Defence
Behind the Mask
The Challenge of Attributing Cyberattacks to Nation States
When a major cyberattack hits, the question of who is responsible quickly arises. But accurately attributing an attack to a specific nation state is exceptionally challenging, as Lucy Ingham finds out from Cybereason CISO Israel Barak, and the implications are significant
Once largely the concern of major nations and multinational corporations, cybersecurity is now a problem that impacts enterprises and countries of all sizes, and when an attack hits the effects can be devastating. Naturally there is a strong desire to determine who is responsible, with certain nations often being cited as responsible for some of the biggest incidents in recent years.
However, pointing the finger of blame is not as simple as media reports sometimes suggest, as Israel Barak, CISO at Cybereason, a company specialising in the creation of technology for detection and response, knows well. A former member of the Israeli Defense Forces where he founded and led the red team unit, he has been working in cybersecurity since the mid-90s.
Now in his role at Cybereason he sees first-hand how challenging the attribution of attacks to specific threat actors can be.
“As part of working through the data the technology collects, analyses, responds to, we very often identify advanced techniques, sometimes we're able to attribute them, sometimes not, but we're often exposed to a lot of these advanced technique trends in the industry,” he says.
Identifying an attacker: why correctly attributing a threat actor is a serious challenge
When cybersecurity experts seek to uncover the threat actor behind an attack, they typically rely on what are known as TTPs (more commonly expanded as tactics, techniques and procedures; Barak uses tools, techniques and practices), which he characterises as “fingerprints” left on the tools an attacker uses.
“Traditionally TTPs were used to help associate a certain incident to a certain actor. You would know that certain TTPs are very indicative of certain advanced actors and that would help associate that incident to that actor,” explains Barak.
However, as hacking tools and other cybersecurity data and intelligence have become more widespread, a problem has arisen.
“One of the issues that has become very prevalent over the past five or six years is that the knowledge in TTPs on how to launch advanced attacks is actually distributed and has now reached far beyond just a small group of advanced nation state actors,” he says. “Today you can find hundreds of different actors; some of them are criminal actors, some of them are business intelligence actors, some of them are just contractors and some of them are nation state actors but many of them use very, very similar TTPs, very similar techniques, very similar tools.
“The knowledge in how to build those tools has distributed significantly, the knowledge in how to conduct an advanced operation has distributed significantly, so the number of players in the market, the number of actors in the market that can be behind that type of attack has increased exponentially. There are no usual suspects anymore, at least technically speaking.”
At the same time, threat actors now take great pains to disguise who they are and where they are acting from, seeking to mask their identity by mimicking that of an actor from another state.
“That's a built-in part of any operational plan of an advanced attack; you choose who you want to resemble. A lot of threat actors, some of them are criminals, some of them are nation states, want to resemble the NSA, for example,” he says. “Some want to resemble Chinese activities, some want to resemble Korean activities, some want to resemble Russian activities.”
Attackers do this in part because they know that if they are detected the tools and techniques they use will be investigated and used to form conclusions about their identity, but they are aided by the fact that many of the tools those acting on behalf of nation states use have been leaked in the last few years.
“You can actually learn a lot based on the leaked information, both in terms and practices, how these other guys actually work. And you can take and adopt these techniques and build them into your operational profile and tools to resemble them,” he says.
Appearing to be someone else from another part of the world is no small task, involving a host of different practices to create a false profile of the attacker.
“What they do is they build these tools with code characteristics, certain time signatures, that are indicative of the actor they want to resemble. For example, if you want to resemble someone, let's say a nation state actor that is based in the East Coast in the United States, you would actually build all your attack tools in a lab that has operating systems with licenses that were bought in the United States,” explains Barak.
“It operates, and the people that build those tools operate, in US Eastern time regardless of where they are in the world. So everything that lab produces looks like it was built by someone that's based out of the US East Coast.
“You use terminology in your code that is indicative of an English-speaking person. You use that in the documentation, in the parameters you use terminology that's taken from movies, etc. The idea is that if someone analyses that piece of code, it would look like it was built by someone that is English-speaking and it operates out of US East Coast, regardless of where the actual lab is in the world.”
When it comes to deploying the attack tools and engaging in an attack, the mimicry continues, with command and control infrastructure chosen to further the illusion.
“Usually investigators, as they come to investigate the attack, will have two things at their fingertips to try to investigate. Number one are the tools that were put by the hacker in the target environment. And number two is that first layer of command control network that these tools communicated with,” he explains.
