Hello, welcome to the Tuesday, May 30th, 2017 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Attributing attacks to particular actors is a difficult and often controversial task.

Often politics, for example, affects attribution to assign blame to a convenient

target or to attributed attack to an adversary powerful enough to explain the inevitability

of the breach. Nobody really ever wants to admit that they got hacked by a not very sophisticated attacker.

Pascal wrote a nice diary on Monday that introduces a more objective method to compare

different hypotheses when it comes to attribution.

This method known as analysis of competing hypotheses does recognize that definite attribution

is often impossible and it focuses really more on ruling out entities that are not responsible.

In my opinion, one of the main advantages of using this model is to make sure that you're not

getting locked in to an attribution decision by one particular

interesting and convincing piece of evidence, maybe a piece of code, maybe a string or a comment

in the code that you have seen before. But then again, you know, sometimes code is copied from one

actor to another. So to probably assign a blame,

you really have to avoid this. And this model forces you to look at all available evidence

and to properly assign weights to evidence based on how reliable the evidence is and the relevance

for each fact known about the attack.

And well, to make things a little bit more specific,

Pascal promised a second part to this particular diary

for later in the week,

and I believe he's planning to actually apply

...