One Article Review

Home - The article:
Source SANS Institute
Identifier 369903
Publication date 2017-05-31 07:33:02 (seen: 2017-05-31 07:33:02)
Title Analysis of Competing Hypotheses, WCry and Lazarus (ACH part 2), (Wed, May 31st)
Text

Introduction

In my previous diary, I gave a very brief introduction to what the ACH method is [1], so that all readers, including those who had never seen it before, now have a common basic understanding of it. One thing I have not mentioned yet is how the scores are calculated. There are three different algorithms: an Inconsistency Counting algorithm, a Weighted Inconsistency Counting algorithm, and a Normalized algorithm [2]. The Weighted Inconsistency Counting algorithm, the one used in today's examples, builds on the Inconsistency algorithm but also factors in weights for credibility and relevance values. For each item of evidence, a consistency entry of I

Today, I will apply ACH to a recent, quite well-known case: WCry attribution. There have been lots of analyses and speculation around it; lately several sources in the InfoSec community have tied WCry strongly to the Lazarus Group [3][4][5][6], while others have provided reasons to be skeptical about such an attribution [7]. It is therefore a perfect case for showing the use of ACH: several different hypotheses, facts, pieces of evidence and assumptions.

Digital Shadows WCry ACH analysis

About two weeks ago, Digital Shadows published a very well done post on ACH applied to WCry attribution [8]. Regarding possible attribution to Lazarus, though, as stated in their post: "At the time of writing, however, we assessed there to be insufficient evidence to corroborate this claim of attribution to this group, and alternative hypotheses should be considered." Therefore, among the hypotheses considered, one specifically for Lazarus is missing, in place of a more generic nation state or state-affiliated actor.

The following are the four different hypotheses considered by Digital Shadows:

A sophisticated financially-motivated cybercriminal actor - H1
An unsophisticated financially-motivated cybercriminal actor - H2
A nation state or state-affiliated actor conducting a disruptive operation - H3
A nation state or state-affiliated actor aiming to discredit the National Security Agency (NSA) - H4

Given the final scores computed, they assessed that "though by no means definitive, a WannaCry campaign launched by an unsophisticated cybercriminal actor was the most plausible scenario based on the information that is currently available." Just one note on my side: from my calculation it seems they have made a mistake, and the H2 score should be -2.121 rather than -1.414. This does not change the final result, but it brings H2 and H3 much closer.

My WCry ACH Analysis

Although the Digital Shadows analysis was a very good one, I felt something was missing, both on the hypotheses side and on the evidence side. In particular, in my opinion, I would add three more hypotheses. When thinking about the NSA being the final target of this, beyond "A nation state or state-affiliated actor aiming to discredit the NSA", I think a (generic/unattributed) TA aiming at unveiling/exposing the extent of the possible NSA network of compromised machines should also be considered (H5). This is something one might expect from a hacktivist, although it seems to be far more sophisticated than what hacktivists have got us used to. One difference from H4 could be the lack of a supporting media narrative. Someone who wants to discredit the NSA would be ready with a supporting media narrative, whereas if the goal was simply to unveil and show everyone the potential extent of NSA-infected machines, the infection as it was would have been sufficient, given also the abundant media coverage it got.
Although this may still be seen as too close to H4 to be a different hypothesis, I still do see a case for it.
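The weighted scoring described in the introduction, and the kind of H2 score correction noted above, worked through in an added Python example (this is not code from the diary, the ACH tool, or Digital Shadows). The Low/Medium/High weight values 1/sqrt(2), 1, sqrt(2) and the I/II penalties are assumptions of this example, and the evidence matrix is constructed for illustration.

```python
from math import sqrt

# Assumed scoring tables (the diary does not reproduce them): credibility and
# relevance are Low/Medium/High -> 1/sqrt(2), 1, sqrt(2); an "I" cell counts -1,
# an "II" cell -2, and C/CC/N/NA cells add nothing to the inconsistency score.
WEIGHT = {"L": 1 / sqrt(2), "M": 1.0, "H": sqrt(2)}
INCONSISTENT = {"I": -1.0, "II": -2.0}


def inconsistency_score(evidence, hyp):
    """Plain Inconsistency Counting: sum the I/II penalties for one hypothesis."""
    return sum(INCONSISTENT.get(e["ratings"][hyp], 0.0) for e in evidence)


def weighted_inconsistency_score(evidence, hyp):
    """Weighted Inconsistency Counting: each I/II penalty is scaled by the
    credibility and relevance weights of the evidence item it comes from."""
    total = 0.0
    for e in evidence:
        penalty = INCONSISTENT.get(e["ratings"][hyp], 0.0)
        total += penalty * WEIGHT[e["credibility"]] * WEIGHT[e["relevance"]]
    return round(total, 3)


def rank_hypotheses(evidence, hypotheses):
    """Least negative weighted score first: the hypothesis with the least
    weighted inconsistency is the most plausible one, not a proven one."""
    scores = {h: weighted_inconsistency_score(evidence, h) for h in hypotheses}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


# Constructed matrix (illustrative; not Digital Shadows' actual evidence set).
HYPOTHESES = ["H1", "H2", "H3"]
EVIDENCE = [
    {"id": "E1", "credibility": "M", "relevance": "L",
     "ratings": {"H1": "C", "H2": "II", "H3": "I"}},
    {"id": "E2", "credibility": "L", "relevance": "M",
     "ratings": {"H1": "I", "H2": "I", "H3": "C"}},
    {"id": "E3", "credibility": "H", "relevance": "H",
     "ratings": {"H1": "C", "H2": "C", "H3": "I"}},
]

if __name__ == "__main__":
    for hyp, score in rank_hypotheses(EVIDENCE, HYPOTHESES):
        print(f"{hyp}: weighted={score:+.3f} "
              f"plain={inconsistency_score(EVIDENCE, hyp):+.0f}")
    # Leaving out one low-weighted I cell (E2) moves H2 from -2.121 to -1.414
    without_e2 = [e for e in EVIDENCE if e["id"] != "E2"]
    print("H2 without E2:", weighted_inconsistency_score(without_e2, "H2"))
```

Under these assumed weights, the 0.707 gap between the two H2 figures quoted above is exactly one I cell at low credibility and medium relevance (or vice versa) being dropped from the sum.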
Tags: Medical
Stories: Wannacry, APT 38