BEGIN:VCALENDAR
VERSION:2.0
PRODID:Data::ICal 0.24
BEGIN:VEVENT
DESCRIPTION:Title: Attribution and Bias: My terrible mistakes in threat
  intelligence attribution\nWhen: Friday\, Aug 12\, 11:00 - 11:30 PDT\n
 Where: Virtual - BlueTeam Village - Talks\n\nSpeakerBio: Seongsu Park\n
 Seongsu Park is a passionate researcher in malware research\, threat
  intelligence\, and incident response with over a decade of experience
  in cybersecurity. He has extensive experience in malware research\,
  research on evolving attack vectors\, and threat intelligence with a
  heavy focus on response to nation-state adversary attacks. He mostly
  tracks highly skilled Korean-speaking threat actors. He now works in
  the Kaspersky Global Research and Analysis Team (GReAT) as a Lead
  security researcher and focuses on analyzing and tracking security
  threats in the APAC region.\n\nDescription:\nOne of the most important
  aspects of threat intelligence is the attribution of threat
  actors—identifying the entity behind an attack\, their motivations\,
  or the ultimate sponsor of the attack. Attribution is one of the most
  complicated aspects of cybersecurity\, and it is easy to make mistakes
  because the underlying architecture of the internet offers numerous
  ways for attackers to hide their tracks. Threat actors can use false
  flags to deceive the security community about their identity\, and
  natural human bias can lead researchers in the wrong direction. In this
  presentation\, I will discuss three of the biggest lessons I've learned
  with regards to attribution—and how researchers can avoid making the
  same errors.\n\nThe first mistake is related to perception bias.
  Olympic Destroyer was a cyber-sabotage attack that happened during the
  PyeongChang Winter Olympics in 2018. Many security vendors published
  information about the substance of the attack alongside unclear
  speculation about who was ultimately behind it. During the early stage
  of my Olympic Destroyer research\, I strongly believed a North
  Korea-linked threat actor was behind the attack. Looking back\, I'm
  overwhelmed by my confirmation bias at that time. The relationship
  between North Korea and South Korea was relatively stable during the
  Olympics\, but North Korea sometimes attacked South Korea regardless.
  Therefore\, I assumed the attack was associated with a North Korean
  threat actor that wanted to sow chaos during the Olympic season.
  However\, my colleague discovered a fascinating Rich header false flag
  designed to disguise the fact that this attack was carried out by an
  unrelated threat actor. Also\, after an in-depth\, onsite
  investigation\, I confirmed that the threat actor behind this attack
  utilized a totally different modus operandi than the presumed North
  Korean threat actor. I had allowed my perception bias to hinder my
  attribution efforts.\n\nThe second mistake occurred as a result of an
  over-reliance on third-party functions. Researchers are often inclined
  to rely on too many third-party tools\, and occasionally this blind
  faith causes mistakes. One day\, I discovered that one Korean-speaking
  threat actor utilized a 0-day exploit embedded in a Word document.
  Based on the metadata of the malicious document\, I used VirusTotal to
  find additional documents with similar metadata. All of them had the
  same language code page\, which made me even more biased. From then
  on\, I started going in the wrong direction. I totally believed that
  those documents were created by the same threat actor. However\, I
  later discovered that the documents were created by two different
  actors with very similar characteristics. Both of them are
  Korean-speaking actors who\, historically\, attack the same target.
  Eventually\, I uncovered the difference between the two and was able
  to reach the right conclusion—but this required going beyond what my
  tools told me was the correct answer.\n\nThe last mistake occurred as
  a result of impatience. When I investigated one cryptocurrency
  exchange incident\, I noticed that the cryptocurrency trading
  application was compromised and had been delivered with a malicious
  file. Without any doubt\, I concluded that the supply chain of this
  company was compromised\, and contacted them via email to notify them
  of this incident. But\, as soon as I contacted them\, their websites
  went offline and the application disappeared from the website. After a
  closer examination of their infrastructure\, I recognized that
  everything was fake\, including the company website\, application\,
  and 24/7 support team. Later\, we named this attack Operation
  AppleJeus\, which US-CERT also mentioned when they indicted three North
  Korean hackers. In my haste to conclude my research\, I failed to
  notice an operational aspect of the operation.\n\nThreat intelligence
  is a high-profile industry with numerous stories that have major
  geopolitical ramifications. Not only is attribution one of the hardest
  aspects of this field—it's the one that carries the most significant
  consequences if not done correctly. Unfortunately\, human intuition and
  bias interfere with proper attribution\, leading to mistakes. By
  sharing my own struggles with attribution\, it is my hope that other
  researchers in the security community can carry out their own
  investigations with greater accuracy.\n\nThe threat intelligence
  industry suffers from a flow of inaccurate information. This symptom
  is caused by irresponsible announcements and the differing perceptions
  of each vendor. In this presentation\, I would like to share how
  quickly we can arrive at wrong decisions and what attitude we need in
  order to prevent these failures.\n
DTEND:20220812T183000Z
DTSTART:20220812T180000Z
LOCATION:BTV - Virtual - BlueTeam Village - Talks
SUMMARY:Attribution and Bias: My terrible mistakes in threat intelligence a
 ttribution
END:VEVENT
END:VCALENDAR
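The abstract's first lesson turns on a "Rich header false flag": the undocumented block Microsoft's linker leaves between the DOS stub and the PE header, which records the toolchain products (and build numbers) that produced the binary, XOR-encoded with a key equal to a checksum over the DOS header, stub and entries. Because analysts use it for toolchain fingerprinting, it is an attractive thing to transplant from someone else's malware. The script below is an added example, not code from the talk or from Kaspersky, and its two sample files are constructed in memory rather than taken from Olympic Destroyer. It parses the Rich block, recomputes the checksum as described in public Rich header research, and cross-checks any Linker product the block claims against MajorLinkerVersion in the optional header; the prodid table is a partial subset assumed correct for the entries used here. A forger who pastes only the Rich block onto a different DOS stub fails the checksum, and one who pastes a whole DOS prefix from an older toolchain still fails the linker-version comparison.

```python
"""Rich header consistency checks on PE files (added example with constructed samples).

Check 1: the XOR key after "Rich" must equal the checksum over the DOS header,
stub and decoded entries.  Check 2: a Linker product claimed by the Rich header
should agree with MajorLinkerVersion in the PE optional header.
"""
import struct

DANS = 0x536E6144  # "DanS" read as a little-endian dword

# Partial prodid -> (name, MajorLinkerVersion) table for linker entries, taken from
# public Rich header research and assumed correct here; extend as needed.
LINKER_PRODIDS = {
    0x0004: ("Linker600", 6), 0x003D: ("Linker700", 7), 0x005A: ("Linker710", 7),
    0x0078: ("Linker800", 8), 0x0091: ("Linker900", 9), 0x009D: ("Linker1000", 10),
    0x00C7: ("Linker1100", 11), 0x00D5: ("Linker1200", 12), 0x00DE: ("Linker1400", 14),
}

def rol32(v, n):
    n &= 31
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF

def rich_checksum(prefix, entries):
    """prefix = every byte before "DanS"; entries = [(compid, count), ...]."""
    cksum = len(prefix)
    for i, b in enumerate(prefix):
        if 0x3C <= i < 0x40:  # e_lfanew is excluded from the sum
            continue
        cksum = (cksum + rol32(b, i)) & 0xFFFFFFFF
    for compid, count in entries:
        cksum = (cksum + rol32(compid, count)) & 0xFFFFFFFF
    return cksum

def build_rich(prefix, entries):
    key = rich_checksum(prefix, entries)
    blob = struct.pack("<IIII", DANS ^ key, key, key, key)  # "DanS" + 3 zero pads
    for compid, count in entries:
        blob += struct.pack("<II", compid ^ key, count ^ key)
    return blob + b"Rich" + struct.pack("<I", key)

def dos_prefix(stub, rich_len):
    """IMAGE_DOS_HEADER (0x40 bytes) plus stub; e_lfanew points past the Rich block."""
    return b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40 + len(stub) + rich_len) + stub

def nt_headers(major, minor):
    """PE signature, COFF header and a zero-padded PE32 optional header (224 bytes)."""
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    return b"PE\x00\x00" + coff + struct.pack("<HBB", 0x10B, major, minor).ljust(224, b"\x00")

def build_pe(stub, entries, major, minor):
    """A genuine file: Rich block checksummed over its own DOS header and stub."""
    prefix = dos_prefix(stub, 16 + 8 * len(entries) + 8)
    return prefix + build_rich(prefix, entries) + nt_headers(major, minor)

def parse_rich(pe):
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    rich_pos = pe.rfind(b"Rich", 0, e_lfanew)
    if rich_pos < 0:
        return None
    key = struct.unpack_from("<I", pe, rich_pos + 4)[0]
    dans_pos = None
    for p in range(rich_pos - 4, -1, -4):  # walk back to the XOR-encoded "DanS"
        if struct.unpack_from("<I", pe, p)[0] ^ key == DANS:
            dans_pos = p
            break
    if dans_pos is None:
        return None
    entries = [tuple(v ^ key for v in struct.unpack_from("<II", pe, p))
               for p in range(dans_pos + 16, rich_pos, 8)]
    return {"offset": dans_pos, "key": key, "entries": entries}

def check_rich(pe):
    """Return a list of findings; an empty list means both checks passed."""
    hdr = parse_rich(pe)
    if hdr is None:
        return ["no Rich header found"]
    findings = []
    expected = rich_checksum(pe[:hdr["offset"]], hdr["entries"])
    if expected != hdr["key"]:
        findings.append("checksum mismatch: key=0x%08x expected=0x%08x" % (hdr["key"], expected))
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    major, minor = struct.unpack_from("<BB", pe, e_lfanew + 24 + 2)  # after Magic
    for compid, _count in hdr["entries"]:
        name, claimed = LINKER_PRODIDS.get(compid >> 16, (None, None))
        if name and claimed != major:
            findings.append("Rich header claims %s but optional header says linker %d.%d"
                            % (name, major, minor))
    return findings

# Constructed samples, no real malware. TARGET_STUB mimics a common DOS stub prefix.
TARGET_STUB = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21" + b"\x00" * 55
GENUINE = build_pe(TARGET_STUB, [(0x009D << 16 | 30319, 3), (0x0001 << 16, 12)], 10, 0)

# Forgery: the Rich block of a different VS6-era binary (key computed over its own
# stub) pasted into the VS2010-linked target.
_donor_entries = [(0x0004 << 16 | 8168, 2), (0x0001 << 16, 9)]
_donor_rich = build_rich(dos_prefix(b"\x90" * 64, 16 + 8 * 2 + 8), _donor_entries)
FORGED = dos_prefix(TARGET_STUB, len(_donor_rich)) + _donor_rich + nt_headers(10, 0)

if __name__ == "__main__":
    for label, pe in (("genuine", GENUINE), ("forged", FORGED)):
        print(label, check_rich(pe) or ["ok"])
```

Neither check is proof on its own: a clean checksum only shows the block is internally consistent with the bytes around it, and a linker mismatch can also come from binaries post-processed by packers or protectors. The point of the abstract stands either way: treat toolchain metadata as one weak signal to be corroborated by tradecraft and infrastructure, not as an attribution answer.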
