Attribution, and when you should care: Part 1

Attribution, and when you should care: Part 1

It’s not China. Unless it is. Or maybe it’s a 400 lb hacker in their basement. Unlikely. Who can tell who does anything on the Internet and why do we care anyway? Attribution is the practice of taking forensic artifacts of a cyber attack and matching them to known threats against targets with a profile matching your organization. If this seems overly complicated, that is intentional. There are degrees of attribution that map to very specific contexts and painting over that context with a simplistic reading accomplishes very little other than frightening decision makers into unnecessary expenditures.  Attribution is something we should care about. Not because successful attribution will cause the authorities to paradrop into hostile territory to neutralize our enemies, but because it is a way of checking the assumptions of our threat model against the real world and revise those assumptions accordingly.  (You have a threat model, right? If not, start here .) If we’re going to take a look at what cyber attack attribution is, it might be helpful to look at what it is not.

gavel

Attribution is not a smoking gun that will hold up in a court of law. Even in sensational pieces like Crowdstrike’s ‘hatribution’, they could not prove the individual had hands on the keyboard at the time of an attack, nor could they provide concrete evidence that even if he did, he was doing so at the direction of the Chinese government. Mandiant made a considerably stronger case by bolstering their technical analysis with open source intelligence, but they too lacked the key piece of tying the motivations of an individual to those of a country at large. Unless you are the NSA, attempting to establish that link is a waste of time and resources 10 of 10 times – especially if you’re dealing with a common one-off phishing wave rather than a sustained state sponsored infiltration.

Attribution is not a smoking gun that will hold up in a court of law. Even in sensational pieces like Crowdstrike’s ‘hatribution’, they could not prove the individual had hands on the keyboard at the time of an attack, nor could they provide concrete evidence that even if he did, he was doing so at the direction of the Chinese government. Mandiant made a considerably stronger case by bolstering their technical analysis with open source intelligence, but they too lacked the key piece of tying the motivations of an individual to those of a country at large. Unless you are the NSA, attempting to establish that link is a waste of time and resources 10 of 10 times – especially if you’re dealing with a common one-off phishing wave rather than a sustained state sponsored infiltration.

  • Attribution is not binary. There is no defined state at which you are ‘done’, because again, only an intelligence agency can definitively answer questions of motivation, intent, and capabilities with a simple yes or no answer. Some people take this to mean attribution is not a meaningful pursuit – this goes a little too far in the opposite direction. Taken as a check against assumptions underpinning a company’s allocation of resources, any attribution data grounded in concrete evidence is valuable.*
control-ctrl-key-feature-laptop-lego-hack

  • One forensic artifact is not an attribution make. Those of us in the security industry have at times seen extensive lists of indicators of compromise (IOCs) definitively attributed to various nation state groups at one point or another, typically by a government agency.  The idea here is to take a snapshot in time – a forensic mug shot – and spread it around so defenders can keep their eyes open for similar TTPs within the same timeframe. (Should you be wondering when this is relevant to an organization’s defense, it really isn’t. Establishing a campaign timeframe is mostly relevant to collecting strategic intelligence, which is why it’s usually the government releasing these lists to begin with.) Some organizations have interpreted these lists to mean *any* IOC listed is a hard attribution to a particular nation state, and will commence searching their logs for “attacks.” Do not do this. It is a waste of tier II SOC time, money, and presumes an immutability to Tools Tactics and Procedures (TTPs) that is frankly a little baffling. The benchmark should be what a preponderance of evidence would cause a reasonable observer to conclude – not a single IP registered in China.
anon

  1. Anonymous is not a group. Its non-existence as a group means that it cannot have interests, motivations, or capabilities. More typically Anonymous is a series of pseudo-political statements adopted as cover for ego-bolstering and small political goals of local hackers. Again, Anonymous is not a group and if you have attributed an attack to them you have attributed nothing at all.
Two businessmen with their mouths tied up typing in office

  1. The State Sponsored Thing. You might notice that the two companies I referenced for detailed attribution both focus on state sponsored actors. This is largely because state sponsored actors have a mandate to exploit targets over the longest period of time to extract maximum intelligence. As a result, the odds of a target having a rich trove of forensic data to analyze and correlate goes way, way up. So we tend to see flashy, sensational data on state actors and discount the much more frequent one off opportunistic attacks by financially motivated actors. Don’t ignore the OWASP Top Ten to focus on the zero-day attack that probably isn’t coming.

So here you have what attribution isn’t. A lot of folks will look at the above list, throw their hands up in the air, and say that attribution is impossible, a waste of time, and you shouldn’t do it. I disagree. Can threat actors proxy though a compromised box? Can they falsify their WHOIS? Of course. But even when people lie they do not do so randomly. False data consistently applied over a set time frame is just as useful to establishing motivation, intent, and capability as the real thing. And given that our intent is to match structured, real world attack data against our established threat models, it doesn’t especially matter if we have the full legal name of the actor behind the keyboard, provided that actor behaves in a consistent manner across multiple attacks.”>

Tune in next time for more on what good attribution looks like, and why you should care.

Things that are not concrete evidence: vendor claims of a forum post without providing any reference to a source, obfuscated or not.  Vendors who provide translated threat actor speech without also providing the source language.  Mentions of your organization on disreputable websites.  Publicizing vulnerabilities in infrastructure that your organization also uses.  A threat actor’s membership in a group that at one time has expressed interest in a theoretical attack on your organization.  Any single IOC that shows up in your logs without further context.

ABOUT THE AUTHOR

William Tsing

Breaking things and wrecking up the place since 2005.