At  least once a week a security researcher or vendor around the world issues a press release/blog trumpeting a new advanced persistent attack (APT), often attributing the incident to a nation-state.
These reports make great headlines — North Korea behind Sony attack! —  and sometimes are useful. But a Kaspersky Labs official has warned threat researchers they need to become more professional in their attributions. In short, security researchers have become intelligence brokers, so need to be wary of being used by smarter malware creators.
Juan Andrés Guerrero-Saade made the argument in a recently-released paper, which he talked about last week at the Virus Bulletin conference in Prague.
An example of his concern, Guerrero-Saade told SecurityWeek in an interview, is that threat actors can plant false evidence to throw investigators off track, like including code with strings in Russian and Romanian.
Guerrero-Saade believes the race to issue malware discoveries has become part of vendors’ marketing campaigns, and there is truth to that. Sometimes the purpose of issuing a report is to show a vendor, or individual security researcher, is a leader. That doesn’t negate the significance of the find. But Guerrero-Saade’s point is attribution has to be more carefully analyzed. In fact one point he makes is that PR and marketing departments should be pulled out of the loop when it comes time to decide what should be in a report and when it should be released.
“Our industry has yet to gain insights into the complicated playing fi eld of geopolitical intrigue it has set foot into,” he writes, “and as such has fallen into an identity crisis.”
In short, he accuses some security researchers of concluding ‘who else but a nation-state would want this information, ‘ when the potential buyers of stolen government data could include political opposition, private consulting and political analysts, government contractors, adversarial nation-states, as well as corporations, utilities, financial speculators and others.
So threat intelligence, he argues, has to be as carefully constructed and written as the intelligence reports from spy agencies. It’s an inexact science, Geurreo-Saade says, that like the work of IT security researchers involves gathering lots of data. But the reports of intelligence agencies include “strategic filtering.” A bit of that process in threat intelligence suppliers will benefit CISOs, he suggests.
A good CISO, of course, cares less about where a threat has come from than for actionable intelligence. But more ruthless scrutiny before threat reports are issued will help improve their usefulness.