by ipython 834 days ago
Attributions are about more than the code flow. You also need infrastructure to funnel exfiltrated data back to yourself.

As you can imagine, it’s harder to reuse someone else’s infrastructure. Easy to copy code patterns but you can’t exactly reuse domains, listening posts etc.


> Attributions are about more than the code flow. You also need infrastructure to funnel exfiltrated data back to yourself.

How is that even possible and how does it help? A computer is like a state machine where a minuscule amount of states are logged. When the state is gone the trace is gone. And you don't control the other involved computers anyway. And what good does accessing "exfiltrated data" do?

Take this wildly simplified example. You are the attacker. You already have access to internal systems at Microsoft.

Now you need to send the large amounts of data back to yourself, preferably without giving away your own location in the process. That’s the exfiltration phase of the cyber kill chain.

In order to do that, you’ve already established a set of listening posts and command/control sites across the internet. That’s your infrastructure. Setting that up in a pseudo-anonymous way is hard, so you don’t do it often and may need to reuse it for multiple targets.

It’s that infrastructure that is hard to replicate if you’re trying to “look like” another threat actor on the Internet.
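The linking step the comment above alludes to, as an added example that is not part of the original thread or any commenter's tooling: intrusions are pivoted on the command-and-control infrastructure observed during exfiltration, shared indicators are scored by how hard they are to fake (a shared C2 host counts for more than merely sitting in the same hosting ASN), and intrusions whose overlap clears a threshold are grouped as likely the same operator. All intrusion records, domains, addresses, contacts and ASNs below are constructed sample data, and the weights and threshold are assumptions chosen for illustration.

```python
"""Infrastructure-overlap pivoting across intrusion sets.

Added example, not from the thread. Every record below is constructed
sample data; the hosts, registrant contacts and ASNs are placeholders,
not real indicators.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample data: each intrusion lists the C2 infrastructure seen
# while data was being exfiltrated. Indicators are typed so that a shared
# registrant contact or hosting ASN counts for less than a shared C2 host.
INTRUSIONS = {
    "intrusion-A": {
        "c2_host": {"update-cdn.example", "203.0.113.10"},
        "registrant": {"ops-mail@example.net"},
        "asn": {"AS64500"},
    },
    "intrusion-B": {
        "c2_host": {"203.0.113.10", "files-sync.example"},
        "registrant": {"ops-mail@example.net"},
        "asn": {"AS64500"},
    },
    "intrusion-C": {  # reuses A's code patterns but stood up its own infra
        "c2_host": {"198.51.100.7"},
        "registrant": {"other@example.org"},
        "asn": {"AS64500"},  # same hosting provider only: a weak signal
    },
    "intrusion-D": {
        "c2_host": {"files-sync.example"},
        "registrant": {"privacy@registrar.example"},
        "asn": {"AS64501"},
    },
}

# Assumed weights per indicator type (illustrative, not a published scheme):
# a shared C2 host is a strong link, a shared registrant contact moderate,
# and sharing only a hosting ASN is weak because many actors use the same host.
WEIGHTS = {"c2_host": 3.0, "registrant": 2.0, "asn": 0.5}


def pairwise_overlap(intrusions=INTRUSIONS, weights=WEIGHTS):
    """Return {(a, b): (score, shared_indicators)} for every intrusion pair."""
    result = {}
    for a, b in combinations(sorted(intrusions), 2):
        score, shared = 0.0, {}
        for kind, weight in weights.items():
            common = intrusions[a].get(kind, set()) & intrusions[b].get(kind, set())
            if common:
                score += weight * len(common)
                shared[kind] = sorted(common)
        result[(a, b)] = (score, shared)
    return result


def cluster(intrusions=INTRUSIONS, weights=WEIGHTS, threshold=2.0):
    """Group intrusions with union-find over pairs whose score meets the threshold."""
    parent = {name: name for name in intrusions}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for (a, b), (score, _) in pairwise_overlap(intrusions, weights).items():
        if score >= threshold:
            parent[find(a)] = find(b)
    groups = defaultdict(list)
    for name in intrusions:
        groups[find(name)].append(name)
    return sorted(sorted(g) for g in groups.values())


def inverted_index(intrusions=INTRUSIONS):
    """Pivot table: (indicator type, value) -> intrusions it appeared in, for shared ones only."""
    idx = defaultdict(set)
    for name, kinds in intrusions.items():
        for kind, values in kinds.items():
            for value in values:
                idx[(kind, value)].add(name)
    return {k: sorted(v) for k, v in idx.items() if len(v) > 1}


if __name__ == "__main__":
    for pair, (score, shared) in pairwise_overlap().items():
        print(pair, score, shared)
    print(cluster())
```

With the sample data, A, B and D chain together through a shared C2 address and a shared domain even though no single indicator links all three, while C, which only shares a hosting ASN with the others, stays on its own: copying code patterns did not buy it the other operator's infrastructure. In practice the indicator types and weights come from what the investigating team can actually observe and corroborate (the comment's point about colo customer lists and middlebox traffic), not from a fixed table.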

What happens after the first node is hit? You more or less need to control the network stack around it to know where it in turn sends data. If the NSA or whatever do control virtually every network stack they can access politically, every lead will end in countries that do not comply, right?

If there is any world-wide N-to-N statistical analysis of eavesdropped nodes for reentry of the data, it should trivially be able to be defeated by buffering in the nodes.

I don't get how these things can be tracked at all, unless the hackers are quite incompetent.

You’re overstating the technical capabilities at scale and understating just basic investigation techniques.

“Buffering” absolutely happens for a variety of reasons.

Tracking down the money or owning the operations infrastructure of the hosting companies along the way can help. Try to expand past bits on the wire- people set this stuff up at the end of the day.

What does scale have to do with it? That is like saying I don't understand, because it is Big Data in the Cloud with Edge Computing. As I see it I just need one computer in Venezuela and the trail is gone.

There is a lot of hand waving from "security" folks. They are probably about as fraudulent as bullet forensics etc.

You’re doing your own hand waving. Why does a computer in Venezuela make the trail go cold? I could have an agent working for me passing me customer lists from Venezuelan colo facilities. Combine that with knowledge of known shell entities who also operate from other points of presence and I can make inferences. If I want I could then use offensive techniques to own the middlebox and enhance my confidence level by observing traffic/stored data on that machine.

Look I can’t summarize how threat actor attribution works in a hacker news comment. Does that mean the people who do it are quacks? Nope. I know people who do it, who build tools to help, and they are exceptionally sharp technical minds.

And I see you have casually dismissed an entire industry because you may not understand how someone could draw conclusions from imperfect data?

Hate to say it but this happens all day every day as human existence is filled with imperfect data. Not everything can be summarized in a neat mathematical form.

Does that mean you don’t try? I choose to try my best and continually improve methods. Otherwise what’s the point? Just give up because we can’t model human behavior and geopolitics as a pure functional state machine?