I’m not an expert in attribution nor in cyber war, but in light of the recent Sony hack and its “attribution” to North Korea, I did a little research. The article below is a summary of what I found, along with a few thoughts.
The “Laws of War” or the importance of attribution
Attribution of attacks has always been a key element of war. In order for a state to be able to use self-defence measures, it has to attribute an attack directly and conclusively to another state or to agent(s) under that state’s direct control. There are many examples where attackers used different techniques to pretend to be someone else or to mislead the attacked state into believing something. In this context, most attribution is done using HUMINT (Human Intelligence), which makes it (slightly) more reliable.
Cyber attacks are no exception. However, it is much more complicated to make a direct and conclusive attribution following a cyber attack.
The internet was not designed with “attribution” as a core concept. There are many ways to hide your identity and location, to change your behaviour so it matches someone else’s, to use (or pretend to use) someone else’s infrastructure, etc. All those elements make it very difficult to perform attribution in cyberspace.
The problem of attribution of cyber attacks is essentially the problem of deception vs intelligence. Attackers control all the information.
— the grugq (@thegrugq) December 26, 2014
It is also important to note that the parameters used to do attribution are all…in the hands of the attacker! The attacker can “decide” to make attribution easier…or not. This mainly depends on the skills, resources and time available to the attacker. A script kiddie will probably leave far too much evidence behind and be identified quickly. More skilled attackers also make mistakes; Mandiant mentioned this in the APT1 report, as it helped them identify some of the actors.
[…] poor operational security choices, facilitating our research and allowing us to track their activities[…].
Mandiant APT1 report
On the other hand, Stuxnet was quite hard to attribute, until the New York Times attributed it directly to the US.
The technical elements of cyber attribution
In 2010 Richard Bejtlich wrote a post about attribution and 20 attribution characteristics. The post gives a framework that helps characterise an attack. Obviously, attribution cannot be based on a single element. As with war, cyber war cannot be judged on a single element. Those elements have to be put together, compared with each other, and compared against a large number of attacks in order to make sense and to be valuable. My point is that doing attribution in an isolated manner would definitely be a risky business. Governments or major security firms are most probably the best positioned to do it, thanks to their ability to apply a similar framework across a significant number of attacks.
Progress in forensic techniques might lead people to believe that attribution can actually be solved. Like Jeffrey Carr, I do believe that it is much more difficult and complicated than that. Jeffrey recently published a great paper about the topic, and in particular about 4 key challenges.
As I said above, it is difficult to trust technical evidence in the cyber world. To support that point, you can refer to the Tallinn Manual. There are a few interesting rules:
- Rule 7: The mere fact that a cyber operation has been launched or otherwise originates from governmental cyber infrastructure is not sufficient evidence for attributing the operation to that State but is an indication that the State in question is associated with the operation.
- Rule 8: The fact that a cyber operation has been routed via the cyber infrastructure located in a State is not sufficient evidence for attributing the operation to that State.
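To make Bejtlich’s multi-characteristic framework and the two Tallinn rules concrete, here is a small added example; it is not from the original post, from Bejtlich or from the Tallinn Manual. It scores a new incident against a set of previously characterised incident clusters, category by category. The category names, the weights, the 0.4 threshold and the incident profiles (including the AS names and address ranges, which are placeholders) are all assumptions constructed for illustration. What it shows is that a perfect match on origin infrastructure alone yields a low score and a “weak” verdict, while overlap across several independent characteristics does not.

```python
from dataclasses import dataclass

# Characteristic categories and their weights (assumed values for this example).
# Origin infrastructure is weighted low on purpose: it is the easiest element for
# an attacker to fake, borrow or route through a third party, which is why the
# Tallinn Manual treats it as an indication rather than sufficient evidence.
WEIGHTS = {
    "origin_infra": 0.5,  # source ASNs / ranges the traffic came from or through
    "tooling": 2.0,       # malware families, packers, build artefacts
    "ttp": 2.0,           # tradecraft: delivery, lateral movement, exfiltration
    "opsec_slip": 3.0,    # reused handles, working hours, language artefacts
    "targeting": 1.0,     # victim sectors
}


@dataclass
class Incident:
    name: str
    observations: dict  # category -> set of observed values


def weighted_overlap(a: Incident, b: Incident):
    """Weighted Jaccard similarity between two incidents, computed per category.

    Returns (score, categories_with_overlap). Categories absent from both
    incidents are ignored; a category present in only one counts as zero overlap.
    """
    num = den = 0.0
    matched = []
    for cat, weight in WEIGHTS.items():
        sa = a.observations.get(cat, set())
        sb = b.observations.get(cat, set())
        if not sa and not sb:
            continue
        shared = sa & sb
        num += weight * len(shared) / len(sa | sb)
        den += weight
        if shared:
            matched.append(cat)
    return (num / den if den else 0.0), matched


def assess(incident: Incident, known: list, threshold: float = 0.4) -> dict:
    """Rank a new incident against known clusters and qualify the best match.

    A best match resting on a single category, or scoring under the threshold,
    is reported as "weak" no matter how perfect that one category's overlap is.
    """
    best_name, best_score, best_cats = None, 0.0, []
    for k in known:
        score, cats = weighted_overlap(incident, k)
        if score > best_score:
            best_name, best_score, best_cats = k.name, score, cats
    if best_name is None:
        verdict = "no-match"
    elif len(best_cats) < 2 or best_score < threshold:
        verdict = "weak"
    else:
        verdict = "consistent"
    return {"candidate": best_name, "score": round(best_score, 3),
            "categories": best_cats, "verdict": verdict}


# Constructed sample data: two previously characterised clusters and two new
# incidents. Names, ASNs and ranges are placeholders (RFC 5737 documentation
# prefixes), not real indicators.
KNOWN = [
    Incident("cluster-alpha-2013", {
        "origin_infra": {"AS-X", "203.0.113.0/24"},
        "tooling": {"dropper-A", "rat-B"},
        "ttp": {"spearphish-doc", "wmi-lateral", "ftp-exfil"},
        "opsec_slip": {"handle-foo", "utc+8-working-hours"},
        "targeting": {"defense", "aerospace"},
    }),
    Incident("cluster-beta-2014", {
        "origin_infra": {"AS-Y", "198.51.100.0/24"},
        "tooling": {"wiper-C"},
        "ttp": {"stolen-creds", "smb-lateral", "https-exfil"},
        "opsec_slip": {"korean-locale-strings"},
        "targeting": {"media"},
    }),
]

# Same source infrastructure as cluster alpha, nothing else in common.
NEW_INFRA_ONLY = Incident("incident-1", {
    "origin_infra": {"AS-X", "203.0.113.0/24"},
    "tooling": {"rat-Z"},
    "ttp": {"rdp-lateral"},
    "targeting": {"retail"},
})

# Different infrastructure, but tooling, tradecraft and an opsec slip overlap
# with cluster beta.
NEW_MULTI = Incident("incident-2", {
    "origin_infra": {"AS-Q"},
    "tooling": {"wiper-C"},
    "ttp": {"stolen-creds", "smb-lateral"},
    "opsec_slip": {"korean-locale-strings"},
    "targeting": {"media", "entertainment"},
})

if __name__ == "__main__":
    for inc in (NEW_INFRA_ONLY, NEW_MULTI):
        print(inc.name, assess(inc, KNOWN))
```

Run as a script, incident-1 is matched to cluster alpha on origin infrastructure only and comes out as “weak” (score about 0.06), while incident-2 is matched to cluster beta across four categories and comes out as “consistent” (score about 0.80). The weights encode the judgement the post argues for: evidence the attacker can cheaply manufacture (where the traffic came from) should move the needle far less than evidence that is costly to fake consistently across many operations (tooling, tradecraft, operational-security slips), and no single category should be enough on its own.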
This leads to the question of responsibility. If an attack cannot be traced to its source with accuracy, there might be a way to identify who is responsible for it.
Responsibility for a cyber attack
Back in 2012 (already) Jason Healey from the Atlantic Council wrote a great paper: Beyond Attribution: Seeking National Responsibility for Cyber Attacks. In this paper Jason Healey provides a list of 10 different responsibilities a state can have in a cyber attack. This list is very insightful and can actually be used to shed some light on the FBI statement about the Sony hack. Richard Bejtlich posted something about it recently.
- Attribution is no easy task and it cannot be done based on isolated technical evidence
- Progress in forensic techniques and other technology doesn’t solve the issue of attribution
- Do remember that attackers control all the information
- Attribution is required for a state to defend itself
- It might be more “accurate” to speak about responsibility for an attack rather than trying to identify a particular group or individual
- A cyber attack can be carried out by (more or less) anybody; no need to be a “super” hacker to do it