Let me describe a situation, and see if you can guess what I’m referring to:
A high-profile hack occurred, including data disclosure, and has been attributed to a foreign government. The original source for that attribution was a leak to the press, followed by statements from the executive branch. Later, the intelligence community released a report that’s woefully thin on details, and it has yet to provide a classified briefing to the congressional oversight committee with full information. No joint statement from the select committee has been released.
I’m sure you immediately thought of the recent hack of the Democratic National Committee, but it could just as easily describe the Sony hack last year. In both cases we have an attribution of responsibility to a nation state, with no substantive details. What’s interesting to me is how some in the security community responded to those two assertions. One was widely dismissed, with experts pointing out the difficulty of attribution, while the other was generally accepted by the same security experts. Let me come back to that.
First, let’s look at the broader problem of attribution.
Primarily it involves indicators of compromise (things left behind by the hack) and human sources of information (things learned from people). Hacker toolkits and techniques are designed to minimize the IOCs as much as possible. Everything from wiping logs to hopping through multiple compromised servers and using proxies to disguise the originating machine is bread and butter to the sophisticated adversary.
In some cases, malware code is left behind, which can provide a vital clue, but that only goes so far. This week, there have been a number of breathless news stories that Russian malware has been found on a computer at an American utility. To paraphrase the greatest movie of all time, “I’m shocked, shocked! that there is malware from Russia going on here.” (Insert a scene of a junior hacker running up and saying, “Hello sir, here’s the attack toolkit we bought off the dark web.”)
Seriously, a substantial percentage of the malware in circulation today relies on toolkits built by Russian hackers – they’re very good at it. But the source code is almost all available for sale, so the original author (and remember, Russian hacker doesn’t mean Russian government) is rarely the one perpetrating the attack. More to the point, it’s no surprise to anyone in the security profession that there’s Russian, North Korean, or Chinese malware on any particular machine in America – any more than it’s a surprise for Iran, Russia, China, or North Korea to find American, British, or Israeli malware on their systems. Everybody hacks. But unless the hacker makes a mistake, successful prosecution and reliable attribution from IOCs alone is very challenging.
That’s where the people side of the investigation comes in. Most hacking involves money, and following financial trails is something law enforcement is very good at. The majority of the remainder involves intellectual property theft, which can also be traced – often when knockoff products appear, though by then it’s too late to do anything about it. Purely activist hacking is the hardest, but in all three cases people talk, whether in exchange for protection from prosecution, by venting on a forum, or for social media bragging rights, and law enforcement finds out. Lastly, for some attacks there is both signals intelligence and human intelligence that can be brought to bear, but much of that will never be revealed (and rightly so), as it would compromise sources and methods.
So we’ve come full circle. For the hacks I referenced above, we must remember there are geopolitical and domestic political motivations to attribute those to a particular nation state. I treat any such assertion (from either party) as suspect, particularly when it’s ‘leaked’ to the press. My own experience with folks in the intelligence community is that the ones who really know don’t talk, and the ones who don’t know, well, they talk too much.
Wikileaks claims that they didn’t get the information from the Russian government, rather that it was delivered in a Washington park by an insider. Given the complete lack of details in the report issued this week, the timing of the attribution, the refusal to brief the select committee, and the petulance of the outgoing administration, I’m skeptical of the asserted story. I don’t dismiss it, but I am skeptical. I’m also skeptical of the Sony hack attribution, and still skeptical of much of Snowden’s story as well. We have assertions and very limited real information on all three – we pretty much know “what” happened, but the who and why remain unclear.
It’s very human to take what facts we do have and try to make a coherent story out of them. That’s my job actually – to recognize the pattern and story in what my clients are saying, and then capture and articulate it back as a security architecture and strategy. Of course, I have far more information to work with than we’ve been given on these attacks, and can go back and ask questions to make sure I fully understand the situation.
But that’s where the analogy breaks down. I work for a company that sells security software and services. Both my own integrity and our company values require that I work in the best interest of my client. That’s why part of my job is to integrate with competing solutions and services. Of course, when our products and services meet the requirements and provide good value, I’ll recommend what I sell – that’s my job, and no one expects me to do anything different.
Attribution is different. As professionals, we must set a common yardstick and apply it equally and fairly, regardless of target, source, or impact. Rarely will we know with certainty. Ethically, we must disclose the speculative nature, the alternate explanations, and the probabilities involved.
For the DNC and Sony attacks, because there are nation state issues, we’re never going to have all the facts, and will have to rely on a trusted third party who does. You can stop laughing now, because you’re right – that doesn’t exist; I don’t trust either administration on this one. The best that we could do is a joint statement by both the majority and minority leaders of the House Select Committee on Intelligence, after a full classified briefing by the entire intelligence community, that provides attribution and some level of IOCs. Until then, I remain skeptical.