Summary: Cybersecurity expert Emilio Iasiello discusses one of the key issues in cybersecurity — how do we determine who attacked us? Each attack brings forth rapid declarations by the government that the attacker is one of their favorite foes. Should we believe them?
The Race to Attribution Needs to Stop
By Emilio Iasiello
Posted at Dead Drop (of the LookingGlass Cyber Threat Intelligence Group)
30 March 2016. Posted with his gracious permission.
It has become almost systemic for people to immediately question, “Who did it?” when a major breach occurs in the public and/or private sectors. Understandably, the victimized have a keen interest in identifying their faceless attackers especially when they have been publicly exposed. There is also a competitive aspect, as the first person to make attribution can add credibility to his or her name. However, while providing information for public consumption is important, it’s equally as important to provide accurate information.
In the cyber security industry, a commonly heard mantra is that attribution in cyberspace is difficult. Cyber security experts and organizations, and even some government officials, have emphasized this point. If most agree that attribution is difficult and time consuming, why is there invariably a need to immediately attribute hostile activity that may end up being incorrect and misleading?
This is perplexing especially when one considers that some state actors are considered to be sophisticated and stealthy, yet once their operations are exposed, attribution appears relatively easy to assign. This contradicts the general premise of the attribution challenges that cyberspace presents and discounts the anonymization and obfuscation techniques employed by savvy actors to avoid those very identification efforts. Furthermore, reliance on technical evidence as indicators of attribution may become less important as actors may alter timestamps, use different keyboard languages, and change compile times to point blame in a different direction.
Three highly public cyber incidents have involved a rush to judgment over the identity of the perpetrators that may ultimately prove incorrect. In one incident, a state actor is strongly suspected as being the perpetrator; in another, later evidence suggested that the original suspects may not have conducted the activity; and the last, the high confidence accusation of a state government’s involvement in destructive activity is met with considerable criticism and doubt by the larger computer security industry.
Office of Personnel Management (OPM)
In June 2015, OPM announced that it had been breached and potentially exposed four million federal employee records to suspected nation state-affiliated hackers. State actors, or actors working on behalf of the state, were believed to have carried out this attack because, in addition to technical indicators and “unique” malware, the perceived stolen material was not found to be monetized on underground hacking forums.
However, according to one source, 23,000 government e-mails from different agencies were found on an underground hacking forum two days later. While it can’t be concluded that these e-mails were harvested from the OPM breach, it certainly warranted further investigation that didn’t occur. Rather, it was quickly concluded that the motivation for this attack was the compilation of information to be used for future espionage campaigns, or the creation of a database for all U.S. federal employees by the state actor in question. Little consideration was given to any other possible scenario.
A June 2015 report further intimated that state actors were behind the attack; although it cited two possible groups – both suspected state hackers – as the perpetrators, a fact that only additional time and investigation would have helped to determine. In the end, Beijing arrested the actors in question claiming that the activity was a criminal manner. Given the confluence of cyber crime and the fact that cyber espionage activities occurring more regularly, who’s to say that more espionage groups aren’t going to engage in similar moonlighting efforts?
France’s TV5 Monde
In April 2015, France’s TV5 Monde was breached, shutting down transmissions and inserting pro-jihadist messages on its social media accounts. At the time, officials from the Islamic State of Iraq and Syria (ISIS) claimed responsibility for the attack. However, after further investigation, French security investigators suspected a Russian hacking group to have been responsible (the website was hacked and replaced with a pro-“Cyber Caliphate” message). The investigation is still ongoing, indicating that even the most seemingly mundane attacks can have more complex machinations behind them. The “easy” answer may not prove easy at all.
Sony Incident
In 2014, Sony Pictures Entertainment was hacked by suspected North Korean hackers in protest of the release of a film. In addition to stealing confidential documents and intellectual property, the attackers may have also destroyed corporate data. The North Korean government was quickly implicated in the hack, a position that the U.S. government did not waiver from despite numerous criticism from cyber security experts and companies. While North Korea may have been behind that attack, the fact that there was little consideration over other alternatives is deeply disconcerting, particularly in a domain that traditionally favors attackers’ abilities to obfuscate their locations and implement deception techniques.
