Published on February 22, 2019
By Igor Baikalov, chief scientist at Securonix
Read this article on SC Magazine UK
The Internet favours anonymity by design. Despite being an obvious boon to cybercriminals and terrorists, anonymity has long been touted to be a worthy price to pay for supporting the foundations of democracy: privacy and free speech. This belief has been shattered in recent years by the propagation of fake news-fuelled Infowars and mass affordability of deep fake generators, and so we are stuck with anonymity at its worst. As a result, attribution, despite all its shortcomings, remains the only way to identify and prosecute attackers.
Today, there are a wide variety of malicious actors to choose from: nation-states, criminals, terrorists, hacktivists, script kiddies, and let’s not forget insiders. They differ in their capabilities, methods, persistence and, most of all, their goals. Knowing “Who” attacked you can indicate potential objectives, or “What” they were after; methods of infiltration, or “How” they conducted the attack; and even “Where” to find points of compromise and covert communication channels.
Any entity that wants to survive in the current threat environment, from a small business to an all-powerful nation-state, has to care about attack attribution for an efficient incident response. You need to know “How” to close the gaps and strengthen your defences; “What” to attempt to recover your assets and mount effective damage control; “Where” to restore your environment to a secure operational state. And, if you can afford it, you might even want to go back to “Who” to punish the perpetrator with a counteroffensive.
Challenges with attributing cyber attacks
Attribution was traditionally based on the indicators of compromise (IOCs) discovered during forensic analysis. Typical IOCs would be malware file hashes, virus signatures, domain names and IP addresses of command and control (C&C) servers. IOCs would then be matched to Tactics, Techniques and Procedures (TTPs) of known threat actors. As defences evolved, attackers learned and upped their game too: code obfuscation, polymorphic designs, fileless malware, dynamic attack infrastructure and traffic blending made static IOCs pretty much useless.
Defenders now have to rely on TTPs built on behavioural models and on any leftover clues, such as language indicators in the compiled code, the time zone of file modification timestamps, or an accidental access to C&C infrastructure from an IP address that can be tied to the actual attacker. The situation is further complicated by attackers mimicking other bad actors, either to deflect blame or to hide their own intelligence efforts, or deliberately mounting false flag operations to hurt a competing adversary.
Other problems investigators face when trying to attribute cyberattacks are detection latency and lack of visibility. While massive DDoS attacks are hard to miss, data breaches or low-and-slow APT attacks can go undetected for months, which leaves plenty of time to dispose of assets, scramble attack infrastructure and erase any evidence of the intrusion.
Very few organisations have advanced monitoring capabilities to detect elaborate attacks in time, and even fewer have an incident response programme agile enough to catch a fleeing attacker. Low visibility is mainly due to gaps in monitoring, insufficient logging, deliberately purged logs, or too frequent log rotation – the latter exacerbated by the detection latency.
Even when researchers find sufficient breadcrumbs to lead to the likely origins of the attack, they might point to more than one entity, either because the attacker borrowed some components from other actors, or because multiple attacks by different actors overlapped on the target.
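The matching the two sections above describe (forensic IOCs and behavioural TTPs compared against known actor profiles) can be sketched as a scoring routine that also handles the ambiguity problem just raised. The following is an added example, not code from the article or from Securonix: actor names, indicators, the observed evidence and the category weights are all constructed assumptions. It down-weights an indicator shared by several profiles (a borrowed component) and flags an attribution as ambiguous when the top two candidates score too close together, rather than forcing a single answer.

```python
"""Rank candidate threat actors from observed indicators and TTPs.

Added worked example (not from the article). All actor profiles,
indicators and weights below are constructed sample data.
"""
from collections import defaultdict

# Assumption: behavioural TTPs and build artefacts (time zone, language
# strings) are harder to change than a hash or a domain, so one match in
# those categories counts for more than one static IOC match.
WEIGHTS = {
    "hashes": 1.0,
    "domains": 1.0,
    "ttps": 3.0,
    "build_timezone": 2.0,
    "language_ids": 2.0,
}

# Constructed profiles for three hypothetical actors. The dropper hash
# "deadbeef01" and the "powershell-stager" TTP deliberately appear in two
# profiles, modelling a component borrowed from another actor.
ACTOR_PROFILES = {
    "ACTOR-A": {
        "hashes": {"deadbeef01", "a1a1a1a1a1"},
        "domains": {"cdn-sync.example"},
        "ttps": {"spearphish-attachment", "powershell-stager", "dns-tunnel"},
        "build_timezone": {"UTC+3"},
        "language_ids": {"ru"},
    },
    "ACTOR-B": {
        "hashes": {"deadbeef01", "b2b2b2b2b2"},
        "domains": {"status-ping.example"},
        "ttps": {"watering-hole", "powershell-stager", "smb-lateral"},
        "build_timezone": {"UTC+8"},
        "language_ids": {"zh"},
    },
    "ACTOR-C": {
        "hashes": {"c3c3c3c3c3"},
        "domains": {"fonts-cache.example"},
        "ttps": {"credential-stuffing", "web-shell"},
        "build_timezone": {"UTC-5"},
        "language_ids": {"en"},
    },
}


def indicator_prevalence(profiles):
    """Count how many profiles contain each (category, indicator) pair.

    An indicator present in several profiles is weak evidence for any one
    of them, so its weight is later divided by this count.
    """
    prevalence = defaultdict(int)
    for profile in profiles.values():
        for category, values in profile.items():
            for value in values:
                prevalence[(category, value)] += 1
    return prevalence


def score_actors(observed, profiles=ACTOR_PROFILES, weights=WEIGHTS):
    """Return {actor: (score, sorted list of matched (category, indicator))}."""
    prevalence = indicator_prevalence(profiles)
    results = {}
    for actor, profile in profiles.items():
        score, matched = 0.0, []
        for category, values in observed.items():
            for value in values & profile.get(category, set()):
                score += weights.get(category, 1.0) / prevalence[(category, value)]
                matched.append((category, value))
        results[actor] = (round(score, 2), sorted(matched))
    return results


def rank_candidates(observed, min_score=1.0, ambiguity_margin=1.5, **kwargs):
    """Rank actors by score and report whether the attribution is ambiguous.

    Returns (ranked, ambiguous): ranked is a list of (actor, score) with
    score >= min_score, best first; ambiguous is True when the two leading
    candidates are within ambiguity_margin of each other, i.e. the evidence
    points at more than one entity and should not be treated as settled.
    """
    scored = score_actors(observed, **kwargs)
    ranked = sorted(
        ((actor, s) for actor, (s, _) in scored.items() if s >= min_score),
        key=lambda item: item[1],
        reverse=True,
    )
    ambiguous = len(ranked) >= 2 and (ranked[0][1] - ranked[1][1]) < ambiguity_margin
    return ranked, ambiguous


# Constructed evidence from a hypothetical forensic investigation.
OBSERVED = {
    "hashes": {"deadbeef01"},
    "domains": {"cdn-sync.example"},
    "ttps": {"powershell-stager", "dns-tunnel"},
    "build_timezone": {"UTC+3"},
    "language_ids": set(),
}

# Constructed evidence consisting only of the shared (borrowed) components.
OBSERVED_SHARED_ONLY = {"hashes": {"deadbeef01"}, "ttps": {"powershell-stager"}}

if __name__ == "__main__":
    for evidence in (OBSERVED, OBSERVED_SHARED_ONLY):
        ranked, ambiguous = rank_candidates(evidence)
        print(ranked, "ambiguous" if ambiguous else "single leading candidate")
```

With the first evidence set ACTOR-A scores 8.0 against ACTOR-B's 2.0, so the ranking is clear; with only the borrowed hash and TTP both actors score 2.0 and the routine reports an ambiguous result, which is the cue for an analyst to look for further evidence instead of publishing an attribution.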
The dangers of rushing
Besides plain embarrassment, the obvious danger of misattribution is prosecuting the wrong actor for crimes it didn’t commit, even when that actor is known for misbehaving. The other problem with rushed attribution is that it might result in the disclosure of some of the evidence or attribution methods, which would give the actual attacker an opportunity to obscure their own trail. Rushed attribution might also miss the actual target of the attack: a website defacement might actually be cover for creating a covert remote access channel on the web server for further exploitation, or a DDoS attack overwhelming system defences might be used to conceal the data exfiltration process.
AI – A counteroffensive mechanism?
Artificial Intelligence (AI), and specifically Machine Learning, has the potential to improve the accuracy of attribution by analysing significantly higher numbers of attack indicators and discovering patterns unseen by human analysts. This ability comes at the cost of developing and collecting such indicators on a massive scale across multiple targets. Its success also depends on the success of the prior attributions that are required to train the system. Considering that in the end the attribution is still not 100% reliable, even the largest and most security-conscious enterprises might find the task of implementing AI attribution technologies too challenging and not cost effective.
In addition, this would be just the first step in the process – one still must mount an effective offensive that minimises collateral damage due to imprecise attribution. The offensive response would have to operate at computer speed to hit the attacking nodes before they are scrambled by dynamic addressing schemes. Therefore, the process must be automated.
While even large enterprises might not have enough visibility and resources to implement an effective offensive response, cloud platform providers do have the scale and capabilities. Consolidating cloud-wide data with application-specific data from their customers and integrating with modern AI-driven security analytics tools might just get the attribution accuracy to the point where an effective offensive can be launched against high-confidence targets. The public sector can aid in this process by consolidating attack indicators across major players and augmenting them with human, signals and open source intelligence for improved attribution. The most important role for the government would be to conduct the offensive response, to shield private companies from legal and political repercussions, and to centrally coordinate a broad range of offensive actions, from cyber to diplomatic to economic sanctions.
If you want to survive in the current threat environment, attack attribution should be a top priority. Knowing who attacked you provides insight into why you were targeted and what the attackers were after, and you can then use this knowledge to improve your defences and prevent future attacks.