Cb Connect 2018 | Power of You | Register Now


When It Comes to Attack Attribution, the Physical and Cyber Worlds Differ Greatly

Nation State Attack Attribution Cyber Crime
Rick McElroy
December 28, 2016 / Rick McElroy

My wife is a dental hygienist and a self admitted “non-techy.” She grabbed me the other day and said: “Did you see they were talking about hacking and Russia on CNN?” She had questions…lots of them. It struck me that attribution in the real world is easy for most people to understand but in the cyber world it becomes much harder. Often, the results aren’t seen and, many times, there is no tape to “rewind.” This leads to questions about methods, accuracy and, ultimately, trust.

In the real world, attribution occurs on a regular basis. Let’s take the example of a crew of criminals that knocks over banks. This is a good crew. They have been pulling jobs for 10 years now. They know each other and know the routines and response time of responders. They are patient. They wait. They watch until the time is right and then they walk in the bank and rob it. This is a “job” to them. They are pros and they are good.

They enter the bank and exit with money. There are witnesses. There is almost always a video (or multiple videos) of the event. The criminals stick to their known routine. They know exactly how long it will take the police to respond. They know the alarms and how they are triggered. They execute their plan methodically and perfectly. They get away with the money.

Investigators show up and build a timeline. They interview witnesses. They pull the tape. They gather evidence. The good crews may be able to minimize the evidence, but there is almost always evidence. If you talk to any detective or FBI agent they will tell you the criminals make mistakes all the time.

In the physical world, we are very good at attribution. We can catch and prosecute criminals. So why can’t we “attribute” when it comes to nation-state hacking?

The order of events above are very similar to the tactics, techniques, and procedures used by nation-state actors. They differ in that they are motivated differently than typical cyber criminals and hackers. These are not the hackers of Hollywood. These are intelligence agents equiped with 0-days instead of guns. Instead of intercepting mail, they intercept data. Some of the tactics remain the same. Reconnaissance is the biggest one.

The more data hackers can gather, the more they know about the target and the easier the job becomes. Because nation-state attackers are professionals motivated to gather intelligence and/or participate in disinformation and destabilization campaigns, we cannot assign the same motivations to these groups as we do with “regular” cyber criminals. They are playing a bigger game than robbing the bank. They are playing chess while “regular” cyber criminals are playing checkers.

These operations contribute to larger Psychological operations (PSYOPs)  instead of, say, hacking for profit.

Psychological operations (PSYOP) are planned operations to convey selected information and indicators to audiences to influence their emotions, motives, and objective reasoning, and ultimately the behavior of governments, organizations, groups, and individuals.”

In a perfect world, you would already be recording the events on the system with Cb Response or Cb Defense prior to attackers hitting your systems. This was the case with some high-profile nation-state attacks. EDR tools were deployed and attackers’ tactics, techniques and procedures were recorded. This data was then fused with other data such as previous hacks, human intelligence, signals intelligence and, in some cases, confidential informants.

Of course, some of the sources of this data must remain secret. You can’t just hop onto Fox News and say: “Here’s the human eyewitness to the crime.” With cyber crimes visibility and forensics data become the eyewitnesses. And, much like in the real world, bad guys use the same MO all the time. They work in the same ways. They reuse code and leave evidence. All of this is gathered and fused. This data is then sent to various agencies to be confirmed. Once there is a consensus, reports are released.

Yes, cyber attribution requires trust. It requires us to trust the folks who worked the breach and the agents and people involved in the investigation. Ultimately, this requires trust in our leaders.

If we accept cyber-investigation data for criminal prosecution then we must also accept the same methods when it comes to nation-state attribution. Yes, it’s dangerous to attribute things incorrectly but that’s why multiple groups and agencies weigh in before a conclusion is drawn. We have to trust in the findings and start hardening ourselves against these types of attack rather than arguing about the results.

Everyone needs to be better educated on the methods used to attribute attacks so we can quickly and decisively react in the future. This isn’t going away and we better start to act to restore trust in our system.

We are on the clock. We’ve got two (and four) years to make progress on this. Let’s stop arguing and start securing.

TAGS: attribution / Carbon Black / nation-state attack