Well, at least the idea for it. I didn't imagine I was bringing a seven-year-old with me. And of course, mommy never says bad words in front of a seven-year-old. So when mommy says bad word, cowbell. Do the cowbell. Bullshit. There we go. She can't hear. Amazing. And always having a cowbell is better than not having a cowbell. OK. Come on, clicker, work. Let's do some on-offs. No, it's not working. OK. Let's do it this way. OK, who is Sam? And why is she here? And why is John here? I've also got John on the end there. As well as a small child, I bring with me a blanket depicting a dead man, which is always important, I find. I've been doing security for too long and still learning. Exit me and give me money. That's good. We're all recovering imposters. And I'm not sure the recovering's working. But there we go. If you want me to play records, that's good. Just think about your choices before you ask me. I gave birth to that. She's pretty good. I love John McAfee. I brought him back to life. I've got a website. We might share that at the end. We love Formula One. Trinity, who's the best driver? Say it a bit louder. We're big Max fans in our house. We thought that would go down well. I hate liquorice. I know that's a bit of a Dutch thing. I hate polystyrene more. And I also help out with BSides Newcastle. So if you're ever in the area, or in fact, thank you, Nicky, or on the internet, because we do that too, please come and join us. And I'm on the Twitters because who isn't? OK, this is what I promised you. If you read the list of why you should be in this talk, maybe you're just here for a sit down, and that's fine too. As long as no one screams or cries or throws stuff, then I'll consider it a win. Who knows? So we're going to go through some of this stuff. There will be memes, there will be ranting, there will be cowbell, cowbell, cowbell. Thank you. You do it pretty well. OK, so this is how it started. GossiTheDog had said something. 
I can't remember what it was, but basically I said attribution is cowbell, cowbell, bullshit. Thank you. And Daniel Gordon said to me, is there a way I could convince you otherwise? And there is one answer to this always, right? The answer is cake. But here I stand, cake-less, in front of you in a lovely, lovely set of fields here in the Netherlands. And I don't have a cake. So we can consider from this attribution is indeed cowbell. Bullshit. Thank you. OK, that's not going to get annoying at all, I promise. So here we go. Attribution. Thank you for coming to my TED Talk. It's very easy, and you just blame Canada. Good? All right, we're done here. Thanks for coming. And then there's this, right? This is very easy attribution. If in doubt, blame Anonymous. That works. Dead easy. Attribution's fine. You can bring the cowbell. Just bring the cowbell. Anonymous. There we go. So here's the thing, though. We want to find blame. We like blame. I asked Trinity this morning, is it OK? Imagine if you're in the playground, someone comes up behind you, and they push you really hard, and you fall over, and you cut your knee, and it's bleeding. What's more important, tending to your knee or finding out who pushed you over? And her immediate answer was, find out who pushed me over. But you're bleeding. She's like, oh, yeah. It's instilled to us at a young age that we want to blame something, someone. We want to know why who. Why has this happened to us? Why am I bleeding? When we talked about stopping the bleeding, and we might never know who pushed you over, the bleeding becomes more important, doesn't it? Yeah. So you're not wrong, but it's still cowbell. Anyway, great article here if you want to read more about this, but we do like to look for simple answers. We want to find blame. It's just built in us, even for seven-year-olds who are happy to bleed in the answer to know who pushed me. Here are some thoughts on attribution. Our lovely friend, Sun Tzu Cyber, is in agreement. 
So that's good. Who here likes games with dice that have more than six sides? Some of you do. I know you do. My husband does. It's fine. We don't talk about it. It's his thing. I like Formula One. He likes dice with more than six sides. And it's hard. So I run this very, very technical scientific test here that got, eventually, got 18 votes. But for reasons that are important, I had to take the screenshot at this point. I think it ended up like 44% of my 18 respondents, science, said that it was vital to their work, vital. No one explained why other than they liked to find somebody to blame. That was as close as we got to why it's important. A lot of folks responded to me on Twitter because I asked a similar question, but it is indeed cowbell. Cowbell. Bullshit. And is it bullshit because it's hard? Or is it bullshit because actually, is it gonna really help us see what we think? But this is also true. We love a hot take. I love a hot take. It's very easy to come out here and just say something sweeping, like attribution is bullshit. Without really doing a lot of research, 18 people does not constitute research in my mind either, so let's not call that science anymore. And it's not just a cyber problem. This beautiful man here, this is a sculpture that was in the Getty Museum in Los Angeles for about 10 years. And it was attributed to Gauguin because they found, when they were putting this, they found this statue, they found some pictures by Gauguin that he'd done of this statue and therefore decided that he might as well have done this as well because he's got some pictures of it, so probably that'll do. But it turned out that the plinth that it was on was a bit weird. It wasn't really Gauguin-y, apparently. I don't know what a Gauguin plinth looks like, but apparently not. There was no signature. So somebody decided they should maybe look into this a little further. Did Gauguin really do this statue? Turns out probably not. 
