Recent incidents commonly thought to be linked to state sponsored activities have given rise to much discussion over the reliability of technical analysis as a source for adversary attribution - specifically in regards to what is commonly termed as the Advanced Persistent Threat (or APT). We now live in a world where the reverse engineering of a malicious binary, or analysis of a compromised host may very well play into a world-changing decision, such as whether a country should declare war on another - or indeed, whether it is no longer viable for a large, multinational corporation to continue doing business in a given part of the globe.
This talk will discuss in depth the merits and demerits of technical analysis; demonstrating ways in which various techniques including static binary analysis and memory forensics may be utilized to build a granular profile of the adversary, and where the same techniques may fall short. The presentation will discuss detailed characterization matrix that can be leveraged to assess and even automate assessment of multiple aspects of the adversary (such as motive, technical skill, technological research resources) that may all play into the way in which we respond to an incident, or reposition ourselves to handle a specific threat over in long term.