Tuesday, December 30, 2014

Five Reasons Attribution Matters

Attribution is the hottest word in digital security. The term refers to identifying responsibility for an incident. What does it matter, though? Here are five reasons, derived from the five levels of strategic thought. I've covered those before, namely in The Limits of Tool- and Tactics-Centric Thinking.

Note that the reasons I outline here are not the same as performing attribution based on these characteristics. Rather, I'm explaining how attribution can assist responsible actors, from defenders through policymakers.

1. Starting from the bottom, at the Tools level, attribution matters because identifying an adversary may tell defenders what software they can expect to encounter during an intrusion or campaign. It's helpful to know if the adversary uses simple tools that traditional defenses can counter, or if they can write custom code and exploits to evade almost any programmatic countermeasure.

Vendors and software engineers tend to focus on this level because they may need to code different defenses based on attacker tools.

2. The benefits of attribution are similar at the Tactics level. Tactics describes how an adversary acts within an engagement or "battle." It describes how the foe might use tools or techniques to accomplish a goal within an individual encounter.

For example, some intruders may abandon a system as soon as they detect the presence of an administrator or the pushback of a security team. Others might react differently by proliferating elsewhere, or fighting for control of a compromised asset.

Security and incident response teams tend to focus on this level because they have direct contact with the adversary on a daily basis. They must make defensive choices and prioritize security personnel attention in order to win engagements.

3. The level of Operations or Campaigns describes activities over long periods of time, from days to months, and perhaps years, over a wider theater of operations, from a department or network segment to an entire organization's environment.

Defenders who can perform attribution will better know their foe's longer-term patterns of behavior. Does the adversary prefer to conduct operations around holidays, or certain hours of the day or days of the week? Do they pause between tactical engagements, and for how long? Do they vary intrusion methods? Attribution helps defenders answer these and related questions, perhaps avoiding intrusion fatigue.
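The campaign-level questions above (working hours, days of the week, pauses between engagements) can be put to even a modest set of timestamps once activity has been tied to one intrusion set. As an added illustration, not part of the original post, the Python below takes a constructed list of UTC timestamps of interactive attacker actions (invented for illustration, not real incident data), groups them into engagements separated by an idle gap, and reports hour-of-day and day-of-week distributions, the pauses between engagements, and a heuristic guess at which UTC offsets would place the activity inside a 09:00-18:00 workday. The three-hour idle gap and the workday window are assumptions chosen for the example.

```python
"""Campaign-level tempo profiling of attacker activity (added example)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample data: UTC timestamps of interactive attacker actions
# (e.g. commands run on compromised hosts). Invented for illustration.
RAW_EVENTS = [
    "2014-11-03T01:12:00Z", "2014-11-03T01:45:00Z", "2014-11-03T02:30:00Z",
    "2014-11-04T00:55:00Z", "2014-11-04T03:10:00Z",
    "2014-11-05T01:20:00Z", "2014-11-05T06:05:00Z",
    "2014-11-06T02:40:00Z", "2014-11-06T04:15:00Z",
    "2014-11-07T01:05:00Z", "2014-11-07T05:30:00Z",
    # roughly ten-day pause, then the operators return
    "2014-11-17T01:30:00Z", "2014-11-17T03:00:00Z",
    "2014-11-18T02:15:00Z", "2014-11-18T07:45:00Z",
]


def parse_events(raw):
    """Parse ISO-8601 'Z' timestamps into sorted, timezone-aware datetimes."""
    return sorted(
        datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        for s in raw
    )


def hour_histogram(events, utc_offset_hours=0):
    """Count events per hour of day, optionally shifted to a local offset."""
    shift = timedelta(hours=utc_offset_hours)
    return Counter((e + shift).hour for e in events)


def weekday_histogram(events, utc_offset_hours=0):
    """Count events per day of week ('Mon'..'Sun'), optionally shifted."""
    shift = timedelta(hours=utc_offset_hours)
    return Counter((e + shift).strftime("%a") for e in events)


def sessions(events, idle_gap=timedelta(hours=3)):
    """Group sorted events into engagements; a gap >= idle_gap starts a new one.
    The three-hour threshold is an assumption for this example."""
    if not events:
        return []
    groups, current = [], [events[0]]
    for prev, cur in zip(events, events[1:]):
        if cur - prev >= idle_gap:
            groups.append(current)
            current = []
        current.append(cur)
    groups.append(current)
    return groups


def pauses_between_sessions(events, idle_gap=timedelta(hours=3)):
    """Time from the end of one engagement to the start of the next."""
    groups = sessions(events, idle_gap)
    return [nxt[0] - cur[-1] for cur, nxt in zip(groups, groups[1:])]


def estimate_working_offset(events, start=9, end=18):
    """Heuristic: for each UTC offset -12..+14, count events whose local hour
    falls in [start, end). Return the best count and every offset achieving
    it, since several offsets usually tie. Suggestive evidence only."""
    hits_by_offset = {}
    for offset in range(-12, 15):
        shift = timedelta(hours=offset)
        hits_by_offset[offset] = sum(
            1 for e in events if start <= (e + shift).hour < end
        )
    best = max(hits_by_offset.values())
    return best, sorted(o for o, h in hits_by_offset.items() if h == best)


if __name__ == "__main__":
    evts = parse_events(RAW_EVENTS)
    print("Hour of day (UTC):", sorted(hour_histogram(evts).items()))
    print("Day of week (UTC):", dict(weekday_histogram(evts)))
    groups = sessions(evts)
    print(f"{len(groups)} engagements; pauses between them:")
    for gap in pauses_between_sessions(evts):
        print("  ", gap)
    best, offsets = estimate_working_offset(evts)
    print(f"{best}/{len(evts)} events fit a 09:00-18:00 workday at UTC "
          f"offsets {offsets}")
```

On the constructed data every event lands on a weekday and the workday heuristic ties between UTC+9 and UTC+10, which is the point: tempo analysis narrows the field and feeds attribution, but it does not settle it, and an operator who knows defenders look at this can shift shifts. Treat the output as one more observable to weigh alongside tools and tactics.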

CISOs should focus on this level and some advanced IR teams incorporate this tier into their work. This is also the level where outside law enforcement and intelligence teams organize their thinking, using terms like "intrusion sets." All of these groups are trying to cope with long-term engagement with the adversary, and must balance hiring, organization, training, and other factors over budget and business cycles.

4. At the level of Strategy, attribution matters to an organization's management and leadership, as well as policymakers. These individuals must decide if they should adjust how they conduct business, based on who is attacking and damaging them. Although they might direct technical responses, they are more likely to utilize other business methods to deal with problems. For example, strategic decisions could involve legal maneuvering, acquiring or invoking insurance, starting or stopping business lines, public relations, hiring and firing, partnerships and alliances, lobbying, and other moves.

Strategy is different from planning, because strategy is a dynamic discipline derived from recognizing the interplay with intelligent, adaptive foes. One cannot think strategically without recognizing and understanding the adversary.

5. Finally, the level of Policy, or "program goals" in the diagram, is the province of government officials and top organizational management, such as CEOs and their corporate boards. These individuals generally do not fixate on technical solutions. Policymakers can apply many government tools to problems, such as law enforcement, legislation, diplomacy, sanctions, and so forth. All of these require attribution. Policymakers may choose to fund programs to reduce vulnerabilities, which in some sense is an "attribution free" approach. However, addressing the threat in a comprehensive manner demands knowing the threat. Attribution is key to any policy decision where one expects other parties to act or react to one's own moves.

Remember the five levels of strategic thought and their associated parties and responsibilities when you hear anyone (especially a techie) claim "attribution doesn't matter" or "don't do attribution."

Also, check out Attributing Cyber Attacks by my KCL professor Thomas Rid, and fellow PhD student Ben Buchanan.

Sunday, December 28, 2014

Don't Envy the Offense

Thanks to Leigh Honeywell I noticed a series of Tweets by Microsoft's John Lambert. Aside from affirming the importance of security team members over tools, I didn't have a strong reaction to the list -- until I read Tweets nine and ten. Nine said the following:

9. If you shame attack research, you misjudge its contribution. Offense and defense aren't peers. Defense is offense's child.

I don't have anything to say about "shame," but I strongly disagree with "Offense and defense aren't peers" and "Defense is offense's child." I've blogged about offense over the years, but my 2009 post Offense and Defense Inform Each Other is particularly relevant. John's statements are a condescending form of the phrase "offense informing defense." They're also a sign of "offense envy."

John's last Tweet said the following:

10. Biggest problem with network defense is that defenders think in lists. Attackers think in graphs. As long as this is true, attackers win

This Tweet definitely exhibits offense envy. It plays to the incorrect, yet too common, idea that defenders are helpless drones, while the offense runs circles around them thanks to their advanced thinking.

The reality is that plenty of defenders practice advanced thinking, while even nation-state level attackers work through checklists.

At the high end of the offense spectrum, many of us have seen evidence of attackers running playbooks. When their checklist ends, the game may be up, or they may be able to ask their supervisor or mentor for assistance.

On the other end of the spectrum, you can enjoy watching videos of lower-skilled intruders fumble around in Kippo honeypots. I started showing these videos during breaks in my classes.

I believe several factors produce offense envy.

  1. First, many of those who envy the offense have not had contact with advanced defenders. If you've never seen advanced defenders at work, and have only seen mediocre or nonexistent defense, you're likely to mythologize the powers of the offense.
  2. Second, many offense envy sufferers do not appreciate the restrictions placed on defenders, which result in advantages for the offense. I wrote about several of these in 2007 in Threat Advantages -- namely initiative, flexibility, and asymmetry of interest and knowledge. (Please read the original post if the last two prompt you to think I have offense envy!)
  3. Third, many of those who glorify offense hold false assumptions about how the black hats operate. This often manifests in platitudes like "the bad guys share -- why don't the good guys?" The reality is that good guys share a lot, and while some bad guys "share," they more often steal, back-stab, and inform on each other.


It's time for the offensive community to pay attention to people like Tony Sager, who ran the Vulnerability Analysis and Operations (VAO) team at NSA. Initially Tony managed independent blue and red teams. The red team always penetrated the target, then dumped a report and walked away.

Tony changed the dynamic by telling the red team that their mission wasn't only to break into a victim's network. He brought the red and blue teams together under one manager (Tony). He worked with the red team to make them part of the defensive solution, not just a way to demonstrate that the offense can always compromise a target.

Network defenders have the toughest job in the technology world, and increasingly the business and societal worlds. We shouldn't glorify their opponents.

Note: Thanks to Chris Palmer for his Tweet -- "He [Lambert] reads like a defender with black hat drama envy. Kind of sad." -- which partially inspired this post.

Monday, December 22, 2014

What Does "Responsibility" Mean for Attribution?

I've written a few posts here about attribution. I'd like to take a look at the word "responsibility," as used in the FBI Update on Sony Investigation posted on 19 December:

As a result of our investigation, and in close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions. While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following... (emphasis added)

I'm not in a position to comment on the FBI's basis for its conclusion, which was confirmed by the President in his year-end news conference. I want to comment on the word "responsibility," which was the topic of a February 2012 paper by Jason Healey for The Atlantic Council, titled Beyond Attribution: Seeking National Responsibility in Cyberspace.

In the paper, Jason created the excellent table at left. You can read more about it in the original document.

Using the Spectrum of State Responsibility, in my assessment, the US government's statements include a range of possibilities, from State-encouraged to State-integrated.

(Options such as State-Prohibited, State-prohibited-but-inadequate, and State-ignored, are outside of the US government's "responsibility" statement.)

Given the nature of the DPRK regime and other factors, it is reasonable to conclude that the FBI's statement indicates State-ordered, State-executed, or State-integrated activity.

For example, if Bureau 121 is responsible, the attack would be State-executed.

If the DPRK contracted with third party criminal hackers, the attack would be State-ordered.

If the DPRK used both Bureau 121 and third party criminal hackers, the attack would be State-integrated.

It is unlikely the attack was State-rogue-conducted, meaning "out-of-control elements" attacked a victim. The incredibly restrictive, authoritarian nature of the DPRK regime and Internet access makes that highly unlikely.

Note that, using the Spectrum, some seemingly contradictory arguments can be resolved. For example, in a State-ordered scenario, the US government could correctly assert DPRK "responsibility," although the attack could have been executed by third party criminal hackers.

I believe the debate about the nature of DPRK activity would be more fruitful if concerned parties placed themselves on the Spectrum.

I do not know where on the Spectrum the FBI or other elements of the US government would place this DPRK incident, but as I said, it is reasonable to conclude that the FBI's statement indicates State-ordered, State-executed, or State-integrated activity.

On several related notes, I highly recommend reading Did North Korea Hack Sony? by RAND's Bruce Bennett, a true DPRK expert. Bennett explained his role recently on CNN. Also listen to this interview, read this story citing Korean defector Kim Heung Kwang, and read this paper (PDF) by DPRK expert Dr Alexandre Mansourov. I also agree with the analysis here by Professor Michael Schmitt.

Finally, I suggest that critics of government attribution need to think beyond their current positions, towards the consequences of their beliefs. If they demand higher standards for attribution, they're essentially asking for less anonymity, and more identification on the Internet. That would likely lead to government identity schemes, which the critics would also detest. They should be careful what they ask for, in other words.

Friday, December 05, 2014

Nothing Is Perfectly Secure

Recently a blog reader asked to enlist my help. He said his colleagues have been arguing in favor of building perfectly secure systems. He replied that you still need the capability to detect and respond to intrusions. The reader wanted to know my thoughts.

I believe that building perfectly secure systems is impossible. No one has ever been able to do it, and no one ever will.

Preventing intrusions is a laudable goal, but I think security is only as sound as one's ability to validate that the system is trustworthy. Trusted != trustworthy.

Even if you only wanted to make sure your "secure" system remains trustworthy, you need to monitor it.

Since history has shown everything can be compromised, your monitoring will likely reveal an intrusion.

Therefore, you will need a detection and a response capability.

If you reject the notion that your "secure" system will be compromised, and thereby reject the need for incident response, you still need a detection capability to validate trustworthiness.

What do you think?

Tuesday, December 02, 2014

Bejtlich on Fox Business Discussing Recent Hacks

I appeared on Fox Business (video) today to discuss a wide variety of hacking topics. It's been a busy week. Liz Claman and David Asman asked for my perspective on who is responsible, why the FBI is warning about destructive malware, how the military should respond, what businesses can do about intrusions, and more. All of these subjects deserve attention, but I tried to say what I could in the time available.

For more on these and other topics, don't miss the annual Mandiant year-in-review Webinar, Wednesday at 2 pm ET. Register here. I look forward to joining Kristen Verderame and Kelly Jackson Higgins, live from Mandiant HQ in Alexandria, Virginia.