About attribution
It should be noted that cyber attribution, while difficult, is not impossible. Based on the amount of time and effort it takes to gain fidelity into what transpired in a breach, particularly those conducted by sophisticated actors, attributing blame shouldn’t be a “quick” process. This is especially true where suspected government involvement is concerned. It would be unwise to base a course of action before concretely knowing who is behind an attack, as implications can extend far beyond the cyber realm into economic and diplomatic consequences.
The United States government quickly levied economic sanctions against North Korea for its perceived implication in the Sony hack, but has treaded much more judiciously in assigning the same culpability to China, even though it indicted five members of the People’s Liberation Army for hacking. Potential consequences against states should be evaluated on a case-by-case basis, regardless of convincing attribution evidence.
There is little advantage to be gained by hurrying to call out particular governments or their agents as the orchestrators of hostile cyber activity, particularly since such a claim is subject to change as more information comes to light and is analyzed. One cyber security company received much criticism for a report in which it intimated that a nation state was behind a slew of attacks, a claim that it later had to back away from later.
While attribution is important in assigning responsibility for an attack, it may detract from the most important next step for a breached organization – mitigating the damage caused, patching up security “holes,” and ensuring that business operations continue promptly and securely. There will be time later to determine who was behind the attack, or at least, as good as can be expected given the tools and information on hand.
————————————————–
About the Author
Emilio Iasiello has more than 12 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as a private sector companies. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in peer-reviewed journals.
See his other articles on the Dark Matters website. He now posts at Dead Drop of the LookingGlass Cyber Threat Intelligence Group.
For More Information
If you liked this post, like us on Facebook and follow us on Twitter. See all posts about Cyber-espionage and Cyber-war, about attribution, and especially these…
- About Attribution (identifying your attacker) by Marcus Ranum.
- Identifying the guilty: tying nation states to cyber espionage, by Emilio Iasiello.
- How do we identify our attackers in cyberspace? by Marcus Ranum.
- The horror of cyberspace: we can’t easily identify our attackers. by Marcus Ranum.
- Determining guilt in cyberspace: difficult now, but there’s hope for the future — By James Palazzolo.
- The Complexities of Attribution in Cyber Space: An Overview.
We were tangentially involved in the original (i.e. cal. state) data breach notification act. We had been brought in to help wordsmith the cal. state electronic signature act and several of the participants were heavily involved in privacy issues. They had done detailed public privacy surveys and found the #1 issue was fraudulent financial transactions as the result of data breaches … where little or nothing was being done. An issue is that normally entities take security measures in self-protection and the institutions weren’t at risk from the breaches, it was their customers. It was hoped that the publicity from the breaches would motivate corrective action.
Long ago and far away, there was intellectual property theft at silicon valley company and the company was suing for billions of dollars in damages. The judge ruled that the company had to demonstrate that it took security measures proportional to the claimed value (sort of like swimming pool liability if not properly fenced). The problem with most of the breaches is it the value to the institution or the value to the public at risk.
Note that since then there have been numerous federal (preemption) bills (none yet passed) about evenly divided between those similar to the cal. legislation and those that effectively eliminate requirement for notification
lhw,
Thanks for the comment. It’s always useful to hear from people on the front lines of an issue!
In the case of current credt card transaction paradigm, the value of the data is the profit from the transaction, which can be a couple dollars (and the value to transaction processor can be a couple centers). However, the value to the crooks is the credit limit for the account (a couple hundred to several thousand dollars for each account).
As a result, the crooks may be able to outspend attacking than the institutions can afford to spend defending (secruity proportional to risk).
Disclaimer: In the mid-90s the X9A10 financial transaction standard working group was given the requirement to preserve the integrity of the financial industry for *ALL* retail payments. We didn’t do anything to prevent breaches, what we did was slightly tweak the existing paradigm, eliminating the value of the data to the crooks (and risk to consumers), eliminating the motivation for those breaches.
ihwo,
I don’t understand the economics of credit card theft. Hundreds of millions of credit card numbers and accompanying ID’s have been stolen in the US during the past decade, plus the small scale theft from point-of-service (cashiers, waiters, etc).
If even a $100 was taken from each, the US financial system would have crashed by now.
