One analytical struggle in my life is whether a group executed poorly conceived tradecraft, or well executed deception. Deception is rarely discussed on the "threat intelligence" side of information security. Maybe folks are unfamiliar, or intimidated, I don't know. #threatintel
We're naive to think we cannot be deceived. Governments with seemingly infinite resources and elaborate espionage capabilities get deceived. It's a thing. I'll go further, there's plenty of regular intelligence analysts who rarely discuss deception. It probably scares them.
An entire field is dedicated to carefully misleading intelligence apparatuses. That means understanding your processes, requirements, and capabilities in order to craft essentially an illusion for you to consume. You may execute sound analysis and still be dead wrong.
We execute sound analytical processes as a matter of best practice. That's good. However, we should always at least ask the question or entertain the possibility or probability that the top tier in the game can and likely do conduct deception and counterintelligence.
Good intelligence analysts operate in degrees of uncertainty, because they rarely have all the facts. That's why they generally make assessments instead of proving a case. They have to consider that the information they have is incomplete, incorrect, or worse, specially crafted to mislead.
Systems should be built with the understanding that if a human is using them, their mistakes must be accounted for. I recently looked at evidence and said this is surely GROUP A. That didn't matter though, because of our systematic approach to analysis. Thread inbound.
Having a theory is fine. My theory at the time was not a fabrication nor bias. This was not even a set I am overly excited about. Once more information was collected and analyzed, and we expanded the aperture on why I thought it might be GROUP A, we discovered it wasn't.
Overwhelming evidence pointed me to accept an alternative. This actually made me feel great about the system we implement within our organization. No one was critical, because we executed the system and produced solid attribution. My initial theory was wrong, and that's alright.
We have the 30th round of "I was a volunteer doing dirt for the U.S. government, and as such I'm very uncomfortable that I could be held accountable for my actions by a foreign government, so instead we shouldn't apply pressure to others to avoid the same." My thoughts below.
As Jake points out, there are a lot of government sanctioned activities that can end with the individual getting punished by the target if caught. He used the example of SOF conducting renditions abroad, but doesn't really get to the "they shouldn't be arrested" part.
Yes, if you kidnap someone, that is usually illegal, and if you get caught, you hope your government will exercise other forms of power to help you out, BUT you go into that operation with the understanding that you may be getting bent over by ISI for the next five years.
While the reporter was trying to compare two groups of professionals in their respective trades, Scott gives us a reminder that no one is trying to kill you while you're scoping the extent of the intrusion.
I've had the privilege of working with top professionals in combat arms and information security. "Elite" organizations typically have a higher concentration of top performers who are committed to excellence for themselves and those they work with.
I am privileged to work alongside Mandiant. I specifically sought them out during my transition. I decided I could serve them better in Advanced Practices due to my background. They are consummate professionals. As Scott pointed out, they are also aware of what they aren't.
#StateOfTheHack follow up. Thank you to everyone who tuned in, and we apologize for the technical difficulties and audio. We are going to get that figured out for future iterations. I wanted to follow up with indicators I talked about at the end to prove a point regarding #GDPR:
My team develops sources and methods for pursuing adversaries across our customers' networks, and beyond. We do not become reliant on a single source, nor do we allow the loss of a source to cripple our collection efforts. Loss of WHOIS information is not a deal breaker.
This is the domain I dropped in our #StateOfTheHack discussion today. The screenshot indicates we illuminated it on day zero of the adversary establishing it. The WHOIS information is privacy protected. However, we didn't discover the domain through registrant information.