
Challenge of Attribution of Malicious Cyber Actors amidst growing Cyber attacks and Cyberwarfare

Cyber warfare refers to the use of technology to launch attacks on nations, governments and citizens, causing harm comparable to actual warfare with weaponry. It has developed into a more sophisticated form of conflict between countries, in which critical infrastructure such as power, telecommunications or banking can be destroyed by damaging the computer systems that control it. Russia, China, Iran, North Korea, and other malign actors all use cyber operations as a low-cost tool to advance their interests.


Cyber warfare offers its practitioners several advantages, among them that the attackers are more difficult to track down. Malware can lie dormant, communicating in secret with a command-and-control server, until its operators decide to pull the trigger on its destructive capabilities. Quite often, nobody initially claims responsibility for these attacks, creating havoc and confusion as victims speculate about who may be responsible.


Attribution is important because it forms the basis of appropriate and effective technical, political and legal determinations and underpins technical, political and legal action and responsibility. Cyber threat attribution is fast becoming an important component of cyber defense operations. Determining cyber threat attribution enables an organization to understand the adversary's modus operandi and the threat actor's objective. This allows organizations to augment their defenses, thereby preventing future cyber attacks. Cyber attribution, the identification of the actor responsible for a cyber attack, is therefore a critical step in formulating a national response to such attacks.

Challenge of Attribution in Cyber

In the cyber context, attribution has often been presented as a challenge because of the anonymity cyberspace affords, the possibility of spoofing, the multi-stage nature of cyber attacks, and the indiscriminate nature of cyber tools. To this, one should add the required human and technical resources, the lengthy time scales, and the associated investigatory demands. State-to-state attribution is treated with even more trepidation, since the aforementioned problems are magnified and attribution or misattribution can engender serious consequences.


Attributing responsibility to who perpetrated an attack against a state and, even more importantly, who ordered it, is a way to achieve cyber deterrence. The main goal of publicising a cyber attribution is deterrence: the victim is making it known that it has enough capabilities to identify the perpetrators, and as such, emphasises its ability to punish and retaliate. However, in the case of states, deterrence is not always achieved. Boebert comes forth with scenarios that help elucidate this dilemma. He highlights four potential cases of cyberattacks on states:

1. Attacks that are directly planned and organised by a state without the use of non-state actors;
2. Attacks that are planned and sponsored by a state, but executed through non-state actors;
3. Attacks that are tolerated by the host country and executed by non-state actors; and
4. Attacks that are planned and executed by non-state actors with no involvement of any state.


In the first case, public attribution would have little effect in terms of deterrence, as it would most probably take place in an environment of international tension and imminent direct conflict. Public attribution, in this instance, could even be the trigger for war. In the second case, the involvement of non-state actors brings a cloak of plausible deniability to the state, obscuring attribution. The individual or group behind the attack would also be under the protection of the organising state, making it harder to enforce prosecution. In the third case, attribution is even more obscure, as there are no overt detectable links between the attackers and the organising state. The individual or group behind the attacks might be vulnerable to prosecution, but deterrence from attacks backed by states is not achieved. Finally, the fourth scenario is the only one in which deterrence is achieved through public cyber attribution. The organiser of the attack, being a non-state actor, is uncovered and at the mercy of a much more powerful actor, making the promise of harsh punishment enough to act as deterrence from similar attacks.


Thus, cyber attribution is an intricate process that does not work in binaries but on a sliding scale of confidence, where absolute certainty is impossible. Making attribution public aims to increase cyber deterrence. However, this tactic may not work for states dealing with direct or indirect attacks by another state.


International cyber attribution is a complex process that puts together and tests two different layers of investigation: technical and strategic. Analysts can assess responsibility for a cyber attack in three ways: the point of origin, such as a specific country; a specific digital device or online persona; or the individual or organization that directed the activity. This third category often is the most difficult to assess because we have to link malicious cyber activities to the specific individuals and assess the sponsor and motivators of these individuals.


Technical cyber attribution

Ascertaining the machines associated with a malicious cyber incident usually involves technical forensics, the art and science of looking for technical clues left behind in an intrusion. Technical attribution deals with the direct proofs of the cyber attack, meaning the digital forensic evidence. The painstaking work in many cases requires weeks or months of analyzing intelligence and forensics to assess culpability. In some instances, the intelligence community (IC) can establish cyber attribution within hours of an incident, but the accuracy and confidence of the attribution will vary depending on the available data.


When attempting to work out who may be behind an attack, incident responders typically assess both the indicators of compromise (IoCs) and the attackers' tactics, techniques, and procedures (TTPs) observed during the respective attack.


Every kind of cyber operation—malicious or not—leaves a trail. Our analysts use this information, along with their knowledge of previous events and the tools and methods of known malicious actors, to attempt to trace these operations back to their sources. Analysts compare the new information to existing knowledge, weigh the evidence to determine a confidence level for their judgments, and consider alternative hypotheses and ambiguities to produce cyber attribution assessments, writes ODNI.


Technical attribution studies, for example, the computer code and modularity of the software used in the assault, the network activity during the event, and the language artifacts of the software and the system behind it. Technicians will also investigate the type of targeting, which vulnerabilities the malicious software exploited, how it entered the victim's system and what the intruder was looking for. Due to false flag operations and spoofing techniques, the chances of achieving perfect technical attribution are low.


Acquisition, documentation, and recovery of data within twenty-four hours of a cyber incident is also critical, because data-deletion cyber attacks can erase the log data necessary for forensics, advanced malware dissipates from computer memory, and adversaries may abandon cyber infrastructure within hours of its discovery.
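The paragraph above explains why evidence must be captured quickly and in the right order: what lives only in memory goes first, disk-resident logs later, and every artifact is documented as it is taken. The script below is an added illustration of that order-of-volatility triage, not code from the page; it reads ordinary Linux sources (process list, socket tables, auth and system logs), treats a missing source as empty rather than fatal, and writes a timestamped SHA-256 manifest so the collection itself is documented. The output directory is a placeholder.

```python
"""Added example (not from the page): minimal triage collector that captures
evidence in order of volatility and records a hashed manifest as it goes."""
import hashlib
import subprocess
from datetime import datetime, timezone
from pathlib import Path

# Most volatile first: process and socket state live only in memory and can
# vanish or be wiped long before disk-resident logs do. Commands and paths
# are standard Linux ones; adjust for other platforms.
ACQUISITION_ORDER = [
    ("processes",       {"cmd": ["ps", "-ef"]}),
    ("network_sockets", {"files": ["/proc/net/tcp", "/proc/net/udp"]}),
    ("logged_in_users", {"cmd": ["who"]}),
    ("auth_logs",       {"files": ["/var/log/auth.log", "/var/log/secure"]}),
    ("system_logs",     {"files": ["/var/log/syslog", "/var/log/messages"]}),
]


def _capture(spec: dict) -> bytes:
    """Run a command or concatenate files; an absent source yields b"" and
    never aborts the collection (a wiped log is itself a finding)."""
    if "cmd" in spec:
        try:
            return subprocess.run(spec["cmd"], capture_output=True, timeout=30).stdout
        except (OSError, subprocess.SubprocessError):
            return b""
    chunks = []
    for path in spec["files"]:
        try:
            chunks.append(Path(path).read_bytes())
        except OSError:
            pass
    return b"".join(chunks)


def collect_all(out_dir: str) -> list[tuple[str, str, str]]:
    """Collect every step into out_dir in order of volatility.

    Returns the manifest rows (UTC timestamp, sha256 hex digest, step name),
    which are also written to out_dir/manifest.txt for the case record.
    """
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    manifest: list[tuple[str, str, str]] = []
    for step, spec in ACQUISITION_ORDER:
        data = _capture(spec)
        (out / f"{step}.txt").write_bytes(data)
        stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        manifest.append((stamp, hashlib.sha256(data).hexdigest(), step))
    (out / "manifest.txt").write_text(
        "".join(f"{t} {h} {s}\n" for t, h, s in manifest)
    )
    return manifest


if __name__ == "__main__":
    # Placeholder output path; a real collection would go to removable or
    # write-once storage rather than the suspect host's own disk.
    for row in collect_all("/tmp/triage_example_out"):
        print(*row)
```

The manifest gives each artifact a capture time and a digest at the moment it was taken, which is what later lets an analyst show that the log excerpt they are reasoning from is the one collected before the adversary's cleanup, not a later copy.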


Attribution efforts benefit from combining the expertise of regional, political, and cybersecurity analysts and the collaboration of network defenders, law enforcement, private cybersecurity firms, and victims.


Strategic Attribution

The more elaborate the attack, the harder it is to attribute. Even perfect technical attribution, however, will only go as far as identifying the individual or group behind the attack. Nevertheless, in cyber attribution between states, the core question is not “Who did it?”, but “Who is to blame?”


In order to define the responsibility for the attack, a strategic layer of investigation is also necessary. This will analyze the human aspects of the operation, such as the patterns of life of the attack and the level of resources invested in it. This analysis, joined with a study of the geopolitical context, history, politics and information gathered through intelligence, helps shed light on the attacker’s potential influence or backing from hostile states. Cyber attribution is thus a political judgment based on technical and strategic information.


For Chinese state sponsored actors, targeting computer networks of interest and enabling persistence can provide significant access to intellectual property and other sensitive data that can bolster their own technological advancements. This in turn greatly enhances China’s goals of emerging as the world’s biggest economy and superpower.


Iran and North Korea, commonly thought of as two of the four countries with the most capable and active offensive threat groups, also use cyber attacks either as a means to exert regional dominance or, in the case of North Korea, to provide financial assistance to the regime. Perhaps the best example of this was observed in 2016, when the North Korean APT Lazarus Group stole USD 81 million from the Bank of Bangladesh.


Russia, on the other hand, arguably wields a far more complicated offensive cyber security program. On one hand, Russian actors are known to be rather loud and brash, using deliberate malicious acts like denial of service (DoS) and other computer network attacks (CNA), which often coincide with Russian military action. This was observed in the Russian invasion of South Ossetia and Abkhazia in Georgia in 2008, and also against Ukraine in the lead-up to the invasion of Crimea in 2014.


The motivations of these attackers are all different, as are the methods and ramifications of their activity. It’s extremely difficult to provide a meaningful framework for responding to a wide array of attacks, which is also undoubtedly influenced by geopolitics.


ODNI’s Key Indicators That Enable Attribution

Attributing an attack to a particular country or actor requires collecting as much data as possible to establish connections to online actors, individuals, and entities. Because this often results in hundreds of conflicting indicators, we identified key indicators to guide us in seeking timely, accurate attribution. The primary indicators are tradecraft, infrastructure, malware, and intent. We also rely on indicators from external sources, such as open-source reports from private cybersecurity firms.

- Tradecraft: Behavior frequently used to conduct cyber attacks or espionage. This is the most important indicator because habits are more difficult to change than technical tools. An attacker's tools, techniques, and procedures can reveal attack patterns, but these unique tradecraft indicators diminish in importance once they become public and other actors can mimic them.

- Infrastructure: The physical and/or virtual communication structures used to deliver a cyber capability or maintain command and control of capabilities. Attackers can buy, lease, share, and compromise servers and networks to build their infrastructure. They frequently establish infrastructure using legitimate online services, from free trials of commercial cloud services to social media accounts. Some are loath to abandon infrastructure, while others will do so because they can rebuild it within hours. Some routinely change infrastructure between or even within operations to impede detection.

- Malware: Malicious software designed to enable unauthorized functions on a compromised computer system, such as key logging, screen capture, audio recording, remote command and control, and persistent access. An increasing number of cyber actors can modify some malware indicators within minutes or hours of suspected compromise, and some routinely change malware between or within operations to impede detection and attribution.

- Intent: An attacker's commitment to carry out certain actions based on the context. Covert, deniable cyber attacks often are launched against opponents before or during regional conflicts or to suppress and harass enemies of the state.

- Indicators from External Sources: We also use reports from private industry, the media, academia, and think tanks to provide such data or to share hypotheses about the perpetrators.
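The earlier paragraphs describe analysts comparing observed IoCs and TTPs against existing knowledge of known actors, weighing the evidence into a confidence level and keeping alternative hypotheses open; the indicator list above adds the weighting rule that tradecraft outranks infrastructure and malware, and that any indicator loses value once it is public and can be mimicked. The code below is an added example of that reasoning in working form and is not ODNI's or the page's own method. The numeric weights, the 50% discount for published indicators, the actor names, TTP phrases, hostnames and hashes are all constructed for illustration.

```python
"""Added example (not from the page or from ODNI): weigh observed indicators
against known actor profiles, score confidence, and keep competing hypotheses."""
from dataclasses import dataclass

# Relative weights follow the page's ordering: tradecraft (habits) is hardest
# to change and counts most; malware can be altered within hours and counts
# least. The values themselves are an assumption for this example.
WEIGHTS = {"tradecraft": 3.0, "infrastructure": 2.0, "malware": 1.0}
# Once an indicator is public, other actors can mimic it (false flags), so
# it is discounted. The 50% figure is likewise an assumption.
PUBLIC_DISCOUNT = 0.5


@dataclass(frozen=True)
class Indicator:
    kind: str   # "tradecraft", "infrastructure" or "malware"
    value: str  # a TTP description, a C2 host, a sample hash, ...


@dataclass(frozen=True)
class ActorProfile:
    name: str
    known: frozenset  # Indicators previously tied to this actor


def indicator_weight(ind: Indicator, published: frozenset) -> float:
    w = WEIGHTS[ind.kind]
    return w * PUBLIC_DISCOUNT if ind in published else w


def score_actor(observed, profile, published):
    """Sum the weights of observed indicators that appear in the actor's profile."""
    matched = [i for i in observed if i in profile.known]
    return sum(indicator_weight(i, published) for i in matched), matched


def assess(observed, profiles, published, margin=0.5):
    """Rank actors and report confidence plus competing hypotheses.

    Confidence is the leader's score over the best possible score for this
    evidence (every indicator matched and none of it public). Any other actor
    scoring at least `margin` of the leader stays listed as an alternative,
    and observed indicators the leader's profile cannot explain are reported.
    """
    ceiling = sum(WEIGHTS[i.kind] for i in observed)
    ranked = sorted(
        ((score_actor(observed, p, published)[0], p.name) for p in profiles),
        key=lambda t: (-t[0], t[1]),
    )
    top_score, top_name = ranked[0]
    leader = next(p for p in profiles if p.name == top_name)
    return {
        "leading": top_name,
        "confidence": round(top_score / ceiling, 2) if ceiling else 0.0,
        "alternatives": [n for s, n in ranked[1:] if s > 0 and s >= margin * top_score],
        "unexplained": [i.value for i in observed if i not in leader.known],
        "ranking": ranked,
    }


# ---- constructed knowledge base: every name, host and hash below is made up ----
T_LURE = Indicator("tradecraft", "spearphish with macro-enabled invoice lure")
T_WMI = Indicator("tradecraft", "lateral movement via WMI outside business hours")
I_C2A = Indicator("infrastructure", "c2-relay.example-a.invalid")
I_CDNB = Indicator("infrastructure", "share-cdn.example-b.invalid")
M_AAAA = Indicator("malware", "sha256:aaaa1111")  # placeholder digests
M_BBBB = Indicator("malware", "sha256:bbbb2222")
M_CCCC = Indicator("malware", "sha256:cccc3333")
M_NEW = Indicator("malware", "sha256:dddd4444")   # never seen before

PROFILES = [
    ActorProfile("ACTOR-A", frozenset({T_LURE, T_WMI, I_C2A, M_AAAA})),
    ActorProfile("ACTOR-B", frozenset({T_LURE, I_CDNB, M_BBBB})),
    ActorProfile("ACTOR-C", frozenset({T_WMI, I_C2A, M_CCCC})),  # shares leased C2 with A
]
PUBLISHED = frozenset({I_C2A, M_AAAA})  # already in public vendor reporting


def incident_rich():
    """Unpublished tradecraft plus public IoCs: strong lead, one alternative open."""
    return assess([T_LURE, T_WMI, I_C2A, M_AAAA, M_NEW], PROFILES, PUBLISHED)


def incident_public_only():
    """Only published, mimicable indicators match: confidence stays low."""
    return assess([I_C2A, M_AAAA], PROFILES, PUBLISHED)


if __name__ == "__main__":
    print(incident_rich())
    print(incident_public_only())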



In April 2016, DARPA announced a solicitation for proposals related to enhanced attribution. The announced program aims to make currently opaque malicious cyber adversary actions and individual cyber operator attribution transparent by providing high-fidelity visibility into all aspects of malicious cyber operator actions and to increase the government’s ability to publicly reveal the actions of individual malicious cyber operators without damaging sources and methods.


Over the last three years the program has developed techniques and tools for generating operationally and tactically relevant information about multiple concurrent independent malicious cyber campaigns, each involving several operators, and the means to share such information with U.S. law enforcement, intelligence, and allied partners.




About Rajesh Uppal
