Attribution within threat intelligence operations generally focuses on trying to find a 'who' - pick a US three-letter agency or other intelligence service - rather than the 'how' - what totality of activities makes up a specific activity group responsible for one (or more) campaigns. This talk will explore and outline the differences between these approaches, and how the former might be useful when discussing things in the press or looking at events from a law enforcement perspective, but the latter is far more useful (and significantly less controversial) for actual network defenders. Specifically, by limiting ourselves to defining a collection of behaviors or TTPs surrounding a specific event or campaign, threat intelligence can then develop playbooks, response procedures, and evaluation of expected follow-on actions related to the documented activity group. Most importantly, activity groups - as collections of behaviors - are distinct from 'actors'. Thus, you may have multiple activity groups, associated with a set of targets and TTPs, that all happen to belong to the same hostile foreign intelligence service. But from an IR or SOC perspective, the 'geopolitical' aspect is irrelevant.
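The distinction drawn above, grouping by observed behaviors rather than by a reported "who", can be made concrete. The following Python example is added here and is not code from the talk or from any vendor report; the event records, TTP labels, actor labels and response playbooks are all constructed for illustration. It clusters events into activity groups purely on TTP overlap, then shows that a single reported actor label can span two distinct activity groups while an "unattributed" event lands squarely in one of them, which is what a SOC playbook actually needs to key off.

```python
"""Activity-group clustering by TTP overlap, ignoring actor attribution.

Added example; all event data, TTP names and playbooks below are constructed.
"""
from itertools import combinations

# Constructed sample events. 'reported_actor' is the 'who' label attached by
# some external report; the grouping logic never reads it.
EVENTS = {
    "evt-1": {"ttps": {"spearphish-attachment", "macro-dropper",
                       "smb-credential-relay", "screenshot-capture"},
              "reported_actor": "APT-X"},
    "evt-2": {"ttps": {"spearphish-attachment", "macro-dropper",
                       "smb-credential-relay", "vpn-recon"},
              "reported_actor": "APT-X"},
    "evt-3": {"ttps": {"watering-hole", "trojanized-installer",
                       "ics-software-recon", "screenshot-capture"},
              "reported_actor": "APT-X"},
    "evt-4": {"ttps": {"watering-hole", "trojanized-installer",
                       "ics-software-recon"},
              "reported_actor": "unattributed"},
    "evt-5": {"ttps": {"web-shell", "sql-injection", "db-dump"},
              "reported_actor": "crimeware"},
}

# Constructed response playbooks, keyed by activity group rather than actor.
RESPONSE_PLAYBOOKS = {
    "AG-1": ["quarantine mail attachments", "reset relayed credentials",
             "hunt for SMB relay follow-on"],
    "AG-2": ["block watering-hole domains", "verify installer hashes",
             "review ICS-adjacent host access"],
    "AG-3": ["isolate web server", "rotate DB credentials"],
}


def jaccard(a, b):
    """Similarity of two TTP sets; 0.0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def cluster_activity_groups(events, threshold=0.5):
    """Single-linkage clustering: events whose TTP sets overlap at or above
    the threshold share an activity group. Actor labels are not consulted."""
    parent = {e: e for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(events, 2):
        if jaccard(events[a]["ttps"], events[b]["ttps"]) >= threshold:
            parent[find(a)] = find(b)

    members = {}
    for e in events:
        members.setdefault(find(e), []).append(e)
    # Name groups deterministically by their lowest event id.
    ordered = sorted(members.values(), key=min)
    return {f"AG-{i + 1}": sorted(m) for i, m in enumerate(ordered)}


def group_profiles(events, groups):
    """The TTPs common to every event in a group: the behaviors a playbook
    and detection logic should be built around."""
    return {name: set.intersection(*(events[e]["ttps"] for e in evts))
            for name, evts in groups.items()}


def actor_to_groups(events, groups):
    """Show how reported 'who' labels cut across behavior-defined groups."""
    out = {}
    for name, evts in groups.items():
        for e in evts:
            out.setdefault(events[e]["reported_actor"], set()).add(name)
    return out


def match_activity_group(observed_ttps, profiles, min_fraction=0.6):
    """Route a new event to the activity group whose defining TTPs it
    exhibits most completely; None if nothing clears the bar."""
    best, best_score = None, 0.0
    for name, profile in profiles.items():
        score = len(observed_ttps & profile) / len(profile)
        if score >= min_fraction and score > best_score:
            best, best_score = name, score
    return best


if __name__ == "__main__":
    groups = cluster_activity_groups(EVENTS)
    profiles = group_profiles(EVENTS, groups)
    print("activity groups:", groups)
    print("defining TTPs:", profiles)
    print("actor label -> groups:", actor_to_groups(EVENTS, groups))
    new_event = {"spearphish-attachment", "macro-dropper", "vpn-recon"}
    ag = match_activity_group(new_event, profiles)
    print("new event routed to", ag, "->", RESPONSE_PLAYBOOKS.get(ag))
```

Running it shows "APT-X" mapped to both AG-1 and AG-2, while AG-2 contains an "APT-X" event and an "unattributed" event side by side: the actor label neither separates the two behavior sets nor helps place the unattributed one. A new event is routed to a playbook by its defining TTPs alone, so the response does not change whether or not anyone ever settles the geopolitical question.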
To illustrate the above and why it matters, I will provide a couple of examples - including one where aggressive attribution for the sake of press coverage or other motives muddies the waters from a defense perspective. Specifically, I'll look into the Dragonfly 2.0 report released earlier in 2017 and the follow-on reporting related to it (most notably US-CERT's report) to show how multiple activity groups can be conflated, producing a confusing and unhelpful picture of the threat landscape for network defenders.
Following this discussion, attendees will have a more robust understanding of threat intelligence operations, the different types of attribution that threat intelligence work can produce, and why an activity group-focused approach is more useful to security operations than the alternatives. Attendees will be equipped to critically examine and, where necessary, challenge threat intelligence reporting, and will learn which details are most useful when applying threat intelligence data to security operations.