Malicious actors in cyberspace currently operate with little fear of being caught due to the fact that it is extremely difficult, in some cases perhaps even impossible, to reliably and confidently attribute actions in cyberspace to individuals. The reason cyber attribution is difficult stems at least in part from a lack of end-to-end accountability in the current Internet infrastructure.
Cyber campaigns spanning jurisdictions, networks, and devices are only partially observable from the point of view of a defender that operates entirely in the friendly cyber territory (e.g., an organization’s enterprise network). The identities of malicious cyber operators are largely obstructed by the use of multiple layers of indirection. The current characterization of malicious cyber campaigns based on indicators of compromise, such as file hashes and command-and control infrastructure identifiers, allows malicious operators to evade the defenders and resume operations simply by superficially changing their tools, as well as aspects of their tactics, techniques, and procedures. The lack of detailed information about the actions and identities of the adversary cyber operators inhibits policymaker considerations and decisions for both cyber and non-cyber response options.
In 2016, Defense Advanced Research Projects Agency (DARPA) solicited innovative research proposals in the area of cyber attribution.” The goal of this “Enhanced Attribution” program is to develop technologies that can generate “operationally and tactically relevant information about multiple concurrent independent malicious cyber campaigns, each involving several operators.” The hope is that this information will allow the Department of Defense (DoD) to identify threat actors perpetrating attacks and potentially to predict future attacks.
Angelos Keromytis, the program lead at DARPA, admitted in announcing the project that this will be an extremely difficult undertaking but that malicious cyberactors currently operate with little fear of being caught and he wants to be more proactive in identifying threat actors. Craig Young, cybersecurity researcher for Tripwire, said attacker profiling and attribution is “an extremely daunting problem.”
“While it is helpful to recognize tools and infrastructure associated with individuals and groups, it is generally not sufficient for definitive claims as adversaries commonly try to disguise their actions through false flags,” Young said. “In general, I would say this is a worthwhile plan, but it is also very ambitious and the results of such a system should be taken with a grain of salt.”
Dr. Chase Cunningham, director of cyber threat research at Armor Defense Inc., based in Richardson, Texas said that while such a cyber attribution system may never produce a 100% accurate identification of the actor behind such an attack, it may be able to “make a well-educated guess about who the likely actors or groups are that are behind a particular action.” “However, because well trained and seasoned threat groups use things like proxies and a variety of other means to hide their tracks it would be very hard to have really actionable points for any one particular event,” Cunningham said. “Essentially when it is all broken down, without actually having some method for having the bad guys get counter-hacked and the DoD installing some sort of telemetry or beaconing software on the actual bad guy’s machine, they would always be making an analytic leap when they said that ‘this group did this thing at this time.'”
The Enhanced Attribution program aims to make currently opaque malicious cyber adversary actions and individual cyber operator attribution transparent by providing high-fidelity visibility into all aspects of malicious cyber operator actions and to increase the government’s ability to publicly reveal the actions of individual malicious cyber operators without damaging sources and methods. The program will develop techniques and tools for generating operationally and tactically relevant information about multiple concurrent independent malicious cyber campaigns, each involving several operators, and the means to share such information with any of a number of interested parties.
Michael Angelo, CRISC, CISSP, and chief security architect at Micro Focus, said that the current rate of acceleration for attacks and sophistication of attacks means that “2020 will be too late.” “The methodology for attacking systems has been automated to the extent that a single entity can attack hundreds of thousands of machines an hour,” Angelo said. “While previous attacks were designed to deliver their impact relatively fast and destroy systems or attempt the exfiltration of data, evolving attacks may remain dormant for quite some time, attempt to lock and ransom data, or even be leveraged for other attacks. Even the ransoming of data seems to be evolving to cover the release of the basic fact you were hacked.”
Over the last three years the program has developed techniques and tools for generating operationally and tactically relevant information about multiple concurrent independent malicious cyber campaigns, each involving several operators, and the means to share such information with US. law enforcement, intelligence, and Allied partners.
In late 2020, DARPA EA researchers used their data analytics to develop timely, accurate threat information regarding Russian-attributed malicious cyberinfrastructure and associated actor personas. EA shared this information with close partners at the FBI Atlanta and Pittsburgh field offices, contributing to the October 2020 indictment of six GRU personnel associated with a worldwide destructive malware
campaign and the remediation of that malware campaign in U.S. and Allied critical infrastructure.
The program seeks to develop:
–technologies to extract behavioral and physical biometrics from a range of devices and vantage points to consistently identify virtual personas and individual malicious cyber operators over time and across different endpoint devices and C2 infrastructures;
–techniques to decompose the software tools and actions of malicious cyber operators into semantically rich and compressed knowledge representations;
–scalable techniques to fuse, manage, and project such ground-truth information over time, toward developing a full historical and current picture of malicious activity;
–algorithms for developing predictive behavioral profiles within the context of cyber campaigns; and
–technologies for validating and perhaps enriching this knowledge base with other sources of data, including public and commercial sources of information.
“The program is divided into three technical areas (TA) that will be working in parallel, starting at program kickoff, and will span three 18-month Phases,” they noted.
“TA1 performers will develop technologies for network behavior and activity tracking and summarization. TA2 performers will develop technologies for fusion of TA1-generated data and for predictive analysis of malicious cyber operator activities, and will serve as the architect and integrator of the experimental prototype. TA3 performers will focus on validation and enrichment of TA1- collected and TA2-fused data with non-sensitive information (e.g., publicly available data feeds) with the goal of generating a description of the malicious activities using only such data that the Government can publicly reveal in order to expose the actions of individual malicious cyber operators without damaging sources and methods.”