No Royal Road … Notes on Dangerous Game

Conference: BlackHat USA 2018

The presentation discusses the limitations of current models for analyzing nation-state threats and the importance of contextual analysis and of caution in attribution and reporting.
  • Current models for analyzing nation-state threats, such as the hunter-game dynamic, lack context and coherence.
  • Contextual analysis is crucial to understanding nation-state threats and their behaviour.
  • Attribution and reporting on nation-state campaigns is not always disinterested, so caution is necessary.
  • An anecdote about the loss of innocence in the belief that antivirus companies and threat intelligence firms are neutral illustrates the point.

For a long time, a core principle of information security was the belief that antivirus companies and threat intelligence firms are neutral; that innocence has been lost. Recent reporting by Chris Bing has shown that attribution and reporting on nation-state campaigns is not always disinterested. This is a significant development in the field and underlines the importance of caution in attribution and reporting.


Attribution fatigue is real. We are 20 years past Moonlight Maze, 15 years past Titan Rain, and a decade past the formation of NATO's Cooperative Cyber Defence Centre in Estonia. These recent ten years have seen the public dumping of stolen nation-state toolchains, a worm renaissance, and increasingly adventurous forays by states far beyond the limits of espionage, into active operations. Small wonder we’re tired… but what have we learned about technical and contextual analysis as nation-state threats roll into their third decade? What are we missing? Does any of this even matter?

Network defenders and threat intelligence analysts tend to be sharply divided on this question of nation-state threat attribution. Reasonable network defenders may decide ‘How?’ is all that matters (observables || GTFO); reasonable threat intel analysts may feel similarly about ‘Who?’ (APT1 || GTFO). This talk addresses each of these reasonable extremes, and further advocates for the neglected value of ‘Why?’ in surfacing adversary requirements, targeting, and constraints. We will look at how nation-states have used malware as a form of geopolitical signalling, the myth of vendor neutrality in the nation-state threat ecosystem, and opportunistic distortion of technical analysis. Words and PE headers are hard, nation-states are weird, but more perfect nation-state threat analysis is possible within – and beyond – the binary.