“It's very easy today to buy servers or to deploy command and control infrastructure anywhere you want in the world. If you want to put the blame on someone like China, you can buy command and control servers in China. If you want to make it look like something that operates out of Korea, it's not very difficult to buy servers and command and control infrastructure in places like South Korea, for example. Or India. Or Africa. Or the United States for that matter. Wherever you want in the world.”
Certain uncertainty: Nation state attribution is not guaranteed
Given these sophisticated disguises, investigators have their work cut out for them when it comes to pointing the finger of blame.
“Investigators basically have to base their attribution conclusions on tools and communication profiles that were built specifically by the threat actors to thwart them and point the blame at someone else, so they're actually seeing what the attacker wants them to see. They built the attack in exactly the way that they want the investigators to think,” says Barak.
“So these factors are things that essentially make a technical attribution something that is extremely difficult and would mostly lead investigators in the wrong direction.”
As a result, it is near impossible in many cases to say with certainty that an attack came from a specific threat actor.
“The reality is that with advanced threat actors it's very rare that there would be a technical way to point the finger of blame at the right threat actor,” says Barak.
Instead of relying purely on technological methods, investigators then have to use other tools to determine who is responsible.
“Usually the means that help with accurate attribution, especially when you're in that nation state space, are completely not technological. They're fully based on intelligence infrastructure, intelligence sources that can provide you with insight into what the other side's goals were and who the actor was,” he says.
“For example, if a nation state actor has sources within a foreign government that can shed light on a particular operation that that foreign government launched, or command control infrastructure that they're using, or specific new tools, techniques and practices that they've developed, and timeframes and intent, then that can help the victim draw conclusions on whether or not that foreign government was involved in a particular incident.
“So these more accurate attribution processes have nothing to do with technical analysis of the incident, they have everything to do with having the right intelligence sources in the right places. And most enterprises obviously do not have access to that type of resource.”
Risks in retaliation: Cybersecurity has no rules of engagement
This lack of technological certainty poses significant challenges when it comes to responding to attacks, particularly when it comes to the idea of “hacking back” in order to deter threat actors from engaging in future attacks.
“This actually increases the likelihood that someone, I wouldn't want to call it a bystander, but someone that's not directly involved in an incident but was just used as a cover for an incident, is actually going to get hit with something like a hack back that an enterprise would be involved in,” says Barak.
However, when it comes to nation-level responses to cyberattacks, this is only one small part of an increasingly thorny challenge. After all, while cyber warfare has now become a mature tool for national defence, the rules surrounding it remain immature.
“Cyber warfare has already become a standard in the tool belt of any sophisticated military organisation. It's already a standard tool, and it's been a standard tool for the past 10 or 12 years,” says Barak.
“The interesting thing is that there are no rules of engagement right now. How do you respond to a cyberattack? What is the sliding scale of launching military offensives in cyberspace? Is it legitimate to try to thwart an election? How do you respond to that? Do you send F-16s? Is that the proper response?
“In the physical realm, there's a certain understanding of what the balances are in terms of what is that sliding scale. Armies or military organisations know that if they launch an operation of type one they can expect the retaliation of type two. In cyberspace, these rules haven't been written yet.”
At this stage, Barak argues, governments are still in the process of working out what the rules are, how far they can go before they provoke a response and what that response will be if they do.
“What you see around us are governments experimenting with how far they can go along with launching cyberattacks and what type of retaliation they can expect and therefore how can they manage their risk,” he says.
“And I think the most dangerous thing about cyber warfare isn't the fact that it's not already standardised – it's already standardised and being used regularly – it's the fact that the rules of engagement, whether written or unwritten, have not been settled. There's no agreed-upon, even informally, understanding of what the common action and reaction would be in cyberspace.
“And I think that is a very slippery path and can lead governments to going very far with launching cyber warfare operations just based on the expectation that there's not going to be any physical retaliation.”
The value of threat intelligence to enterprises
While enterprises do not engage in the same kind of retaliatory behaviour, threat intelligence does still play a significant role at many organisations.
“Usually larger enterprises operate threat intel teams. The idea is to try to develop patterns that can help the enterprise foresee threats before they actually happen, and number two, to build patterns that can help the enterprise better protect itself after it has experienced an incident and better protect itself against the actor that launched that incident,” he says. “So the idea is to build sets of practices, threat intel-based practices, to reduce the likelihood of a risk taking place.”
As part of this, there is a focus on linking techniques to specific actors, as this can help the organisation understand what the attacker is trying to achieve.
