Travis Farral & Greg Otto at Black Hat: Why Attributing NotPetya is a Tricky Endeavor

<p>NotPetya ransomware spread across Europe and North America, infecting several businesses in countries such as Denmark, France, Germany, India, Russia, Spain, Ukraine, North America and the United Kingdom.</p><p>In this video, Travis Farral, Director of Security Strategy at Anomali joins Greg Otto at Black Hat USA to discuss the difficulties in attributing attacks like NotPetya along with considerations organizations should take in protecting from supply chain attacks. </p><p>They also discuss the potential issues and implications of a “cyber Geneva convention”.</p>


Hello, everyone.

Welcome to CyberScoop TV, Greg Otto, your managing editor, here.

We're coming to you from the And I'm talking with Travis Farrall, the director of security strategy for Anomali.

Travis, thanks for joining us.

Of course, man, how are you doing?

Doing well.

So, one of the bigger attacks that we've seen in the past couple of weeks is the NotPetya attack in Ukraine.

And there's been a lot of talk about the attribution, a lot of people have said in ranges of confidence that Russia is responsible for that.

I would love to hear your thoughts on why the attribution behind that is so vague.

Right, well the thing about this is, if it is a nation state act that's behind it, such as Russia, they're not going to leave smoking gun stuff that says, yes, it was completely us.

This is nation state stuff.

But in the case of Russia, Putin's a big fan of leaving his calling card on these things, where you kind of knew it was him, like when he throws the journalist out the window.

Everybody knows that it was Putin that ordered it.

But it's never a way to finger it directly back to him, you know?

It's just how he operates.

And so if he's trying to use this to send a message to Ukraine-- there's still ongoing fighting, we had nine soldiers die just this last week, actually, in the fighting there.

So considering that, you have to temper what's going on geopolitically in the area to understand how you assign attribution, who are the actors that would fit all of the details that we know about the attack, and have the means, motive, and opportunity to do that.

And some folks have come out and said that Russia is the most likely candidate for this, whether it's directly related to the Russian state or somebody that's just sympathetic to Russian interests.

So on the technical side we know that this spread through an update to accounting software that's used in Ukraine.

How can organizations around the world guard their software supply chain so they know things like this won't happen in the future?

That's a really good question.

And the good thing about-- it's awful that things like NotPetya happen-- but one of the good things that come out of these things is that we always learn something.

In this case, we learned, oh my goodness, supply chains, our suppliers of software can be infected and thereby infect our environment and our ecosystem.

So I think just having that understanding is a great place to start.

But now I think it's on businesses to start putting some sort of checks and balances in there.

You know, if you've got an update box that it's always updating, why not isolate that?

So if anything happens this is the only box that gets infected.

Having measures in place to see what's normal for that traffic as it goes out and does its update checks.

If something changes, maybe you should quarantine that until somebody can check it out.

Maybe it was just something that they changed in their software.

But it could be something malicious as well.

So these are a couple of things to think about.

Back to the geopolitical aspect of this.

Do you think that, on a global stage, we'll ever get to a point where there are norms established when it comes to cyber attacks?

There's been some conversation that there needs to be something along the lines of the digital Geneva Convention to establish cyber norms.

But then other people say that we could do that but there's no guarantees that nation states like Russia or China would ever adhere to that.

So I'd love to your thoughts on that.

The trouble is with the problems around attribution, and that you can't say for sure that this entity did it or this actor did it, or whatever, because it's the internet.

It's an IP address.

And we have ways to mask that or make attacks look like they came from someplace that's actually been compromised or something.

When you're in that world you can come up with agreements.

But being able to enforce them is really the trick.

And the US government obviously has tools to be able to measure things and have more visibility into things that are happening and who maybe was behind something.

But they now have to burn those sources and methods in order to go out and call them out on it.

So it's kind of a catch-22.

So I think it's a valid thing to think about.

But I don't really know how that's going to work, to be honest.


Appreciate your insight, Travis.

Thanks for joining us.

Yea, absolutely.

Thanks, Greg.

For all of our videos, check out our YouTube channel.

And for more on Black Hat and all things cyber security, check out

I'm Greg Otto.

Thanks for watching.