
Often I see people (who should know better) knocking out the occasional article on something ‘cyber war’ related on the sites I frequent, such as Infosec Island. Many of them expect (or want) a game of hack and retribution, but things don’t work like that in real life. There must be a high level of certainty that an accused party was behind a given attack before acting on that information; otherwise the risk is of legitimising ‘offensive security’ methods that irritate random people and potentially cause a lot of damage. Offensive security will open up a Pandora’s Box.
Personally, I believe the emergence of this ‘keyboard warrior’ thing is a sign that we’re losing the capacity to innovate and be creative, but that’s just my opinion. Yes, I can break into networks, but so could anyone after a crash course with the right tools. Anyone could trawl through a handful of sites and come up with a half-decent ISPD. It’s the highly talented hackers who create the networks and platforms like WordPress I’m envious of.

But this post is about attribution. Attribution, meaning identifying the origin and perpetrators of a given attack on a network, is actually difficult, partly because of the way Internet routing works, and largely because any reasonably skilled attacker would mask their identity. An advanced threat may even impersonate another known threat, just to muddy the pond further. So attribution is definitely not about blaming some entity on the back of an IP address. Rafal Los (who I normally disagree with) has recently done an excellent piece that lays out just how complex the issues can be.

Someone attempted to get around this problem by submitting an RFC over ten years ago for a proposed ICMP Traceback method, which is the most obvious solution. However, nothing seems to have come of it, and there are no suggestions on how it could actually be implemented in practice anyway. Given the legitimate needs for anonymising proxies, it’s unlikely something like that would ever be adopted.

So, attribution relies on what evidence is available on the local network (or even Wide Area Network) that was targeted. In exceptional circumstances, it might be possible to hack into any proxy servers that were identified, or get law enforcement to demand the logs from those servers, but that depends on whether the IP address belonged to a hosting service or home computer that was compromised, what country it’s in, who runs it etc.
The logical step from this is to deploy IDS, logging and monitoring systems on the network, ready to capture the data when it does get targeted. This suggestion forms the bulk of the Institute for Defense Analyses report titled Techniques for Cyber Attack Attribution (Wheeler and Larsen, 2007).

The Importance of Openness and Collaboration
To interpret the evidence/data gathered from a network, some kind of ‘knowledge base’ is required, and this is where open collaboration between people at all levels of the infosec community becomes important. This includes the perspectives of many people who analysed the threats in different ways, and research that’s heavily scrutinised. By the way, my blog does get the odd reader from the three-letter agencies, so I’m kind of relying on people calling BS if I’m way off the mark on something for whatever reason.

Detective Work
There are several possible indicators that could help us to identify the origin of an attack. There might even be a signature of some kind, although that signature might well be replicated by someone covering their tracks. Here are the ones that immediately come to mind:
* Malware analysis
* Commercial awareness and OSINT
* Attack method
* Vectors and any third-party services facilitating the attack
* Assets being targeted
* Timeline of events before, during and after the incident
* Log analysis
* Patterns in access times + timezones
* Availability of the Remote Access Tool

As we can see, attribution becomes a game of looking for clues and piecing together evidence. Detective work, basically. Several things I’ve already posted about here come into play – OSINT, threat assessment, forensics, to name a few. The main obstacle for most organisations doing this would be the wide-ranging skill set required for such an investigation, although I have done this myself occasionally with varying levels of success. With this in mind, whenever some entity is blamed for whatever attack, we should question the thoroughness of the investigation and how that conclusion was arrived at. What documentary evidence is available? This was actually one of the problems I had when trying to find a solid example of a PRC espionage operation for that post earlier last month.
I’ll also add that timeline analysis isn’t necessarily limited to what’s happening on the network. The net could be cast much wider to include anything reliable from the outside world, including whatever threat intelligence might be related to the incident.

The amount of information about the attacker should increase with the complexity of the attack. For example, a typical DDoS will only leave entries in server and perhaps IDS logs, and the addresses will likely be those of other machines the attacker compromised. Although the analyst could probably draw conclusions about the size of the botnet, there’s not much to go on here. One exception was the Machbot used in the Russia/Georgia DDoS, which used malware that was only distributed between specific groups at the time.
On the other hand, a proper network intrusion should leave enough evidence to determine the methods and techniques used, and possibly some malware that could be analysed. As we can see, attribution might only be useful against the more advanced threats.

One thing I’ve previously overlooked, which the Institute for Defense Analyses report suggests, is the use of honeypots. Not only are they useful as decoys, they could be useful for aggregating threat data specific to the network they’re deployed on. On a similar note, dummy files containing spyware could be placed strategically on the network or honeypot, which would later send the attacker’s identity to the target organisation.