From ODNI article – Cyber Attribution Using Unclassified Data (2017)

I have been thinking a lot lately about the accuracy of cyber attack attribution. Most cyber forensic analysts and threat intelligence specialists will tell you that cyber attack attribution done right is a laborious, time-consuming process that is often fraught with multiple dead ends and sometimes requires a leap of faith in the end. The complexity of reliable attribution is increased by an attacker’s ability to route attacks through compromised systems, anonymized networks, proxy servers and various jurisdictional boundaries. Despite these complexities, cyber attribution [and threat intelligence] is definitely a fruitful field of endeavor as it seems that the list of threat intelligence companies keeps growing – it definitely appears to be a competitive area with each player racing to announce how they discovered the next big hack and how they uncovered whodunit [and therefore have naming rights for the moniker of the attacker]. These companies use sophisticated forensic tools, logging tools, search tools, attack databases,and intelligent deception technology. They leverage the extensive knowledge provided by expert cyber target analysts, threat hunters, and penetration testers to ferret out attack details and explore artifacts, such as attack timelines, attacker’s “bread crumbs,” TTPs, mitigations, and clean-up requirements. They also employ legions of language analysts, cyber data analysts, and legal analysts to mine attack surface data, and to research several echelons of the dark web to identify attack targets and methods, and possibly identify the attacker(s). But are all these resources and results really enough to have a high confidence of cyber attribution given the sophistication of today’s hackers – especially nation-state hackers? 
Given the fact that cyber attack tools and malware are readily shared, bought and sold on the dark web [even “lost or stolen” nation state tools end up there], and that all nation states appear to have an ample supply of zero days and bots, it seems to me that the high probability of false flags makes determining “whodunit” as much guesswork as hard work. It is generally acknowledged that cyber attack attribution is difficult, to say the least, and I believe, as supported by current literature, that it is getting even harder to distinguish false flags especially when the context by which an attack is not clear.

For example, according to Digital Shadows, a threat intelligence company: “Individual attacker TTPs are also becoming harder to distinguish, with the use of ‘off the shelf malware’ and other tools becoming more widespread, and more difficult to attribute to distinct threat actors and groups. The technical threshold between cybercriminal groups and nation state actors is also getting closer. The initial actors behind another supply chain attack affecting software provider Accellion, which involved the chaining of 4 zero-day vulnerabilities, were thought to have been FIN11, a cybercriminal group with ties into the Clop ransomware variant. The identification, exploitation, and chaining of 3 distinct bugs is no mean feat, and from my perspective I don’t think I’d seen a cybercriminal group conduct an attack using such sophistication and initiative before.”

Digital Shadows goes on to say: “Russian attackers have even been observed hijacking infrastructure used by Iranian state sponsored groups.” In June 2019, U.S. cybersecurity firm Symantec published their findings that as early as November 2017 the APT Turla (Russia) compromised the command and control infrastructure owned by APT34 (Islamic Republic). Afterwards, Turla employed this APT34 command and control infrastructure to drop their own malware on victim systems that had already been infected with APT34 malware. This was likely done to piggyback on the Iranian group’s cyber espionage campaign and to attack government and industry organizations, all while masquerading as attackers from the Islamic Republic. This highlights the complexity of providing a confident attribution for individual attacks, given that attackers clearly give precedence to covering their tracks.

So what is context? Context represents the socio-economic, political, technological, and military events of the day that may motivate and enable an attacker. Generally, when context is applied to a specific region of the world, the accuracy of a particular attribution may increase, but it doesn’t have to given the global reach of the Internet. For example, it is equally probable for an attack to be directed at the United States as towards NATO countries during the Ukraine war. However, it is probably more likely that a cyber attack against Ukraine can be attributed to Russia than another country for the same period of time during the war [context].

From Gartner blog – How to make Russian Hacker Attribution useful to Active Defense

Context can also have a technical side, entailing different clues that may reveal something about an attacker. For example, drawing from a sample of nearly 1,500 campaigns tracked by FireEye®, a FireEye paper describes the following facets of malware attacks and what they often reveal about the culprits:

  • Keyboard Layout. Hidden in phishing attempts is information about the attacker’s choice of keyboard, which varies by language and region.
  • Malware Metadata. Malware source code contains technical details that suggest the attacker’s language, location, and ties to other campaigns.
  • Embedded Fonts. The fonts used in phishing emails point to the origin of the attack. This is true even when the fonts are not normally used in the attacker’s native language.
  • DNS Registration. Domains used in attacks pinpoint the attacker’s location. Duplicate registration information can tie multiple domains to a common culprit.
  • Language. Language artifacts embedded in malware often point to the attacker’s country of origin. And common language mistakes in phishing emails can sometimes be reverse-engineered to determine the writer’s native language.
  • Remote Administration Tool Configuration. Popular malware-creation tools include a bevy of configuration options. These options are often unique to the attacker using the tool, allowing researchers to tie disparate attacks to a common threat actor.
  • Behavior. Behavioral patterns such as methods and targets give away some of the attacker’s methods and motives.
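The facets above are individually weak signals; what an analyst actually does with them is check whether they agree. The following is an added example (not from the FireEye paper or from this post) that cross-checks a few of the listed facets over constructed sample artifacts: PE resource language IDs (the malware-metadata facet), mail charsets and embedded fonts (the language and font facets), and compile-time hour-of-day clustering (the behavior facet). The region lookup tables are deliberately tiny and illustrative, the working-hours window is an assumption, and any region that dissents from the leading one is surfaced rather than averaged away, since disagreement is exactly where shared tooling or a false flag would show up.

```python
"""
Cross-check of technical-context facets over constructed sample artifacts.
Added example; the lookup tables are small illustrations, not production data.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Windows language identifiers (LCIDs) as found in a PE version resource.
# These four values are the standard Microsoft assignments.
PE_LANG_REGION = {0x0409: "US", 0x0419: "RU", 0x0804: "CN", 0x0412: "KR"}

# MIME charsets seen in mail bodies; None means no regional signal.
CHARSET_REGION = {"koi8-r": "RU", "windows-1251": "RU", "gb2312": "CN",
                  "gbk": "CN", "euc-kr": "KR", "utf-8": None, "us-ascii": None}

# Fonts that ship as defaults with a particular Windows locale.
FONT_REGION = {"simsun": "CN", "microsoft yahei": "CN",
               "batang": "KR", "gulim": "KR", "malgun gothic": "KR"}

WORK_START, WORK_END = 9, 17   # assumed local working hours, inclusive


@dataclass
class Artifacts:
    pe_lang_ids: List[int]        # version-resource language IDs of dropped binaries
    mail_charsets: List[str]      # Content-Type charset of the phishing mails
    embedded_fonts: List[str]     # fonts embedded in the lure mails / documents
    compile_hours_utc: List[int]  # hour-of-day (0-23, UTC) of PE compile timestamps


def facet_votes(a: Artifacts) -> Dict[str, Counter]:
    """Map each facet's artifacts to region hints; unknown values cast no vote."""
    votes = {"pe_metadata": Counter(), "mail_charset": Counter(), "fonts": Counter()}
    for lang_id in a.pe_lang_ids:
        region = PE_LANG_REGION.get(lang_id)
        if region:
            votes["pe_metadata"][region] += 1
    for charset in a.mail_charsets:
        region = CHARSET_REGION.get(charset.lower())
        if region:
            votes["mail_charset"][region] += 1
    for font in a.embedded_fonts:
        region = FONT_REGION.get(font.lower())
        if region:
            votes["fonts"][region] += 1
    return votes


def best_utc_offset(hours_utc: List[int]) -> Optional[int]:
    """Whole-hour UTC offset that places the most compile times inside the
    assumed working window. Ties resolve to the smallest offset."""
    if not hours_utc:
        return None

    def in_window(offset: int) -> int:
        return sum(WORK_START <= (h + offset) % 24 <= WORK_END for h in hours_utc)

    return max(range(-12, 15), key=in_window)


def assess(a: Artifacts) -> dict:
    """Combine the facets and list every region that dissents from the leader;
    dissent may mean reused tooling or a deliberate false flag, not a second actor."""
    votes = facet_votes(a)
    total: Counter = Counter()
    for facet in votes.values():
        total.update(facet)
    leading = total.most_common(1)[0][0] if total else None
    dissenting = sorted(region for region in total if region != leading)
    return {
        "votes": {facet: dict(c) for facet, c in votes.items()},
        "leading_region": leading,
        "dissenting_regions": dissenting,
        "likely_utc_offset": best_utc_offset(a.compile_hours_utc),
    }


# Constructed sample: most indicators agree, one PE resource language dissents.
SAMPLE = Artifacts(
    pe_lang_ids=[0x0804, 0x0804, 0x0409],
    mail_charsets=["gb2312", "utf-8"],
    embedded_fonts=["SimSun", "Times New Roman"],
    compile_hours_utc=[1, 2, 3, 5, 6, 7, 8, 9],
)

if __name__ == "__main__":
    print(assess(SAMPLE))
```

On the constructed sample the charset, fonts and two of three binaries point one way and the compile times fit a single UTC+8 working day, while one binary carries a US-English resource; the function reports that dissent instead of hiding it, which is the behaviour an analyst wants when the page’s false-flag concern is in play.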

The importance of context raises the question of why attribution matters at all. According to Tran’s journal article, The Law of Attribution: Rules for Attributing the Source of a Cyber-Attack, it forms the foundation for formulating an acceptable legal response, whether that be military action, hack back, economic sanctions, legal action or diplomatic action. The importance of attribution is also pointed out in Clark and Landau’s Harvard Journal article “Untangling Attribution,” which states: “Attribution is central to deterrence, the idea that one can dissuade attackers from acting through fear of some sort of retaliation. Retaliation requires knowing with full certainty who the attackers are.” The article goes on to say “[…] is complicated by how multi-stage attacks, which most modern cyber-attacks are, make it near-impossible to assert any reliable attribution. […]” Cyber insurance may also require attribution, as policies often contain “nation-state” clauses that may deny payment. The insurance industry is a key advocate of legislation to make ransomware payments illegal, in order to stem the rising tide of ransomware payments made through cyber insurance policies.

Tran also makes another key observation in his article – “Second, because attribution frequently relies on technical evidence, and evidence is often acquired through espionage or other covert intelligence gathering, …” So are HUMINT, SIGINT, IMINT, COMINT, MASINT and other forms of espionage the way that high confidence attribution is really obtained? Does attribution really come down to having spies on the inside of the Dark Web, or at a nation state that is conducting cyber attacks, or by surveilling wide swaths of the Internet and the electromagnetic spectrum? Does attribution really rely on governmental sources and methods to decide? How significant are the government’s capabilities for cyber attribution?

In 2015, the DOD Cyber Strategy stated, “Attribution is a fundamental part of an effective cyber deterrence strategy as anonymity enables malicious cyber activity by state and non-state groups. On matters of intelligence, attribution, and warning, DOD and the intelligence community have invested significantly in all source collection, analysis, and dissemination capabilities, all of which reduce the anonymity of state and non-state actor activity in cyberspace. Intelligence and attribution capabilities help to unmask an actor’s cyber persona, identify the attack’s point of origin, and determine tactics, techniques, and procedures. Attribution enables the Defense Department or other agencies to conduct response and denial operations against an incoming cyberattack.”

In April 2016, DARPA announced a solicitation for proposals related to enhanced attribution. The announced program aims to make currently opaque malicious cyber adversary actions and individual cyber operator attribution transparent by providing high-fidelity visibility into all aspects of malicious cyber operator actions and to increase the government’s ability to publicly reveal the actions of individual malicious cyber operators without damaging sources and methods. The program will develop techniques and tools for generating operationally and tactically relevant information about multiple concurrent independent malicious cyber campaigns, each involving several operators, and the means to share such information with any of a number of interested parties (e.g., as part of a response option). The program seeks to develop:

  • technologies to extract behavioral and physical biometrics from a range of devices and vantage points to consistently identify virtual personas and individual malicious cyber operators over time and across different endpoint devices and C2 infrastructures
  • techniques to decompose the software tools and actions of malicious cyber operators into semantically rich and compressed knowledge representations
  • scalable techniques to fuse, manage, and project such ground-truth information over time, toward developing a full historical and current picture of malicious activity
  • algorithms for developing predictive behavioral profiles within the context of cyber campaigns
  • technologies for validating and perhaps enriching this knowledge base with other sources of data, including public and commercial sources of information.

Source: Broad Agency Announcement on Enhanced Attribution, DARPA-BAA-16-34, April 22, 2016

So it seems likely that governmental agencies have some significant capabilities to provide high confidence attribution. However, in 2016 the ODNI Chief General Clapper lowered confidence expectations when he testified – “However, improving offensive tradecraft, the use of proxies, and the creation of cover organizations will hinder timely, high-confidence attribution of responsibility for state-sponsored cyber operations.” Is this just a downplay of the capabilities for tradecraft purposes? Or is this statement really reflective of the ongoing yin and yang of attribution regarding cyber operations? What is also interesting is that the DoD Cyber Strategy updated in 2018 did not mention attribution but instead focused on “defending forward.” This concept includes offensive and defensive operations that are conducted outside DoD networks and below the threshold of armed conflict. I suppose that high confidence attribution would be essential to “defend forward” if DoD is to stay within international legal boundaries for cyber warfare. As spelled out by Challenges of Cyber Attribution by S. Freeman, “Suitable retaliation for a cyberattack is based on the premise that the perpetrator of a cyberattack can be identified, and that this identification will take place in a timely manner. Without the proper attribution (i.e., high confidence and timely assessments), accountability within the international space cannot be guaranteed.”

Attribution has become a heated partisan topic especially over the last few years, such as the controversies surrounding the DNC hack. For example, cybersecurity expert Bruce Schneier lamented in a blog back in 2017 – “…what constitutes sufficient evidence to attribute an attack in cyberspace? The answer is both complicated and inherently tied up in political considerations.” How might the current political state affect attribution?

This point seems to be backed up by Rid and Buchanan in “Attributing Cyber Attacks” which “argues that attribution is what [nation] states make of it. To show how, we introduce the Q Model: designed to explain, guide, and improve the making of attribution. Matching an offender to an offence is an exercise in minimising uncertainty on three levels: tactically, attribution is an art as well as a science; operationally, attribution is a nuanced process not a black-and-white problem; and strategically, attribution is a function of what is at stake politically.” Rid and Buchanan go on to say that “Actual attribution of cyber events is already more nuanced, more common, and more political than the literature has acknowledged so far….”

Rid and Buchanan further detail “The quality of attribution is likely to rise as the number of fruitful intelligence sources increases. Moreover, the significance of a wider aperture rises with the levels of the attribution process: opening the aperture on a specific incident on a purely technical level is possible, but only within narrow constraints. Digital forensic evidence generated by an intrusion is by definition limited in the context it provides. Exploit code rarely reveals motivation. On an operational and especially on a strategic level, other sources of intelligence may illuminate the wider picture, for instance intercepted telephone conversations or emails among those who ordered or organised an operation. The significance of all-source intelligence and of a wider aperture is one of the strongest reasons why states with highly capable intelligence agencies are better equipped to master the attribution process than even highly capable private entities.”

This seems to make a lot of sense to me but is also a bit alarming – can we really trust the intel agencies to tell the truth? Can we trust our government when the act of making an attribution has political implications? Or when [and I would guess this is sometimes the case] they deliberately mislead about an attribution to protect sources and methods and political agendas? This conflict of interest seems to be pointed out by Digital Shadows in a recent blog – “If an impactful cyber attack was attributed to China, would it elicit the same response from the West as a similar attack conducted by a state sponsored group from Russia, or North Korea? Possibly not.”

Intel agencies also have close associations with many if not all of the leading threat intelligence companies with former senior intel members at the highest leadership levels of these companies. Sharing of threat data already occurs between intel / DoD agencies with their contractors and threat intelligence companies as part of DIBNet or DCISE. Given these facts, it could be possible that somewhat “diluted” attribution data is also shared between government agencies and threat intelligence companies to provide protection for governmental sources and methods. This is alarming to me as well since the government could influence any cyber attribution via proxy.

Some analysts have called for an independent, global group to lead all cyber attribution activity. For example, the RAND Corporation spells out the need for an international consortium in a research report – Stateless Attribution, Toward International Accountability in Cyberspace – whose mission would consist of investigating and publicly attributing major cyber attacks to produce “standardized and transparent attribution that may overcome concerns about credibility.” BlackBerry cyber threat researchers seem to concur with a similar stance on public sharing in a recent cyber investigation that built on top of findings by Mandiant: “With the resources of a nation-state level threat group, it’s possible to create a truly staggering level of diversity in their infrastructure,” the researchers said, adding “by piecing together the malicious activities of the threat actor via public sharing of information, it’s possible to uncover the tracks that the cybercriminals involved worked so hard to hide.”

I believe that sharing of threat information, as advocated by BlackBerry and many others, is working to help identify and detect cyber attacks, and in some ways to prevent them. However, attribution is a different animal as it goes beyond typical TTP sharing to “whodunit” and who controls “whodunit?” For example, as pointed out by Lee in his blog – “The Problems with Seeking and Avoiding True Attribution to Cyber Attacks,” “The indicators of compromise and security recommendations that the tactical level personnel should use are independent of attribution. The security recommendations and fixes are based off of the observed threat to the systems and vulnerabilities not the attribution; or said another way if you have to patch a vulnerability you don’t patch it differently if the exploit was Chinese or Russian based.” Also, as pointed out by Clara Assumpção in the article – The Problem of Cyber Attribution Between States, “Due to false flag operations and spoofing techniques, the chances of achieving perfect technical attribution are low.” She goes on to say, “Regardless of how sure they are over the quality of their claim, public international attributions are political actions and a state’s prerogative.” Should private companies be making public attribution assertions [of questionable validity] when they could result in increasing tensions between nation-states? It seems to me that this could be a problem unless the government “tacitly agrees” with the attribution assertion. And could attribution by private companies also lead to vigilante hack back? This could be very problematic for a nation-state, which is accountable for its population under international law when it comes to cyber attacks, as pointed out recently by NSA.

Note: Clara Assumpção’s article provides a very interesting treatise on the legal aspects of cyber attribution and is well worth a look.

There is another problem when it comes to attribution by private companies – competition. The reports of attribution are valuable marketing tools that elevate the authoring firms in the public eye, and the incentives motivating these firms to produce such reports quickly and ahead of their competitors may degrade the quality of their research and analysis. There is also a lack of accountability, as many companies are not transparent about the findings that lead to their attribution conclusions. This lack of accountability could lead to misinformation as well. Bottom line, as the ODNI points out in a 2017 report entitled PHASE II – CYBER ATTRIBUTION USING UNCLASSIFIED DATA, “All of that said, the most sophisticated and exhaustive approaches to attribution are often outside the means of most companies, and from the perspective of the government or its intelligence organizations, is usually classified or sensitive. The U.S. government remains compartmentalized in its approach to cybersecurity with no single source of ‘unassailable truth.’ This fact adversely impacts our policy, geopolitical and even military responses.” So sharing of data among government agencies and with private companies may help improve attribution assessments, but getting to the level of sharing that is needed would be difficult given the sensitive nature of the data involved.

One place where sharing publicly attributable events is already occurring is the Cyber Operations Tracker maintained by the Council on Foreign Relations. The Digital and Cyberspace Policy program’s cyber tracker is a database of the publicly known state-sponsored incidents that have occurred since 2005. It was last updated in 2021 so I am not sure if it is still active or not.

Could shared ontologies, together with shared threat data applied within an AI capability, help assess attack attribution and work through competing hypotheses of whodunit? Ontologies provide a common framework for sharing conceptual models. The role of the ontology would be to give better structure to, and a clearer depiction of, the relationships, interactions and influencing factors related to a cyber attack, campaign, etc. Formally capturing cyber attack domain knowledge can promote sharing and exchange, and can help establish the confidence level of an attribution, a standard for the impact of an attack, a correlation of responses to attack impacts (scope, scale, etc.), and a classification of the type or identity of the attacker. This type of ontology could also serve as a foundation for legal tests for responses.

Some researchers have developed AI models for assessing attribution. It is interesting to me to see if AI could make attribution assessments more accurate. One example of an AI application is the DeLP3E model. A DeLP3E model consists of two parts, which correspond to two separate models of the world. The first, called the environmental model (EM) is used to describe the background knowledge and is probabilistic in nature. The second one, called the analytical model (AM) is used to analyze competing hypotheses that can account for a given phenomenon (e.g., attribution for an attack). The EM must be consistent—this simply means that there must exist a probability distribution over the possible states of the world that satisfies all of the constraints in the model, as well as the axioms of probability theory. On the contrary, the AM will allow for contradictory information as the system must have the capability to reason about competing explanations for a given event. Any artificial intelligence tool designed for cyber-attribution must deal with information coming from different sources that invariably leads to incompleteness, overspecification, or inherently uncertain content. The presence of these varying levels of uncertainty doesn’t mean that the information is worthless – rather, these are hurdles that the knowledge engineer must learn to work with. In general, the EM contains knowledge such as evidence, intelligence reporting, or knowledge about actors, software, and systems. The AM, on the other hand, contains ideas the analyst concludes based on the information in the EM.
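The EM/AM split described above is easier to see in code than in prose. What follows is an added toy example, not the DeLP3E implementation and not code from this post: the environmental model is a set of boolean evidence variables with constructed prior probabilities, cut down to the worlds that satisfy hard constraints and renormalised, so that “consistent” simply means some world survives; the analytical model is a list of arguments, each tied to an EM condition and optionally to defeating conditions, and two arguments may reach contradictory conclusions. The scenario uses the infrastructure-hijacking pattern discussed earlier on this page (an overlap with a known group’s C2 that could instead be explained by another actor having taken that C2 over); the variable names, priors and argument structure are all assumptions made for the illustration.

```python
"""
Toy two-layer attribution model: a consistent probabilistic environmental
model (EM) under an argument-based analytical model (AM). Added example;
this is an illustration of the idea, not the DeLP3E system itself.
"""
from dataclasses import dataclass, field
from fractions import Fraction
from itertools import product
from typing import Callable, Dict, List, Tuple

World = Dict[str, bool]
Pred = Callable[[World], bool]


class EnvironmentalModel:
    """Boolean EM variables with independent priors, restricted to the worlds
    that satisfy every hard constraint, then renormalised over those worlds."""

    def __init__(self, priors: Dict[str, Fraction], constraints: List[Pred]):
        self.worlds: List[Tuple[World, Fraction]] = []
        names = list(priors)
        for values in product([False, True], repeat=len(names)):
            world = dict(zip(names, values))
            if not all(c(world) for c in constraints):
                continue               # world violates the EM; it gets no mass
            mass = Fraction(1)
            for name in names:
                mass *= priors[name] if world[name] else 1 - priors[name]
            self.worlds.append((world, mass))
        self.total = sum(mass for _, mass in self.worlds)

    def consistent(self) -> bool:
        """True if some probability distribution satisfies the constraints,
        i.e. at least one surviving world carries mass."""
        return self.total > 0

    def probability(self, pred: Pred) -> Fraction:
        if not self.consistent():
            raise ValueError("EM is inconsistent: no world satisfies the constraints")
        return sum(mass for world, mass in self.worlds if pred(world)) / self.total


@dataclass
class Argument:
    conclusion: str                 # the attribution hypothesis this argument backs
    support: Pred                   # EM condition under which the argument applies
    defeaters: List[Pred] = field(default_factory=list)  # conditions that knock it out


def warrant(em: EnvironmentalModel, arg: Argument) -> Fraction:
    """Probability that the argument's support holds and no defeater does."""
    return em.probability(
        lambda w: arg.support(w) and not any(d(w) for d in arg.defeaters))


def rank_hypotheses(em: EnvironmentalModel, am: List[Argument]) -> Dict[str, Fraction]:
    """Best warrant per conclusion. Conclusions may contradict one another and
    the values need not sum to 1: the AM tolerates competing explanations."""
    ranking: Dict[str, Fraction] = {}
    for arg in am:
        ranking[arg.conclusion] = max(ranking.get(arg.conclusion, Fraction(0)),
                                      warrant(em, arg))
    return ranking


def build_example() -> Dict[str, Fraction]:
    # Constructed priors; a real EM would derive these from evidence and reporting.
    em = EnvironmentalModel(
        priors={
            "c2_overlap": Fraction(4, 5),      # C2 overlaps infrastructure seen in GroupA ops
            "c2_hijacked": Fraction(1, 5),     # a different actor took over that infrastructure
            "cyrillic_strings": Fraction(9, 10),
            "builder_leaked": Fraction(1, 2),  # present in the EM, used by no argument here
        },
        # Hard constraint: a hijacked C2 necessarily shows up as an overlap.
        constraints=[lambda w: w["c2_overlap"] or not w["c2_hijacked"]],
    )
    am = [
        Argument("GroupA",
                 support=lambda w: w["c2_overlap"] and w["cyrillic_strings"],
                 defeaters=[lambda w: w["c2_hijacked"]]),
        Argument("GroupB_masquerading_as_A",
                 support=lambda w: w["c2_overlap"] and w["c2_hijacked"]),
    ]
    return rank_hypotheses(em, am)


if __name__ == "__main__":
    for hypothesis, p in build_example().items():
        print(f"{hypothesis}: {p} (about {float(p):.2f})")
```

With the constructed priors the GroupA argument is warranted in 3/5 of the probability mass and the masquerade argument in 1/6; the two do not partition the space, because in some worlds neither argument applies and the analyst is left with an open question, which is the kind of output the post’s “competing hypotheses” framing asks for. The same class also rejects an EM whose constraints leave no world standing, matching the consistency requirement stated above.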

Such tools could serve as a resource for training policy makers on publicly attributing cyber incidents and on the application of international law to cyberspace as recently called for by the White House:

“We are providing a first-of-its kind course for policymakers worldwide on the policy and technical aspects of publicly attributing cyber incidents, which will be inaugurated this year at the George C. Marshall Center in Garmisch, Germany. We are also bolstering our efforts through the Marshall Center to provide training to foreign ministry lawyers and policymakers on the applicability of international law to state behavior in cyberspace and the non-binding peacetime norms that were negotiated in the United Nations and endorsed by the UN General Assembly.”

It is notable that this will be training not just on the technical side of determining who is responsible for a cyber intrusion, but also on making such attributions public.

But does public attribution of cyber attacks provide any real benefits beyond the marketing it provides private companies? Does it help to deter cyber attacks by publicly “naming and blaming?” According to this 2022 report – The Purposes of U.S. Government Public Cyber Attribution by Jon Bateman of the Carnegie Endowment for International Peace, “Critics observe that U.S. public attribution – even combined with indictments, sanctions, cyber counterstrikes, and other actions – have failed to inflict significant costs on the exposed states. These critics note that state-sponsored cyber operations against U.S. entities have grown in number and severity over time. Thus, public attribution and related actions have obviously not achieved a large amount of macro-level deterrence.” Bateman goes on to say “In sum, the deterrent value of public attribution remains an open question.” Although attribution may not provide a significant deterrent effect, it may provide a legal stance for the offensive operations conducted under the “defend forward” strategy.

So what are your views on cyber attribution? Do you think that public attribution of cyber attacks provides significant benefits? Let me know your views and comments on this complex and controversial topic.

And thanks to my subscribers and visitors to my site for checking out! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, authenticity, PQ cryptography, risk assessment and modeling, autonomous security, digital forensics, securing OT / IIoT and IoT systems, Augmented Reality, or other emerging technology topics. Also, email if you’re interested in interviewing or advertising with us at Active Cyber™.