Attribution Is Not Just Malware Analysis
In a recent Tweet I recommended reading Joe Stewart's insightful analysis of malware involved in Google v China. Joe's work is stellar as always, but I am reading more and more commentary that shows many people don't have the right frame of reference to understand this problem.
In brief, too many people are focusing on the malware alone. This is probably due to the fact that the people making these comments have little to no experience with the broader problems caused by advanced persistent threat. It's enough for them to look at the malware and then move to the next sample, or devise their next exploit, and so on. Those of us responsible for defending an enterprise can't just look at the problem from a malware, or even a technical, perspective.
I was reminded of this imperative when I read Waziristan: The Last Frontier in a recent Economist magazine.
[I]t is tempting to think Waziristan has hardly changed since those colonial days... Mostly, [the Pakistani Frontier Corps] discuss their belief that India is behind the current troubles on the frontier. Lieutenant-Colonel Tabraiz Abbas, just in from fighting the Mehsud militants, describes finding Indian-made arms on the battlefield. Substitute “Russian” for “Indian” and you have the standard British Great-Game gripe. As late as 1930, a senior British official, in dispatches stored in India’s national archives, reported that a clutch of Russian guns had been found in Waziristan: “Of these 36 are stamped with the ‘Hammer and Sickle’ emblem of the Soviet government, while one is an English rifle bearing the Czarist crest.”
Imagine if policy decisions were made on "rifle analysis" alone. Think of the havoc that an interloper could introduce by scattering weapons from other armies where a target of psychological operations would find them.
In summary, malware analysis is definitely an important part of attribution, but it's not the only part. Malware analysis is also not the only relevant aspect of Google v China. If you address the malware you won't solve the problem. The same goes for any vulnerabilities discovered during this event.
For some related thoughts on profiling an adversary using indicators and not just malware, see Mike Cloppert's post Security Intelligence: Attacking the Kill Chain.
Comments
http://extraexploit.blogspot.com
I find it interesting that you choose to not really explain what it means to "not have the right frame of reference" but then go on to attack the experience of the people who fall under this undefined category:
"the people making these comments have little to no experience with the broader problems caused by advanced persistent threat"
The people making what comments?
I think what you're saying is that the malicious software, the digital DNA as the NY Times put it, that Joe talks about (the modules copied from a Chinese author) is but one piece of the puzzle to be matched with determining who benefits from the attack, its characteristics, and so forth to get a good view of what happened with Google.
There's a larger, likely compelling post here somewhere, but it needs to be fully explained.
Those representing the enterprise who choose to focus on the technical aspects of this attack are not only likely not wrong, but are focusing on those aspects of this they have some influence over or can grasp, since geopolitical relations with foreign governments are somewhat out of their sphere of influence.
And yet, in many instances, that's all that folks focus on.
http://www.theregister.co.uk/2010/01/26/aurora_attack_origins/