He was swanning around somewhere out in the Pacific being Gauguin doing some art. And he met up with a guy there who'd taken a photo of this a year before he met Gauguin. And he gave Gauguin a picture. So we can pretty much guess, although maybe nobody's carbon-dated the picture and even that's fraught with a few errors, this probably isn't, but it sat there for 10 years. It toured loads of art galleries being this Gauguin statue. And it's not, probably. We still don't know. So it's not just us. I'd like to take this moment now to let you all know I did not poison Louise Honey. Does anyone here know Louise Honey? No, good, she's not dead for the record. I didn't poison her. Cover your ears for this. And we didn't poison anyone, I promise you. So this is another attribution issue. This is personal. At school, I was pulled out of a lesson and nearly expelled for poisoning Louise Honey. Has anyone here been expelled from school for poisoning anyone? Still no. I thought we'd have one person, come on. What had happened was, there's this stuff you can get to put in your fingernails when you're a kid to stop you from biting your nails or sucking a thumb. It's called Stop 'n Grow. I don't know if you have it in the Netherlands. Tastes disgusting. It goes in the mouths of children. Ergo, it is not poison. So let's just be clear on that for a second. My friend Amy decided that we should put some of this on Louise Honey's cup for a joke. So we did. Except when I was holding the bottle and she's posting it around the cup, she got my handle and loads of it fell in the drink. And then she went to the teacher and went, Sam poisoned Louise Honey. So now we've got a situation where the threat intel is wrong. The attribution is wildly unfair and I did not poison Louise Honey and my mum still wouldn't believe me, even though I was going through the scientific parts of why this can't be poison. And that ruined my education. No, it didn't. 
But I didn't get expelled, but it was a little bit hectic. So for the record, this never happened. Okay, so we know I didn't poison anybody. I want you to play a game now with me. I want you to pretend you're a government. Pick a country, any country, not New Zealand, everyone likes them. Probably not Canada. We can blame them for everything. Okay, so you're a government. When does attribution work for you? Your government, you've got satellites, you've got an army probably, navy, maybe an air force, all those good things. You've got loads of agencies working for you. Attribution might be useful. Some of the agencies kind of like attribution, something they do, a lot of. There's a lot of them working at the agencies. Is anyone here actually a government? Hands up. No, see, we're not governments. Attribution is bullshit. I did learn the Dutch word for attribution, by the way. I think it's attribut-see. There's the Dutch word for cowbell. Bullshit is the same word as it is in English. So that was no help to me. I couldn't disguise my terrible words. That's why we've got a cowbell. Do you? No, I've got nothing. So here's the thing, even governments or agencies, they can take years to attribute. This is a horrible story. This guy is now a convicted Nazi for working in concentration camps. 76 years it took for this guy to be sent to prison. And they're a government. It takes a long time. So this may be a slightly less terrifying story, but still, a friend of mine, when we were chatting through this talk, said to me the other day attribution is not a headline. So now it's a headline. But here we go. Anthem. They were famously hacked in 2015. It took about four years for the US government to decide to indict two Chinese researchers, professional hackers, call them what you like, cyber criminals, bad guys, whatever, whatever. So bad usage of the word hackers there. But still, four years to indict them. And still, they don't know why. 
Other than the obvious, money and stuff. Which is why anybody hacks anything, right? Money and stuff. But it took a long time. But here we go. I think this is very true of attribution. The best attribution still is disputed. It can be flawed. It can be the Gauguin situation. And even when you're sharing it, why is it you want to blame somebody? What is it you get back from that? I love the fact the music's really loud over there as well. That's super cool. Should we just go over there? We'll get through this. How long we got? It's fine. And then you can go over there and get drunk. We'll stay here and get drunk. Do you like? Okay, let's talk about threat intel. So threat intelligence can be useful. And I know threat intelligence is not attribution. One can lead to the other, yada, yada, yada. But standing with good threat intelligence, that's a good thing. There can be bad threat intelligence. But if you're trying to educate people, the government, your bosses, your boss's bosses, people who will run at you with a news article and say, oh my God, this bad thing's happened. What are we doing about it? Helping them understand better about your risk of an APT group coming in to actually hack you, whether or not a nation state will come for you, how frequently that might happen. They're either gonna fall into the camp with a super paranoid and blaming Canada slash the Chinese for everything, or they're like, we're only a small organization. Who's gonna bother with us? And neither of those are necessarily right. You need to dig a little bit more deeper. You need to look at your threat profile. You need to understand a lot more about your verticals, there's a lot of reading that goes on. But educating them in terms that they understand, that's the easy bit, right? About what your risk is, how easily can you be attacked and what do you have that's of interest to someone who's gonna attack you? That's a really good start. 
