A Framework for Comparative Attribution in Threat Intelligence

Introduction

Attributing malicious cyber activity to specific threat actors is a complex yet critical task in cybersecurity. At the recent SANS Institute CTI Summit, Sierra S. and Jono Davis from PwC presented a structured framework for comparative attribution in threat intelligence. Their methodology emphasizes evidence-based analysis, addressing biases, and bridging visibility gaps to improve accuracy in attributing cyber threats.

Learning Objectives

  • Understand the key elements of threat actor attribution assessments.
  • Learn how to analyze observable evidence and mitigate collection gaps.
  • Apply structured methodologies to reduce biases in attribution.

You Should Know

1. Observable Evidence of Threat Activity

Command (Linux):

grep -i "suspicious_ip" /var/log/auth.log

What it does: Searches for a suspicious IP address in Linux authentication logs.

Step-by-Step Guide:

1. Open a terminal.
2. Run the command to check for unauthorized login attempts.
3. Correlate findings with threat intelligence feeds (e.g., AlienVault OTX).

2. Sources of Data Points

Command (Windows – PowerShell):

Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625}

What it does: Retrieves failed login events from Windows Security logs.

Step-by-Step Guide:

1. Launch PowerShell as Administrator.
2. Execute the command to extract failed login attempts.
3. Export results for cross-referencing with threat actor TTPs (Tactics, Techniques, Procedures).

3. Addressing Collection Gaps

Tool Configuration (SIEM – Splunk Query):

index=firewall src_ip=* dest_ip=* action=blocked | stats count by src_ip

What it does: Identifies blocked IPs in firewall logs to detect potential threat actors.

Step-by-Step Guide:

1. Log into Splunk.
2. Run the query to analyze blocked traffic.
3. Compare results with external threat feeds to identify patterns.

4. Methodologies and Biases

API Security Check (cURL):

curl -H "Authorization: Bearer <token>" https://api.threatintel.com/v1/indicators

What it does: Fetches threat indicators from an API while testing authentication.

Step-by-Step Guide:

1. Replace `<token>` with a valid API key.
2. Run the command to retrieve threat data.
3. Validate results against internal logs to avoid confirmation bias.

5. Assumptions and Peer Review

Cloud Hardening (AWS CLI):

aws iam get-account-authorization-details --query 'UserDetailList[].UserName'

What it does: Lists all IAM users in an AWS account to audit permissions.

Step-by-Step Guide:

1. Install and configure AWS CLI.
2. Run the command to review users.
3. Share findings with peers to validate assumptions about access controls.

What Undercode Say

  • Key Takeaway 1: Attribution requires multi-source evidence to avoid false conclusions.
  • Key Takeaway 2: Peer review and transparency in methodologies reduce biases.

Analysis:

The framework highlights the importance of structured, evidence-based attribution. By integrating tools like SIEMs, threat feeds, and peer reviews, analysts can improve accuracy. However, attribution remains probabilistic—threat actors often share TTPs, and visibility gaps persist. Future advancements in AI-driven correlation may enhance attribution, but human judgment remains irreplaceable for contextual analysis.
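To make the multi-source, bias-aware reasoning above concrete, here is a small comparative attribution scorer. It is an added example, not code from the SANS talk, PwC, or this site: candidate actor profiles and the observed techniques are constructed sample data, technique IDs are illustrative MITRE ATT&CK-style labels, and the weighting and gap thresholds are assumptions chosen for the demonstration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ActorProfile:
    name: str
    ttps: frozenset  # technique IDs in the actor's known playbook

# Constructed candidate profiles (illustrative only, not real actor intel).
PROFILES = [
    ActorProfile("ACTOR-A", frozenset({"T1078", "T1110", "T1059.001", "T1105"})),
    ActorProfile("ACTOR-B", frozenset({"T1078", "T1110", "T1566.001",
                                       "T1021.002", "T1486"})),
]

def technique_weights(profiles):
    # A technique shared by several candidates discriminates poorly between
    # them, so its weight is 1 / (number of profiles that use it).
    counts = {}
    for p in profiles:
        for t in p.ttps:
            counts[t] = counts.get(t, 0) + 1
    return {t: 1.0 / n for t, n in counts.items()}

def score_candidates(observed, profiles, min_sources=2):
    # observed maps technique ID -> set of independent sources reporting it.
    # Only techniques corroborated by at least min_sources sources count,
    # which guards against over-weighting a single noisy feed or log.
    corroborated = {t for t, srcs in observed.items() if len(srcs) >= min_sources}
    weights = technique_weights(profiles)
    results = []
    for p in profiles:
        matched = corroborated & p.ttps
        score = sum(weights[t] for t in matched)
        possible = sum(weights[t] for t in p.ttps)
        coverage = len(matched) / len(p.ttps)
        results.append({
            "actor": p.name,
            "score": round(score / possible, 3) if possible else 0.0,
            "coverage": round(coverage, 2),
            # Most of the profile was never observed: either a mis-attribution
            # or a visibility gap. Flag it for peer review instead of concluding.
            "collection_gap": coverage < 0.5,
        })
    return sorted(results, key=lambda r: r["score"], reverse=True)

# Constructed observations: technique ID -> sources that reported it.
OBSERVED = {
    "T1078": {"auth.log", "windows-4625"},
    "T1110": {"auth.log", "windows-4625", "otx"},
    "T1059.001": {"edr"},          # single source: not corroborated
    "T1105": {"firewall", "otx"},
}

if __name__ == "__main__":
    for row in score_candidates(OBSERVED, PROFILES):
        print(row)
```

The output ranks ACTOR-A highest while flagging ACTOR-B with a collection gap, which is the signal to ask what the SIEM and feeds might simply not be seeing before settling on an attribution.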

Prediction

As threat actors evolve, attribution frameworks will increasingly rely on automation and machine learning. However, adversarial AI (e.g., deepfake IP spoofing) may complicate efforts, necessitating stronger collaboration between public and private sectors.

Reported By: Mthomasson Attributing – Hackers Feeds