14 September 2015

The Complexities of Attribution in Cyber Space: An Overview

By James Palazzolo, 25 August 2015

The challenges of attribution in Cyber Space involve both social and political aspects that relate directly to the overall technical architecture of the Internet as a whole.

Rid and Buchanan argue that attribution is not a matter of technology but a matter of want; meaning: attribution in Cyber Space is determined by how important it is to states to want accurate, high confidence attribution with regards to cyber systems. If this want is not realized, then little kinetic effort will be spent on the process of attribution.

The challenges of attribution are a well-known argument from a technical studies perspective, but it still does not help to answer: what can organizations do in the short term when looking for high degrees of confidence in attribution? If high confidence technical attribution is possible, how long will organizations (that utilize cyber systems to conduct business) have to wait until states globally accept levels of concrete identity over the Internet for all systems? From an analogous perspective, the wait for an answer to this question is the ‘gorilla in the room’.

There is a good possibility that consistent high confidence attribution of cyber systems will never be achieved. From a covert operations viewpoint the lack of high confidence attribution benefits states’ Intelligence communities.

The ability to launch political campaigns with almost complete anonymity is too convenient for states to ignore (Alyia Sternstein in Defense One). It can be argued that social applications have cemented this stance as these applications are able to reach millions of individuals rapidly and typically cost the end user nothing to use.

Therefore, why would states want to engage other states in creating policy that reflects the technical gaps surrounding attribution in Cyber Space?

Additionally, there is no monetary incentive from a private industry stance to push the conversation closer towards high confidence attribution for cyber systems. With billions of dollars already invested in offensive and defensive cyber systems, there is no need to redirect development costs towards developing systems that offer high degrees of user and host attribution.

The slippery concept of attribution

The term attribution itself poses a further layer of complexity when dealing with cyber systems. The social, technical, and political nature of the interconnectedness involved in these systems makes the question of attribution a multidimensional question in itself.

The ‘who’ portion of this attribution question may range from a single user sitting at a desk within an organization to several individuals scattered across the globe. Furthermore, autonomous cyber systems such as botnets further dilute the pursuit of attribution.

It is not entirely uncommon for bots to sit on infected machines that have long been forgotten by their creator. Using this example as a frame of reference, is it more important to know who created the autonomous system(s), or is it more important to know that the autonomous system(s) were at the root of the event?

Eric Mejia (Colonel, USAF) contends that this can be distilled into a simple question whereby the most important attribute in the question of attribution becomes whether or not a state was responsible for a cyber-attack (p118). Although this may apply to state vs. state contention within Cyber Space, it does not cover the multiplicity that Cyber Space actually is.

When considering the dilemma of attribution from a small-to-medium business (SMB) and large enterprise standpoint, both share one attribute in common with regards to negative events within Cyber Space: jurisdiction (“Evidentiary Issues in International Disputes Related to State Responsibility for Cyber Operations” by Marco Roscini). Neither type of organization has jurisdictional authority to pursue an investigation beyond its own physical perimeter. Furthermore, both have to rely on law enforcement, who themselves also have limited jurisdiction when considering the scope of Cyber Space.

The physical reality when dealing with jurisdiction and attribution almost makes attribution a moot point from a response and enforcement perspective. This reality becomes a vicious cycle of repeating affairs with no real resolution taking place.

Confidence and tools

Blending in all of these already known principles regarding Cyber Space and attribution, the next greatest contributor to the attribution quagmire becomes ‘confidence’.

When developing the final output of any attribution analysis, confidence becomes the indicator as to whether or not the effort is fruitful; meaning: an effort in determining attribution can provide actionable Intelligence that can then be transformed into a kinetic response (e.g. changing firewall rules, enhancing user awareness training, et al.).

Confidence is a blended attribute in the Intelligence lifecycle when performing an analysis of collected data, and it is no different when applied to Cyber Threat Intelligence (CTI). Here organizations can leverage this confidence and apply CTI data within their security programs (Shackleford and Northcutt 2015). Tools have been in development with regards to CTI and CTI sharing for the past few years, and a small number of standards have evolved out of these efforts (Farnham and Leune 2013).

Also, as Cyber Defense Systems mature they include architectural requirements for sharing between like-vendor systems, thus creating large vendor-distributed Intelligence networks.

However, when considering this evolution from a self-serving attribution basis, does this create excess pressure on vendors to provide CTI and, if so, what level of quality assurance is applied to this data (Libby and Rennekamp 2012)? If questionable, then the validity of attribution becomes further entrenched in the trust placed in the evidence presented by these systems.

Considerable investment is required to achieve enforceable treaties: decades of diplomacy and treaty negotiation, thousands of individuals working together in an international setting to develop technology and procedures, and continuous refinement of treaties and practices.

Nuclear non-proliferation treaties can serve as a positive example for managing the reduction of malicious activities on the Internet (Hunker, Hutchinson & Margulies 2008, 4-5).

Regardless of the challenges surrounding achieving high confidence attribution in Cyber Space, the fact remains: attribution is important (Hunker, Hutchinson & Margulies 2008). It will most likely be many years before a consensus is agreed upon with regards to acceptable use of the Internet and attribution on a global scale.

Like the global talks regarding nuclear non-proliferation, the groundwork for this future discussion has finally been laid.

James Palazzolo is a Cyber Security Researcher with a focus on Cyber Intelligence. He has a degree in Information Assurance from Eastern Michigan and is currently scheduled to complete his Graduate Degree in Cyber Intelligence by the end of 2016. James has also worked in security for Healthcare and in Local Governments. See his other articles on Dark Matters website, and his bio on LinkedIn.

About Norse

Norse is the global leader in live attack intelligence. Norse delivers continuously updated and unique Internet and darknet intel that helps organizations detect and block attacks that other systems miss. Norse’s globally distributed distant early warning grid of millions of dark sensors, honeypots, crawlers, and agents delivers unique visibility into the Internet – especially the darknets, where bad actors operate. Norse products tightly integrate with popular SIEM, IPS, and next-generation Firewall products to dramatically improve the performance, catch-rate and return-on-investment of your existing security infrastructure.

See their website for more information.