If you even remotely pay attention to the news and current events, you can't help but notice the media is enamored with two things: hacking [or rather the fallout from hacking] and geopolitics.
There is little hope of reading the front page of a newspaper without seeing either a story of how company XYZ was hacked, or some new tension between nations at odds.
Often the two themes run into each other as very real geopolitical tensions spill over into a skirmish in the digital world... or so many 'experts' will claim.
For someone who grew up in the tail-end of the "Cold War" this is like watching US and USSR tensions being played out all over again, except this time everyone is involved with everyone else in shadow games and instead of sending spies and posturing with missiles we have weapons created with 0's and 1's zipping along on the trans-Atlantic fiber.
Maybe it's my love for spy stories, or my desire to be a double-0 agent as a kid, or the fact that I've probably watched every James Bond movie at least a dozen times - but I can see many parallels between then and now. What I can also see is how additionally complex these types of sensitive issues are when it comes to the digital realm.
After thinking about it for a while, I asked my Twitter pals if it was just me or if others believed that right now, more than ever, false-flag operations were not only easier to conduct, but more dangerous than at any other time in recent history.
Apparently I'm not the only one thinking that right now is a perfectly fertile climate for false flag operations. Josh Corman of Akamai and Brian Martin wrote about it in a controversial piece too. This mix of political unrest coupled with anxiety over the next big cyber attack colliding with the hype that the media, vendors and the community have created is breeding a climate where uncertainty rules, and attribution is largely based on a hunch.
It's not FUD that cyber attacks can be powerful and cause very real damage and maybe even loss of human life one day. With all the posturing and chest-thumping over international supremacy in the digital domain, you'd think every claim of "they hacked us" was backed by hard facts and irrefutable data.
The fact is that this isn't always the case. Making a claim that an attack originated from a specific part of the world isn't simple, nor does it ever come gift-wrapped in certainty. Attribution in the digital world is difficult even when the attacker isn't being evasive and purposely trying to veil their presence - but when attackers are faceless enemies on the other end of a string of digital pulses... certainty isn't a word to be taken lightly.
False flag is a term used for when an operation of some kind is carried out by one group, but falsely attributed to another. The implications for this are very real. Whether it's a rogue attacker attributing a successful attack to a rival hacking group, or a nation-state with an evil agenda attempting to cause increased tensions between already rival nations for their own benefit - the conspiracy theories write themselves.
The problem is that tracing a packet stream back to an originating IP address proves very little about the attacker with any certainty. In fact, even if you could turn on the webcam of the originating computer, you still couldn't be reasonably certain where, or from whom, the attack truly originates.
There are several critical issues here...
- Can the attack reliably be traced to a specific originating address or group of addresses? Often attacks are 'bounced' off several systems, including compromised machines, in which case the place where the attack appears to originate is just another victim who has no idea what is going on.
- Even if IP addresses are reliably traced, it is still very difficult to attribute an IP address to a specific attacker, or even to a specific country or nation state. With IPv4 addresses in such high demand (there are no new unallocated blocks anymore), IP blocks, particularly in certain eastern parts of the world, are constantly being assigned and re-assigned ... and the records of where an IP address physically geolocates are rarely up-to-the-minute correct.
- Attack tools such as malware are often written in a supply-chain manner, meaning the place where the piece of software originated may not in fact be the origin of the attack. More specifically, if someone in Arizona wrote some code to attack the systems of the governor of California, it doesn't necessarily mean that Arizona has anything against California, because someone in New York could have paid for it.
- On many devices, logging is scarce, and unreliable when present. To be admissible in a court of law, and to be useful for attribution, logs need to be stored in a tamper-resistant format. This is rare even on critical systems. Logging is rarely done off-device with the intent of nonrepudiation because it can be costly, is difficult to implement properly, and adds complexity.
- Due to time synchronization issues between devices across the physical world, it may be virtually impossible to find evidence within a sliding window of time, especially if the clocks on systems are off by even seconds. In addition to overcoming the challenge of time zones, investigators must understand and match device-specific timestamp precision to ensure a "full picture" view.
- The sheer volume of logs in many cases makes investigation extremely difficult without having automation and tooling in place ahead of time. Even a decade ago at a previous employer my team logged only very specific security-related items and still ran into challenges when our data set for an hour ran into the tens of millions of records.
- Finally, proxy servers, traffic aggregators, "bulletproof" VPNs and anonymizers make an investigator's life difficult. For just under 120 Euro for 6 months a VPN can be had which allows an attacker to originate at one of a dozen high-traffic, zero-logging, zero-cooperation points throughout the world. These VPN concentrators, built on disposable technology platforms, log nothing and aggregate sometimes gigabytes of bandwidth. While much of it is for legitimate use in maintaining anonymity, when an investigator hits one of these devices it is often a dead end - and the attacker effectively disappears into a crowd.
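The time-zone, clock-skew and precision problem from the list above, worked through on constructed log lines from three devices (this is an added example, not code from the original post; the log lines, the per-device clock offsets and the 5-second correlation window are all assumed values):

```python
from datetime import datetime, timedelta, timezone

# Constructed sample logs from three devices, each with its own format,
# time zone and timestamp precision. Addresses are documentation ranges.
FIREWALL_LOGS = [  # local time, UTC-5, whole seconds
    "2013-03-01 09:15:12 DENY 198.51.100.7 -> 203.0.113.10:22",
    "2013-03-01 09:15:48 ALLOW 198.51.100.7 -> 203.0.113.10:443",
]
WEB_LOGS = [  # ISO 8601 in UTC with millisecond precision
    "2013-03-01T14:15:40.217Z GET /login 198.51.100.7",
    "2013-03-01T14:22:03.004Z GET /admin 198.51.100.7",
]
VPN_LOGS = ["1362147281 session-open 198.51.100.7"]  # raw epoch seconds

# Assumed clock offset of each device against a trusted NTP reference, in
# seconds; positive means the device clock runs fast. Measured during triage.
CLOCK_SKEW = {"firewall": 9, "web": 0, "vpn": -9}
PRECISION = {"firewall": 1, "web": 0.001, "vpn": 1}  # seconds per tick

def parse_firewall(line):
    local = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    local = local.replace(tzinfo=timezone(timedelta(hours=-5)))
    return local.astimezone(timezone.utc), line[20:]

def parse_web(line):
    stamp, rest = line.split(" ", 1)
    t = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ")
    return t.replace(tzinfo=timezone.utc), rest

def parse_vpn(line):
    stamp, rest = line.split(" ", 1)
    return datetime.fromtimestamp(int(stamp), tz=timezone.utc), rest

def unified_timeline(correct_skew=True):
    """Parse every line into (utc_time, device, detail), optionally removing skew."""
    events = []
    for dev, lines, parser in (("firewall", FIREWALL_LOGS, parse_firewall),
                               ("web", WEB_LOGS, parse_web),
                               ("vpn", VPN_LOGS, parse_vpn)):
        for line in lines:
            t, detail = parser(line)
            if correct_skew:
                t -= timedelta(seconds=CLOCK_SKEW[dev])  # fast clock: subtract
            events.append((t, dev, detail))
    return sorted(events)

def correlate(events, anchor, window_s):
    """Events on other devices within the window, widened by the coarser precision."""
    t0, dev0, _ = anchor
    return [(dev, detail) for t, dev, detail in events if dev != dev0
            and abs((t - t0).total_seconds()) <= window_s + max(PRECISION[dev0], PRECISION[dev])]
```

With the skew removed, the firewall ALLOW lands 1.2 seconds before the web login and correlates; on the raw timestamps it sits almost 8 seconds away and a 5-second window misses it entirely.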
Once again, with all these difficulties in getting solid attribution, coupled with the highly tense geopolitical climate of today's world politics - the time is prime for attackers to sow the seeds of distrust and doubt amongst already distrusting nation states.
While it is widely known that the United States participates in ongoing digital campaigns, what is not widely known is which ones, and to what extent. In retaliation, the level of sophistication being targeted at US state assets and corporations is rising to staggering levels, while uncertainty over the origin of many of the attacks reigns.
Given all of this tension, it is critical to have solid investigators, irrefutable evidence, and near real-time data available. Having a solid group of researchers and analysts at your call isn't a bad idea either if you suspect your organization is coming under attack and needs to start gathering evidence ... this isn't an undertaking you want to try and do on your own.
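The tamper-resistant, off-device logging that the list above calls for, and the "irrefutable evidence" mentioned here, can be approached with a hash-chained log whose records are authenticated with a key that lives only on the collector. This is an added illustration, not the post's own code; the records, the key and the `demo` scenario are constructed.

```python
import copy
import hashlib
import hmac
import json

# Hypothetical collector-side key. It never lives on the device that emits logs,
# so an attacker who owns the device cannot forge or re-link entries.
COLLECTOR_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64

CONSTRUCTED_RECORDS = [
    {"ts": "2013-03-01T14:15:03Z", "dev": "fw1", "msg": "DENY 198.51.100.7 -> 203.0.113.10:22"},
    {"ts": "2013-03-01T14:15:39Z", "dev": "fw1", "msg": "ALLOW 198.51.100.7 -> 203.0.113.10:443"},
    {"ts": "2013-03-01T14:15:40Z", "dev": "web1", "msg": "GET /login 198.51.100.7"},
]

def _link(prev_hash, seq, record):
    """HMAC over the previous hash, the sequence number and the canonical record."""
    payload = prev_hash.encode() + json.dumps({"seq": seq, "record": record}, sort_keys=True).encode()
    return hmac.new(COLLECTOR_KEY, payload, hashlib.sha256).hexdigest()

def append(chain, record):
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    chain.append({"seq": seq, "record": record, "prev": prev_hash, "hash": _link(prev_hash, seq, record)})

def verify(chain):
    """Recompute every link from genesis; return (ok, index of first broken entry)."""
    prev_hash = GENESIS
    for i, e in enumerate(chain):
        if e["seq"] != i or e["prev"] != prev_hash or not hmac.compare_digest(_link(prev_hash, i, e["record"]), e["hash"]):
            return False, i
        prev_hash = e["hash"]
    return True, None

def tail_intact(chain, anchored_hash):
    """Truncating the tail leaves a valid chain; only a hash anchored off-device catches it."""
    return bool(chain) and hmac.compare_digest(chain[-1]["hash"], anchored_hash)

def demo():
    chain = []
    for rec in CONSTRUCTED_RECORDS:
        append(chain, rec)
    anchored = chain[-1]["hash"]                      # collector records the latest hash
    edited = copy.deepcopy(chain)
    edited[1]["record"]["msg"] = "ALLOW 10.0.0.1 -> 203.0.113.10:443"   # rewritten history
    removed = copy.deepcopy(chain)
    del removed[1]                                    # entry silently dropped
    truncated = chain[:-1]                            # newest entry cut off
    return {"intact": verify(chain), "edited": verify(edited), "removed": verify(removed),
            "truncated": verify(truncated), "truncated_anchor": tail_intact(truncated, anchored)}
```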
In a climate where Bob and Mike distrust each other, Sarah can add fuel to the political and economic distrust by creating an attack against Bob and making it appear as though Mike launched it - it's neither very difficult, nor very high-risk to Sarah... unfortunately, and until the bar is raised on defensive postures globally we'll continue to see this as the battleground of the new 'cold war'... and there is so much more to this still to be written.
Stay tuned, I'll be covering this more from a technology perspective, talking to some folks who investigate these issues, and maybe helping you get a grasp on some of the complex issues with false flag, attribution, and the age of the "cyber spy"...
More to come, stay tuned.
Cross-posted from Following the White Rabbit