Top tip, don't decide that you wanna do a CTI program when you're in the middle of an incident. I found that works really badly. So let's not do that. But we need the usual stuff. It's like anything we build in cybersecurity. Running off to the end goal without kind of thinking through this stuff is not good. We need those things. We need to have the business level requirements. We need to have decent reports, feedback loops. We need to be able to tell stories with threat intel. Not I have got seven of these things and eight of those. Communicating out your threat intel program has to be something that works for your organization, not a bunch of beans that you counted and graph goes up, graph goes down. APCs. What do you already know? Hopefully you do know something. What are your risks? Where are your risks? What happened the last time you got pwned and the time before that and the time before that? Who loves an RCA? Sam loves RCAs. I actually do. It's like watching a really slow car crash again and again and everyone blaming each other. Good RCAs though, don't have to be like that. Root cause analysis can be fun, TM. You all right, Trinity? Good. Trinity's never lived through an RCA. Oh, the innocent. What could go wrong? What did we learn last time? What don't we know? That's always quite a good place to look at as well. If you wanna get to attribution, if you really do wanna do it, throwing a load of stuff into a TIP is not going to get you there. A lovely story, whilst doing some more scientific research on the internet from someone who decided that they'd found the Chinese and the North Koreans working together, they just got this brand new TIP, put some information into it and they're like, oh my God, we found, look, this is amazing. This is collaborations going on here. 
And it turns out they'd left some contact information in one of the headers from a different issue from North Korea, put the two things together, sent a report up to their bosses and said like, hey, aren't we clever, look what we found. About four hours later when these two things aren't actually related to each other, there's a lot of human error that we can do here. TIPs are good. You need to feed them. You also need to make sure that you know what you're doing with the data you've got. And there is good intel and bad intel out there. I met Marcus in Vegas and bought him a drink. So this is a true story. He remembers WannaCry. He doesn't wanna admit to one thing. Yeah, it was still there. So WannaCry, Marcus did his cool stuff. He registered this domain to see what would happen and became kind of an anti-hero, superhero, just through being curious, then got in a load of trouble for other things. But registered this. And there was another sinkhole as well as part of WannaCry. And because bad things from the bad malware is bad, m'kay, ISPs started blocking this domain. Great plan, except this was a sinkhole. If the malware could connect up to this domain, it would not run WannaCry. If your ISP has now blocked this savior, you've now got WannaCry. So whilst he saved a bunch of people, there were also a bunch of ISPs that tried to reverse that because they saw intel and decided malware URL is bad. Malware URL is not always bad. Often is, sometimes isn't. Bad threat intel makes me wanna cry. She's still good. That music does sound really good, not gonna lie. Okay, attribution is distraction and disturbance or a total cowbell disaster. So this is back to our blame. This is back to Trinity being pushed over wanting to know why, and we want to blame things. We wanna blame somebody because here's what happens, right? We all know this. Bad thing happens in the organization. Attacker comes in, malware outbreak. Can't answer a question. Security team's fault. 
It's always our fault. Our fault more of the time than it's not. It's not the fact that nobody's invested in our program. We haven't had the budget that we need. We haven't got the tooling that we want. We're struggling to hire people, all the stuff that we would like to moan about. It's our fault when stuff goes wrong. So what do we need? We need to be able to attribute so we can say it was the Chinese. That's helpful. What could we have done? But flippancy aside, it's more than that. If you can get your threat intelligence program right and be able to educate the people above you and around you and the people that hold the purse strings, this becomes less of an issue. We don't necessarily need someone to blame. We're able to tell stories and explain what we're doing a lot better than rather than going, oh my God, it's happened again. Who do we blame? The cowbell? Chinese. Right, thank you. This is true. I used to work in incident response. If you look at my LinkedIn now, I also work in marketing now. There's a reason for that. You can go, Mark, this is obvious. Incident response. Product marketing, because you're fed up of incident response. Product management. Product marketing, because you get fed up of your career and career plans. And then you end up doing marketing and also helping people understand things that can go wrong. This is my boss, Steve, who also works in the security strategy team. This, unless you are a government, and to be honest, at that point, you should have figured out some of this who it might be beforehand. You need to know what's happening, when it's happening, and where it's happening to be able to do something about it. Who did it and why they did it can come afterwards if it matters at all. Okay, quick hands up. Who's been in the middle of an investigation and someone comes running up to you to tell you what they think the problem was? Yes. I love it. It's my favorite working thing. 
