Identifying Cyber-Attackers to Require High-Tech Sleuthing Skills
The White House released in May 2011 the first “International Strategy for Cyberspace.” This policy document promotes the U.S. vision for the future of the Internet and the nation’s role in shaping that plan.
A key objective of this strategy is implementing a policy of deterrence that unequivocally states the government’s intention to use “all necessary means to respond to hostile cyber-activity that threatens U.S., allied, or partner interests.”
Deterrence relies on the ability to identify an attacker and demonstrate an effective means to dissuade further hostile activity. Currently, attribution remains a difficult endeavor as the anonymity afforded by the Internet often frustrates efforts to link actors with events. The attribution problem hinders the application of countermeasures, preemptive actions and mitigation strategies that minimize or neutralize threats before they are deployed.
Technical analysis alone is insufficient to support attribution for a deterrence strategy. Rather, attribution must embody a fusion of technical, behavioral and cognitive analysis to achieve a higher rate of actor identification.
No standard methodology exists today for establishing a degree of confidence in cyber-attribution. The defender must be able to identify the perpetrator in order to take an appropriate response action, and perpetrators in turn must believe their actions will be attributed if further activity is to be deterred.
Compromising computers in different countries before launching an attack obfuscates an actor’s true country of origin. Use of anonymizing services or proxies further frustrates identification through technical means, as the last apparent source country of a cyber-attack is not necessarily the one from which the attack originated.
While technical software and hardware tools assist in detecting cyber-assaults, they do little in ascertaining the attacker’s identity, intent or potential nation-state affiliation.
Perpetrators have been known to use botnets — a network of compromised computers that they control.
Operational security measures combined with an increasing sophistication of developed malware — such as Trojans, worms, keyloggers, rootkits and viruses — pose real challenges in determining who is actually conducting the malicious activity as well as the intent behind it.
The following are established methodologies that do not adequately address the nuances of the problem.
“Analytic Hierarchy Process” (AHP) is a structured technique for application against complex decisions, but the methodology is too static, and requires the ranking of alternatives into a fixed, weighted hierarchy. Cyber-scenarios are more dynamic and do not easily fit into the established ranking system. AHP focuses on the “effects” of an action — analyzing hypotheses about what is true or what is likely to happen — rather than on the motivations behind an event.
“Analysis of Competing Hypotheses” advocates the identification and analysis of alternative hypotheses rather than a single “most likely” conclusion. Like Analytic Hierarchy Process, this method is unable to take the dynamic nature of the Internet into account. The matrix structure of Analytic Hierarchy Process does not consider what is “behind” a piece of evidence. It only looks forward from that piece of evidence. It demands the analyst make too many judgments. Cyberspace is very much a gray area, and it would be nearly impossible to consider the number of possible actors for every successful or attempted network intrusion.
“The Delphi Technique,” meanwhile, is forecast-focused, which can aid predictive analysis, but it does little to support dynamic analytic problems such as cyber-attribution. Delphi is not a viable tool of investigation but a means of supporting studies with more established and reliable methods. It has a tendency to lead a group to a predetermined outcome, and the risk of a lowest-common-denominator consensus is high.
Technical data is helpful in determining the skill level and actor tactics. It cannot take into account behavioral traits of intent, motivation, or desire exhibited by these actors, nor can it provide predictive forecasting of future attacks and targets.
According to an Institute for Defense Analyses study, limitations include:
Attribution Delays. The defender must determine if the incident is actually malicious, identify the computer originating the activity and decide on a response. During this period, an attacker may be gone before attribution has occurred.
Failed Attribution. Technical analysis is not always able to provide successful attribution because of the limited capabilities of technical equipment, human error or actor tradecraft.
Misattribution. Technical analysis may identify the wrong location or identity of a perpetrator. There are many possible causes for this, including defective software and incorrect or ambiguous data.
Proxy servers (which hide Internet protocol addresses), hop points (intermediary computers) and spoofed IP addresses still provide levels of anonymity that can successfully mask an actor’s source.
Also, technical analysis does not account for intruder cognitive aspects such as why the actor chose a specific computer, and the level of risk he was willing to assume.
At their base, network intrusions are criminal acts committed by serial offenders, and, as with serial crime, analysts must approach attribution with an objective mind, allowing the details of the intrusion activity to dictate the course of the investigation.
In this sense, the Internet must be viewed as an extension of the physical world and not a domain separate from it because the individual is the driver of the criminal activity whether virtually or physically.
The new analytic approach must be multidisciplinary, requiring a fusion of technical analysis, an understanding of offender behavior and a cognitive review of his thought process.
Technical analysis is equivalent to crime scene analysis, which looks at the details from the crime itself, the victim, and how the actor conducted the crime. He may have the ability and sophistication to conduct all types of network exploitation. But continued patterns of the same intrusion methods over similar targets can assist in attributing similar activity to the same person.
A new methodology would include evidence collected through technical analysis and computer forensics of the intrusion incident, the last known IP address from where an intrusion began, the Internet service provider used to facilitate the intrusion, and the tactics or methods used to perform missions. This includes network or computer reconnaissance, discovered vulnerabilities of the victimized computer, and the tools used to exploit the computer.
Also needed is the identification of the make and model of the victimized computer or network, the operating system, trace evidence left by the intruder, the victimized computer’s owner, the information resident on the computer and the networks or subnets that are accessible from the victimized computer.
Next is the correlation of evidence into meaningful categories and patterns.
An analyst must determine the primary intent of the intrusion, whether it was probing, network reconnaissance, unauthorized access, data theft, data manipulation, or data or network disruption or destruction.
Risk is determined by identifying the agency or organization network that is being targeted. A hacker targeting higher-visibility U.S. government agencies risks more exposure than one choosing a more benign target. The time of intrusion activity also needs to be considered, as it can relate to the possible locations from which the actor is operating.
Motivation is a key factor. Probing networks may not necessarily reflect an espionage element, nor does the theft of data necessarily indicate nation-state sponsorship. The information stolen can differentiate a criminal from a nation-state sponsored intruder.
Once the technical evidence and behavioral aspects of the intrusion are analyzed and correlated, the analyst can start to build an actor profile that addresses motivation, possible location, skill level, occupation, tools and any correlation with previous similar activity.
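As an added illustration of that fusion (example code written for this page, not the author’s method or any product), a small Python scoring model compares a new intrusion against two actor profiles built from the evidence categories above. Purely technical comparison is misled by a shared last-hop proxy IP, while adding target choice, intent and working hours points to a different actor. All actor names, tools, IPs (documentation ranges) and weights are constructed and hypothetical.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Intrusion:
    last_ip: str                 # last known IP the activity came from
    isp: str                     # provider or hop point used
    tools: frozenset             # tools used to exploit the computer
    tactics: frozenset           # methods used to carry out the mission
    target: str                  # kind of organization targeted (risk appetite)
    intent: str                  # probing, data theft, disruption, ...
    active_hours_utc: frozenset  # UTC hours in which activity was seen

def jaccard(a, b):
    """Set overlap in [0, 1]; 0 when both sets are empty."""
    return len(a & b) / len(a | b) if (a | b) else 0.0

def technical_score(new, prior):
    """What a purely technical comparison sees: infrastructure and tooling."""
    if new.last_ip == prior.last_ip:
        infra = 1.0   # same last-hop IP, which may only be a shared proxy
    else:
        infra = 0.5 if new.isp == prior.isp else 0.0
    return (0.5 * infra + 0.25 * jaccard(new.tools, prior.tools)
            + 0.25 * jaccard(new.tactics, prior.tactics))

def behavioral_score(new, prior):
    """Target choice, intent and working hours, weighted equally."""
    same_target = 1.0 if new.target == prior.target else 0.0
    same_intent = 1.0 if new.intent == prior.intent else 0.0
    return (same_target + same_intent
            + jaccard(new.active_hours_utc, prior.active_hours_utc)) / 3

def fused_score(new, prior, w_tech=0.5):
    """Both views combined; w_tech is the weight given to the technical side."""
    return w_tech * technical_score(new, prior) + (1 - w_tech) * behavioral_score(new, prior)

def rank(new, profiles, scorer):
    """Actor names ordered from best to worst match under the given scorer."""
    return sorted(profiles, key=lambda n: scorer(new, profiles[n]), reverse=True)

# Constructed sample data: hypothetical actors and documentation-range IPs.
PROFILES = {
    "actor_A": Intrusion("203.0.113.7", "ExampleNet", frozenset({"rat-x", "keylogger"}),
                         frozenset({"spearphish", "lateral-move"}), "university", "probing", frozenset(range(13, 21))),
    "actor_B": Intrusion("198.51.100.9", "ExampleNet", frozenset({"rat-x", "credential-dumper"}),
                         frozenset({"spearphish", "exfil-https"}), "defense_contractor", "data_theft", frozenset(range(1, 9))),
}
# New incident: exited the proxy IP actor_A once used, but target, intent and hours match actor_B.
NEW_INCIDENT = Intrusion("203.0.113.7", "ExampleNet", frozenset({"rat-x", "keylogger", "credential-dumper"}),
                         frozenset({"spearphish", "exfil-https"}), "defense_contractor", "data_theft", frozenset(range(2, 9)))
```

Running `rank(NEW_INCIDENT, PROFILES, technical_score)` puts actor_A first on the strength of the shared IP, while `rank(NEW_INCIDENT, PROFILES, fused_score)` puts actor_B first; the weights are illustrative and would be calibrated against an organization’s own case history.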
When this profile is complete, it can better aid network defenders in shoring up their organization’s network security. More importantly, details in the profile can assist in producing indications and warning information for those organizations that may be targeted in the future.
For the White House’s International Strategy for Cyberspace to be effective, adversaries must believe that the United States can accurately attribute hostile activity and use that information to successfully target and conduct a response action at least once. Technical analysis cannot be the lone tool to be leveraged in the attribution of malicious cyber-activity as it lacks many of the necessary components to achieve a more complete understanding of the perpetrator. Analysts must provide more accurate intelligence judgments, as well as pertinent leads that can further be explored and pursued.
The incorporation of behavioral and cognitive factors is essential because they allow for a holistic approach in identifying the individuals and/or groups behind network exploitation, something that current technical analysis or methodologies cannot successfully accomplish.
Emilio Iasiello is chief of threat analysis at iSIGHT Partners Inc., Chantilly, Va. The views expressed in this article are the author’s.