With all the recent media talk about hacking and Russia, my family had lots of questions.
It struck me that attribution in the real world is easy for most people to understand, but in the cyber world it becomes much harder.
Often the results aren’t seen and, many times, there is no tape to ‘rewind.’ This leads to questions about methods, accuracy and, ultimately, trust.
In the real world, attribution occurs on a regular basis. Take, for example, a gang of criminals who raid banks. An experienced team, they have been pulling jobs for 10 years. They know each other's routines and how long the police take to respond. They are patient. They watch until the time is right, then walk into the bank and rob it. They are pros and they are good.
The criminals stick to their known routine. They know the alarms and how they are triggered. They execute their plan methodically and perfectly. They get away with the money.
Investigators show up and build a timeline. They interview witnesses. They check the tape. They gather evidence. The good raiders may be able to minimise the evidence, but there is almost always evidence. Any detective will tell you that criminals make mistakes all the time.
In the physical world, we are very good at attribution.
We can catch and prosecute criminals. So why can’t we ‘attribute’ when it comes to nation-state hacking?
The stages of the bank robbery map closely onto the tactics, techniques and procedures (TTPs) used by nation-state actors.
Where they differ is motivation: nation-state actors are driven by different goals from typical cyber criminals and hackers. These are not Hollywood hackers. They are intelligence agents equipped with zero-days instead of guns. Instead of intercepting mail, they intercept data. Some of the tactics remain the same, and reconnaissance is the most similar of all.
The more data hackers can gather, the more they know about the target and the easier the job becomes. Because nation-state attackers are professionals motivated to gather intelligence and/or participate in disinformation and destabilisation campaigns, we cannot assign the same motivations to these groups as we do with ‘regular’ cyber criminals. They are playing a bigger game than robbing the bank. They are playing chess while ‘regular’ cyber criminals are playing draughts.
These operations contribute to larger psychological operations (PSYOPs) instead of, say, hacking for profit.
Psychological operations are planned operations to convey selected information and indicators to audiences to influence their emotions, motives and objective reasoning, and ultimately the behaviour of governments, organisations, groups and individuals.
In a perfect world, a target organisation would already be recording the events on its systems with a next-generation endpoint security solution before attackers ever hit those systems. This was the case with certain recent, high-profile, nation-state attacks.
Endpoint detection and response (EDR) tools were deployed and attackers’ tactics, techniques and procedures were recorded. This data was fused with other data such as previous hacks, human intelligence, signals intelligence and, in some cases, confidential informants.
Some of the sources of this data must remain secret. We can't just hop on to BBC News and say: "Here's the human eyewitness to the crime." With cyber crimes, visibility and forensics data become the eyewitnesses. Much like in the real world, attackers reuse the same modus operandi (MO) over and over. They work in the same ways. They reuse code and leave evidence. All of this is gathered and fused.
The data is then sent to various agencies to be confirmed. Once there is a consensus, reports are released.
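The fusion step described above (recorded TTPs compared against what earlier intrusions showed, with no single source allowed to carry the conclusion) can be sketched as a scoring exercise. The following is an added example written for this article; it is not code from the author, any vendor or any agency, and the cluster profiles, incident records, category weights and thresholds are all constructed placeholders. It also cannot model the human and signals intelligence that real attribution leans on; what it does show is why overlap in one category alone (a shared phishing technique, a copied tool) should be treated as a lead rather than a finding, since that is exactly what a false flag is built to produce.

```python
"""Toy evidence-fusion attribution scorer.

Added example for this article, not code from the author or any agency.
Cluster profiles, incident data, category weights and thresholds are all
constructed placeholders; real attribution is analyst judgement over sources
(HUMINT, SIGINT, prior cases) that cannot be reduced to a script.
"""
from typing import Dict, List, Set, Tuple

Profile = Dict[str, Set[str]]

# Evidence categories are scored separately so that one kind of overlap (for
# example a shared open-source tool or a generic phishing technique) cannot
# drive an attribution on its own. Weights are an assumption of this example:
# bespoke tooling and controlled infrastructure are harder to fake or to share
# by accident than ATT&CK-style technique IDs or working hours.
WEIGHTS = {"ttps": 1.0, "tools": 2.0, "infrastructure": 2.0, "tempo": 1.0}


def hours(start: int, end: int) -> Set[str]:
    """UTC hours in [start, end], wrapping past midnight, as zero-padded strings."""
    if start <= end:
        span = list(range(start, end + 1))
    else:
        span = list(range(start, 24)) + list(range(0, end + 1))
    return {f"{h:02d}" for h in span}


# Constructed profiles of two hypothetical intrusion clusters built from
# earlier cases. Tool hashes are replaced by placeholder labels; addresses use
# documentation ranges (RFC 5737) and reserved domains.
KNOWN_CLUSTERS: Dict[str, Profile] = {
    "Cluster A": {
        "ttps": {"T1566.001", "T1059.001", "T1003.001", "T1021.002"},
        "tools": {"tool:alpha-loader", "tool:alpha-dumper"},
        "infrastructure": {"203.0.113.10", "c2-alpha.example"},
        "tempo": hours(6, 14),
    },
    "Cluster B": {
        "ttps": {"T1566.001", "T1059.001", "T1486", "T1105"},
        "tools": {"tool:beta-locker"},
        "infrastructure": {"198.51.100.7"},
        "tempo": hours(20, 3),
    },
}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Overlap between two evidence sets; 0.0 when there is nothing to compare."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def score_against(incident: Profile, cluster: Profile) -> Tuple[float, List[str]]:
    """Weighted overlap score in [0, 1] plus the categories that corroborate it."""
    total = 0.0
    corroborating: List[str] = []
    for category, weight in WEIGHTS.items():
        overlap = jaccard(incident.get(category, set()), cluster.get(category, set()))
        if overlap > 0:
            corroborating.append(category)
        total += weight * overlap
    return total / sum(WEIGHTS.values()), corroborating


def attribute(incident: Profile, clusters: Dict[str, Profile],
              min_score: float = 0.25, min_categories: int = 2) -> dict:
    """Rank known clusters; attribute only when the best match clears both gates.

    The category gate is the important one: a score carried by a single
    category is reported as a lead, not a finding, because copied tooling or
    planted strings are exactly what a false flag is designed to supply.
    """
    ranked = []
    for name, profile in clusters.items():
        score, categories = score_against(incident, profile)
        ranked.append((score, name, categories))
    ranked.sort(key=lambda r: r[0], reverse=True)
    best_score, best_name, best_cats = ranked[0]
    attributed = best_score >= min_score and len(best_cats) >= min_categories
    return {
        "verdict": best_name if attributed else "unattributed",
        "candidate": best_name,
        "score": round(best_score, 3),
        "corroborating": best_cats,
    }


# Constructed incident records, as an EDR timeline and network logs might yield them.
INCIDENT_STRONG: Profile = {  # reused dumper, reused C2 host, same working shift
    "ttps": {"T1566.001", "T1059.001", "T1003.001"},
    "tools": {"tool:alpha-dumper"},
    "infrastructure": {"203.0.113.10", "198.51.100.99"},
    "tempo": {"07", "08", "09"},
}
INCIDENT_WEAK: Profile = {  # only generic phishing and PowerShell in common
    "ttps": {"T1566.001", "T1059.001"},
    "tools": {"tool:unknown"},
    "infrastructure": {"192.0.2.5"},
    "tempo": {"18"},
}

if __name__ == "__main__":
    for label, incident in (("strong", INCIDENT_STRONG), ("weak", INCIDENT_WEAK)):
        print(label, attribute(incident, KNOWN_CLUSTERS))
```

The strong incident is attributed to Cluster A because four independent categories agree; the weak one stays unattributed even though it shares two techniques with both clusters, which is the point the article makes about consensus across sources before a conclusion is drawn.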
Yes, cyber attribution requires trust. It requires us to trust the folks who worked the breach and the agents and people involved in the investigation. Ultimately, this requires trust in our leaders.
If we accept cyber-investigation data for criminal prosecution then we must also accept the same methods when it comes to nation-state attribution.
Yes, it’s dangerous to attribute things incorrectly but that’s why multiple groups and agencies weigh in before a conclusion is drawn. We have to trust in the findings and start hardening ourselves against these types of attack rather than arguing about the results.
Everyone needs to be better educated on the methods used to attribute attacks so we can quickly and decisively react in the future. This isn’t going away and we better start to act to restore trust in our system.
We are on the clock. We’ve got two (and four) years to make progress on this. Let’s stop arguing and start securing.