In the wake of major cyberattacks, security researchers rush in to determine who might have been behind the threat....
While recent cyber attributions more often point to malicious actors in Russia, China or North Korea, the accuracy of cyber attribution is often questioned because of the ease of manipulating digital data.
Meanwhile, the debate continues over the value of cyber attribution data in terms of law enforcement efforts to catch, prosecute or deter cybercriminals or for enterprises aiming to improve defense.
Peter Tran, general manager and senior director at RSA Security, spoke with SearchSecurity during the RSA Conference 2017 in San Francisco about the potential benefits of cyber attribution and the type of data that could prove more useful to cyberdefense strategies.
What is the value in cyber attribution for the average enterprise?
Peter Tran: Attribution only matters when it can be a data point and [can be used] to effectively defend networks more proactively. And so for me, priority of attribution is actually lower on the stack for a cyber offender or a proactive cyber offender.
Just because I care more about how they're doing it as far as techniques, tactics and procedures and whether they're leveraging our own techniques against us. If we think we're being clever using machine learning, [threat actors are] certainly going to use machine learning and data analytics too. So, counter measures are nothing new -- just like being able to detect a VMware [virtual machine].
So to me, it's more about the how and really the intent and why. You can spend a lot of your time in attribution, and [cyber attribution] only matters if you can actually gain valuable data to make your decisions. Is there something new, novel, that we haven't seen with respect to, say, a root kit author, or a syndicated group of malware authors that are creating something relatively new?
I did care about Mirai because when it was released in the wild, it was very tailored to a relatively small footprint of a smart device as a very isolated function. So that's interesting to me, and that would also be interesting to me from as far as attributing going forward: Who is going to be using that particular footprint to modify the code to be able to use its function to then scale it to a billion devices versus 300,000 that took down Dyn DNS last October?
My approach to that question is: You can use machine learning, you can use all the technology you want, and it becomes very asymptotic in attribution. You can get darn close to it, but just because I might know you authored something doesn't mean that [you should] be attributed.
Is there value in attribution related to predicting if you're going to be a target for a new threat or be a target for a certain threat actor based on the type of company you are or the type of data you have?
Tran: No, I think the table stakes are always going to be there. I think that forecasting like you would weather patterns, you can see certain groupings occur that might be indicative to financial services. But again, weather patterns change, and that's valuable.
It's like the CDC trying to say, "Look, I'm going to use Google Analytics to try to predict the next relative strain of the flu based on movements," or if you have shoppers in the aisle of a store that's trying to determine the next baby boom based on spending patterns. But there's only so much confidence that you're going to put in those indicators, just like if I saw Eastern-Bloc-based malware being used. It's a spike and then the tactics change because we start detecting it faster.
The escalation of known malware in the last three years has just been mind-bending. The statistics aren't even that accurate, but what's reported is 500 million per year in the last three years. And then that still varies, but when I do the analysis, I have to settle on general growth. So, just like in the forecast, it's 150% year over year, quarter over quarter.
It seems like there's so much focus on attribution and finding out which nation state is behind an attack or where hackers are located. How much does this cyber attribution help?
Tran: So, this is circa late 1990s, the Pentagon first got hit with Solar Sunrise and we read about Moonlight Maze. Some of the earlier generation that's out in the public and you can read about Solar Sunrise and Moonlight Maze and then eventually when Time magazine released [its story on] Titan Rain, everything is based on one nation state. They're really banking on that -- and very myopic in that view, because it's the indicator. It's the indicator.
Then geopolitical landscapes change, geoeconomical landscapes change, and what happens is the advanced persistent threat starts thinking of it more like a business. So, they're running it more precisely. But they're running it with their own forecast and leveraging different technologies. And now we're still saying, "Oh, I'm still interested in the who."
It's completely wrong. Now, I'm more interested in: Are they leveraging the same technology and how [are] they ... doing it? And if they're going to obviate [my technology, and] my ability to detect.
It's a no-brainer playbook for them to actually say, 'Wow, okay, so maybe I'll just troll the U.S. Patent and Trademark Office.' The USPTO releases all the patents out there. How easy is it for anyone to say, 'Well, I guess you just gave me the secret sauce and that should be publicly available and I care about that.'
So, I would approach it and be like, 'Well, actually how many ... what's being queried from the USPTO database of certain types of technologies and at what time? Is this coming from GMT+5?"
