Tuesday, December 30, 2014

Five Reasons Attribution Matters

Attribution is the hottest word in digital security. The term refers to identifying responsibility for an incident. What does it matter, though? Here are five reasons, derived from the five levels of strategic thought. I've covered those before, namely in The Limits of Tool- and Tactics-Centric Thinking.

Note that the reasons I outline here are not the same as performing attribution based on these characteristics. Rather, I'm explaining how attribution can assist responsible actors, from defenders through policymakers.

1. Starting from the bottom, at the Tools level, attribution matters because identifying an adversary may tell defenders what software they can expect to encounter during an intrusion or campaign. It's helpful to know if the adversary uses simple tools that traditional defenses can counter, or if they can write custom code and exploits to evade almost any programmatic countermeasure.

Vendors and software engineers tend to focus on this level because they may need to code different defenses based on attacker tools.

2. The benefits of attribution are similar at the Tactics level. Tactics describes how an adversary acts within an engagement or "battle." It describes how the foe might use tools or techniques to accomplish a goal within an individual encounter.

For example, some intruders may abandon a system as soon as they detect the presence of an administrator or the pushback of a security team. Others might react differently by proliferating elsewhere, or fighting for control of a compromised asset.

Security and incident response teams tend to focus on this level because they have direct contact with the adversary on a daily basis. They must make defensive choices and prioritize security personnel attention in order to win engagements.

3. The level of Operations or Campaigns describes activities over long periods of time, from days to months and perhaps years, across a wider theater of operations, from a department or network segment to an entire organization's environment.

Defenders who can perform attribution will better know their foe's longer-term patterns of behavior. Does the adversary prefer to conduct operations around holidays, or certain hours of the day or days of the week? Do they pause between tactical engagements, and for how long? Do they vary intrusion methods? Attribution helps defenders answer these and related questions, perhaps avoiding intrusion fatigue.

CISOs should focus on this level, and some advanced IR teams incorporate this tier into their work. This is also the level where outside law enforcement and intelligence teams organize their thinking, using terms like "intrusion sets." All of these groups are trying to cope with long-term engagement with the adversary, and must balance hiring, organization, training, and other factors over budget and business cycles.

4. At the level of Strategy, attribution matters to an organization's management and leadership, as well as policymakers. These individuals must decide if they should adjust how they conduct business, based on who is attacking and damaging them. Although they might direct technical responses, they are more likely to utilize other business methods to deal with problems. For example, strategic decisions could involve legal maneuvering, acquiring or invoking insurance, starting or stopping business lines, public relations, hiring and firing, partnerships and alliances, lobbying, and other moves.

Strategy is different from planning, because strategy is a dynamic discipline derived from recognizing the interplay with intelligent, adaptive foes. One cannot think strategically without recognizing and understanding the adversary.

5. Finally, the level of Policy, or "program goals" in the diagram, is the supreme goal of government officials and top organizational management, such as CEOs and their corporate boards. These individuals generally do not fixate on technical solutions. Policymakers can apply many government tools to problems, such as law enforcement, legislation, diplomacy, sanctions, and so forth. All of these require attribution. Policymakers may choose to fund programs to reduce vulnerabilities, which in some sense is an "attribution free" approach. However, addressing the threat in a comprehensive manner demands knowing the threat. Attribution is key to any policy decision where one expects other parties to act or react to one's own moves.
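The questions posed under the Operations/Campaigns level above (preferred hours and days, pauses between engagements) can be put to actual data. The following is an added example, not code from the original post: given UTC timestamps of observed adversary activity, it scores candidate UTC offsets by how much of the activity falls in a weekday working-hours window, builds a day-of-week histogram under the best-fitting offset, and splits the activity into engagements separated by a quiet period, reporting the pauses between them. The timestamps are constructed, and the 08:00-18:00 window and the 12-hour quiet period are assumptions.

```python
"""Campaign-level tempo analysis over adversary activity timestamps.

Added example, not from the original post. The sample timestamps below are
constructed; the working-hours window and the engagement gap are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample data: UTC times of adversary actions seen on one network.
EVENTS_UTC = [
    "2014-12-01T00:15Z", "2014-12-01T03:15Z", "2014-12-01T07:40Z",
    "2014-12-02T02:05Z", "2014-12-04T06:50Z", "2014-12-09T01:10Z",
    "2014-12-09T04:30Z", "2014-12-11T09:20Z", "2014-12-16T02:45Z",
    "2014-12-18T05:00Z", "2014-12-19T22:30Z", "2014-12-22T01:55Z",
    "2014-12-26T03:30Z",
]

WORK_START, WORK_END = 8, 18          # assumed local working-hours window
ENGAGEMENT_GAP = timedelta(hours=12)  # assumed quiet period that ends an engagement
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def parse_events(stamps):
    """Parse ISO-8601 'Z' timestamps into sorted, tz-aware UTC datetimes."""
    out = [datetime.strptime(s, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)
           for s in stamps]
    return sorted(out)


def working_hours_scores(events, offsets=range(-12, 15)):
    """Map each candidate UTC offset to the number of events that land on a
    weekday between WORK_START and WORK_END local time under that offset."""
    scores = {}
    for off in offsets:
        tz = timezone(timedelta(hours=off))
        local = [e.astimezone(tz) for e in events]
        scores[off] = sum(1 for t in local
                          if t.weekday() < 5 and WORK_START <= t.hour < WORK_END)
    return scores


def best_offsets(scores):
    """All offsets tied for the highest working-hours score (may be several)."""
    top = max(scores.values())
    return sorted(off for off, n in scores.items() if n == top)


def day_of_week_histogram(events, offset):
    """Count events per local weekday name under the given UTC offset."""
    tz = timezone(timedelta(hours=offset))
    return Counter(DAYS[e.astimezone(tz).weekday()] for e in events)


def split_engagements(events, gap=ENGAGEMENT_GAP):
    """Group consecutive events into engagements; a pause longer than `gap`
    starts a new one. Returns a list of lists of datetimes."""
    engagements = []
    for e in events:
        if engagements and e - engagements[-1][-1] <= gap:
            engagements[-1].append(e)
        else:
            engagements.append([e])
    return engagements


def pauses_between(engagements):
    """Hours from the last event of one engagement to the first of the next."""
    return [(nxt[0] - prev[-1]).total_seconds() / 3600
            for prev, nxt in zip(engagements, engagements[1:])]


if __name__ == "__main__":
    evs = parse_events(EVENTS_UTC)
    scores = working_hours_scores(evs)
    best = best_offsets(scores)
    print("best-fit UTC offset(s):", best, "score", scores[best[0]], "of", len(evs))
    print("weekday histogram:", dict(day_of_week_histogram(evs, best[0])))
    eng = split_engagements(evs)
    print(len(eng), "engagements; pauses (h):",
          [round(p, 1) for p in pauses_between(eng)])
```

A working-hours fit is one weak indicator among many: an adversary can shift its schedule, operate through relays in other time zones, or simply keep irregular hours, and several offsets often tie. Treat the output as a pattern to test against other evidence at this level, such as intrusion method and infrastructure reuse, not as an answer by itself.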

Remember the five levels of strategic thought and their associated parties and responsibilities when you hear anyone (especially a techie) claim "attribution doesn't matter" or "don't do attribution."

Also, check out Attributing Cyber Attacks by my KCL professor Thomas Rid, and fellow PhD student Ben Buchanan.

7 comments:

Anonymous said...

glad to see you are blogging again!

Harlan Carvey said...

Richard,

This is a very interesting article, and on its face, it is counter to other articles.

However, looking at this article from the perspective of the author (you), I don't think that's the case at all.

As a consultant, I interact with CIOs and CISOs who may not be aware of your perspective. In fact, I'm most often interacting with them because they haven't developed a strategy. Very often, the first question I'm asked is, "Who did this?" I tend to think that's the big driver behind the "threat intel" industry...breached organizations have no means for detecting the tools (lowest level) and are still focused on putting a face on the breach.

As a consultant, it's immensely difficult to pin down an adversary's strategy, due in no small part to the fact that attribution is so difficult. Consulting orgs do get some view into campaigns, but it's limited...not everyone breached by the same adversary calls the same response company.

However, your approach to attribution needs to be applied from the perspective of a CISO, not from someone (like me) responding to a breach that happened weeks or months ago.

Charlie said...

Still at the tactical level, it's impossible to handle the response properly if there is no way to know how persistent and resilient the opposing side will be. I remember cases where the modus operandi was quite similar between groups from different countries. Some of them gave up once the technical controls got strengthened. Others tried to target my team directly by socially engineering the top management of the company. Sticking to a purely technical defense would have been a disaster.

Greg Barnes @pwnjeetdo said...

Richard, as a current CISO and former USAF defender, I agree with most of what you've pointed out here. Keydet89's points about the need to recognize consultants (and defenders in general) having different goals and thought processes were important also.

Attribution has been bastardized into identification of an objectively identifiable name, rather than an expression which captures tools, tactics, procedures, campaigns, etc., and you're doing your part to correct the misconceptions. I really appreciate what you've suggested here.

A couple of small points on the constructive side-

1. Policy, legislation, diplomacy and/or sanctions are clearly expressions of intent relative to a goal, but they are not necessarily expressions OF the goal. They are also clearly key elements of sustainment strategies, but they don't particularly DICTATE them. Placing them at the same level as a Program Goal or at the '5th level' is (perhaps) sub-optimal. Just something to think about...

2. You can certainly name it whatever you want (and no doubt will), but 'the five levels of strategic thought' has a Tony Robbins ringtone (if I'm honest) and, more constructively, it's insufficiently specific to your topic. It's also slightly awkward having 'strategy' as a level in a model named 'the five levels of strategic thought'.

enjoyed the post-- see you around.

dre said...

We need technical intelligence that focuses in on adversary tool attribution -- not just malware and malware behaviors, but also their backends, backoffices, and home-court infrastructure. We have the NSA ANT Catalog, but we need this for every cyber offensive operation.

Then we need to find out who is financing the acquisition, construction, and/or integration of these tools. Thus, there are many layers of attribution unrealized by today's leaders and especially the media.

It is silly to make broad conclusions about attribution. Focus in on what matters, integrate your "threat" intelligence with internal intelligence (and share).

Focusing in on later-stage kill chain malware is my least favorite strategy. It is clear to me in a huge number of these well-known data breaches that all sorts of adversary tools were involved in many stages of the kill chain. Perhaps tools were skipped and a simple technique was utilized, but CAPEC or another project must identify, enumerate, and compare these techniques. Then, we need to start speaking that language.

dre said...

Apologies for another comment, but I was just reading your original book's section on I&W and curious if you have a new interpretation? Perhaps for another blog post?

Richard Bejtlich said...

Thanks for your comments everyone. Dre, I will have to look at my 2004 book again and get back to you.