Word Notes 5.9.23
Ep 147 | 5.9.23

attribution (noun)


Rick Howard: The word is: attribution

Rick Howard: Spelled: A as in acknowledgement, T as in traceability, T as in a token, R as in recognition. I as in individuality, B as in blame, U as in uniqueness, and tion, T I O N, as in to push away, which has absolutely nothing to do with the word, but I just thought it was funny.

Rick Howard: Definition one: The recognition of a set of repeatable attack patterns across the intrusion kill chain. Definition two: Determining the responsibility for offensive cyber operations.

Rick Howard: Example sentence: While traditional intelligence faces similar issues, attribution of cyber operations has additional challenges because of the opportunities to mask one's own identity or appear as someone else.

Rick Howard: Origin and context: From almost the beginning of InfoSec history, network defenders have been exposed to colorful names attributing cyber offensive operations like crime, espionage, activism, continuous low level cyber conflict, et cetera. Two specific groups, like the Lazarus Group, Wicked Panda, and APT 29, just to name three.

Rick Howard: The first and arguably the most famous called Moonlight Maze was the U.S. government's 1998 attribution of Russian hacker activity directed against the Pentagon, NASA, and some affiliated academic and laboratory facilities. Back then, commercial cyber intelligence didn't really exist. Most of the attribution naming came from governments and didn't make it into public circles until long after the activity began. One example is the code named TITAN RAIN, an umbrella code word used by the U.S. Department of Defense in the early two thousands to depict Chinese cyber operations. A decade later, Mandiant established the precedent of commercial cybersecurity vendors naming hacker groups in 2013 when they released the report "APT1: Exposing One of China's Cyber Espionage Units." the first public document that outlined Chinese government cyber attack campaigns across the intrusion kill chain. Today most cybersecurity vendors have some sort of a public facing intelligence team that conducts in publishes independent research for marketing purposes.

Rick Howard: Unfortunately, there is no agreed upon naming convention, so everybody has their own scheme. Mandiant uses numbers as in APT1, CrowdStrike uses animal names like Fancy Bear, and Microsoft just changed their naming scheme in 2023 from elements like Hafnium to two-word names based on weather. As the years go by, confusion compounds for several reasons. First, because everybody has their own naming scheme, we tend to have a smorgasboard of names that all refer to the same activity. For example, as of this writing the Mitre ATT&CK framework wiki lists 15 different aliases that refer back to APT29. Second, there is a difference in the fidelity of attack campaign intelligence, like the Mitre ATT&CK wiki, and the attribution of who is actually behind the attacks.

Rick Howard: Campaign intelligence has high fidelity. As a community, we're pretty sure how APT29 traverses the intrusion kill chain. On the other hand, the fidelity of who is behind those campaigns is low. You might read that Cozy Bear is associated with the Russian Foreign Intelligence Service, SRV, formerly the KGB, but you have no idea if that attribution is correct and how could you, you're watching network traffic, not people in the real world. Government spy agencies can attribute activity at this level, but they're not likely to tell you what they know except for some niche special cases. For the most part, they're trying to protect their sources and methods. The chances that your favorite security vendors intelligence team has any inside information to confirm the assertion is low.

Rick Howard: They might have some suspicions, like language used in the code, IP address, geographical location, time of day, et cetera. But if I'm the president of the United States, I'm not launching the nukes on that flimsy evidence. What is likely when you read the attribution is that some other intelligence team in the past attributed Cozy Bear to the SRV, and this new report you're reading is just passing the information along without telling you the source. The bottom line is that for public intelligence reports, the fidelity of most attribution to some nation-state isn't supported by strong evidence. On the other hand, the fidelity for the listed Mitre ATT&CK TTPs associated with Cozy Bear is high, and that causes confusion. The point is, for most of us, it doesn't matter which government is behind the attacks.

Rick Howard: If you know that North Korea is attacking you, who cares? Unless you're a nation-state spy organization tracking useful human intelligence sources, or a law enforcement agency seeking to indict people, that knowledge doesn't help a typical network defender at all. What is important is knowing whether your team is observing attack patterns consistent with the Lazarus Group in your networks, and whether they have deployed prevention controls to counter them at each stage of the intrusion kill chain.

Rick Howard: Nerd Reference: On Mark Nunnikhoven’s YouTube channel called Cybersecurity Basics, in his episode number nine on Attack Attribution in 2018, he talks about the difference between the attributing people and attack campaign.

Mark Nunnikhoven’s: So anytime there's a cyber attack, people are always wondering who it is, and that's totally natural. I'm not trying to dissuade people from figuring that out. The challenge is, is that it's extremely difficult to make a strong attribution with a high level of confidence. So the challenge here is, how do you say that It was Mark sitting behind the keyboard that launched a specific cyber attack. And the answer is, it's really hard to do that. And you can normally find different properties or attributes of an attack that will point to an entity, but you won't be able to tie that entity to people unless they make a massive mistake maybe leave a little bit of pieces here or there, we know this IP has been used in different hacks before. Um, we know that this IP is also a tax system E. Okay, well now we've got more pieces of the puzzle, but at no point does that relate to Mark behind a keyboard typing and attacking people. And that's why attack attribution A, it isn't that useful for most people, unless you're in law enforcement or nation state politics, figure out who attacked you, isn't that useful? Figuring out the category of attacker is extremely useful.

Rick Howard: Word Notes is written by Tim Nodar, executive produced by Peter Kilpe and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.