Attribution What’s It Good For?
Video of BsidesLV: HERE
It seems not a day goes by without some new Panda or Kitten or other superciliously named actor coming from the FireEyes, Mandiants and CrowdStrikes of the world. This morning a new “campaign” was announced by Symantec and backstopped by FireEye (Saffron Rose) and Crowdstrike (Flying Kitten). This one, though, has malware being named “Mysayad” because they “think” the writing and the changes show a tie-in back to the flying saffron rose kitten. After reading the alert from Symantec and doing a little digging myself, my head nearly exploded once again. Why? Well, because the attribution was weak and contained a lot of supposition.
I have railed about this before, and in fact I did a presentation on the whole issue at BSidesLV a while back (see the link above). My issue is: why bother with the attribution anyway? Are these companies actually helping their clients with these details or not? Are they in fact digging into the whole picture of the actor and what they are looking for with the client who may be the target? Not so much that I have seen. You get a report with all the sexy sexy buzzwords and lingo and that’s it. No real help in dealing with the client’s issues, and it makes me have a headache.
So here ya go. My presentation and my ideas on how it should all work. Take this and think about what you are getting as a client of these companies. Those of you working at the companies I am railing against should also perhaps think a moment or two on just what the efficacy is of what you are all doing. Are you in fact a new arm of law enforcement? I only ask because the only ones really interested in this data who can make it actionable are LE or the IC, so who are you really selling to here?
Just my beef…