Technical Tuesday – 19 April 2011 – Stuxnet Redux: Malware Attribution & Lessons Learned by Tom Parker of Securicon
Recent incidents commonly thought to be linked to state-sponsored activities have given rise to much discussion over the reliability of technical analysis as a source for adversary attribution – specifically with regard to what is commonly termed the Advanced Persistent Threat (or APT). We now live in a world where the reverse engineering of a malicious binary, or the analysis of a compromised host, may very well play into a world-changing decision, such as whether a country should declare war on another – or indeed, whether it is no longer viable for a large, multinational corporation to continue doing business in a given part of the globe.
Of perhaps most note – Stuxnet has dominated much of the information security media since its public acknowledgment in June 2010. Multiple schools of thought have emerged, casting speculation over the identities of those responsible for the authorship and operationalization of what some suggest is the most advanced piece of malware observed in the public domain. Nation state? Organized crime? Disgruntled vendor employee? This talk will take a close look at what we really know about this mysterious culmination of bits, closely analyzing some of the popular hypotheses and identifying others which have perhaps not drawn as much momentum.
As a basis for our analysis, we will discuss in depth the merits and demerits of technical analysis, demonstrating ways in which various techniques, including static binary analysis and memory forensics, may be utilized to build a granular profile of the adversary, and where the same techniques may fall short. The presentation will discuss a detailed characterization matrix that can be leveraged to assess, and even automate the assessment of, multiple aspects of the adversary (such as motive, technical skill, and technological research resources) that may all play into the way in which we respond to an incident, or reposition ourselves to handle a specific threat over the long term.
Finally, we will review what lessons we can learn from Stuxnet – to further attribution-related research efforts, and ways in which we might adjust our security posture when it comes to protecting our nation's most critical assets.
Presented by: Tom Parker of Securicon
Tom Parker is the Director of Security Consulting Services at Securicon. Tom is recognized throughout the security industry for his research in multiple areas, including adversary profiling and software vulnerability research and analysis. Tom has published over four books on the topic of information security, including Cyber Adversary Characterization – Auditing the Hacker Mind, and is a contributor to the popular Stealing the Network series. Tom is a frequent speaker at conferences, including past appearances at Black Hat. Tom often lends his time to guest lecturing at universities and involvement in community research initiatives, and is often called upon to provide his expert opinion to mass media organizations, including BBC News, CNN, and online/print outlets such as The Register, Reuters News, Wired and Business Week.