“In these practices a major part of their activity is to try to associate different techniques and practices with specific actors, so they would know what type of techniques will be used, what type of techniques to protect against, and also try to understand if there are certain motivations to the attacker and what they were after, and what is the actual business risk,” he says.
However, with so many actors at play, Barak believes that organisations should focus more on the tools rather than the attackers.
“For enterprises, because of that lack of certainty, the value of trying to attribute something is low. There's very little value to be extracted from attribution because at the end of the day it's very non-definitive and does not necessarily help the enterprise to protect itself from the next incident,” he says.
“Threat intel teams and enterprises probably need to focus more on identifying tools, techniques and practices that protect the enterprise against attacks and less on spending time and major resources on trying to associate these with someone.
“Cybersecurity teams need to align themselves with these identified tools, techniques and practices and not necessarily try to draw far-reaching conclusions on the business risk just based off of the assumption that actor X is behind an attack without enough direct evidence, but only circumstantial evidence.”
Looking more widely, Barak argues that enterprises need to accept the reality that attackers are going to get into their system, and instead focus on preventing them getting access to key systems or sensitive data when they do.
“The assumption needs to be that there's a huge number today of actors that can employ advanced threat techniques and we need to move away from the assumption that we'd be able to prevent them from gaining access into our enterprise network,” he says. “We need to build the security paradigm based on an assumption that an incident does not equal a breach.
“An incident, someone gaining access to our network, is inevitable, especially when we're talking about these actors. But that incident leading to an actual breach, damage to the organisation, is something that is avoidable.
“With the visibility, and the right technology, the network would focus on identifying these advanced operations as they progress in the network and disrupt them before they actually reach their critical stages. I think that's where our focus needs to be, as opposed to trying to focus a lot of resources, including threat intel resources, on preventing these actors from gaining access into our networks.”
The future of enterprise cybersecurity
Looking to the future, Barak sees enterprises increasingly recognising the importance of differentiating between IT security and cybersecurity.
“I think the biggest change that we'll see will be that separation in enterprises between the IT security part of the security organisation and the cybersecurity part of the security organisation,” he says.
“That understanding that the cybersecurity part of the organisation needs to be the engine that drives the security paradigm of the enterprise, the engine that actually reduces the highest risks of the enterprise.”
This approach, he argues, will allow a more effective approach to security in light of the changing cybersecurity landscape.
“To a certain extent IT security is a critical component, but it doesn't necessarily reduce the risk from these very advanced actors; the actors don't actually cause a very damaging breach,” he says.
“So to a certain extent IT security does not manage the top risks; it manages a lot of the risk, but not necessarily the top risks. And the understanding that it's the cybersecurity area that's going to have to deal with those top risks, the most dangerous and most impactful attackers.”
With the separation of IT security and cybersecurity will, Barak argues, come a change in the nature of enterprise architecture.
“I think we'll see a dramatic change in enterprise architecture, security architecture to enable that cybersecurity part of the business, to help them see deep into the network, to help their operations centres understand and connect the dots in as real-time as possible in terms of what type of activities are ongoing, what type of attacks are currently happening in our environment,” he says.
“How can we connect the dots very quickly to understand the full extent of what's happening in our environment; and how can we ultimately very effectively respond to what is happening, to put it in common terms, to kick that adversary out of the network.”
PR nightmares: Ten of the worst corporate data breaches
LinkedIn, 2012
Hackers sold name and password info for more than 117 million accounts
Target, 2013
The personal and financial information of 110 million customers was exposed
JP Morgan, 2014
One of JP Morgan Chase’s servers was compromised, resulting in fraud schemes yielding up to $100m
Home Depot, 2014
Hackers stole email and credit card data from more than 50 million customers
Sony, 2014
Emails and sensitive documents were leaked, thought to be by North Korea in retaliation for Sony’s production of a film mocking the country’s leader Kim Jong Un
Hilton Hotels, 2015
Dozens of Hilton and Starwood hotels had their payment systems compromised and hackers managed to steal customer credit card data
TalkTalk, 2015
The personal data of 156,959 customers, including names, addresses, dates of birth and phone numbers, was stolen
Tesco, 2016
Hackers made off with around $3.2m from more than 9,000 Tesco Bank accounts
Swift, 2016
Weaknesses in the Swift payment system resulted in $81m being stolen from the Bangladesh Central Bank’s account at the New York Federal Reserve
Chipotle, 2017
Phishing was used to steal the credit card information of millions of Chipotle customers, thought to be part of a wider restaurant customer scam orchestrated by an Eastern European criminal gang