When someone comes running over and goes, yeah, but it was China. Just go away. It's like, you're not helping me here. I'm glad you have an opinion. Thanks for playing. Please go and take it somewhere else, out of the building. Hands up if it's happening to you more than once. Yeah, still. Stop telling me it's China. I don't care. At this moment, I'm not government. And here's where things get really interesting. Cyber insurance companies now are saying they won't pay out if they think it was a state, a nation state attack because that is an act of war, my friends. So chances are, you can do your lovely attribution, you can come out to the press and say, oh, we've got it. It was China slash Russia slash North Korea, probably Canada. And now your cyber insurance won't pay out. Amazing. So, because of that, should we not try to attribute? What if they find that anyway? What if they send somebody in? This is where insurance is horrible and insurance people are the worst, people on the planet. If anything, let's blame insurance people. All right. But ranting aside, all of us only have so much time in the day. None of us have 357 million people working in our security teams. What is the best use of our time? Is it running to the end and trying to attribute? Or is it finding out what the hell's going on, solving that, figuring out why that happens and improving things so that maybe next time it might be better? For me, that works better. If you want to go attribute in your spare time, I totally do that if you want, right? Cool stuff. Sometimes you can end up down a rabbit hole where you might be prodded in the wrong places. Again, does it matter? Are there better things you could be doing than attribution? I would say yes. And remember, I still don't have a cake. So when that cake turns up one day, I might change my mind. It's okay. So hopefully you've decided that attribution is amazing and Sam's full of cowbell. And you want to go and progress this. Thank you. 
She's tired. We're all tired. It's been a long day. Okay, so maybe today is, maybe you're seven years old and you're here with a cowbell and an iPad and don't care anymore. You want to do some threat intel. Okay, so you watch one YouTube video and then that's it. You are certified, my friends. It's dead easy. Obviously, SANS will give you anything you like for money. Any SANS instructors in the room. I can't see your hands. No good. Okay, SANS are pretty cool. I don't hate SANS at all. If your company will pay for it, you've got loads of money, whatever, whatever. SANS is frickin' awesome. They'll do stuff for free as well. I like free. It is a good thing. Tons and tons and tons of resources here. Ones I just want to call out. Mandiant have got a bunch of awesome free courses. Now given they're a business, I like free. They're really, really good. Sometimes some of these organizations will give you a membership for free if you catch them right. It might be whatever it is, Black Friday or Makeup of the Day, Gold Tuesday, Banana Thursday, a reason for having free stuff. Just keep an eye out. There are times when you'll get free options for some of these memberships. Or your work might pay for it as well, so that's kind of cool. Cyber Threat Alliance's got some good stuff. There's a couple of blogs here that I really like. So if you want to check out Katie's Five Cents, that's really easy to remember than Scott Roberts's CTI reading list, A-9-3-C-C-D-D-7-4-6-9-C. I'll make the slides available though. Those are on the live stream. Hopefully you can see that. So we're pretty much at the end. The music is playing. The night is getting darker. Cowbell. No, she doesn't care anymore. Trinity's given up. You there? Nice one. She's going to bed soon. So am I. Okay, so some closing thoughts on this cowbell-esque situation. You've stopped now. Do it again. Thanks. Okay, I still think that attribution is often cowbell. Thank you, bullshit. 
Unless you're a government, we all like to be a government. You might be Europol. Been in play, but let's pretend to be Europol. That's a whole different talk. And none of us are a cyber insurance company, I hope. At least we wouldn't admit to it. Threat intelligence is not buying a TIP, chucking stuff in it and expecting it to work. Museums can be wrong. That breaks my heart to say this, but they can be wrong too. Literally nobody poisons Louise Honey. Nobody. Choice is an illusion. The cake is a cowbell lie. Oops, there we go. All right, we've got to the end. Thank you for playing. I'm around tomorrow and the next day with my child, who I might throw away at some point. Love to chat to you folks. Well, thank you for sitting through this. It's really dark and I can't see if there's like two people left in here. You might have all gone. And I wouldn't know. So that's good. Stay in touch. Please bring me a cake. If anyone's got cake on them now, that's good. I like cake. Look at me. But yeah, there's the LinkedIn's and the stuff from the Twitters. And Trinity, you've been an amazing cowbeller. Round of applause, Trinity. That's awesome. Big round of applause for Sam as well. Thank you so much. Thank you.