Blue Team Village talk: Attribution and Bias: My Terrible Mistakes in Threat Intelligence Attribution

Posted by admin, 29 July 2022 20:07:10


The threat intelligence industry suffers from a flow of inaccurate information. This stems from irresponsible announcements and from each vendor's differing perceptions. In this presentation, I would like to share how quickly we can arrive at the wrong decisions and what attitude we need in order to prevent these failures.




One of the most important aspects of threat intelligence is the attribution of threat actors—identifying the entity behind an attack, their motivations, or the ultimate sponsor of the attack. Attribution is one of the most complicated aspects of cybersecurity, and it is easy to make mistakes because the underlying architecture of the internet offers numerous ways for attackers to hide their tracks. Threat actors can use false flags to deceive the security community about their identity, and natural human bias can lead researchers in the wrong direction. In this presentation, I will discuss three of the biggest lessons I’ve learned with regards to attribution—and how researchers can avoid making the same errors.




The first mistake is related to perception bias. Olympic Destroyer was a cyber-sabotage attack that took place during the PyeongChang Winter Olympics in 2018. Many security vendors published information about the substance of the attack alongside unclear speculation about who was ultimately behind it. During the early stage of my Olympic Destroyer research, I strongly believed a North Korea-linked threat actor was behind the attack. Looking back, I’m overwhelmed by my confirmation bias at that time. The relationship between North Korea and South Korea was relatively stable during the Olympics, but North Korea sometimes attacked South Korea regardless. Therefore, I assumed the attack was associated with a North Korean threat actor that wanted to sow chaos during the Olympic season. However, my colleague discovered a fascinating Rich header false flag designed to disguise the fact that this attack was carried out by an unrelated threat actor. Also, after an in-depth, onsite investigation, I confirmed that the threat actor behind this attack used a totally different modus operandi from the presumed North Korean threat actor. I had allowed my perception bias to hinder my attribution efforts.
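The Rich header false flag mentioned above rests on a kind of check that is worth seeing in code: the Rich header is an undocumented, XOR-encoded record of the Microsoft toolchain builds that produced a PE, so its claims can be compared with what the rest of the file says. The example below is added here and is not code from the talk, the speaker, or Kaspersky. It recomputes the header's key from the publicly documented checksum algorithm, decodes the (prodid, build, count) entries, and cross-checks the toolchain builds the header claims against the MajorLinkerVersion field in the PE optional header. The PE samples are constructed in the script (they are not loadable binaries), the product ids in them are arbitrary placeholders, and the build-to-linker lookup is a two-entry illustrative assumption, not a full product table.

```python
import struct

# "DanS" marks the start of the Rich header; it is stored XORed with the key.
DANS = struct.unpack("<I", b"DanS")[0]
# The standard MSVC DOS stub (padded to 64 bytes), used to construct the sample files.
DOS_STUB = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            b"This program cannot be run in DOS mode.\r\r\n$").ljust(64, b"\0")
# Assumed, illustrative lookup from a toolchain build number to the major linker
# version it belongs to (8168 = VC6 link.exe 6.00.8168, 30319 = VS2010 10.00.30319).
# A real analysis would use a full, maintained product-id/build table.
BUILD_TO_LINKER_MAJOR = {8168: 6, 30319: 10}


def rol32(value, count):
    """Rotate a 32-bit value left by count bits (count taken mod 32)."""
    count &= 31
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def rich_key_for(pre_header, entries):
    """Recompute the Rich header key as publicly documented: the offset of 'DanS',
    plus every byte before it rotated by its index (e_lfanew at 0x3C..0x3F skipped),
    plus every compid rotated by its use count."""
    cksum = len(pre_header)
    for i, b in enumerate(pre_header):
        if 0x3C <= i <= 0x3F:
            continue
        cksum = (cksum + rol32(b, i)) & 0xFFFFFFFF
    for compid, count in entries:
        cksum = (cksum + rol32(compid, count)) & 0xFFFFFFFF
    return cksum


def parse_rich_header(pe):
    """Locate and decode the Rich header; returns None if the file has none."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    rich_off = pe.rfind(b"Rich", 0, e_lfanew)
    if rich_off < 0:
        return None
    key = struct.unpack_from("<I", pe, rich_off + 4)[0]
    dans_off = pe.rfind(struct.pack("<I", DANS ^ key), 0, rich_off)
    if dans_off < 0:
        return None
    entries = []
    for pos in range(dans_off + 16, rich_off, 8):     # skip 'DanS' and 3 padding dwords
        compid, count = struct.unpack_from("<II", pe, pos)
        entries.append((compid ^ key, count ^ key))   # compid = (prodid << 16) | build
    return {"dans_off": dans_off, "key": key, "entries": entries,
            "key_valid": rich_key_for(pe[:dans_off], entries) == key}


def linker_major_from_optional_header(pe):
    """MajorLinkerVersion sits after the PE signature (4), COFF header (20) and Magic (2)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    return pe[e_lfanew + 4 + 20 + 2]


def assess(pe):
    """List inconsistencies between what the Rich header claims and the rest of the PE."""
    rh = parse_rich_header(pe)
    if rh is None:
        return ["no-rich-header"]
    findings = []
    if not rh["key_valid"]:
        findings.append("rich-key-mismatch")
    implied = {BUILD_TO_LINKER_MAJOR.get(compid & 0xFFFF) for compid, _ in rh["entries"]} - {None}
    actual = linker_major_from_optional_header(pe)
    if implied and actual not in implied:
        findings.append(f"linker-version-mismatch: optional header says {actual}, "
                        f"Rich header implies {sorted(implied)}")
    return findings


def build_pe(entries, linker_major):
    """Constructed sample: a minimal, non-loadable PE with a correctly keyed Rich header."""
    dos_header = bytearray(64)
    dos_header[:2] = b"MZ"
    pre = bytes(dos_header) + DOS_STUB
    key = rich_key_for(pre, entries)
    rich = struct.pack("<IIII", DANS ^ key, key, key, key)
    for compid, count in entries:
        rich += struct.pack("<II", compid ^ key, count ^ key)
    rich += b"Rich" + struct.pack("<I", key)
    pe = bytearray(pre + rich)
    struct.pack_into("<I", pe, 0x3C, len(pe))                      # e_lfanew -> "PE\0\0"
    pe += b"PE\0\0" + bytes(20)                                     # zeroed COFF header
    pe += struct.pack("<HBB", 0x10B, linker_major, 0) + bytes(92)   # PE32 optional header stub
    return bytes(pe)


# Constructed samples. Product ids (high 16 bits of each compid) are arbitrary
# placeholders; only the build number (low 16 bits) feeds the check.
GENUINE = build_pe([((0x1001 << 16) | 30319, 12), ((0x1002 << 16) | 30319, 1)], linker_major=10)
# A header claiming VC6-era builds (correctly keyed) on a binary whose optional
# header says it was produced by a version 10 linker.
FALSE_FLAG = build_pe([((0x1003 << 16) | 8168, 9)], linker_major=10)
# An entry edited in place without recomputing the key.
_t = bytearray(GENUINE)
_t[parse_rich_header(GENUINE)["dans_off"] + 16 + 4] ^= 0x01
TAMPERED = bytes(_t)

if __name__ == "__main__":
    for name, sample in (("genuine", GENUINE), ("false_flag", FALSE_FLAG), ("tampered", TAMPERED)):
        print(f"{name}: {assess(sample) or 'consistent'}")
```

Two caveats matter for the way this check is used. The key validates only the bytes before the header and the entries themselves, and the DOS stub is the same across MSVC-built binaries, so a Rich header copied wholesale from another sample still carries a valid key; the key check catches careless edits, not a deliberate transplant. The cross-check against the optional header is what exposes a header whose toolchain claims do not fit the binary, and even then it only shows that the artifact was tampered with, not who did it, which is the point the paragraph above makes.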




The second mistake occurred as a result of an over-reliance on third-party tools.

Researchers are often inclined to rely on too many third-party tools, and occasionally this blind faith causes mistakes. One day, I discovered that a Korean-speaking threat actor had used a 0-day exploit embedded in a Word document. Based on the metadata of the malicious document, I used VirusTotal to find additional documents with similar metadata. All of them had the same language code page, which made me even more biased. From then on, I started going in the wrong direction. I totally believed that those documents had been created by the same threat actor. However, I later discovered that the documents had been created by two different actors with very similar characteristics. Both of them are Korean-speaking actors who, historically, attack the same target. Eventually, I uncovered the difference between the two and was able to reach the right conclusion—but this required going beyond what my tools told me was the correct answer.




The last mistake occurred as a result of impatience. When I investigated one cryptocurrency exchange incident, I noticed that the cryptocurrency trading application had been compromised and was being delivered with a malicious file. Without any doubt, I concluded that this company's supply chain had been compromised, and I contacted them via email to notify them of the incident. But as soon as I contacted them, their websites went offline and the application disappeared from the website. After a closer examination of their infrastructure, I recognized that everything was fake, including the company website, the application, and the 24/7 support team. Later, we named this attack Operation AppleJeus, which US-CERT also mentioned when three North Korean hackers were indicted. In my haste to conclude my research, I had failed to notice an important aspect of the operation.




Threat intelligence is a high-profile industry with numerous stories that have major geopolitical ramifications. Not only is attribution one of the hardest aspects of this field—it’s the one that carries the most significant consequences if not done correctly. Unfortunately, human intuition and bias interfere with proper attribution, leading to mistakes. By sharing my own struggles with attribution, it is my hope that other researchers in the security community can carry out their own investigations with greater accuracy.




About the speaker: Seongsu Park

Seongsu Park is a researcher passionate about malware research, threat intelligence and incident response, with more than ten years of experience in cybersecurity. He has extensive experience in malware research, research into evolving attack vectors and threat intelligence, with a focus on responding to attacks by nation-state adversaries. He mainly tracks highly skilled Korean-speaking threat actors. He is currently a Lead Security Researcher on Kaspersky's Global Research and Analysis Team (GReAT), focusing on analysing and tracking security threats in the Asia-Pacific region.


Link:

https://dc30.blueteamvillage.org/call-for-content-2022/talk/X9YX3P/






Originally published on the WeChat official account 天御攻防实验室: Blue Team Village talk: Attribution and Bias: My Terrible Mistakes in Threat Intelligence Attribution

Archived at CN-SEC: https://cn-sec.com/archives/1210047.html