MONTREAL--The community of researchers who track and analyze APT groups has become an industry unto itself in the last few years, as sophisticated attack teams continue to proliferate and the need to defend against their activities grows by the day. But while the tactics of those groups change and evolve constantly, the research into their activities is often static and can be outdated by the time it becomes public.
That problem is a result of the time and resources researchers must devote to analyzing the operations of APT groups, many of which are highly resourced and trained teams. These groups often are affiliated with intelligence services or military branches and have the time, tools, and training to hide their operations for months or years at a time. It’s a difficult task for researchers to develop a profile of a group based on a single operation, let alone one that encompasses multiple operations across several countries and over the course of many years.
“Part of the problem is that we draw a lot of analogies from the military. A lot of threat analysts come from the defense community or the intelligence community and they learn a lot of doctrine. They learn a static adversary and what the doctrine of that adversary is,” Juan Andres Guerrero-Saade of Chronicle said during a talk at the Virus Bulletin conference here Wednesday.
“That tends not to imply rational incentives and that’s why sometimes people are befuddled by the actions of some of the lower-end actors.”
If defenders are to swing the advantage back in their favor, creating dynamic, adaptable profiles is key, Guerrero-Saade said. A threat analyst with years of experience tracking APT groups, Guerrero-Saade said there are plenty of obstacles to the creation of dynamic adversarial profiles, not the least of which is the fascination with attribution. Focusing on who did what to whom, rather than on how it was done and with what tools, can lead an investigation down a deep rabbit hole.
“We can have a conversation about attribution derailing research when we think we know who is responsible. It’s not up to the profiler to say, that’s the murderer. It might work on TV but not in a threat intel investigation. The idea is to draw up a hypothesis to narrow the nominal pool,” he said.
“Operational behavior and tooling reflects adversarial configuration and imperatives. We want to create a dynamic profile that’s testable and the aim is to understand the adversarial configuration. The aim isn’t to say this is the FSB or the NSA. It’s much more important to approximate the configuration to understand how they work.”
The main reason dynamic profiling is so vital, he said, is that threat actors change constantly. Groups grow and contract, individual operators leave, infrastructure and tools are compromised and new ones are developed all the time. Creating a picture of a group at one specific point in time isn’t nearly as useful as developing an ongoing, adaptable profile of an APT team’s tools, tactics, and tendencies. Some groups develop their tools internally and manage their own attack infrastructure, while others buy commercial-grade malware and outsource the management of their infrastructure.
“If the object of our study by definition changes, then our research output must be adaptable,” Guerrero-Saade said. “It needs to be competently continued by others.”