Adam Rice and Mark Maunu
Published: 03 Apr 2017
Toward the end of the Obama administration, the Department of Homeland Security published a comprehensive list of the tools, techniques and indicators of compromise, called Grizzly Steppe, to out the Russians and their attempts to influence the 2016 presidential election. The Joint Analysis Report, issued in conjunction with the FBI, immediately highlighted the political side of attribution. Network administrators could access the findings in the report to protect their assets from malicious cyber activity such as malware. However, technical indicators on endpoints and networks were reportedly of poor quality, according to some cybersecurity teams, and roughly 40% were not specific to Russia.
In the shadowy world of cyberespionage, the game of who is to blame can be complicated and fraught with politics and turf battles. Cyber attribution occurs when indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) from the entire cyber kill chain are associated with an advanced persistent threat or APT group.
While the U.S. government has many sources of cyberthreat intelligence, from multiple government agencies to private-sector analysis, there is no "one-stop shopping" for private industry. Grizzly Steppe is the first Joint Analysis Report that publicly identifies unclassified technical indicators and attributes them to a nation-state actor. Within the federal government, confusion reigns as the Department of Homeland Security (DHS), the Department of Defense (DoD) and the Executive Office of the President jockey to position themselves as the authority for government and industry intelligence sharing: Can organizations trust government cyber attribution if the president says he's not buying it? This disorganization matters because the future is based on the strengthening of cyberthreat intelligence sharing between the government and private industry.
Same group, different names
APT actor groups are developed independently from many sources. Governments, private industry and security companies all use traditional intelligence gathering techniques to try to group APT activity into functional areas. If enough cyberattacks use the same IOCs and TTPs, the indicators are then assigned to an APT group. Each organization does this differently. However, the activities of most APT groups in the last five years are known in some fashion to multiple government agencies and private-sector security companies, such as CrowdStrike and FireEye, which deal in APT intelligence.
Cyber attribution plays a big part in the federal government's willingness to share cyberthreat intelligence data with private-sector companies. Official attribution that country X is hacking the United States usually remains classified because of the political considerations of the cyber attribution and the chance that the adversaries might change their tactics and techniques.
In a 2013 report, Mandiant Corp. publicly exposed APT1 as a Chinese espionage unit, whose activities against U.S. industries were potentially linked to the People's Liberation Army. The FBI then released its entire file on the same Chinese cyber group. Other federal government agencies tasked with watching cyber activity had developed intelligence on an APT group with the same indicators as APT1 as early as 2002, and dubbed the group Byzantine Candor and The Comment Group.
How do the intelligence community and private-sector security researchers take additional steps to associate an APT group with China, Russia, Iran, Syria, Israel or the U.S.?
Once a pattern of IOCs and TTPs coalesces to the point that it is credited to a unique group, the APT may be attributed, separately by various entities, to a nation-state actor. Different techniques are used to develop cyber attribution. They center on an exhaustive examination of the IOCs and TTPs to discover a clue that is either aligned with an existing attribution or, in rarer circumstances, evidence of new technical indicators. In both cases, security researchers have a lot of collateral to work with:
- Malware variants and drive-by links can reveal relationships with malicious software attributed to a nation-state. If a malware sample is already linked to an APT group, then the job is done. New or unseen malware can be attributed with a little extra work.
- Almost all malware "phones" home to a beacon or command-and-control (C2) server. APT groups establish a network of these C2 sites within the countries of the target network. They take several hops to the C2 sites to obscure the ultimate source of their attacks. Security companies and government organizations will "walk the dog back" to these C2 sites, and without disrupting the site, monitor the traffic to the next hop, and the next, until they are outside the front door of the People's Liberation Army's cyber headquarters in Shanghai. This exhaustive research is the most effective method of attribution, but it is outside the ability of most companies. How intelligence organizations perform this research is often more classified than the cyber attribution itself.
- Registrant tracking is another method. APT actors build infrastructure for their spear phishing campaigns and malware C2 hosting by registering domains and associating them with hosted infrastructure. An examination of C2 and beacon host names, and email domains, can lead a security researcher to establish patterns. Most of this supporting infrastructure is shared by a nation across multiple APT campaigns. As a result, there's a confluence of intelligence associated with the use of domain registrants: the IP addresses tied to the domain registers and the location and underlying hosting environments used by nation actors. Tracking of registrant information can lead to attribution based on known TTPs of the APT actor.
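An added example, not from the original article, of the registrant pivoting described above: domains are clustered when they share a registrant email, name server or hosting IP. All records, field names and the `cluster_domains` helper are constructed for illustration; values used by many unrelated parties (a privacy proxy, a large DNS host) are excluded because they would create false links.

```python
from collections import defaultdict

# Constructed WHOIS / passive-DNS style records; every value is made up.
RECORDS = [
    {"domain": "mail-update.example", "registrant": "a.admin@reg.example",
     "ns": "ns1.dnshost.example", "ip": "192.0.2.10"},
    {"domain": "login-portal.example", "registrant": "a.admin@reg.example",
     "ns": "ns7.other.example", "ip": "198.51.100.4"},
    {"domain": "cdn-sync.example", "registrant": "privacy@proxy.example",
     "ns": "ns7.other.example", "ip": "198.51.100.4"},
    {"domain": "news-daily.example", "registrant": "b.owner@reg.example",
     "ns": "ns1.dnshost.example", "ip": "203.0.113.77"},
    {"domain": "shop.example", "registrant": "privacy@proxy.example",
     "ns": "ns3.big.example", "ip": "203.0.113.200"},
]
PIVOTS = ("registrant", "ns", "ip")
# Attribute values shared by many unrelated domains carry no attribution weight.
NOISY = {("registrant", "privacy@proxy.example"), ("ns", "ns1.dnshost.example")}


def cluster_domains(records, noisy=frozenset()):
    """Group domains that share any non-noisy pivot value (union-find)."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    first_seen = {}  # (attribute, value) -> first domain seen with it
    for r in records:
        for key in PIVOTS:
            pivot = (key, r[key].lower())
            if pivot in noisy:
                continue
            if pivot in first_seen:
                parent[find(r["domain"])] = find(first_seen[pivot])
            else:
                first_seen[pivot] = r["domain"]

    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    # Largest cluster first, then alphabetical, for stable output.
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))
```

Calling `cluster_domains(RECORDS)` without the noise list merges all five domains into one cluster, which is the false pattern an analyst has to rule out before treating shared infrastructure as evidence.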
Many companies with mature security programs employ "threat hunters." These analysts spend their days searching for IOCs and TTPs, proactively, placing "blocks" on internal networks to see if indicators have hit their infrastructure. Hunters often create or participate in groups and communities that share cyberthreat intelligence. While there are multiple places to find threat intelligence, not all data is created the same, nor is it infallible. Threat hunters will pull the same IOCs and TTPs from several sources and validate the data.
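An added example, not from the original article, of the validation step described above: indicators from several feeds are refanged, normalized and sorted by how many independent sources report them. The feed names, indicator values, shared-infrastructure list and both functions are constructed for illustration, and the normalizer assumes hostnames, URLs and IPv4 addresses only.

```python
import re
from collections import defaultdict

# Constructed feeds: source name -> indicators as published (some defanged).
FEEDS = {
    "gov_report": ["hxxp://bad-site[.]example/login", "192.0.2[.]55", "203.0.113.9"],
    "vendor_a": ["bad-site.example", "192.0.2.55", "Update-Check.example.",
                 "198.51.100.23"],
    "isac_peer": ["BAD-SITE.example", "update-check[.]example"],
}
# Constructed list of infrastructure used by many unrelated parties.
SHARED_INFRA = {"203.0.113.9"}


def normalize(raw):
    """Refang an indicator and reduce it to a bare host or IPv4 address."""
    s = raw.strip().lower().replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^h(?:xx|tt)ps?://", "", s)      # drop (defanged) scheme
    s = s.split("/", 1)[0].split(":", 1)[0]       # drop path and port
    return s.rstrip(".")                          # drop trailing root dot


def corroborate(feeds, shared=frozenset(), min_sources=2):
    """Bucket indicators by independent-source count and specificity."""
    seen = defaultdict(set)
    for source, indicators in feeds.items():
        for raw in indicators:
            seen[normalize(raw)].add(source)

    result = {"corroborated": [], "single_source": [], "non_specific": []}
    for ioc, sources in sorted(seen.items()):
        if ioc in shared:
            # Seen in a feed, but not tied to any one actor.
            result["non_specific"].append(ioc)
        elif len(sources) >= min_sources:
            result["corroborated"].append(ioc)
        else:
            result["single_source"].append(ioc)
    return result
```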
Most companies lack the depth to independently assign cyber attribution to IOCs and TTPs. Organizations with mature threat intelligence teams, however, can share cyberthreat intelligence across larger groups. When malware from spear phishing is discovered, hunters from multiple companies can make the cyber attribution by comparing what they see to other IOC and TTP patterns.
The Trump administration is signaling that it is going to put the cyber center of gravity with the Executive Office of the President—not the DHS or DoD. But it's still early in the decision process. The president has appointed former New York mayor Rudolph Giuliani, who currently heads security consultancy Giuliani Partners, as someone who will advise the private sector on cybersecurity issues. No one knows what that means at this point. An upcoming executive order on cybersecurity has yet to be signed and has already been heavily revised. While the administration believes that it needs to work with the private sector to improve cybersecurity, possible expansion of surveillance programs and unclear directives on intelligence sharing with critical infrastructure owners have raised concerns. The administration will continue to support the NIST Cybersecurity Framework, however.
If U.S. companies seek well-sourced, fully attributed cyber threat intelligence that has been scrubbed, they may have a better chance with private security firms or industry threat intelligence-sharing organizations.
The U.S. government remains compartmentalized in its approach to cybersecurity, despite the Trump administration's call for a government-wide approach to cyber risk management. Currently, there's no single source of truth for the federal government, nor is there a reliable source of actionable threat intelligence that is agnostic to political influences.