Dynamic Threat Actor Profiling: Presenting New Research at the VirusBulletin Conference in Montreal

“Draw Me Like One of your French APTs…”

This week I’ll be presenting on several topics at the VirusBulletin Conference in Montreal, including one on the language we use in profiling threat actors (Draw Me Like One of Your French APTs: Expanding Our Descriptive Palette for Cyber Threat Actors, Wednesday Oct 3, 2pm EST).

Threat research often implies a quick turnaround and a need to compete — to present your best research before anyone else beats you to the scoop. The VirusBulletin Conference has become a venue for the exact opposite. It allows threat researchers to take pause and think about problems in threat research at a greater depth and to coalesce those findings into a long-form publication.

For the past few years, I’ve taken advantage of that opportunity to dive deep into abstract concepts in threat intelligence ethics and complex attack dynamics like ‘false flags’ and ‘fourth-party collection’. This year’s submission is an opportunity to take a step back and discuss the shortcomings of threat intelligence methodology around profiling cyber threat actors.

The resulting paper (download it here) is extensive and covers:

  • A formal approach to understanding what we can and cannot know solely from cyber indicators.
  • A better analogue for threat actor profiling, borrowing from criminal behavioural profiling rather than the more common military approaches.
  • An application of that co-opted approach to known examples of excellent public threat research, in order to further elucidate previously undiscussed aspects of the threat actors involved.

For those looking for a quick ‘TLDR’, the key takeaways are the following:

  1. Conclusive attribution cannot be arrived at by means of cyber (or ‘fifth-domain’) indicators alone.
  2. Threat intelligence is better suited to provide testable dynamic profiles that provide value for defenders past the point of initial publication.
  3. There are still important insights to be drawn from even the most well-documented operations. Retroactive study with better visibility and a different approach will continue to reward researchers.

Finally, if there’s a point I hope to drive home, it is that threat intelligence is meant to empower defenders to direct their resources (however limited) to defend against an adversary that won’t simply go away. To best accomplish that mission, researchers should embrace research methods and output that will continue to adapt at the speed of our object of study. Threat actors won’t go away simply because they’ve been ‘doxed’ or an extensive report has been published. They will change (often rapidly and drastically) to avoid our visibility and continue to challenge defenders. I hope we can mimic the dynamism and perseverance of our adversaries to continue to Give Good the Advantage.

Juan Andres Guerrero-Saade
Staff Threat Researcher, Chronicle