The idea of attribution has been on my mind a lot lately – so much so that I’ll talk to the issue twice in the next couple of months, on both sides of the Atlantic (BSidesCharm and X33Fcon). To recap my position and preview my upcoming presentations: the most practical and useful form of attribution in operational network defense focuses on ‘how’ and not ‘who’. Essentially: defenders are best served by identifying a set of behaviors or actions and grouping these into overarching ‘activity groups’ as a means to organize intrusion events and relevant data.
This approach completely ignores what entity is – or may be – responsible for a given event, and focuses instead solely on how that entity acted in carrying out an intrusion. The benefits to defenders include: a laser-like focus on adversary actions (and their most-likely prerequisites and follow-on actions); avoiding potential cognitive bias in targeting and activity; and concentrating attention on methods of operation (which could be shared or emulated by multiple adversaries) to create more robust defense.
Today at TROOPERS18, I think I heard what is the most robust counter-argument to my approach in Mara Tam’s presentation. Her argument begins with a potentially provocative premise: that security companies are intellectually lazy, in going just far enough in attribution to fingerprint a country, taking the ‘marketing bump’ that comes with such a pronouncement, and going no further. The result is the mishmash of names, attribution statements, and other actions where we confuse our Bears, assign everything to ‘LAZARUS’, or just blame the Iranians when all else fails. (This last bit is my addition.)
But more importantly, Mara emphasizes the role of targeting and an organization’s potential threat environment as critical reasons why attribution – and more importantly, fine-grained, detailed attribution – is vital to crafting effective network defense. Specifically, it is important to know not only that your organization is a potential target for some entity, but it is also vital to determine what the likely intentions of such an adversary would be. The differences in terms of impact and effect of intellectual property theft, cyber-fueled ‘bank robbery’, and destructive or disruptive attacks are quite significant, and in most cases not only align to different nation-states, but different groups active within those nation-states.
Lastly, the information security environment at present, especially with respect to non-government activity, places a premium on industry pronouncements over government proclamations. One need only look at the derision that met the (original) GRIZZLY STEPPE report for an example of how sceptical network defenders are of government notices. Meanwhile, statements on Fancy Bears and APT numbers are treated with reverence and often accepted with little questioning. Thus, when industry does a bad or suboptimal job in attribution, the security environment suffers.
I think these are powerful arguments that require attention and merit some introspection. But – I also think Mara’s position and my own are not necessarily in conflict with each other, so much as perhaps talking past each other. Notably, I accept all of her points with one very important exception: the importance of traditional attribution as a means of orienting defense. I will not go much further into this specific item at present, other than to say a ‘tactics, techniques, and procedures’ (TTP) approach focused exclusively on adversary behaviors – with no regard for adversary identity – should, if properly executed, provide sufficient information to gauge the threat environment. It is painfully hard, if not impossible, to determine whether some entity will decide that you are a worthy target, but knowledge of your own network and organization should be sufficient to determine whether you are at risk of intellectual property theft, or are a likely victim of monetizing attacks. This evaluation should then prove more than sufficient for orienting defense against types of attack, even if their perpetrators are unknown or simply not factored in.
Moving away from this point of contention for now, I think Mara’s point comes down to confusion with respect to attribution and how it is performed within the information security industry. Specifically, the current operating environment supports the following conclusion: information security companies possess sufficient data to cover how an intrusion took place, but insufficient data to definitively assign who is responsible. However, marketing (and human nature) demands assignment of responsibility, so organizations take data sufficient for one type of conclusion (‘how’ something happened) to make a completely different statement (‘who’ is responsible). The result plays right into Mara’s justified criticism of the industry: organizations leverage what information they have at hand to make a newsworthy statement of responsibility, but either cannot or will not pursue this further to establish clear, meaningful attribution.
