The Art of Attribution: Identifying and Pursuing your Cyber Adversaries
2014-04-21 • CrowdStrike
CrowdStrike's RSA Conference deck frames cyber defense as an adversary-attribution problem rather than only a malware problem. It lists multiple named actor clusters by country and sector focus, including North Korea's Silent Chollima targeting government, military, and financial organizations. For Silent Chollima, the deck describes an operational window from May 2011 onward, objectives including propaganda, disinformation, and disruption, and targets such as financial institutions, media/news organizations, and social-network platforms. The presentation highlights attribution signals such as resource language, time zones, build times, C2 check-in times, strings, mutex names, domain registration, IP ownership, code style, and broader tradecraft, but it does not provide hashes, IPs, domains, or URLs as actionable IOCs.