensive options. In many of these attribution claims by government agencies, the evidence for the claim is not shared with the community. The geopolitical chapter could have gone more in-depth on the relevant geo-strategies of certain countries and on how to detect disputes between nations.
Buy or don’t buy
A definite BUY. If you want to understand what is happening among all the nations attacking each other, this book provides you with a great deal of insight, even if you do not have a background in cybersecurity. The author really produced a well-documented body of knowledge and a promising framework that we can use to assess claims, but also to attribute actors.
Q&A with Dr. Timo Steffens
Q1: Can you give a bit of a background of yourself and how you ended up in the APT business?
I worked in a CERT as an incident handler and then started to track actors also irrespective of actual incidents.
Q2: In your book you describe the MICTIC framework for attributing. Why do we need a MICTIC framework?
MICTIC is a specialization of the Diamond model. So in general the same reasons apply as for why the Diamond model is useful: It guides the analysis process to make sure that you cover all aspects of cyber-activity. However, the Diamond model can benefit from some more elaboration. E.g. if we look at the "infrastructure" aspect, there is certainly a difference in what actor skills are necessary and in what types of evidence you can find when you compare the purchasing of infrastructure vs. the setting up of the C&C scripts on the server.
So MICTIC differentiates between those, just as an example. I find this also useful for looking at possible false flags. My hypothesis is that it is more difficult to coordinate consistent false flags over different aspects (than in the same aspect). If the server-purchasing guy leaves false flags pointing to country X, he has to coordinate with the guy who installs an OS on the server using the language of country X. Etc.
Finally, and I find this the most interesting part, it provides a rough framework for possible separation of work and coordination between groups or subteams. In the "group set-up" chapter I use MICTIC to systematically list the different types of teams/groups: Some groups may purchase/outsource malware development, some may use a "quartermaster" for the infrastructure-purchasing, others might cover all MICTIC aspects themselves in a monolithic team, etc.
MICTIC is not perfect, of course. I used it a) to structure the chapters in the book, b) to organize the analysis process, and c) also to differentiate between roles in the attacker groups. This might be too many different uses of the model. So at certain points the model can break. But in general, for didactic purposes and for structuring the analysis process, it is helpful, I hope.
Q3: I noticed that you include many elements to attribute an actor to a certain country, but you did not score them to make a final weighing of the verdict. Can you explain why, or why not?
Well observed. I wanted to avoid that readers just focus on the "how do we weight evidence as an international standard?" part. Instead, I think it is more important to get across the idea that you need to cover several if not all (MICTIC) aspects of a group in the analysis and that there are dozens of things to look for. So instead of some magic ranking or weight numbers, the book aims to understand that there are many types of evidence, and the more consistent they are, the better. I do cover the ACH, though. That is the formal place to use weights for each observation. Maybe covering it in the false flag chapter is not optimal, but in the end, that's the question: Which of the evidence is real and which might be coincidence or a false flag? That's what ACH is good for.
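To make the answer above concrete (and the review's earlier mention of Heuer's ACH), here is a small worked example of ACH applied to evidence sorted by MICTIC aspect. This is an added illustration written for this review; it is not code from the book or from Dr. Steffens, and the hypotheses, observations, countries "A" and "B" and weights are all constructed placeholders. The script does three things an attribution analyst wants from ACH: it discards non-diagnostic evidence, it ranks hypotheses by weighted inconsistencies (fewest wins, which is Heuer's rule), and it lists MICTIC aspects for which no evidence was collected at all.

```python
"""Analysis of Competing Hypotheses (ACH) over MICTIC-structured evidence.

Added illustration for this review; not code from the book or from Dr. Steffens.
Hypotheses, observations, countries and weights below are constructed placeholders.
"""
from dataclasses import dataclass

# The six MICTIC aspects named in the book.
MICTIC_ASPECTS = ("Malware", "Infrastructure", "Control Server",
                  "Telemetry", "Intelligence", "Cui Bono")

# ACH ratings: an observation is consistent (C) or inconsistent (I) with a
# hypothesis, or says nothing about it (-).
C, I, NA = "C", "I", "-"


@dataclass
class Evidence:
    description: str
    aspect: str        # MICTIC aspect the observation belongs to
    weight: float      # analyst's confidence that the observation is genuine (1.0 = baseline)
    ratings: dict      # hypothesis -> C / I / -


def is_diagnostic(ev, hypotheses):
    """An observation rated the same for every hypothesis cannot tell them apart."""
    return len({ev.ratings.get(h, NA) for h in hypotheses}) > 1


def inconsistency_scores(hypotheses, evidence):
    """ACH core: for each hypothesis, sum the weights of diagnostic evidence that
    contradicts it. ACH ranks by inconsistency, not by how much evidence 'fits':
    the hypothesis with the LOWEST score is the best surviving explanation."""
    scores = {h: 0.0 for h in hypotheses}
    for ev in evidence:
        if not is_diagnostic(ev, hypotheses):
            continue
        for h in hypotheses:
            if ev.ratings.get(h, NA) == I:
                scores[h] += ev.weight
    return scores


def rank_hypotheses(hypotheses, evidence):
    """Hypotheses ordered from fewest to most (weighted) inconsistencies."""
    return sorted(inconsistency_scores(hypotheses, evidence).items(),
                  key=lambda kv: kv[1])


def uncovered_aspects(evidence):
    """MICTIC aspects for which nothing was collected; a verdict resting on a few
    aspects only is weaker than one where all aspects point the same way."""
    covered = {ev.aspect for ev in evidence}
    return [a for a in MICTIC_ASPECTS if a not in covered]


# Constructed hypotheses for a fictional intrusion set ("A" and "B" are placeholders).
H1 = "H1: group operates from country A"
H2 = "H2: group operates from country B"
H3 = "H3: group operates from country B and plants false flags pointing to A"
HYPOTHESES = (H1, H2, H3)

# Constructed observations; the weights are illustrative analyst judgements.
EVIDENCE = [
    Evidence("PE resource language ID set to country A's language", "Malware", 1.0,
             {H1: C, H2: I, H3: C}),
    Evidence("Compile timestamps cluster in country A's office hours", "Malware", 1.0,
             {H1: C, H2: I, H3: C}),
    Evidence("C&C domains bought via a reseller repeatedly used by a known group from B",
             "Infrastructure", 1.0, {H1: I, H2: C, H3: C}),
    Evidence("OS locale on a seized C&C server set to country B's language",
             "Control Server", 1.5, {H1: I, H2: C, H3: I}),
    Evidence("Victims are ministries of a state in a dispute with country B",
             "Cui Bono", 1.0, {H1: NA, H2: C, H3: C}),
    Evidence("Malware seen on only three endpoints worldwide", "Telemetry", 1.0,
             {H1: C, H2: C, H3: C}),   # non-diagnostic: fits every hypothesis
]


def ach_report(hypotheses=HYPOTHESES, evidence=EVIDENCE):
    """Bundle ranking, discarded evidence and coverage gaps for the analyst."""
    return {
        "ranking": rank_hypotheses(hypotheses, evidence),
        "non_diagnostic": [ev.description for ev in evidence
                           if not is_diagnostic(ev, hypotheses)],
        "uncovered_aspects": uncovered_aspects(evidence),
    }


if __name__ == "__main__":
    report = ach_report()
    for hyp, score in report["ranking"]:
        print(f"{score:4.1f} inconsistency  {hyp}")
    print("Non-diagnostic evidence:", report["non_diagnostic"])
    print("MICTIC aspects without evidence:", report["uncovered_aspects"])
```

With the constructed data, H3 (country B with false flags) survives with 1.5 weighted inconsistencies, H2 with 2.0 and H1 with 2.5, the telemetry observation is discarded as non-diagnostic, and the report flags that nothing was collected for the Intelligence aspect. Note how the verdict between H2 and H3 hinges on a single observation from a different MICTIC aspect than the malware artefacts (the server locale): lower that weight and the two tie. That is exactly why a false flag confined to one aspect is weaker than consistent evidence across several, as Dr. Steffens argues in his answer to Q2.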
Q4: In chapter 8 "Methods of Intelligence Agencies" you describe which capabilities governments have, and you claim that attribution statements generate more attention and are regarded as more reliable. Can you explain that, as governments are sometimes claiming it is Russia but not providing any evidence for that? Let's take the recent SolarWinds case. Volexity and FireEye have different naming schemes for this APT actor, namely Dark Halo and UNC2452. CrowdStrike refers to them as StellarParticle, but only Kaspersky refers to overlapping code segments with another actor called Kazuar. And now, in a joint statement of US intelligence agencies: https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure, they are stating: "This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks." This government claim is not substantiated with any evidence. Should this not weigh in the attribution process? Why should this statement be seen as more reliable, when it could also be a political strategy and no evidence was given to support the claim? Also, why is it that difficult to provide IOCs to back these claims?
Yeah, that's a big and ever-lasting topic. I do discuss several points in the "communication" chapter.
Q5: What kind of tips can you provide to threat hunters to find top nation states in your clients or companies network environments? Where would you spend your limited amount of money and focus on?
I am afraid I know no secret sauce.
Q6: In Chapter 13 "Ethics of Attribution" you make the valid remark that most of the reports by security companies cover groups that are assessed as being likely either Chinese, Russian, Iranian or North Korean, whereas analyses of cyber operations of presumably Western origin are extremely rare. Is this because these security companies are bound to Five Eyes?
I think there are several reasons. First of all, for all we know, Western APTs are harder to detect. And harder to attribute. Look at Remsec/Project Sauron. Also Regin was mostly attributed based on leaked documents, there was not much technical evidence publicly. If you look at the Vault7 documents, you'll find how well the CIA avoids leaving attributable evidence in their operations. The other reason is that Western APTs apparently retool after a publication or major detection. Ten years ago, most known APT groups were Chinese. No one had seen or recognized Russian APTs. Only when the first report came out, it was easier for people to unravel further stuff. So once you find some artefacts and methods to track Russian, Chinese or Iranian groups, it becomes much easier, because they don't retool that much. But after Regin and Remsec were published, the actors seemed to totally retool. So companies find it hard to track them. The next reason is of course customers. In two ways. Western governments may be customers in terms of ThreatIntel or security products at security companies. Will these security companies report on offensive stuff if they have a big anti-virus contract with that government? I don't know. Some may, some may not. Symantec published about Regin and Remsec. Kaspersky, ESET, TrendMicro, F-Secure are certainly not from Five Eyes countries. So the topic seems to be more complex than just country of origin. Also, the customers define demand. Do they explicitly ask security companies to provide reports about Western APTs? I don't know. Do they perceive Western APTs as threats at all? I don't know. Point is, there are many reasons.
Q7: As a follow-up on Q6: How could you obtain a more holistic perspective on the cyber operations of Western intelligence agencies from a threat perspective? What safeguards do you need to implement in your threat intelligence gathering process in order not to end up with tunnel vision? I noticed you elaborated on the Remsec actor quite a bit.
If I only knew.
Q8: How do you track APT actors yourself? Any tips would be greatly appreciated. Monitoring for YARA detections, intelligence requirements, etc.
My colleague Nils published a nice blog about how to use Censys to track infrastructure. It's on the Censys blog. (Editor's note: Track APT actor infrastructure)
Q9: In chapter 6 you explained that geopolitical analysis is very important. I could not agree more. What is the best way to detect or monitor for geopolitical disputes?
Frankly, I am not an expert in all the sub-disciplines necessary for attribution. Just as I am no reverser, I am no great political analyst. I do have a grasp of the methods and concepts, but it's not my day-to-day work. I even learnt stuff while writing the book, and probably I already forgot too much of what I learnt :D
We just monitor a couple of sources, like intelligence journals, some big media outlets, purchase commercial ThreatIntel. I like the CaspianReport YouTube clips but their focus is not always on stuff that would be really relevant to our work.
Regards, Timo