Moving into one of the concerns voiced in the presentation, this incomplete level of attribution presents non-trivial problems: adversaries are in a position where they can subvert or deny claims of responsibility by hiding behind the incompleteness of cited data, or deflect assignment of culpability by citing the supposed uncertainty of network intrusion data. When policymakers attempt to frame the creation of norms and the assignment of blame around industry data, this situation presents numerous problems: the general public discourse surrounding intrusions is founded upon less than ideal data; adversaries are presented with ample opportunities to deflect responsibility; and the arduous process of trying to establish norms within the ‘cyber’ environment is harmed.
My response to this may seem flippant, but I feel it is quite serious: analysts and defenders should focus on what they know, and not attempt to make proclamations on what they don’t. This goes back to my ‘who’ versus ‘how’ discussion: generally, analysts and researchers will have ample information to make sound judgments on ‘how’ an event took place – but seldom will they have such complete information that private sector organizations can make definitive, supportable claims as to ‘who’ is responsible. The latter might appear achievable under closer scrutiny, until one realizes that the data required – notably information centered on the victim and their identity – is likely covered by NDA or other agreements, and thus neither available nor suitable for public consumption.
Some may argue that this position is a ‘cop out’ – avoiding responsibility for something simply because it is hard. I would push back on this by saying, we – as a security community – should focus on where we are most and best able to provide value. The ‘all source’, complete information position necessary to successfully assign responsibility to a specific entity or organization simply lies outside the competency of private security companies. These entities will likely possess more or even better data than governments to determine the specifics of an intrusion event, but lack the all-source, multiple-discipline data collection to make meaningful statements – without significant inference or assumption – as to who might be responsible. The ‘church of SIGINT’ may have many failings as a final arbiter of decisions and judgment, but in this specific field of cyber attribution SIGINT still has much to offer.
This leads to one final point that really struck me from Mara’s presentation: that information security companies are driving much of the narrative with respect to cyber operations through current attribution statements, and thus have a duty to ‘do better’. In one respect, I strongly disagree that private firms have this responsibility – until realizing that many such entities have willingly put themselves in the conversation due to a misguided quest to gain mindshare by making statements such as ‘Country X is responsible for Event Y’. The solution – insofar as one exists – to this set of circumstances is simple and reflects what has already been written: information security companies should stick to what they know, and not attempt to make proclamations where their knowledge and data fall short. Data points such as activity time analysis (such-and-such entity was only active during ‘working hours’ for such-and-such country) or language information may make for good and provocative reports, but seldom mean much in practice: from my own experience, in my Navy days I worked when the target was active and not my own hours (my wife can attest to this and how much of a pain in the ass this is), while most of the technical world operates in some level of English, so language is seldom a smoking gun.
If there’s any sort of conclusion to be reached from the discussion thus far, based on this last paragraph perhaps it is this: definitive attribution is something that the private sector should leave alone, and is not best-placed to perform. Instead, such statements can and should be the purview of governments. But to make this effective and meaningful, public-sector entities will need to work harder to gain (or regain) the trust of the private sector by ensuring items such as the original GRIZZLY STEPPE report never happen again, while also working to muster as much hard data as possible to support public conclusions. This may cause many in government circles to vomit in their mouths at the mere prospect of hinting at ‘sources and methods’ – but in a community firmly grounded on data and evidence, such a step is a prerequisite toward being taken seriously.
The private sector will never – except in isolated cases – have the ‘complete picture’ to truly perform ‘who’-focused attribution. If this form of attribution is important – and I think it is, just not for day-to-day defensive operations – then others will need to step up to fill this void. The only entity remotely capable of doing so would be other nation-states – and the only way for them to do so successfully will be to divulge sufficient information to support claims of responsibility. This may seem a sea-change in operations for those used to protecting and obfuscating as much as possible sources of information, but will be necessary if public-sector bodies ever hope to gain the trust and support of private sector entities in their proclamations. Meanwhile, private security companies should focus on what they do best: securing their customers, and not attempting to play a part in the game of nation-state attribution.