Determining guilt in cyberspace: difficult now, but there’s hope for the future

Summary: We see the nature of modern America in our response to cyberattacks. The government quickly points to one of the usual suspects, and Americans believe. Reminders of past government lies have no effect, nor do experts’ warnings that attribution in cyberspace ranges from difficult to impossible. For a change of pace, today cybersecurity expert James Palazzolo explains why this might not always be so. Law and order might someday come to cyberworld.   {1st of 2 posts today.}


The Complexities of Attribution in Cyber Space: An Overview

By James Palazzolo, 25 August 2015
From DarkMatters: Providing superior attack intelligence.
Posted with their gracious permission.

Seeking attribution

The challenges of attribution in Cyber Space involve both social and political aspects, and these relate directly to the overall technical architecture of the Internet as a whole.

Rid and Buchanan argue that attribution is not a matter of technology but a matter of want; meaning: attribution in Cyber Space is determined by how much states want accurate, high-confidence attribution with regard to cyber systems. If this want is not realized, then little concrete effort will be spent on the process of attribution.

The challenges of attribution are a well-known argument from a technical studies perspective, but that argument still does not answer the practical question: what can organizations do in the short term when they need a high degree of confidence in attribution? And if high-confidence technical attribution is possible, how long will organizations (which rely on cyber systems to conduct business) have to wait until states globally accept concrete levels of identity over the Internet for all systems? Waiting for an answer to that question is the ‘gorilla in the room’.

There is a good possibility that consistent high confidence attribution of cyber systems will never be achieved. From a covert operations viewpoint the lack of high confidence attribution benefits states’ Intelligence communities.

The ability to launch political campaigns with almost complete anonymity is too convenient for states to ignore (Alyia Sternstein in Defense One). It can be argued that social applications have cemented this stance as these applications are able to reach millions of individuals rapidly and typically cost the end user nothing to use.

Therefore, why would states want to engage other states in creating policy that reflects the technical gaps surrounding attribution in Cyber Space?

Additionally, there is no monetary incentive from a private industry stance to push the conversation closer towards high confidence attribution for cyber systems. With billions of dollars already invested in offensive and defensive cyber systems, there is little appetite to redirect development budgets towards systems that offer high degrees of user and host attribution.


The slippery concept of attribution

The term attribution itself poses a further layer of complexity when dealing with cyber systems. The social, technical, and political interconnectedness of these systems makes the question of attribution a multidimensional question in itself.

The ‘who’ portion of this attribution question may range from a single user sitting at a desk within an organization to several individuals scattered across the globe. Furthermore, autonomous cyber systems such as botnets further dilute the pursuit of attribution.

It is not entirely uncommon for bots to sit on infected machines long after their creator has forgotten them. Using this example as a frame of reference: is it more important to know who created the autonomous system(s), or is it more important to know that the autonomous system(s) were at the root of the event?

Eric Mejia {Colonel, USAF} contends that this can be distilled into a simple question whereby the most important attribute in the question of attribution becomes whether or not a state was responsible for a cyber-attack (p118). Although this may apply to state vs. state contention within Cyber Space it does not cover the multiplicity that actually is Cyber Space.

When considering the dilemma of attribution from a small-to-medium business (SMB) and a large enterprise standpoint, both share one attribute in common with regard to negative events within Cyber Space: jurisdiction (“Evidentiary Issues in International Disputes Related to State Responsibility for Cyber Operations” by Marco Roscini). Neither type of organization has jurisdictional authority to pursue an investigation beyond its own physical perimeter. Furthermore, both have to rely on law enforcement, who themselves have limited jurisdiction when considering the scope of Cyber Space.

The physical reality of jurisdiction almost makes attribution a moot point from a response and enforcement perspective. The result is a vicious cycle of recurring incidents with no real resolution taking place.


Confidence and tools

Blending in all of these already known principles regarding Cyber Space and attribution, the next greatest contributor to the attribution quagmire becomes ‘confidence’.

When developing the final output of any attribution analysis, confidence becomes the indicator of whether or not the effort is fruitful; meaning: an effort in determining attribution can provide actionable Intelligence that can then be transformed into a kinetic response (e.g. changing firewall rules, enhancing user awareness training, et al.).

Confidence is a blended attribute in the Intelligence lifecycle when performing an analysis of collected data, and this is no different when applied to Cyber Threat Intelligence (CTI). Here organizations can leverage this confidence and apply CTI data within their security programs (Shackleford and Northcutt 2015). Tools have been in development with regard to CTI and CTI sharing for the past few years, and a small number of standards have evolved out of these efforts (Farnham and Leune 2013).

Also, as Cyber Defense Systems mature they include architectural requirements for sharing between like-vendor systems, thus creating large vendor-distributed Intelligence networks.

However, when considering this evolution from a self-serving attribution basis, does it create excess pressure on vendors to provide CTI, and if so, what level of quality assurance is applied to this data? (Libby and Rennekamp 2012.) If that is questionable, then the validity of attribution becomes further entrenched in the trust placed in the evidence presented by these systems.
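The two points above, that confidence decides whether an attribution effort is actionable, and that vendor-supplied CTI needs quality assurance before it drives a response, can be made concrete with a small gating routine. The following is an added example, not code from the article, DarkMatters or Norse: it combines indicator sightings from several feeds, weights each feed by a reliability score the defender assigns after their own QA, and only emits a firewall rule once the combined confidence clears a block threshold. The feed names, reliability weights, thresholds and sightings are all constructed assumptions for illustration, and the addresses come from the RFC 5737 documentation ranges rather than any real indicator.

```python
"""Confidence gating for CTI-derived actions (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sighting:
    indicator: str      # the reported indicator (an IP address here)
    feed: str           # which CTI source reported it
    confidence: float   # the feed's own stated confidence, 0.0 to 1.0
    tag: str            # what the feed claims about it (e.g. "c2", "scanner")


# Assumed reliability weights: how much the defender trusts each feed after
# its own false-positive review. A feed absent from this table gets weight 0,
# so unvetted data can never drive a block on its own.
FEED_RELIABILITY = {
    "vendor_a": 0.9,
    "vendor_b": 0.7,
    "unvetted_paste": 0.3,
}

BLOCK_THRESHOLD = 0.8    # assumed: act (block) above this combined confidence
MONITOR_THRESHOLD = 0.5  # assumed: watch, but do not block, above this


def combined_confidence(sightings):
    """Combine independent sightings with noisy-OR: P = 1 - prod(1 - w_i * c_i).

    Each sighting contributes (feed reliability * reported confidence).
    Repeated reports from the same feed do not stack; only the strongest one
    is kept, because re-reports from one source are not independent evidence.
    """
    best_per_feed = {}
    for s in sightings:
        weight = FEED_RELIABILITY.get(s.feed, 0.0)
        contribution = weight * s.confidence
        best_per_feed[s.feed] = max(best_per_feed.get(s.feed, 0.0), contribution)
    p_none_correct = 1.0
    for contribution in best_per_feed.values():
        p_none_correct *= (1.0 - contribution)
    return round(1.0 - p_none_correct, 4)


def decide_action(indicator, sightings):
    """Return (action, confidence) for one indicator: 'block', 'monitor' or 'ignore'."""
    matching = [s for s in sightings if s.indicator == indicator]
    conf = combined_confidence(matching)
    if conf >= BLOCK_THRESHOLD:
        return "block", conf
    if conf >= MONITOR_THRESHOLD:
        return "monitor", conf
    return "ignore", conf


def firewall_rule(indicator, action):
    """Render the response as an iptables-style drop rule; None unless action is 'block'."""
    if action != "block":
        return None
    return f"iptables -A INPUT -s {indicator} -j DROP"


# Constructed sample sightings (RFC 5737 documentation addresses, not real IoCs).
SAMPLE_SIGHTINGS = [
    Sighting("192.0.2.10", "vendor_a", 0.8, "c2"),
    Sighting("192.0.2.10", "vendor_b", 0.6, "c2"),
    Sighting("192.0.2.10", "vendor_a", 0.5, "c2"),      # same feed again: does not stack
    Sighting("198.51.100.7", "unvetted_paste", 0.95, "c2"),  # high claim, low-trust source
    Sighting("203.0.113.4", "vendor_b", 0.9, "scanner"),
]


if __name__ == "__main__":
    for ioc in sorted({s.indicator for s in SAMPLE_SIGHTINGS}):
        action, conf = decide_action(ioc, SAMPLE_SIGHTINGS)
        print(f"{ioc:15} confidence={conf:.4f} action={action} rule={firewall_rule(ioc, action)}")
```

With the constructed data, 192.0.2.10 is corroborated by two vetted feeds and reaches a combined confidence of about 0.84, so it is blocked; 203.0.113.4 rests on a single feed and is only monitored; and 198.51.100.7, despite a 0.95 claim, comes from a low-reliability source and is ignored. The reliability table is where the quality-assurance question from the paragraph above lives: it is a defender's judgement, not something the vendor supplies.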

Considerable investment is required to achieve enforceable treaties: decades of diplomacy and treaty negotiation, thousands of individuals working together in an international setting to develop technology and procedures, and continuous refinement of treaties and practices.

Nuclear non-proliferation treaties can serve as a positive example for managing the reduction of malicious activities on the Internet (Hunker, Hutchinson & Margulies 2008, 4-5).

Regardless of the challenges surrounding achieving high confidence attribution in Cyber Space, the fact remains: attribution is important (Hunker, Hutchinson & Margulies 2008). It will most likely be many years before a consensus is agreed upon with regards to acceptable use of the Internet and attribution on a global scale.

Like the global talks regarding nuclear non-proliferation, the groundwork for this future discussion has finally been laid.


About the Author

James Palazzolo is a Cyber Security Researcher with a focus on Cyber Intelligence. He has a degree in Information Assurance from Eastern Michigan and is currently scheduled to complete his Graduate Degree in Cyber Intelligence by the end of 2016. James has also worked in security for Healthcare and in Local Governments. See his other articles on Dark Matters website, and his bio on LinkedIn.


About Norse

Norse is the global leader in live attack intelligence. Norse delivers continuously updated and unique Internet and darknet intel that helps organizations detect and block attacks that other systems miss. Norse’s globally distributed distant early warning grid of millions of dark sensors, honeypots, crawlers, and agents delivers unique visibility into the Internet – especially the darknets, where bad actors operate. Norse products tightly integrate with popular SIEM, IPS, and next-generation Firewall products to dramatically improve the performance, catch-rate and return-on-investment of your existing security infrastructure.

See their website for more information.

For More Information

For more about this subject see “The Attribution Problem in Cyber Attacks” by Dimitar Kostadinov at INFOSEC Institute. For DoD’s response to these problems see “Cyber chief: Efforts to deter attacks against the U.S. are not working“; their response (not a surprise) is that they want a bigger offensive capacity — just like the overkill in nukes they pursued for decades. They didn’t destroy the world then, and hopefully will not do so now.

See all posts about Cyber-espionage and Cyber-war, and especially these about the difficulty of attribution…

  1. About Attribution (identifying your attacker) by Marcus Ranum.
  2. Identifying the guilty: tying nation states to cyber espionage, by Emilio Iasiello.
  3. How do we identify our attackers in cyberspace? by Marcus Ranum.
  4. The horror of cyberspace: we can’t easily identify our attackers. by Marcus Ranum.

One thought on “Determining guilt in cyberspace: difficult now, but there’s hope for the future”

  1. To amplify on what the author said, we know as a matter of documented fact that the NSA has backdoors into every known operating system running on every kind of current computer. This means that the NSA can effortlessly erase or alter server logs on any internet server by secretly gaining root access to those servers, and then erasing any evidence that it has done so.
    Since the fundamental link in any chain of online attribution for a cyberattack boils down to server logs, this logically means that there is no way to attribute any cyberattack with any kind of certainty. The NSA (or one of its sister agencies) could always have changed the server logs to say anything they want them to say.
    Objections that traceroute and IP addresses provide an additional method of attribution fail for obvious reasons. IP spoofing is trivial today, and can be performed by anyone with a Linux distribution running on their computer. Some Linux distros, like Kali Linux, are customized for these kinds of malware injections, and if you look at the packages pre-installed on Kali Linux, you’ll find hair-raising stuff like msfconsole and meterpreter, with commands like “use exploit/windows/dce” and “set PAYLOAD windows/shell/.” Use exploit means run a backdoor hack, while set PAYLOAD means inject a virus or other malware.
    We’re so far down the road from being able to attribute anything in cyberspace that the entire issue is moot. And all because the FBI and NSA insisted on installing/keeping secret all kinds of zero-day exploits in all our digital hardware.
