Independent analysis of the malware used in the breach of the Democratic National Committee confirmed Russian actors...
were most likely behind the attack, and experts said human intelligence was key to the cyber attribution.
Fidelis Cybersecurity said the cyber attribution performed by CrowdStrike in the hack of the Democratic National Committee (DNC) was accurate in identifying Russian advanced persistent threat (APT) groups, COZY BEAR and FANCY BEAR, in the attack. The original attribution was questioned by some experts following a lone hacker, Guccifer 2.0, coming forward with what appeared to be documents stolen in the breach.
Michael Buratowski, senior vice president for the security consulting services group at Fidelis Cybersecurity, based in Bethesda, Md., told SearchSecurity Fidelis' job was mainly to verify the analysis of the malware, but he did find some anomalies in the metadata of the stolen DNC documents released by Guccifer 2.0 that made him question if the documents were original, or if they were copied from another source.
"The situation is the only people who can validate the actual content -- the names and dollar amounts and other information in there -- fortunately or unfortunately, is the DNC," Buratowski said.
"The malware samples matched the description, form and function that was described in the CrowdStrike blog post," Buratowski wrote in a blog post. The malware contained "complex coding structures and utilized obfuscation techniques" that have been associated with these actor sets in malware found in separate attacks.
"We scoured through all the various information out there on that particular malware that included analysis from CrowdStrike, FireEye, Palo Alto, Kaspersky and Microsoft, and we ensured they weren't looking at one single incident," Buratowski told SearchSecurity. "They had all come across the malware on their own on different occasions, as had we. So, we essentially went through and did full reverse-engineering of the malware and looked at its functionality, and it absolutely lines up with the reporting, the characteristics that CrowdStrike reported on.
"What struck us is ... the pieces of malware we looked at are very complex; they're very elegant in their programming, in their functionality, in what they're set up to do both in a persistence perspective, as well as from hiding your tracks," Buratowski said. "They actually have functionality to erase any fingerprints it would have left on a system."
Throughout SearchSecurity's conversation with Buratowski, he couched his cyber attribution analysis as likely being the identified Russian groups and that his investigation surpassed the threshold for reasonable doubt.
"In a situation like this, we can't say 100% that it was this person in this unit, but what you can say is it's more probable than not that it was this group of people or this actor set," Buratowski said.
Jeffrey Carr, CEO of security consulting firm Taia Global Inc., with offices in Seattle and Washington, D.C., questioned the conclusions drawn in the investigation of the DNC case.
"In the physical world of crime investigation, common sense dictates that the perpetrator of a crime may use any weapon and not just one made in the country of his birth, and that the developer or manufacturer of the weapon most likely isn't the criminal," Carr wrote in a blog post. "And yet, those seemingly crazy assumptions are made every day by cybersecurity companies involved in incident response and threat intelligence."
Buratowski admitted there could be flaws in cyber attribution if one were to only look at the technical information found in the analysis.
"When you do attribution, and any time you're investigating a cybercrime or cyberintrusion, you are dealing with a situation where it's a lot more circumstantial evidence," Buratowski said. "You're not at a crime scene where you can see the bad guy holding a gun. So, what you end up doing is looking at everything that's around it. Putting a single person behind a keyboard ... you're not likely to do that. However, when you look at the totality of the circumstances, you look at the targeted victims, the information stolen, what the information is used for after it's stolen, as well as the artifacts within the malware and the tactics and procedures, you then start building that probable-cause base."
CrowdStrike was criticized by experts, like security researcher and former black hat hacker Hector Monsegur, for not including the possibility of incorrect attribution in its analysis. In addition, Carr said when he looked into the data from various cybersecurity firms, he found evidence of confirmation bias in the analysis.
"I chose to look at FANCY BEAR (APT28 in FireEye's ecosystem). The most comprehensive report on that threat actor was written by FireEye and released last October, 2014, so I started with that," Carr wrote. "To my surprise, the report's authors declared that they deliberately excluded evidence that didn't support their judgment that the Russian government was responsible for APT28's activities."
Buratowski said he couldn't second-guess what CrowdStrike did because he didn't know everything the company learned from the human intelligence piece of its business.
"In its simplest form, human intelligence takes into account who people associate with, where they go -- essentially, their day-to-day activities and relationships. Some companies do have people who do real-world surveillance, whether directly or through contracted employees, as well as Deep Web comms," Buratowski said. "That adds into the total analysis. When you look at everything from a technical perspective that's there, as well as the corroborating information from other researchers and other intelligence organizations like that, then you're able to kind of link things together. You don't get to see what the whole puzzle looks like by looking at one piece. You have to put all the pieces together and see the picture."