The amount at risk is the credit limit on each account. The financial institutions make more money off what they charge merchants for fraud … than they loose from fraud. Breach Notification was to make public aware of what was going on … that public could switch merchants and/or financial institutions. Because of the publicity … they have somewhat been more agile about deactivating accounts and issuing new cards
(which helps cap the fraud).
Note merchants have been indoctrinated for decades that what they are charged is heavily prorated based on fraud rates (with internet having the highest surcharge). At the start of the century there were several “safe” payment products marketed to internet merchants (accounted for something like 80% of transactions) which found high acceptance, the merchants anticipating an order of magnitude cut in interchange fees. Then came the cognitive dissonance, the financial institutions telling them that there would be effectively be an additional surcharge on top of what they were already paying (instead of a 90% reduction) … and the whole thing falls apart.
Part of the issue was analysis that EU institutions get less than 10% of their bottom line from these fees … while in the US it is 40%-60% of their bottom line. It would be a big hit to these institutions if those fees were cut by 90%. The institutions makes so much off these fees that the biggest thing that they worry about is something scaring off the public from using the cards. At the financial CIP meetings
https://en.wikipedia.org/wiki/Critical_infrastructure_protection
in the white house annex, the major consideration for ISAC
https://www.fsisac.com/
was it structured so it wouldn’t be subject to FOIA. They weren’t worried about the crooks finding out the bad things, they were worried about the information being made public.
slight topic drift … the electronic signature legislation was being heavily lobbied by PKI digital certificate industry to mandate PKI digital certificates. They had been floating a $20+B business plan on wallstreet that financial industry would mandate a $100/annum/account PKI digital certificate.
lhw,
“the amount at risk is the credit limit on each account.”
I understand. But I’ve never seen hard numbers on the amount actually taken by hackers. If even 10% of card numbers stolen were used to steal $100 each, that would be tens of billions — destroying the profits of credit card companies.
So the losses are probably less, suggesting that only a tiny fraction of stolen numbers are successfully used. Why? Are bank verification systems working well?
a decade ago, a government employee gave a talk at a conference in the middle east where they said that cyber crime (large amount from data breaches) was larger than drug crime. That got picked up the news and reverberated around the world. Late that day I got email asking if I could find a public source for the number. Checking numerous law enforcement websites in the US and other places around the world, I could find drug crime numbers, but when ever there was a cybercrime reference, it turned out to require some authorization to access. Eventually I found a university paper that quoted some data from document in Lexis-Nexis.
As an aside, in the late 90s, one of the large “too big to fail” was outsourcing the Y2K remediation of its most sensitive transaction processing to the lowest bidder. Eventually they found that there were several places where it could do stealth transactions to offshore institutions. They eventually find that they had outsourced the Y2K remediation to a front for a criminal organization.
Note that the credit card associations get their transaction fees from merchants regardless of whether it is a fraudulent transaction or not. That leaves the merchants and the card issuing financial institutions. The card issuing financial institutions adjust their interchange financial transactions fees to cover losses plus a profit (past articles have claimed that financial institutions view fraud as a profit center).
lhwo,
Here is my post about the cybercrime bigger than the drug trade story, citing a 2013 “Europol Serious & Organized Threat Assessment”. I don’t recall the source of their data.
“past articles have claimed that financial institutions view fraud as a profit center.”
If so, then the hundreds of millions of credit card numbers stolen must have a tiny yield, despite the hysteria about these thefts.
Pingback: We Must Stop The Race to Attribution After Each Cyberattack - Threat Brief
One of the things that industry has done is look for patterns of fraud where reported accounts with fraud have been used at a common location in the past (likely point of breach so all information in that repository is possibly compromised). They then cut off those accounts … which has managed to limit fraud to tens of billions rather than hundreds of billions.
There are increasing cases of crooks doing sophisticated fraud transaction patterns as countermeasure to the industry pattern identification technology. Some of the most sophisticated are installing information harvesting technology during the manufacturing process … and then using the information for fraudulent transactions that minimize the pattern recognition technology from identifying the sources of the compromise.
The industry walks a interesting line between having sufficient publicity to justify the significant interchange fraud surcharge … while not overly frightening the public about using cards. There is the famous case of one of the “too big to fail” eliminating their CSO position because the CEO said that fraud was more profitably handled by the banks press office.