Trained to track, identify and combat bad cyber actors, researchers like Timothy Gallo, a solutions architect for FireEye, use a combination of intelligence gathering and threat analysis to understand the types of individuals and groups that attack and harass companies and governments.
Adversaries and the tools to fight them have changed immensely in just the last ten years, and researchers and hunters need to continuously update their thinking and methods to keep pace with attackers, Gallo said, speaking with the event's moderator Anthony Nash, of security firm Anomali.
"Five years ago, we were positing that ransomware was going to be an enterprise problem," he said, elaborating on how that prediction had become an unfortunate reality for many cities, states and companies. "As a hunter now, instead of just being able to focus on having a great reverse engineering team you do have to be able to have so much more visibility into what's happening."
"I think that whether it's an attribution or anything else, you have to look at it with fresh eyes, not be biased, and follow the evidence and let it build out the bigger picture," said Jon DiMaggio, senior threat intelligence analyst at Symantec, regarding the process involved in tracking and analyzing hacking groups.
Those groups include APT 41 (Advanced Persistent Threat 41), a Chinese group reported to conduct state-sponsored espionage operations alongside financially motivated cybercrime. Both FireEye and Symantec have spent time researching APT 41. The group targets companies, particularly in the video game industry, for its own financial gain, while also conducting espionage on behalf of the state.
In many cases, however, attribution of where an attack is coming from is not as clear-cut as with APT 41. Several kinds of evidence matter in the attribution process, much of it technical in nature: digital forensics that try to establish exactly how, where and when a system was breached.
A great deal of useful evidence also comes from analysis of the broader socioeconomic and political situation in the region from which an attack originates, said Gallo. Understanding an attacker's orientation, such as whether an intrusion came from a state-sponsored group trying to cause political disruption or from an organized crime syndicate attempting to extort large sums of money, is crucial to knowing how to counter the threat.
Sometimes, though, attribution does not actually matter that much, another panelist pointed out.
"I'm less interested in who [the attacker is] and more interested in the what and the how [the attack occurred]," said Chris Cochran, threat intelligence and operations lead for Netflix. "What are the gaps that we need to close from a security posture perspective to prevent this from happening again?"
At the end of the day, tracking adversaries can only be accomplished with a competent team of professionals, panelists agreed. In recent years, some have spoken about the need to further automate intelligence gathering and threat analysis, but the speakers agreed that a human role was irreplaceable to adequately protect systems.
“People have been trying to automate intelligence forever,” said Nash. “All of us have spent time at agencies that said, 'You’re not going to have jobs,' and lo and behold, there’s still a lot of intelligence analysts out there.”
DiMaggio agreed: “As a threat hunter, you have to have that human ability to understand the information," he said. "We can all get an appliance that flashes red and tells us something is bad, but what does that really mean? You need a human being to make something actionable, something you can really use.”