Why attribution is hard
If you follow cyber security in the news, or on Twitter or LinkedIn, you’ll often hear debates about attribution, usually taking the form of “Attack X is the work of Country Y”. Most recently the attacks on the Swift network have been associated with the hacking group that trashed Sony, which in turn was attributed by the FBI to North Korea (and by this they mean the hacking was the work of state institutions in that country).
Does that mean NK is behind the Swift hacks?
Not necessarily, and this gets to the core of why attribution is hard. The original link between the Sony attackers, and the first Swift attack on the Bangladesh Bank was made by BAE. You can read it here – it’s technical but thorough. You’ll note BAE make no attribution, and simply assess this is likely the work of some of the same people.
This is where it gets tricky. Technical analysis will only take you so far, and it is extremely unlikely ever to deliver a smoking gun on attribution. In this case BAE and Symantec have shown a plausible connection between hacking groups. However, does that mean these individuals were always acting with a joint purpose, or for the same organisation? Not necessarily. So, just because we might be confident (because the FBI say so) that the North Korean state was behind the Sony attack, it doesn’t mean we can say with equal confidence that the North Korean state was behind the bank heists. Even if you could hack back, find yourself on the desktop of the hacker, and confirm that it is in Country X, that won’t, in and of itself, provide attribution. It won’t necessarily tell you why they are doing what they are doing, or for whom.
Perhaps NK bought in expertise from elsewhere, and that expertise also does other criminal work? Perhaps individuals who work for the NK state decided to do some freelance work on the side. So our technical knowledge, whilst enlightening, is unlikely to lead to concrete conclusions about who was actually responsible for the malicious activity. Was it spies on the orders of Pyongyang both trashing Sony and fleecing banks? Was it freelancers who trashed Sony on behalf of NK, and then did their own bank robbing? Was it some mix of both?
But you said the FBI attributed the Sony hack to North Korea? So how did they do that?
Ah yes, I did. And they did so publicly. They give part of their reasoning in that statement, but also note that they cannot reveal all of the background. However, the attribution will not have been made by the FBI alone. The US has the NSA (and courtesy of one E. Snowden we have an inkling of their capabilities), the CIA, the Department of Defense and many, many other capable (and secret) resources to draw on. So the attribution will be drawn from wider intelligence than just analysing the known attacks.
Sometimes there are better clues as to attribution. One might ask oneself who would spy on Uighurs and pro-Tibetan activists, or Iranian dissidents, and probably come to a reasonable conclusion. Assessments of attribution are based on lots of things – who would target this group/organisation/government, technical analysis of the attacks, and, crucially, secret intelligence.
So does attribution matter to me?
Luckily, not so much. Sure, it’s useful to know if you’re likely to be spied on by the Chinese or trashed by the North Koreans (you can use it to justify more money, if nothing else), but in the grand scheme of things it doesn’t make that much difference to your defence posture. You can never know for sure anyway, so if you believe you may be a target for state-backed groups, assume the worst and defend appropriately. All of these groups, be they nation state or criminal, use broadly similar means to get into your network, phishing being the most common. I’ve blogged about this before. Good cyber security will make life hard for attackers regardless of who they are, so don’t get too hung up on attribution.
Comments, thoughts, rants, get in touch. Otherwise, thanks for reading!