[Dailydave] "When you shoot at the king, you best not miss." (Allen)

Kristian Erik Hermansen kristian.hermansen at gmail.com
Mon Jun 20 11:43:51 EDT 2016


Disgruntled / former nation state actors seem like the riskiest entity,
regardless of who actually did it. But recall that DNC data was actually
hacked by Bernie inside staffers last year anyway so we know there were
multiple malicious actors over time. If non-technical staffers can "hack"
DNC data that easily, it is likely there were other significant remote
flaws that anyone else could penetrate, even by bored teenagers.

http://www.cnn.com/2015/12/18/politics/bernie-sanders-campaign-dnc-suspension/

"The internal warfare exploded after the DNC cut off Sanders from the
database and said the Vermont senator's presidential campaign exploited a
software error to improperly access confidential voter information
collected by Hillary Clinton's team." -- December, 2015

On Jun 20, 2016 7:06 AM, "the grugq" <thegrugq at gmail.com> wrote:

I love the scepticism; this is an excellent attitude to have with cyber
claims of attribution! So let's apply some analytic processes to the
problem, I’m sure they can help illuminate the situation.

What I’d love to see, from anyone, is an actual ACH matrix with some
options and the available data we have mapped out. Let's see what
hypothetical threat actors match against the available data. What are the
alternatives here? I’ve heard:

TA-1. a kid, or kids, in it for the lulz
TA-2. a false flag op by another FIS
TA-3. a FIS badly attributed by CrowdStrike
TA-4. the Russian intelligence services
TA-5. a Russian intelligence subcontractor for cyber ops gone rogue

Any others I’ve missed? There are a lot of variants of TA-1, so I’m
including all non-FIS autonomous threat actors (but please, if there is a
variant that merits special consideration, let's add them as a separate
possibility.)

There are three distinct operations that need to be covered by the actor.
Let's map those out:

Op-1. the DNC breach and exfil
    a. at least two threat actors on the network
    b. used tools, techniques and procedures associated with Russian APTs
    c. focused on political data exfil, not monetisation
       - no ransomware, exploitation of PII, banking/CC fraud, etc.
          * I’d bet the DNC would pay a _lot_ to a ransomware operator

Op-2. the "covert action" against the Democratic campaign
    a. analysis of “thousands” of documents
       - requires access to the take from Op-1
    b. requires some political savvy wrt document selection
       - political savvy requirement goes up if the documents were altered
    c. at least minimal planning wrt the release channel and the timing
       - wikileaks? the intercept? MSM? the pirate bay? dedicated website?
       - after Trump nomination, but before the election (obviously)
           * on the network for months, yet no docs leaked before WaPo article

Op-3. the guccifer2 claim of responsibility
    a. the supporting evidence
       - requires access to the take from Op-1
       - requires analytic and political skills from Op-2.a & Op-2.b
    b. subtle notes of Russian (too subtle for media to notice, but not for pros)
       - maybe deliberately inserted (threat actor is proficient in Russian)
       - or, “mistakes were made” (threat actor happens to be Russian speaking)
    c. deployed w/in < 24hrs of the WaPo story
       - complete absence of evidence of g2 before the WaPo article
    d. why guccifer2? another eastern european hacker’s name
       - other threat actors have used unique names for claims of
         responsibility (e.g. the Sony hack, hackers seeking fame, etc)

With the data that we have available to us, what are some potential actors,
or series of events w/ different actors, who would have the capability, the
intent and the opportunity to execute the above three operations?

Can someone show that Op-2 didn’t actually exist? Maybe no documents were
passed to wikileaks, and the selection of evidence for Op-3.a was basically
random? Would there be another way of providing evidence other than stolen
documents?

I am very honestly interested in hearing what suggestions people have.

As Mara pointed out, Op-2 would be an extremely risky move by Russia,
particularly at a politically sensitive time. That might be a motivation
for some entity who wants to damage (a subset of) Russian interests by
implicating them (see: TA-2, TA-5). Conversely, aiding Trump is in line with
(a subset of) Russian interests (see: TA-4, TA-5), although it is also
in line with other possible threat actors, e.g. 4chan’s alt-right community
(see: TA-1). There are a lot of possibilities here!

Let's apply some analytic rigour to our speculation and see what we can come
up with.

* Can we use the available data to eliminate any of the threat actors?
* What additional data would help eliminate any, and can we get it?

Intelligence analysts frequently have to work with a patchwork of data of
various levels of reliability. Which is precisely why these analytic
processes were developed. Now is the perfect time to use them to help sift
through what we know.

This is very exciting! Intelligence and cyber, making history, right before
our eyes!


—gq


ps. Maybe someone wants to start a Google Docs spreadsheet we can build an
ACH matrix on? Probably columns for threat actors, and rows for operations
and evidence would be most manageable.
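The ACH matrix proposed above, worked through as an added example (not code from the thread or from any participant): the hypotheses are the TA-n list, the evidence rows are drawn from the Op-n breakdown, and every C/I/N cell is a constructed placeholder judgment to be replaced by the analyst, not an assessment of what actually happened. Beyond Heuer's inconsistency count it also reports which evidence eliminates nobody and which judgments the ranking hinges on.

```python
"""Minimal Analysis of Competing Hypotheses (ACH) scorer for the thread's
TA-n hypotheses and Op-n evidence.  Every C/I/N cell is a CONSTRUCTED
placeholder judgment for illustration, not an attribution claim."""

HYPOTHESES = ["TA-1", "TA-2", "TA-3", "TA-4", "TA-5"]

# evidence -> rating per hypothesis: C consistent, I inconsistent, N neutral/unknown
MATRIX = {
    "Op-1.b Russian-APT TTPs": dict(zip(HYPOTHESES, "ICCCC")),
    "Op-1.c no monetisation": dict(zip(HYPOTHESES, "CCCCC")),
    "Op-2.b savvy doc selection": dict(zip(HYPOTHESES, "NCNCC")),
    "Op-2 risky for Russia": dict(zip(HYPOTHESES, "NCNIC")),
    "Op-3.c g2 claim <24h after WaPo": dict(zip(HYPOTHESES, "NCNCC")),
}


def inconsistency_scores(matrix, hypotheses=HYPOTHESES):
    """Heuer's core step: count the evidence each hypothesis is inconsistent
    with.  ACH tries to disprove, so more 'I' marks means a weaker hypothesis."""
    return {h: sum(1 for ratings in matrix.values() if ratings[h] == "I")
            for h in hypotheses}


def leaders(matrix, hypotheses=HYPOTHESES):
    """Hypotheses with the fewest inconsistencies (a ranking, not a proof)."""
    scores = inconsistency_scores(matrix, hypotheses)
    best = min(scores.values())
    return sorted(h for h, s in scores.items() if s == best)


def non_diagnostic(matrix):
    """Evidence rated identically for every hypothesis eliminates nobody,
    so it must not be what drives the conclusion."""
    return sorted(e for e, r in matrix.items() if len(set(r.values())) == 1)


def pivotal_evidence(matrix, hypotheses=HYPOTHESES):
    """Evidence whose removal changes the leading set: the judgments a
    deception or false-flag op would need to plant, so scrutinise them hardest."""
    base = leaders(matrix, hypotheses)
    return [e for e in matrix
            if leaders({k: v for k, v in matrix.items() if k != e}, hypotheses) != base]


if __name__ == "__main__":
    print("inconsistencies:", inconsistency_scores(MATRIX))
    print("leading:", leaders(MATRIX))
    print("non-diagnostic:", non_diagnostic(MATRIX))
    print("pivotal:", pivotal_evidence(MATRIX))
```

With the placeholder cells, the ranking rests on just two judgments (the TTP match and the risk-to-Russia reading), which is exactly where the false-flag question (TA-2) lives.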


> On 17 Jun 2016, at 23:39, Jeffrey Carr <greylogic.carr at gmail.com> wrote:
>
> I agree entirely, Allen. The market incentives are huge for a company to
> discover and report an attack attributed to a nation state, the bar for
> evidence is negligible, and there's really no way to disprove a claim. Even
> when someone involved in the attack pops up and says I did it, here's
> proof, and you're an idiot, that becomes a "disinformation operation" and
> again, there's no way to disprove that.
>
> Jeff
>
> ----------------------------------------------------------------------
>
> Date: Thu, 16 Jun 2016 21:28:42 -0400
> From: Allen <multimode1876 at gmail.com>
> To: Adam Shostack <adam at shostack.org>
> Cc: dailydave at lists.immunityinc.com
> Subject: Re: [Dailydave] "When you shoot at the king, you best not miss."
>
> | It's entirely possible that this is a disinformation campaign, or that
> attribution is hard, and Crowdstrike made a mistake
> |
>
> I'm inclined to believe that while attribution may be hard there are
> entirely too many market incentives to brand any given attack with one of
> the nation state animal totems.
>
> The fact that attribution is frequently derived from prior intelligence
> blended with the fact that all of the source data is confidential only
> lends itself to confirmation bias. A small attribution mistake by one
> vendor can really snowball.
>
> --
> Jeffrey Carr (jeffreycarr.com)
> CEO, Taia Global, Inc. (taiaglobal.com)
> Founder, Suits and Spooks (suitsandspooks.com)
> Author, "Inside Cyber Warfare: Mapping the Cyber Underworld" (O'Reilly Media, 2009, 2011)
>
>

_______________________________________________
Dailydave mailing list
Dailydave at lists.immunityinc.com
https://lists.immunityinc.com/mailman/listinfo/dailydave