Summary: Identifying the attacker is the key to modern military defense, so one can launch a reprisal or counter-strike. But attributing cyberattacks is difficult because nothing in cyberspace has to look like anything familiar. How do you attribute a weapon that was created out of thin air and used by an enemy that has no physical location? Links to other chapters of this series are at the end.
Article deleted at author’s request.
(5) For More Information
See the Wikipedia entry for more information about forensic science.
See all posts about Cyber-espionage and Cyber-war.
9 thoughts on “Cyberwar: About Attribution (identifying your attacker)”
I keep hearing there is a Stuxnet 2 out there is this true?
See “Son of Stuxnet?“, Blake Hounshell, Foreign Policy 19 October 2011.
This was the big debate, among the general public. Even if only a State had the resources to build stuxnet, could regular software engineers build the mark II version? We might soon have the answer, if some Mark II variant shuts down something important. Loks of industrial sites have enemies. Animal rights groups, greens, anarchists (still powerful in Italy), etc.
I think it’s important to point out that regular software engineers could produce a Stuxnet. In many ways Stuxnet is much less sophisticated malware than Zeus or some of the transaction-intercepting commercial malware being used to hijack funds transfers, today.
What was sophisticated about Stuxnet and was significant evidence that the authors had uncommon information was that Stuxnet appeared to be designed with knowledge of the specific gas-centrifuge cascades that were being used at Natanz. While any experienced system programmer can eventually turn out pretty workable malware (and a good systems programmer can quickly turn out pretty impressive stuff indeed) most programmers don’t have a specific type of centrifuge to test against, nor do they know how many centrifuge programmable logic controllers to attempt to manipulate in a given centrifuge cascade.
Let me try an analogy: if someone breaks into your house by throwing a brick through the window, that’s one thing. If someone breaks into your house, bypasses your security system, and immediately goes directy to your wall-safe that’s hidden behind your fireplace – then they had inside knowledge. In the case of Stuxnet it’s the attackers’ understanding of the target’s layout that’s the interesting fact, not the actual code of the malware. Whoever did it knew a lot about that one target, and that knowledge was not anything close to common.
It may be a precursor, it may be a successor, or it may be a different line of evolution entirely. The latter I would assess as least likely.
It may be a red herring designed to point away from its real source.
There’s a decent chance that futher analysis will turn up more. For example, people who collect network data are now (no doubt) rummaging frantically through archives to see if they have collected copies of the malware, so they can match the collection date to a time-line. This is a ‘basic’ forensic process and will proceed along multiple avenues of investigation; we simply don’t know enough yet at this time to speculate. We can be sure, however, that now that the pitbulls have their fangs sunk into this thing, more will be revealed over time.
Fascinating. It sounds very very complex.
I vaguely remember reading the Clifford Stoll book.
Marcus Ranum remarks: I, for one, am thoroughly sick of hearing the US’ senior law enforcement agency — which, presumably understands how standards of evidence work and that you don’t go making accusations unless you can back them up — making empty accusations about other nations’ activities.
This appears to be the entire purpose of the ginned-up phony cyberwar scare. As with the bogus and thoroughly incredible Iran assassination plot, the current cyberwar scare appears to serve as a pretext for yet more military action in yet another third-world hellhole, resulting in yet another endless unwinnable war which will eventually be declared a ‘magnificent American victory’ when the U.S. military retreats in ignominy in antoher 10 or 15 years after having accomplished nothing of geopolitcal significance.
And the essential reason for constant American military interventions in third-world hellholes is, of course, that American society and the U.S. economy has now become so thoroughly militarized by an all-embracing military-police-terror-surveillance complex that the 1950s policy of Miltary Keynesianism has morphed into Garrison State America, in which war has become the health of the state. So many U.S. jobs (more than 3 million directly, and many more than indirectly by means of military contractors) and so much of the U.S. budget (1.2 trillion dollars per year, roughly 9% of American GDP) is tied up with the military that the Pentagon E-ring must now embark on constant military interventions around the world…lest the America populace and our putative rulers begin to suspect that our gigantic military and its attendant anti-terror-surveillance-police network is no longer necessary (especially after the Cold War).
Many Americans seem to operate under the foolishly mistaken notion that foreign policy and budget priorities are made by congress and the White House and the State Department. Not so. In 2011, foreign policy is made by nameless colonels in the Pentagon E-Ring, and the annual U.S. budget is set by competing politics within the Pentagon. After 9/11, only such pittance of budgetary scraps as remain after the U.S. military’s internal competing factions have finished fighting over budget priorities can be spent on U.S. social services or American infrastructure.
America’s decision to bomb Libya seems baffling, until we recognize that the U.S. Air Force currently faces a threat to its budget in the form of a massive shift from human-piloted aircraft (expensive) to unpiloted armed UAVs (cheap). So the USAF must demonstrate that it still has a vital role to play, and therefore we see a spate of American aerial bombardments by piloted planes around the world. Likewise, the U.S. Navy now faces the total obsolescence of its aircraft carriers courtesy of supersonic Skhvaal-class torpedoes and pop-up radar-stealthed missiles. So we can expect large deployments of U.S. carrier groups in the near future in order to demonstrate the allegedly strategic crucial importance of U.S. naval carrier strike groups, and the consequent supposed need for continued navy budgets to support such white elephants.
The current cyberwar scare undoubtedly represents the public face of some deep budgetary struggle hidden within the Pentagon E-ring. Perhaps the increasingly computerized USAF drone forces are battling the increasingly networked U.S. army for money for more computers, and the cyberway scare is a riposte by the army intended to discredit the Air Force; or perhaps the Marine Corps, faced with suggestions that it has become entirely obsolete, must now demonstrate their alleged utility by offering to track down the supposed author of these deadly pieces of malware and bring him to justice, the better to analyze its interal code.
The current convulsions involving proposed cuts to Social Security and Medicare and the kabuki theater of the so-called “supercommittee” certainly represent the public face of the colossal budget struggles within the Pentagon. Each faction of the U.S. military fights with the others to demand the various basic American social services and infrastructure components (highway repair, social security payments, aid to dependent children, and so on) gets cut in order to assure limitless increase of the U.S. military budget. The cyberwar scare undoubtedly gives us an example of the same kinds of internal Pentagon struggles on a smaller scale.
In general, I agree with what you said. The only quibble I’d make is that, from the perspective of the security ‘cyberwar’ industry, struggles like Air Force -vs- Marines for budget are less significant than the struggles within the intelligence community. There has been considerable maneuvering to see which agency/branch will get to carry the cyberwar football. The key players are DoJ (in the form of FBI) DoD (in the form of NSA) CIA and the anti-fear bureaucracy (in the form of DHS). None of them, of course, will actually do anything once they claim control – they’ll contract it all out to the beltway bandits that are standing by. End result is the same – the public coffers keep getting dumped into the bottom line of the big corporate allies of The Pentagon.
“Refugees are individuals or groups of people in grave danger because their home government is either unwilling or unable to protect them.”
Pingback: A Breakdown and Analysis of the December, 2014 Sony Hack – RBS