Those mean something to me. Then I'm going to think, okay, so you have the who --which is important, but lower in the stack -- but then you're like, wait a minute, the tactic is changing. They're actually harvesting details of technical disclosures based on the PTO's ability to have to do it. And then you see the next wave of zero-day malware that was created and they obviated over the next generation firewall that had the actual methods and claims that were fully disclosed. So when you start to aggregate that together, it's more meaningful.
Okay, so you would have to pull from a lot more data sets. You have to go out into who these actors are associating with, or other legal ways that they might be using to generate new techniques?
Tran: Yeah, it doesn't get me that excited when I see a report on the [indicators of compromise] of a particular type of malware. And then someone code names Fancy Bear, Cozy Bear, or whatever bear you want to call it -- Teddy Bear -- whatever you want to call it.
Then what happens is you start putting [malicious activity] into sets. But you're thinking about isolation in a set, and you're not thinking about it as in where is the movement of the DNA of where malware is moving functionality-wise because it's a cross-subcontractor community that works.
An author can get paid up to $1,000,000 per year just slinging code and selling it on the darknet. So you think about if it were me, I'm going to have a supply chain of malware authors. If I'm the who, I would have a supply chain like you wouldn't believe. And I would say, 'It doesn't really matter if they're trying to get attribution based on malware because I've got 25 different authors.' And they're not even tightly coupled with a set. Because I know that you're already saying that there's Cozy Bear. Okay, so I'll buy a piece of malware from Cozy Bear, but I'm not Cozy Bear. I'm somebody else. So really, where's that get you at the end of the day?
Then you start thinking about does the who really matter in a business risk and security approach? I care more about how and the why they're doing it because it's going to affect my bottom line. I don't think they care about who at the end of the day. It really doesn't matter.
But, to the cyber attribution topic: Even when someone attributes potentially, 60% to 70% probability, you actually have to be prepared to age that. Most you see hold onto these APT sets. They just get set on it and they follow the indicator on and on, but they haven't seen material activity. But by mere definition, intel and intel attribution [have] to be aged. This is known bad, known bad stale in the last 30 days, I don't care. And you're not seeing enough of that cycle through when you're applying AI or machine learning or other things.
It sounds like you're never going to get closer than a vague set, so for law enforcement, can you use cyber attribution for deterrence?
Tran: You certainly can't. When have we actually executed on a nation-state arrest or any type of arrest? We haven't, because what does the arrest really do at the end of the day?
It's a great headline. It creates a mind-share around, 'Way to go. Keystone Kops are on the job.' But did it really improve our defensive posture across the board of the public/private sector? Not necessarily.
It's like going to the doctor and saying, 'You know, my head just hurts.' And they do all the diagnostics and throw in the MRI and in the end of it, your doctor just says, 'You know what? Go ahead and just take two aspirins, call me in the morning if it still hurts.' Okay. ... You threw me through all those tests, but now I'm taking aspirin. Why did I just go through all that?
Theoretically, your big data platform and your analytics should just tell you, "Oh yes, do that." But we haven't reached it in security yet, and true data-driven, so that leaders can look at it and say, 'Okay, I trust it.' Do you trust it 60% of the time? Seventy percent of the time?
It does feel like there's been more talk about how to actually approach the board to convince them that security matters and convince them that there are preventative things you need to do, and you can't just wait for a breach. How does cyber attribution fit in there?
Tran: Business outcomes. I don't know how many times, at least from an RSA perspective, that I'll get called in as that kind of 'extra appendage' in the board meeting. Every single time, [I] zone out when they start talking about the who.
And I've actually had CIOs and others in those environments say, 'Stop, stop, stop, stop. I actually don't want to hear about the who. It really doesn't matter to my business outcome.'
Most don't come prepared to talk about that part. They want to just have these scared straight presentations. 'Oh my goodness, it's North Korea. They just fired another test cyber thing.' So? I've got a profit loss; I've got a top end; I've got a bottom end. And unless you're telling me something otherwise from our businesses outcome, you're going to get exactly the same budget, if not less than last year, at the end of it all.
Our customers are only successful by being able to drive the right business outcomes from the security. And it's a hard lesson learned.
And I think [at this year's RSAC] there's been a lot more of not only the undercurrent, but a more obvious current around. Yeah, you can go to the Detroit auto show and look at a really fancy car, but is that what you're really going to drive when you go home? That was cool that I got to see the new Corvette, all carbon fiber and all that, but when you get back, I'm still getting in like my seven-year-old beater or whatever. And I still have to figure how I'm going to make it work and drive and all that stuff.
Learn about the DoD contract awarded to study cyber attribution.
Find out about the independent cyber attribution body proposed by Microsoft.
How criminals use advanced cyberattacks.