Part one of a two-part article.
In cybersecurity, attribution means identifying the adversary likely responsible for malicious activity: not just an individual, but the organization behind the activity. It is typically the product of many kinds of information, including tactical and strategic intelligence, evidence from forensic examinations, and data from technical and human sources, and it is the conclusion of an intensive, potentially multi-year investigation and analysis. Investigators must apply technical and analytical rigor alongside cross-disciplinary methods, and in practice behavioral analysis often carries the most weight.
Attribution and the public disclosure of that attribution are not the same thing. Attribution is the identification of a likely adversary: the organization, its affiliation, and the actors involved. The decision to make an attribution public, whether through criminal charges, sanctions, embargoes, or other foreign policy actions, is a separate policy choice and an instrument of national power.
An example is Mandiant's APT1 report of 2013, which attributed the group's intrusions to the Chinese government (specifically to People's Liberation Army Unit 61398). It was followed in 2014 by Department of Justice (DoJ) indictments of APT1 members and by U.S. State Department pressure on the Chinese government. These public revelations were very effective in helping the world grasp the scale of cyber espionage conducted on behalf of the Chinese Communist Party. Attribution of that actor had been underway for years; the charges and political maneuvering, that is, the public disclosure, were the instruments of national power.
Standards of proof
When attributing a cyber incident to a threat actor, several standards of proof are in play. One element of attribution, especially when deciding how to act on analytic results, is understanding confidence levels and probability statements and what each does and does not convey.
Intelligence standards
In the intelligence community, Intelligence Community Directive 203 (ICD 203, Analytic Standards) specifies how analysts assign confidence levels and express likelihood in their judgments. The ICD 203 likelihood terms, with the approximate probability range each denotes, are:
- Almost no chance (remote): 1 to 5 percent
- Very unlikely (highly improbable): 5 to 20 percent
- Unlikely (improbable): 20 to 45 percent
- Roughly even chance (roughly even odds): 45 to 55 percent
- Likely (probable): 55 to 80 percent
- Very likely (highly probable): 80 to 95 percent
- Almost certain (nearly certain): 95 to 99 percent
Confidence levels in ICD 203 are expressed as low, moderate (medium), and high; they describe the quality of the sources and reasoning behind a judgment, not the likelihood of the event itself. To avoid confusion, ICD 203 directs that a likelihood term and a confidence level not be combined in the same sentence. There is also ongoing debate about whether these terms, designed to estimate the likelihood of a future event, fit the task of assigning responsibility for an event that has already occurred, which is what attribution requires.
Judicial standards
Another factor is that intelligence assessments do not use the same standard of proof as the rules of evidence in judicial proceedings, so the workflows that lead to an indictment differ. In judicial terms, there are three standards, in increasing order of stringency:
- Preponderance of the evidence
- Clear and convincing evidence
- Beyond a reasonable doubt
The type of proceeding determines the level of proof required: preponderance of the evidence is the usual standard in civil cases, while a criminal conviction requires proof beyond a reasonable doubt. The FBI, being both an intelligence agency and a law enforcement agency, may have to work to intelligence standards, judicial standards, or both. If a national security case results in an indictment, the DoJ must convert intelligence judgments into evidence that meets a judicial standard of proof, which is no easy task, not least because the sources and methods behind an intelligence judgment often cannot be disclosed in court.
Technical standards
Technical indicators also bear on attribution. Indicators have a half-life, so they must be continually reassessed for relevance (curated); otherwise you will spend most of your time chasing false positives. Worse, badly implemented indicators breed a false sense of security ("no indicators found, so we must be OK"), when the absence of a match may only mean that the indicator was stale or was never applicable to this environment. An indicator without context is therefore of little use: an indicator that is meaningful in one environment may be absent, or benign, in another.
A good formula is: 1) an examination (survey) of the affected systems produces artifacts, 2) artifacts yield indicators, 3) indicators accompanied by reporting provide context, 4) the totality of indicators in context reveals tactics, techniques and procedures (TTPs), and 5) multiple TTPs observed over time reveal threat patterns (campaigns). Whenever possible, information about attacks should be shared quickly, while the indicators are still within their useful life.
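The curation loop described above (artifacts to indicators, indicators plus reporting to context, context to TTPs), as an added example that is not from the article: a small Python script written for this page gives each indicator a half-life and the report and TTPs it came from, decays its confidence with age, matches a few constructed log lines, and reports the absence of a match as absence of evidence rather than as a clean bill of health. The alert threshold, the half-lives, the report names, the placeholder hash and the log lines are all assumed or constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date

# Decayed confidence an indicator needs before a match is treated as an alert.
# The threshold and the half-lives below are assumed tuning values, not from the article.
ALERT_THRESHOLD = 0.25


@dataclass(frozen=True)
class Indicator:
    value: str            # the observable itself: an IP, a domain or a file hash
    kind: str             # "ip", "domain" or "sha256"
    report: str           # the reporting that gives the indicator its context
    ttps: tuple           # TTP identifiers the report ties the indicator to
    first_seen: date      # when the report first published it
    half_life_days: int   # relevance halves every this many days

    def confidence(self, today: date) -> float:
        """Exponential decay of relevance; a freshly published indicator scores 1.0."""
        age_days = max((today - self.first_seen).days, 0)
        return 0.5 ** (age_days / self.half_life_days)


def curate(indicators, today):
    """Split the feed into indicators still worth alerting on and ones to re-validate or retire."""
    active = [i for i in indicators if i.confidence(today) >= ALERT_THRESHOLD]
    stale = [i for i in indicators if i.confidence(today) < ALERT_THRESHOLD]
    return active, stale


# Tokens that can carry an IP, hostname or hex hash; '=' and ':' act as separators.
TOKEN = re.compile(r"[A-Za-z0-9.\-]+")


def match_logs(indicators, log_lines, today):
    """Return one hit per (line, indicator); every hit carries its decayed confidence and context."""
    by_value = {i.value.lower(): i for i in indicators}
    hits = []
    for line in log_lines:
        for token in TOKEN.findall(line):
            ind = by_value.get(token.lower())
            if ind is None:
                continue
            conf = ind.confidence(today)
            hits.append({"line": line, "indicator": ind,
                         "confidence": round(conf, 3),
                         "alert": conf >= ALERT_THRESHOLD})
    return hits


def summarize(hits, lines_seen, active_count):
    """Roll alert-worthy hits up to TTPs and reports, and say what 'no hits' does and does not mean."""
    alerts = [h for h in hits if h["alert"]]
    verdict = ("active indicators matched" if alerts else
               "no active indicators matched: absence of evidence, not evidence of absence")
    return {
        "verdict": verdict,
        "alerts": len(alerts),
        "stale_hits": len(hits) - len(alerts),   # matched, but only on decayed indicators
        "ttps": sorted({t for h in alerts for t in h["indicator"].ttps}),
        "reports": sorted({h["indicator"].report for h in alerts}),
        "coverage": f"{active_count} active indicators checked against {lines_seen} log lines",
    }


TODAY = date(2024, 3, 10)  # constructed "current date" so the decay is reproducible

# Constructed sample feed: report names and TTP IDs are illustrative; the hash is a placeholder.
INDICATORS = [
    Indicator("203.0.113.77", "ip", "Vendor report X (constructed)", ("T1071.001",), date(2024, 2, 20), 30),
    Indicator("login-portal.example.net", "domain", "Vendor report X (constructed)", ("T1566.002",), date(2023, 9, 1), 30),
    Indicator("ab" * 32, "sha256", "Vendor report Y (constructed)", ("T1059.001",), date(2023, 9, 1), 365),
]

# Constructed log lines; addresses come from the documentation ranges.
LOGS = [
    "2024-03-10T02:14:33Z proxy src=10.0.0.5 dst=203.0.113.77:443 host=cdn-update.example",
    "2024-03-10T02:15:01Z dns client=10.0.0.5 query=login-portal.example.net rcode=NOERROR",
    "2024-03-10T02:16:40Z edr host=ws12 proc=powershell.exe sha256=" + "ab" * 32,
    "2024-03-10T02:17:05Z proxy src=10.0.0.9 dst=198.51.100.23:443 host=news.example",
]


if __name__ == "__main__":
    active, stale = curate(INDICATORS, TODAY)
    print("retire or re-validate:", [i.value for i in stale])
    for hit in match_logs(INDICATORS, LOGS, TODAY):
        print("ALERT" if hit["alert"] else "stale", hit["confidence"],
              hit["indicator"].value, "<-", hit["indicator"].report)
    print(summarize(match_logs(INDICATORS, LOGS, TODAY), len(LOGS), len(active)))
```

Running it flags the IP and hash matches as alerts but reports the domain match as stale: it did match, but the indicator is six months past a 30-day half-life and needs re-validation before anyone acts on it. The summary never says "clean"; it reports how many active indicators were actually checked, so that a result of no hits is read alongside its coverage rather than as proof of a healthy environment.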
Why attribution matters
Recently, a friend asked me why attribution matters. Well, if your house was broken into at random, that is one thing; if your neighbor did it, that is something else entirely. How I protect my home, or my network, changes depending on who broke in.
Organizations that do not care who is responsible for a cyber incident and just want to get back online are more likely to become repeat victims. A mature organization with sound processes, a survival instinct, and concern for its employees will take the extra step of building shared situational awareness, especially when the adversary keeps coming back. A company can defend itself better against future attacks if it knows 1) why it was attacked, 2) how likely the attacker is to return, 3) the attacker's goals, and 4) the attacker's TTPs. Knowing who perpetrated an attack also removes uncertainty and helps explain why it happened.
In the second part of this article, coming this week, I will discuss the key methods involved in attributing an event to a threat actor.