How to identify a cyber adversary: what to look for

COMMENT

Cyber incident attribution gets a lot of attention, for good reason. Identifying the actors behind an attack allows legal or political action to be taken against the adversary and helps cybersecurity researchers recognize and prevent future threats.

As I wrote in the first part of this series, attribution is both a technical and an analytical process. Extracting the necessary data therefore requires collaboration across many information and intelligence disciplines. Attribution is becoming increasingly difficult as adversary tradecraft improves and malicious actors find new ways to obfuscate their activity. Human intelligence often comes into play, which is what makes the work of government intelligence agencies such as the FBI and CIA so valuable.

There are multiple factors involved in attempting to attribute an event. Here’s a general framework you can apply in your attribution efforts.

Victimology

Finding out as much as you can about the victim (in this case, yourself) through analysis can produce surprising results. To paraphrase Sun Tzu, “know your enemy and you will win a hundred battles; know yourself and you will win a thousand.” What you make or manufacture, what services you provide, and who your company’s executives are will all have a direct bearing on your adversary’s motivations. Who wants what you have? Does your organization fit a nation state’s collection requirements? Does someone want to replicate your intellectual property?

Tools

Categorize the adversary tools you find during your investigation and analyze each group. What did the adversary use? Are the tools open source? Are they open source but customized? Were they written by the actors themselves? Are they prevalent or commodity tools? Unfortunately, the tools used in a breach are often transient or lost to time and anti-forensic techniques (such as malware exploiting a vulnerability). Different tools can maintain persistence, escalate privileges, and move laterally across a network. The longer the adversary stays in your network, the harder their tools are to detect.

Time

Looking and acting like everyone else in your environment is crucial to an adversary’s longevity. They tend to use what is already available on the company network (“living off the land”) or benign tools that do not arouse suspicion, making them more difficult to detect. An adversary backed by a strong military-industrial complex or a sophisticated intelligence apparatus has the time, resources and patience to linger in your network. By contrast, time is money for cybercriminals and ransomware gangs, so their dwell time may be significantly shorter.

Infrastructure

Investigate the type of infrastructure used by the attackers, particularly the elements related to command and control (C2). Was it rented infrastructure, a virtual private server (VPS), a virtual private network (VPN), compromised hosts, or a botnet? Did they use Tor or another anonymizing network? Is the C2 hard-coded in the malware? How does the C2 channel work? Unique infrastructure is easier to attribute, while commodity infrastructure and tools make attribution more difficult.

Implementation

It is not enough to identify the adversary’s tools and infrastructure; reviewing how they were used during the attack is critical. How tactics, techniques and procedures (TTPs) are carried out can tell you whether someone is intentionally trying to mislead you (for example, by planting false flags). If data has been exfiltrated from your network, perform a detailed analysis to understand what they took or targeted.

Logging the actions of internal users can help if the adversary has moved laterally and is masquerading as an administrator or employee. If they did a “smash and grab,” taking everything, well, you have some work to do. If the attack was unique and there are no prior cases to compare it against, that in itself is an indicator.

However, attacks rarely work this way. Adversaries tend to stick with what they know: they learn a way of doing things and keep doing it. While the tools of the trade (e.g., the hacking tools used, the vulnerabilities exploited, the infrastructure used) change, tradecraft is much harder to change at scale.

Next steps

Once you have gathered the information or evidence you need, consider: What is the fidelity of the information acquired (how accurate is it)? How exclusive is it? Is the information you know about the attack tied to a particular actor or organization?

When carrying out an evaluation, information gaps inevitably arise: missing material information or indicators that are not clearly explained by the strongest theory. If a government needs more information, it probably has the resources to fill intelligence gaps. Any other type of organization must find other ways to derive attribution for defensive purposes.

Final thoughts

Many people and organizations want to rush attribution and take action immediately. Hasty attribution does not remove the need to conduct a thorough investigation. On the government’s side, rushing the response to a cyber event to set a foreign policy precedent or achieve a perceived national security objective is a recipe for disaster.

Attribution should be strengthened and not circumvented; otherwise, highly skilled false flag and deception operations will bring companies and countries into conflict, playing into the hands of a determined adversary. Foreign policy strategy is a chess game in which one must always anticipate the opponent’s countermoves.

Attribution often requires a whole-of-government and private-sector effort; rarely does an agency or company have all the information needed to put the pieces together. We need to embed and formalize threat intelligence and attribution into academic curricula and give it the attention it deserves. This is not something any nation or cybersecurity community can afford to get wrong.
