The Red October malware attacks announced by Kaspersky Labs on Jan. 14 came with their own built-in clues as to the source of the unusually complex botnet. Modules used in Red October appear to have been coded by Russian-speaking developers, whereas the exploits used to target Microsoft Word and Excel vulnerabilities are thought to have been created by Chinese hackers, according to analysis by Kaspersky Labs. However, such speculation highlights the difficulties in attack attribution -- and at least a few forensics experts believe the efforts to find "whodunit" may be wasted.
According to Jesus Oquendo, senior security engineer at E-Fensive Security Strategies, most methodologies aimed at attribution are flawed, regardless of what their adherents may claim. Oquendo has taught offensive security, malware analysis and reverse engineering for the Cyber Security Forum Initiative's (CSFI) Defensive Cyberspace Operations Engineer course.
Oquendo said the elements commonly examined when investigating the source of an attack include analysis of IP addresses, the use of keyword searches, evidence from any code used, and plain-old guess work -- what experts in the field would prefer to call inference. "That's it; nothing more, and nothing less. There are really no other reliable means for establishing attribution," Oquendo said.
The crux of the attribution problem is that those elements can be manipulated by highly skilled attackers in an effort to throw investigators off their trail, and in many instances are orchestrated to implicate an uninvolved third party.
"The problems for the investigator are larger than those of the adversary," said network security expert Scot Terban, who specializes in Computer Forensics and Open Source Intelligence (OSINT) techniques. "Attackers want to distance themselves from the crime as much as possible, and muddy the water for those seeking to determine who did what."
IP address analysis
Most investigators will examine any IP addresses associated with an attack, but skilled attackers are most likely pivoting in and out of third-party networks that they have compromised. "An IP address within a log that attacked your resource may just in fact be a pawn in a larger game, and that IP might just be a compromised machine doing the bidding of another at the behest of yet another," Terban said.
Oquendo agreed, saying that IP analysis can provide insight into the structure of an attack, but does little in the way of attribution. "Most attackers -- especially highly technical ones -- are well-versed at flying under the radar. If an attacker is so skilled as to remain out of sight for five years, such as those behind Red October, what makes anyone think they are really originating from whatever netblocks or IP addresses that investigators discover in logs?" he said.
Compounding the problem, savvy actors will often route attacks through nations with a history of not cooperating with international investigations. "Often times the servers/systems involved as intermediaries are in other countries. It is hard to get warrants, [and even] if investigators get them at all, [it's hard] to look at logs," Terban said.
"It makes sense for an attacker to pick countries that have close to zero judicial interactions with other countries and dislike each other politically. This makes the likelihood of governments working together to investigate these crimes unlikely," Oquendo said.
Keyword searches and lexical analysis
Investigators also conduct lexical analysis and keyword searches for terminology or other linguistic clues to associate attacks with a known individual or entity, looking for items such as the Russian slang found in Red October executable code. But such terminology could have been planted by attackers to mislead investigators.
"For example, if a researcher sees something to the tune of Red Dragon, they are likely going to associate this with China. Never mind the fact that the author of any malware or virus could be a fan of the movie Red Dragon, or simply engaged in obfuscation efforts. Some vendors and those in the media will pounce on this and decide it must be so that China is the culprit," Oquendo said.
Another technique investigators use is the collection of open source intelligence -- available through the monitoring of social media, discussion forums and Internet Relay Communications, -- to look for chatter regarding a specific attack. "By monitoring open sources of information as a fly on the wall, one might glean who is attacking whom and why," Terban noted. Of course, these mediums can also be manipulated by attackers to distance themselves from an operation or to implicate a third party.
Inference and intuition
Decision makers do not necessarily require attribution to be conclusive in order to take action, as most of the time intelligence is never 100%, and decisions still have to be made. Often attribution efforts come down to educated guesswork. "More nuanced approaches are starting to be used to determine the attribution of an attack that may not come from solid evidence, but instead from inference and intuition," Terban said.
Is attribution important?
If attribution is so difficult, why is so much emphasis placed on it? Some might say it comes down to creating a case for retaliation, but Oquendo noted that there is a "financial and economic side of vendor antivirus propaganda. From the government side, it is easy to attribute these kinds of actions to an enemy of choice. This is a logical route for governments to take, however, those making these determinations are not technical, so they typically rely on 'experts' who get attribution wrong from the start."
Or as Terban put it: "We are hanging too much on attribution. We need to clean our own house before we even consider trying to go after an adversary that has taken our data."