Attribution is Hard to Do – But Necessary to Evaluate Risk

Rick Howard


Executive Summary

Attributing a cyber threat with 100 percent certainty may be an unsolvable problem. But that is OK. Leaders make decisions on a lot less than 100 percent certainty all of the time. The key is to understand that nuance, and be fine with the implications.

In the case of Sony, the big implication is that the probability that a nation state has Sony Pictures in its cyber sights went from not likely before the most recent attack to quite high after it. Their risk equation just changed. In fact, the risk equation for the entire entertainment industry may have changed. Leaders in the entertainment industry will re-allocate corporate resources to mitigate that risk, and the only way they can justify that reallocation is to attribute the threat. They need their own threat intelligence teams to help them make that assessment, and even though the final assessment may be less than perfect, attributing the attack is essential for leaders to know how likely it is that a threat will materialize, and how impactful to the organization it will be if it does.

Introduction

Just before the holidays, President Obama said that he knew for sure that the North Korean government was responsible for the Sony hack. After the holidays, he added a bunch of sanctions against North Korea to the list of already-in-place sanctions in an effort to punish the North Korean government. Think about what happened there: the President of the United States just proclaimed to the world that he was so sure about the attribution question that he authorized official government sanctions against a country. Whoa! I think the world just moved.

Attribution is Hard

Here is the problem. Attributing a cyber event is hard. Even if you are 99 percent sure that you know who the culprit is, you still do not know for sure. Cybersecurity professionals track these things by watching for sets of Indicators of Compromise down the Kill Chain for all adversaries. It turns out that for cyber adversaries to be successful in accomplishing their goals — stealing credit card information, stealing intellectual property, causing destruction, etc. — they have to accomplish six basic tasks:

  1. Recon the victim to find weaknesses
  2. Build a weapon that takes advantage of those found weaknesses
  3. Deliver the weapon to the victim
  4. Install the weapon on one of the victim’s endpoints
  5. Establish Command and Control back out to the Internet from victim zero in order to deliver more instructions later
  6. Do what they came there to do in the first place, whether that’s steal data or something else

Adversaries may not have to accomplish all six tasks to be successful. But if I were designing an attack campaign, this is how I would break the problem down. Most adversaries have their own unique method for getting through every link, but no matter which adversary is in question, they all must work their way through some piece of that Kill Chain to be successful. Collectively, everything they do down the Kill Chain to get to their goal is their attack campaign.

White Hat intelligence teams watch for those activities within their networks. It is akin to infantry soldiers observing key terrain in the real world because they know the enemy must come through that terrain to attack them. When the cyber adversaries attempt to come through each link in the Kill Chain, they leave an electronic footprint — a tell-tale sign that they have been there. Cyber Intelligence Teams, like Palo Alto Networks Unit 42 and others, collect these Indicators of Compromise for as many adversaries as they can find. In other words, for each adversary, we associate a set of Indicators of Compromise to their attack campaign and then we assign some cool code name to the set so that we can remember it. In 2014, Unit 42 used names like Silver Spaniel, WireLurker, and CoolReaper to track three campaigns.

Let’s say that attackers breached the Palo Alto Networks infrastructure and the President of the United States went on national TV and accused the country of Narnia of launching the attacks. Unit 42 tracks Narnia’s Computer Network Attack (CNA) Team and has collected 100 Indicators of Compromise from their attack campaign. In his fictional national address, the President says that FBI leaders saw enough of those Indicators of Compromise inside our network to convince them that Narnia’s government was behind the breach. And therein lies the problem.

Indicator of Compromise sets are not DNA samples. There is a reason that we call them indicators and not facts. Even if we saw all 100 Indicators of Compromise inside our network, it would not be a slam-dunk that we knew who was responsible; there would still be four possibilities for assigning attribution to this breach.

  1. The Narnian government sanctioned the attackers. (Highly likely)
  2. The attackers are a rogue element from the Narnian Attack Team not officially sanctioned by the Narnian government. (Not likely but possible)
  3. The attackers want us to think that the Narnian Government sanctioned the attack. (Not as likely but still possible)
  4. The attackers are not affiliated with Narnia at all. (Not very likely but possible)
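To make the point about indicator sets concrete, here is an added example (not Unit 42 tooling, and not code from the original post) that matches a handful of constructed log lines against constructed indicator sets for the fictional Narnia CNA Team and a second, hypothetical campaign. The dropper hash and phishing lure host are deliberately placed in both campaigns, because commodity tooling and rented infrastructure get shared, resold and copied; the output shows how much of the Kill Chain each campaign's indicators cover and how many of the matches are actually unique to one campaign. Every campaign name except Narnia, every indicator value and every log line is constructed for this example.

```python
"""Added example: scoring observed indicators against adversary campaign IoC sets.

Illustrative code written for this article. All indicator values, the second
campaign and the log lines are constructed; nothing here is real threat data.
"""
import re
from collections import defaultdict

# Kill Chain phases in the order the article lists them.
PHASES = ("recon", "weaponize", "deliver", "install", "c2", "act")

# Constructed indicator sets: campaign -> {indicator: phase where it is seen}.
# The dropper hash and lure host appear in both campaigns on purpose.
CAMPAIGNS = {
    "Narnia CNA Team": {
        "narniascan": "recon",                    # scanner user-agent (constructed)
        "b7e2c9d4f0a1": "weaponize",              # dropper hash, truncated (constructed)
        "invoice-portal.example": "deliver",      # phishing lure host (constructed)
        "svchost-update.exe": "install",          # dropped file name (constructed)
        "beacon.narnia-c2.example": "c2",         # beacon host (constructed)
        "archive.narnia-c2.example": "act",       # exfil host (constructed)
    },
    "Archenland Crew": {                          # hypothetical second campaign
        "b7e2c9d4f0a1": "weaponize",              # same commodity dropper
        "invoice-portal.example": "deliver",      # same rented lure host
        "updater.archenland.example": "c2",
    },
}

# Constructed log lines from proxy, mail, AV, EDR and DNS sources.
LOG_LINES = [
    '2015-01-05T10:12:03Z proxy src=10.0.0.5 ua="NarniaScan/1.0" dst=www.corp.example',
    "2015-01-05T10:15:44Z mail rcpt=cfo@corp.example link=https://invoice-portal.example/inv.zip",
    "2015-01-05T10:16:10Z av host=ws-0042 file=inv.exe sha256=b7e2c9d4f0a1 action=quarantine-failed",
    "2015-01-05T10:16:12Z edr host=ws-0042 created=C:\\Users\\cfo\\svchost-update.exe",
    "2015-01-05T10:17:30Z dns host=ws-0042 query=beacon.narnia-c2.example",
]

# Split on whitespace, quotes, '=', path separators and list separators so that
# hosts, hashes, file names and user-agent names come out as single tokens.
SPLIT = re.compile(r'[\s"\'=/\\,;]+')


def tokens(line):
    """Lower-cased tokens from one log line that could carry an indicator."""
    return {t for t in SPLIT.split(line.lower()) if t}


def match_indicators(log_lines):
    """Return {campaign: {indicator: phase}} for every indicator present in the logs."""
    seen = set().union(*(tokens(line) for line in log_lines))
    hits = {}
    for name, iocs in CAMPAIGNS.items():
        matched = {ioc: phase for ioc, phase in iocs.items() if ioc in seen}
        if matched:
            hits[name] = matched
    return hits


def assess(hits):
    """Per campaign: indicators matched, Kill Chain phases covered, and how many
    matched indicators belong to that campaign alone."""
    owners = defaultdict(set)
    for name, matched in hits.items():
        for ioc in matched:
            owners[ioc].add(name)
    report = {}
    for name, matched in hits.items():
        report[name] = {
            "matched": len(matched),
            "total": len(CAMPAIGNS[name]),
            "phases": sorted(set(matched.values()), key=PHASES.index),
            "unique": sum(1 for ioc in matched if owners[ioc] == {name}),
        }
    return report


def estimate(report):
    """Pick the campaign whose matches are hardest to explain by another set.
    This is an estimate, not an identification: even a full match leaves the
    article's four possibilities (sanctioned, rogue, false flag, unrelated) open."""
    if not report:
        return None
    leading = max(report, key=lambda n: (report[n]["unique"], report[n]["matched"]))
    entry = report[leading]
    return {
        "campaign": leading,
        "phases": entry["phases"],
        "shared_indicators": entry["matched"] - entry["unique"],
    }


if __name__ == "__main__":
    report = assess(match_indicators(LOG_LINES))
    for name, entry in report.items():
        print(f"{name}: {entry['matched']}/{entry['total']} indicators, "
              f"{entry['unique']} unique, phases={entry['phases']}")
    print("estimate:", estimate(report))
```

On the constructed input, the Narnia set covers five of the six phases, but two of those five matches are explained equally well by the other campaign. A tooling hash or lure host shared across sets is exactly the kind of "indicator, not fact" the text describes, which is why the estimate reports the shared count next to the leading campaign instead of a single answer.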

This is an intelligence estimate. Good intelligence is often only about 60 percent certain, and leaders make decisions about world-shaping events all of the time with a lot less certainty than that. For example, if you believe that the movie “Zero Dark Thirty” (Minute: 1:40) is even close to the truth about what transpired during the Osama Bin Laden raid, President Obama sent the team into Pakistan to assassinate Bin Laden on a 60 percent certainty that he was there. Leaders make decisions with less than perfect intelligence all the time. But my point is that understanding your adversary is worth the effort, even if your intelligence is not perfect.

Attribution is Necessary to Evaluate Risk

In the Sony case, attribution is particularly relevant. If I had been drawing the Risk Matrix for Sony Pictures before the most recent attack, I am quite certain that I would not have assessed the risk of the North Korean government attacking the Sony infrastructure, because the studio made a silly movie about the country’s leaders, as something that was very probable. Before the attack, the chances of something like that happening would have been possible but not likely. Consequently, the amount of resources I would have allocated to that particular risk would have been negligible. In every job I have ever had, the amount of resources I had at my disposal to protect against potential risks ran out long before I got to the risks that are possible but not likely.

But after the attack against Sony, the situation changes greatly. I would have to completely re-draw the risk matrix. Not only is a nation state attack possible, it appears to have happened. Because the attackers were successful, the probability that another nation state, or the same one for that matter, might do something similar in the future rises significantly. It might rise to the most important threat that the organization faces. The point is that even though attribution is hard and less than perfect, it is necessary. Leaders cannot assess whether they are directing the appropriate amount of resources to mitigate a risk if they do not understand what the risk is. Attribution is a key component to that risk assessment equation.
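The reallocation argument above can be shown mechanically. The following is an added example (not from the original post, and not a Sony or Palo Alto Networks tool) that funds mitigations from a constructed risk register in descending order of likelihood times impact until a constructed budget runs out, then raises the likelihood of the nation-state risk from "unlikely" to "likely" on the strength of an attributed attack and funds the register again. The risk names, scores, costs and the budget are all constructed; the point is which risks fall above the cutoff before and after the update.

```python
"""Added example: re-drawing a risk matrix after an attributed attack.

Illustrative code for this article. The register, the ordinal scales, the
mitigation costs and the budget are constructed, not taken from any real
risk assessment.
"""

# Ordinal scales for a 5x5 risk matrix (constructed labels).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Constructed register: each entry is a risk with its pre-attack assessment
# and the cost (in arbitrary units) of mitigating it.
REGISTER = [
    {"name": "Ransomware", "likelihood": "likely", "impact": "major", "cost": 35},
    {"name": "Commodity malware via phishing", "likelihood": "likely", "impact": "moderate", "cost": 30},
    {"name": "Insider data theft", "likelihood": "possible", "impact": "major", "cost": 40},
    {"name": "Nation-state destructive attack", "likelihood": "unlikely", "impact": "severe", "cost": 50},
    {"name": "Web app defacement", "likelihood": "possible", "impact": "minor", "cost": 10},
]
BUDGET = 100  # constructed


def score(risk):
    """Risk score as likelihood x impact on the ordinal scales above."""
    return LIKELIHOOD[risk["likelihood"]] * IMPACT[risk["impact"]]


def fund(register, budget):
    """Fund mitigations in descending score order until the budget runs out.
    A risk whose mitigation no longer fits is skipped, and cheaper, lower-scored
    risks may still be funded from what is left. Returns the funded risk names."""
    funded, remaining = [], budget
    for risk in sorted(register, key=score, reverse=True):
        if risk["cost"] <= remaining:
            funded.append(risk["name"])
            remaining -= risk["cost"]
    return funded


def update_likelihood(register, name, likelihood):
    """Return a copy of the register with one risk's likelihood re-assessed."""
    updated = [dict(risk) for risk in register]
    for risk in updated:
        if risk["name"] == name:
            risk["likelihood"] = likelihood
    return updated


def before_and_after(register, budget, name, new_likelihood):
    """Funded lists before and after attribution moves one risk's likelihood."""
    return fund(register, budget), fund(update_likelihood(register, name, new_likelihood), budget)


if __name__ == "__main__":
    before, after = before_and_after(REGISTER, BUDGET, "Nation-state destructive attack", "likely")
    print("funded before attribution:", before)
    print("funded after attribution: ", after)
    print("dropped to pay for it:    ", sorted(set(before) - set(after)))
```

Before the update, the nation-state risk scores below two cheaper risks and the budget is exhausted before it is reached, which is the "possible but not likely" tail the text describes. After attribution raises its likelihood, it moves to the top of the list and the commodity-malware mitigation is the one that drops out; the attribution estimate is what justifies that trade.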

Conclusion

In the real-world Sony Pictures case and in my fictional Palo Alto Networks case, reaching 100 percent certainty of knowing who the adversary is may be an unsolvable problem. But that is OK. Leaders make decisions on a lot less certainty all of the time. The key is understanding that nuance and being fine with the implications.

In the Sony Pictures case, the big implication today is that the probability that a nation state has Sony Pictures in its cyber sights went from not likely to quite high. Their risk equation just changed. In fact, the risk equation for the entire entertainment industry may have changed. Leaders in the entertainment industry will re-allocate corporate resources to mitigate that risk, and the only way they have to justify that reallocation is to attribute the threat. They need their own threat intelligence teams to help them make that assessment, and even though the final assessment may be less than perfect, attributing the attack is essential for leaders to know how likely it is that a threat will materialize and how impactful to the organization it will be if it does.

