Accenture's Justin Harvey explains why cyber attribution isn't important

Incident response poses many challenges for enterprises, but according to Accenture's Justin Harvey, cyber attribution isn't one of them.

That's because attribution is low on the list of priorities for incident response teams. Harvey, who leads Accenture's FusionX Global Incident Response practice, has more than 20 years of experience in the infosec industry and has spent much of that time working in incident response.

He got his start in 1994 with Netcom On-Line Communication Services and, a year later, was part of the team that responded to Kevin Mitnick's notorious hack of the Netcom ISP. He later worked for ArcSight and assisted Sony Entertainment in responding to the company's 2014 breach. He followed that with stints at Mandiant, FireEye and Fidelis Cybersecurity.

Harvey joined Accenture in late 2016 as managing director and global lead of the company's incident response practice. At RSA Conference 2018, he discussed the incident response challenges facing enterprises, the problems with cyber attribution and the most common threats he sees today.

Editor's note: This interview has been edited for clarity and length.

From your experience dealing with different companies over the years, what are the biggest incident response challenges? What is elusive about incident response for even large enterprises that have security operations centers, SOC analysts and have invested a lot in security products?

Justin Harvey: I love that question. No one's ever asked me that, and I think it's important because I always talk about this.

Number one: It is a highly technical domain because if you're running an incident, you have to know Windows internals, you have to know Mac internals and you have to know Linux internals.

Let's just say you're not a man or woman who is multi-OS friendly; let's just say it's Windows. Well, you better know all of the methods by which Windows is vulnerable. You have to know how remote exploits work, how local exploits work, how credential dumping works and [how] to stop all that. You have to know how PowerShell works, and method of persistence, and how the registry works.

There are something like 15 different ways in Windows 10 that you can persist. One of those ways is with Windows Management Instrumentation (WMI), which has the capability to put in persistence through its WMI cache, and that is stored as a Base64 encoded blob, and it's usually PowerShell. How the hell does anyone know that? But you have to know all of that.

And you need to know the network -- I can't get to that box; is it because it's a connection refused, the connection timed out, and if so, what caused that? Is there a host-based firewall? It's a very, very high-level of demand that we have for technical expertise.

The second one is creativity. It's why every beat cop doesn't become a detective, and why many in law enforcement don't reach certain points in their career or don't go to certain parts of the law enforcement business -- you have to think like an adversary. It's the five questions, and I drill this into my team over and over and over: who, what, why, where and how?

We may not always know the why. I was working a case one time and it was Fin7, which is an Eastern European cybercriminal group, and it was against a financial services company. And they were triaging for a couple of days and I asked for the person's name [who was attacked]. And they gave it to me and I typed it into LinkedIn and I saw who she was. Then I typed in the company name and SEC filing and her name came. Boom. It was the first result to come up. So immediately you know she was probably targeted.

Now, if you get some help desk person who was attacked, it's probably an adversary just looking for a foothold in the network. But this was highly targeted. That's a why. And we also won't always know the who, but I'm a little bit down on attribution now.

It seems like a lot of people in infosec are down on it. Does cyber attribution not matter to enterprises? Do customers ask you about it when you respond to an incident?

Harvey: They do. The who is certainly important in order to know what type of adversary it is and which adversaries are targeting you. But I think the corollary is more important. Meaning, if we're a business and we're going into China, then we know these types of adversaries are going to come after us, and we're going to take these steps to mitigate them.

Maybe I'm wrong, but I don't think that I would do anything differently if nation-states or cybercriminals or hacktivists were coming at me. It's the same stuff, and you have to take all of the same steps.

Do the basics right: have a threat-hunting program, think like an adversary, have the CISO speak business and technology, and employ breakthrough technologies. From an attribution standpoint, you'll often find that a lot of the indicators are either blurry or, sometimes, it's just impossible to know who it is.

From an attribution standpoint, you'll often find that a lot of the indicators are either blurry or, sometimes, it's just impossible to know who it is.

We're also entering an age where I think that I can't believe attribution anymore from the perspective of false flag in attacks. I think that if you were a nation-state [advanced persistent threat] for the Russians, why in the heck would you ever use your best tools or your own tools by which you are known?

I would pick an American university or I would pick a foreign country like Thailand or some other country and attack from there. Or I will steal a credit card and create an AWS account and attack from there -- unless you want to be discovered. And then, on top of that, I'd also probably get a hold of some of the other nation-states' tools and use those instead.

So companies may ask about cyber attribution and may be interested, but do companies say to you, 'We really want to know who did this'?

Harvey: Not really, no. Typically, that's not the case.

I just ran another investigation with a significant dollar amount involving transfer of funds to a foreign country and the company [said], 'Well, it's gone.' They're trying to work with the Secret Service and other law enforcement agencies, but what good would it do for them to know if it was X group versus Y group? You've got to do the same stuff [to defend against them]. Everyone is a target.

Do you think cyber attribution would matter more to enterprises if there was a greater chance that threat actors could be apprehended by law enforcement and get some type of recompense?

Harvey: Well, now you're getting into not necessarily attribution, but into the mechanics of the investigation. As soon as an investigation crosses the ocean, you better hope that Interpol is involved. If it's not an Interpol-related country, then it's going be very difficult for extradition and for the investigation purposes on the other side.

I'm still surprised that people are caught. I see some examples and I'm shocked and I think 'How the heck is that happening? They must be pretty sloppy.'

Looking at the incidents you've responded to over the years, did most of them involve conventional attacks like phishing and exploiting known vulnerabilities? How many of them involved a zero-day exploit that you had never seen before?

Harvey: I don't think I have ever seen a zero-day. I'm not saying those attacks don't exist, obviously, but they're quite rare. There may have been zero-days used in my investigations somewhere in the process, but I have to tell you -- we're not looking for that weird zero-day. We're looking for the behavior.

We look for three things. The first is, in our investigations, we apply what we call known bad, which is applying threat intelligence. The second thing we do is look for anomalies or things that don't quite look right or things that shouldn't happen, but do. And then the third thing is the suspicious [activity], as in you see a bunch of brute force attempts and then a root login.

So the vast majority of the stuff you see is brute forcing logins, phishing emails, some drive-by downloads and so on?

Harvey: Yes. It can be 'Click on this link' and there is a remote payload, exploited browser, or it's abusing Flash or something of that nature. There's the business email compromise, too.

Is business email compromise that big of a problem?

Harvey: Oh, yes. We're hearing a lot about it.

I'm getting a lot of cases with [business email compromise]. And I'll tell you what would fix this: multifactor authentication. It would fix it very easy.

The problem is that I have heard some organizations are struggling to implement multifactor authentication because they're on Windows 7 and they're on older versions of [Microsoft] Office and you have to use the newest version of Office in Windows 10 to get [multifactor authentication] all working with the cloud. There's that issue. And then there's also the phishing email that says, 'Here's an attachment, please open the attachment,' for something that looks really important.

We use a lot of these same methods for our adversary simulation with our red team. In fact, our red team has a 100% success rate in getting into the enterprises on the first go-around meeting. Not the first attempt, but the first engagement. If a new customer comes in, we'll get them. We'll accomplish the mission.

Now, as we go along, the customers get progressively better. There was a U.S.-based bank that we worked with that we hit over and over and over. And we worked with them a period of three or four years and now they're one of the best banks at security. They turned it into a game. They said, 'You guys have shamed us enough. We're going to find you guys and actually counter your threats' during that same time period, and they did.