Friday, 02 April 2021 07:10

Attribution not the most difficult part of sec research: Bitdefender VP

Daniel Clayton: "Good researchers do the analysis to separate the noise from the facts." (Image: Supplied)

Most people in the infosec industry are adamant that attribution is the most difficult part of the process, but Romanian security firm Bitdefender's Daniel Clayton is an exception. The vice-president of global services and support said this was not really the case.

"Researchers shy away from attribution because it is often impossible to be 100% certain," he told iTWire during a detailed interview.

"However, an intelligence comment by its very nature is a probability statement. When you speak to researchers, they are generally very confident about attribution, but when you read research papers and articles, they tend to be less concise."

Over 30 years, Clayton has been responsible for building and delivering global operations for the National Security Agency, the Government Communications Headquarters, Rackspace and Bitdefender.

He is responsible for Bitdefender’s global operations in support of customers, including the strategy, service delivery and oversight of Services and Support Operations, including the Security Operations Centre, Customer Success Operations and associated engineering functions.

He has an MS in Leadership and Management and a BA in Intelligence Management from City and Guilds (Royal Charter) in London, as well as a BA in Russian from the University of Westminster. He was interviewed by email.

iTWire: What is your definition of an APT (advanced persistent threat)?

Daniel Clayton: This is an increasingly loaded question today. In the past the definition of ‘an APT’ centered around the description of certain types of attack. Namely that they were very difficult to detect and that the attacker retained access to the network for an extended period. The implication being that these types of attacks required high levels of sophistication, requiring, in turn, significant resources which could only be brought to bear by nation states.

So advanced persistent threats and nation states became largely synonymous. In practice this is no longer true: stealthy attacks with significant longevity are routinely carried out by non-nation state actors. Today, it makes sense to separate the two.

In a paper he wrote some years ago, the well-known security researcher J.A. Guerrero Saade said: "The terms ‘APT’, ‘targeted attack’, ‘nation-state sponsored’, and even ‘cyber espionage’ are inaccurate and misrepresent the object of study, which is to say an espionage operation partially carried out with the use of malware." Do you agree with this? If not, why?

As a general statement in 2021, I don’t agree. Our understanding of the terms has evolved over time and researchers today are less likely to throw these terms around than they were five years ago.

In the past, higher levels of sophistication led researchers to default to the phrases mentioned, the inference being that if any one of them was true, all of them were true. "It's sophisticated, so it must be persistent. It's persistent, so it must be a nation-state. It's a nation-state, so it must be espionage." Serious intelligence professionals don't make this mistake today.

All attacks that are attributed to so-called APTs are always said to originate from four countries that also, coincidentally, happen to be the enemies of the US – China, Russia, North Korea and Iran. A journalist tends to get a bit sceptical about this. Your comment?

All our realities are rooted in our perspectives. China, Russia, North Korea and Iran are all considered "threats" by the US (the West) in any context, not just cyber; that they have the resources to be advanced and persistent on the cyber battlefield is axiomatic.

This same conversation is probably being had in Asia, or Russia between a journalist and a cyber intelligence professional with an equally well justified, but entirely different four nations listed in the question above.

These days, it looks like a security firm always needs some kind of collaboration with an intelligence agency in order to provide information that will catch the attention of the media - which seems to be the whole idea of the game. What is your comment about this?

If an agency like the FBI or Interpol gets involved, the media tends to pay close attention because it usually means a severe threat with wide implications is in progress… so take heed to protect yourself or your organisation (much like a weather alert that a storm is imminent). It helps add immediate credibility to new threats and research. If an intelligence agency cares… so should you.

National intelligence agencies have controls around things like source-reliability and have collection capabilities that civilian organisations cannot rival. So, if a national agency is paying attention, we can assume the work to validate has (to some degree at least) been done.

A CIA-sponsored "think-tank", Recorded Future, has now set up a media outlet known as The Record for disseminating technology news. Does this not increase the possibility of misinformation being spread?

Not really; researchers have been dealing with open-source reporting and "disinformation" for a long time, and serious intelligence professionals pay attention to sources and source reliability.

Good researchers do the analysis to separate the noise from the facts. What is true is that not everyone will do that work before spreading the information. But that has always been the case.

You mentioned that one topic you would outline was how APTs choose their targets. Go ahead.

It depends what we’re talking about when we talk about the APT. If we’re talking about nation states, targets are driven by national level intelligence requirements, which are a set of questions that the government has deemed critical to decision-making.

How those intelligence requirements are answered depends largely on where the information is available, and governments will use multiple techniques to collect. Signals intelligence (SIGINT), the collection of electronic transmissions, and human intelligence (HUMINT), the collection of information from human sources, are the most common, especially in the context of espionage.

Nowadays, the availability of data makes cyber a very effective collection capability, and the interconnected nature of government and the commercial sector, through contracts, partnerships and supply chains, provides the APT with many targets that may be a weak link providing an entry point to a target network.

Again, you mentioned that you would like to offer some clues on the top ways that APTs gain a foothold in an environment. Once again, go ahead.

As technology stacks and security teams get better at identifying anomalous activity, bad actors are becoming better and better at "living off the land", meaning they are learning how to use the tools that are already on the network and already part of the network's baseline.

Endpoint technology focuses on a system of behavioural scoring which requires a threshold of activity on a single resource to be met. We’re now seeing attackers break down their activities across multiple resources in order to stay below the activity threshold that a technology platform may need in order to detect.

The combination of OCTUPUS and KOADIC (KOCTUPUS) in the recent Pysa attack is a good example of an attacker intentionally using two resources to execute in order to avoid meeting the threshold for detection on a single resource.

What are the steps organisations can take to detect and recover from most common attacks?

There is a lot of information out there on steps that companies can take to detect and recover from common attacks. In summary, I would say the following:

  • Understand your own threat landscape and build relevant capabilities that protect you from those threats.
  • Be proactive. Over-reliance on technology has punched many companies in the face over the last few years. Assume compromise, understand what compromise may look like in any given circumstance and go look for it. If you don’t have detection and response capabilities, work with a security partner who does.
  • Do the basics well. Modern security programs are complex, but we can reduce the noise by doing the basics effectively. Ensure your tools are up to date with the most recent IOCs, IOAs and signatures. Understand your own network, develop a detailed view of what normal looks like and develop capabilities that enable you to spot anomalies quickly.
  • In terms of recovery, my advice is focus on rapid detection and response. The further to the left of the kill-chain we interdict the attacker, the easier and cheaper it is to recover and the more you are able to avoid business impact.
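Two of Clayton's points above lend themselves to a concrete illustration: the per-resource scoring threshold that attackers stay below by spreading activity across hosts, and the advice to know what "normal" looks like so anomalies can be correlated quickly. The following is an added example written for this page, not code from the interview, from Bitdefender or from any product. The behaviour weights, the alert threshold, the 30-minute window, the use of the initiating account as the correlation key and every telemetry record are constructed assumptions chosen to show the mechanism.

```python
"""Per-host behavioural scoring versus cross-host correlation.

Constructed example: a scorer that sums behaviour weights per host and
alerts at a fixed threshold, beside a second pass that groups the same
low-scoring events by the initiating account within a time window and
sums them across hosts. Weights, threshold, window and the sample
events are all made up for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed per-behaviour weights; a real platform has many more kinds.
WEIGHTS = {
    "lolbin_exec": 30,       # signed OS tool run in an unusual way
    "remote_service": 30,    # service created on another host
    "cred_access": 40,       # credential material read
    "archive_staging": 25,   # data bundled for collection
}
HOST_THRESHOLD = 60          # constructed per-host alert threshold

# Constructed telemetry: one account touching three hosts in a few
# minutes, each host seeing a single low-weight behaviour, plus one
# unrelated event from a different user later in the day.
EVENTS = [
    {"ts": "2021-03-30T02:10:00", "host": "ws-01", "user": "svc_backup", "kind": "lolbin_exec"},
    {"ts": "2021-03-30T02:12:00", "host": "ws-02", "user": "svc_backup", "kind": "remote_service"},
    {"ts": "2021-03-30T02:15:00", "host": "fs-01", "user": "svc_backup", "kind": "archive_staging"},
    {"ts": "2021-03-30T09:00:00", "host": "ws-07", "user": "alice", "kind": "lolbin_exec"},
]


def score_per_host(events):
    """Sum weights per host: the view a single-resource scorer has."""
    scores = defaultdict(int)
    for e in events:
        scores[e["host"]] += WEIGHTS[e["kind"]]
    return dict(scores)


def host_alerts(events, threshold=HOST_THRESHOLD):
    """Hosts whose own score reaches the threshold (sorted list)."""
    return sorted(h for h, s in score_per_host(events).items() if s >= threshold)


def correlated_alerts(events, threshold=HOST_THRESHOLD, window=timedelta(minutes=30)):
    """Group events by initiating account within a sliding window and sum
    weights across hosts. Returns (user, hosts, score) tuples for groups
    that span more than one host and reach the threshold."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            t0 = datetime.fromisoformat(start["ts"])
            cluster = [e for e in evs[i:]
                       if datetime.fromisoformat(e["ts"]) - t0 <= window]
            score = sum(WEIGHTS[e["kind"]] for e in cluster)
            hosts = sorted({e["host"] for e in cluster})
            if score >= threshold and len(hosts) > 1:
                alerts.append((user, tuple(hosts), score))
                break  # one alert per account is enough for this demo
    return alerts


if __name__ == "__main__":
    print("per-host scores:", score_per_host(EVENTS))
    print("per-host alerts:", host_alerts(EVENTS))
    print("correlated alerts:", correlated_alerts(EVENTS))
```

Run as written, no host crosses the threshold on its own, while the account-level pass groups the three hosts into one alert. The correlation key is the point of the exercise: any field that ties the pieces together (account, source address, session id) will do, and the right one depends on what "normal" looks like in your own environment.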

Would you agree that attribution is the most difficult part of infosec research?

Not really. Researchers shy away from attribution because it is often impossible to be 100% certain. However, an intelligence comment by its very nature is a probability statement. When you speak to researchers, they are generally very confident about attribution, but when you read research papers and articles, they tend to be less concise.

If so, how do many companies attribute attacks to this nation or that with pinpoint accuracy, while at the same time saying the attacks were sophisticated and carried out by people with unlimited resources?

Again, [it is a] probability statement rather than pinpoint accuracy. Often you can see patterns in the execution of the attack, or the code that has been written, perhaps the target is a common one for a particular nation state. If the researcher can see a combination of these factors it will increase their confidence in attribution.

Of course the simple things are all obfuscated today and some nation states will copy the modus operandi of another, or reuse an evolved version of a previous attack, all of this sows seeds of doubt and will generally avoid public attribution.

Why is it that security firms fight shy of mentioning attacks carried out by the NSA? We hear plenty about other countries, but on the USA, everyone is tight-lipped?

Foreign researchers are much more likely to point fingers at the NSA, or any other government entity, than a US-based company or researcher. Remember, many serious researchers and intelligence professionals learned their trades in those government organisations. That internal knowledge, and the relationships that are often maintained, play a part in the tendency to focus more on external threats.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
