Attribution fatigue is real. We are 20 years past Moonlight Maze, 15 years past Titan Rain, and a decade past the formation of NATO's Cooperative Cyber Defence Centre of Excellence in Estonia. Those ten years have seen the public dumping of stolen nation-state toolchains, a worm renaissance, and increasingly adventurous forays by states far beyond the limits of espionage, into active operations. Small wonder we're tired… but what have we learned about technical and contextual analysis as nation-state threats roll into their third decade? What are we missing? Does any of this even matter?
Network defenders and threat intelligence analysts tend to be sharply divided on this question of nation-state threat attribution. Reasonable network defenders may decide 'How?' is all that matters (observables || GTFO); reasonable threat intel analysts may feel similarly about 'Who?' (APT1 || GTFO). This talk addresses each of these reasonable extremes, and further advocates for the neglected value of 'Why?' in surfacing adversary requirements, targeting, and constraints. We will look at how nation-states have used malware as a form of geopolitical signalling, the myth of vendor neutrality in the nation-state threat ecosystem, and opportunistic distortion of technical analysis.
Words and PE headers are hard, nation-states are weird, but more perfect nation-state threat analysis is possible within – and beyond – the binary.
Mara Tam is a Washington DC-based ICT security policy expert. Mara regularly serves as a private sector advisor to executive agencies on information security issues, focusing on the technical and strategic implications of regulatory and policy activity. Prior to her current roles, she was the Director of Government Affairs for HackerOne. Mara's background includes advanced degrees in cultural identity studies and modern history, as well as work in international security, counterinsurgency, and arms control. Her speaking and keynote credits include DEF CON, ShmooCon, TROOPERS, BSidesLV, BSidesPDX, The Atlantic Council, the Federal Communications Bar Association, CyCon US, and an alphabet soup of think tanks. She is a proud BlackHoodie RE alumna and trainer, contributor to FIRST Org's VRDX and Malware Analysis SIGs, and Senior Advisor / Staff Nerd with River Loop Security.