Draw me like one of your French APTs – expanding our descriptive palette for digital threat actors

Wednesday 3 October 14:00 - 14:30, Green room

Juan Andres Guerrero-Saade (Chronicle)

Words are the scaffold of our thinking. They allow us to climb conceptual heights, survey the land, to map concepts, and guide our understanding through conventional and unconventional pathways while retaining a semblance of structure and order. However, when it comes to the descriptive study of digital adversaries, we've proven far less than poets. Currently, our understanding is stated in binary terms: 'is the actor sophisticated or not?'. That is to say, 'is it respectable to have been breached by this formidable adversary, or were the defenders simply incompetent?'. This dichotomy of exceptionalism may have worked when the AV industry first began to encounter notable adversaries, hesitating to describe their vague features.

As the years go by, the menagerie of adversaries has become overpopulated and our familiarity with them has grown. It's time to expand our descriptive palette to include what intentions and capabilities we can surmise as present at the other end of the keyboard, to issue more fine-grained guidance on the nature of those dastardly attackers that have breached our walls. The intention of this talk is to move beyond 'sophisticated' (the pencil), to the observance of specific tradecraft (crayons), to the study of intentions (watercolours), to what the observance of certain military concepts may tell us about the adversarial outfit in question (oil paints). This ambitious endeavour seeks to efface the oversimplified terminology of 'sophistication' in favour of a range of more nuanced descriptive language reflective of the TTPs researchers have been documenting for years.

Not only will the use of more nuanced language provide defenders with a better understanding of the forces they're actively engaging, but it should also allow us to better predict and understand the difference between a ragtag band of opportunistic crooks and a military outfit steeped in both real and abstracted conflict. When it comes to the latter, are we really satisfied by saying that they're highly capable? Or well-resourced? 'Sponsored by so-and-so’? Or may we be able to surmise that they're informed by previous military conflicts? By experience with counterinsurgency or counterterrorism? That their behaviour suggests constriction by the rule of law, restrictive legal frameworks, and overwrought societal concerns? Or are they perhaps emboldened by an existential struggle? Prone to fever-pitched decision-making? Even rewarded for unbridled creativity, easily confused for irrationality in terms of conventional warfare?

Let's move beyond finger-painting and get serious about our art.




Juan Andrés Guerrero-Saade

Juan Andrés specializes in tracking advanced threat actors and elucidating concepts of digital espionage. He was formerly Principal Security Researcher with Kaspersky Lab's GReAT team. Before joining Kaspersky, he worked as Senior Cybersecurity and National Security Advisor for the Ecuadorian government. Juan Andrés comes from a background of specialized research in philosophical logic. His latest publications include 'The Ethics and Perils of APT Research: An Unexpected Transition Into Intelligence Brokerage', 'Wave your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks', and 'Walking in your enemy's shadow: when fourth-party collection becomes attribution hell'.




Related links

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.