Keith Lowry, senior vice president of business threat intelligence and analysis at Nuix, based in Herndon, Va., said human intelligence is the key to fitting the puzzle pieces together.
"Good professional organizations won't make that statement [of assurance in attribution] unless they're able to combine the technical aspect and corroborate it with the intelligence piece," Lowry said, "because those two things together marry up the picture, as opposed to just an event."
According to experts, the process of analyzing the technical aspects of a breach -- the malware characteristics, IP addresses, originating server and so on -- can only get investigators so far, because it is important to understand who the people are behind the attack.
Lowry said it's impossible to understand what the attack was about when focusing on pure technical answers.
"At its core, most people don't understand the fact that a cyberintrusion, a hack or whatever, has a human behind it or a human organization behind it," Lowry said. "Until people understand that technology is merely an indicator, and without a human involved, you don't get the background data, you don't understand the process of the whole hack scheme."
Lowry said the most important part of cyber attribution analysis is to couple the technical response they're getting from their investigation with some sort of human analytics to confirm a specific organization.
"When you add the term human intelligence to it, what you're really saying is who was the human behind the attack, and what do we extrapolate was their cause and rationale for doing it? Then, you can break apart the tactic, technique or procedure that human wanted to use to affect a successful attack -- did they do social engineering? That's where you're combining the technical expertise with the human piece. And the human intelligence is knowing how that works and working it backward."
Buratowski said the technical information in the DNC hack points to COZY BEAR and FANCY BEAR, but the information from the human intelligence investigations performed by other companies helped fill in the gaps to confirm those groups being involved.
"When you look at the malware that's associated with those two actors, substantially more than half end up being compiled between business hours of 8 [a.m.] to 5 [p.m.] Monday through Friday in Russia, or in the Russian language," Buratowski said. "You use a piece of information like that to start laying out the probability of what it is, and then you look at the victims -- who they were going after and who the information would be a benefit to -- and then potentially what the information would be used for."
Lowry said part of human intelligence is having people who go out and the right sources to use to get the information they need or they want, but a big part is the profiles built up on certain threat actors over long periods of time.
"Over the years, going through cyberevents, not only do you get a feel for [what] the tactics, techniques and procedures are, but you get to know certain characters or certain individuals based on how they do things," Lowry said. "People would recognize who [a hacker] was by how that person reacts, how they play, what their tactics are, how they maneuver. And after you've been in the business a while, you get a fingerprint, if you will, an electronic fingerprint of activity that indicates what that is."
The key to trusting this type of analysis, according to Lowry, is humans are creatures of habit.
"People tend to do things they're comfortable with," Lowry said. "Even in this ethereal world of hacking, they continue to do things that they're good at and they progress, but you can follow them simply because that's the behavior pattern.
However, Lowry admitted it was possible for actors to mimic one another, because "hackers like to share their successes."
"But part of the intelligence you gather is cumulative over the years, because you get to gather all this information and become very good at showing these kinds of behaviors typically come from this group. And when you add up the behaviors with the technical answers, those two things are what give you the surety that it's coming from within this particular organization within this state actor," Lowry said. "Can somebody spoof all that? Yeah, there are people that can, but then you're talking very specific and trained people, and not a whole lot of people in the world can do that. And that, in and of itself, is a clue from a technical perspective only."
Cyber attribution security
Ultimately, Buratowski said the value of cyber attribution can be overblown, because knowing who was behind an attack has an unclear return on investment.
"I almost think everyone gets caught up in it because it's exciting and has a bit of James Bond espionage saying it was this person," Buratowski said. "For me, you want to use it as a way to predict what threat actors may come after you; you want to use it to predict the methodologies they may use; and use it to defend against them."
Buratowski said the best advice he could give enterprises when looking at cyber attribution is to keep in mind common-sense security.
"It's being diligent and recognizing that you potentially have information that someone else wants. And it doesn't have to be an intellectual property thing; it doesn't have to be credit card theft. Information is so valuable in our day and age, it's probably, I think, one of the greatest commodities out there. So, all the way from executives desks down to line-level people, you don't want to be paranoid, but you want them to have a certain level of diligence or skepticism about what they're seeing on their screens and recognizing they have information that people want," Buratowski said. "The weakest link in the security chain is the human element. It always has been and it seems like it always will be. So, until people really start being diligent about it, we're going to have situations like this."
Learn more about the rise of antiforensics techniques.
Find out how Russia's tech startups are defying economic troubles.
Get info on whether cyber attribution has value for enterprises.