Every two weeks the HP Security team invites you to join a tweet chat on a topic plucked from the headlines that matters to you.
Recently the conversation turned to attribution and its many challenges in the digital world. I joined in the chat this week along with a bunch of smart people who dared ask some great questions. This is a summary of that one-hour chat...
The opening question was this: "Can we define attribution, in a digital cyber world?"
After a few initial questions the group started to question whether attribution was even necessary, given the way organizations behave in the face of an attack today. @OrlandoDoctrine asked "Do we even need to have attribution?" When we think about the way attacks are carried out today, the question of whether you have to know who is attacking you before you start to defend yourself is pertinent. The participants seemed to agree that in the extreme short term, response simply requires understanding what is happening rather than who the perpetrator is. Still, it became apparent that we needed a framework for understanding why attribution is needed, if at all.
@brasscount defined attribution as "identification of a responsible party", which makes a lot of sense, but is that all? @OrlandoDoctrine replied, "You need to separate the actual attacker from the intermediary actors. In many cases I don't care who the actual attacker is", to which @bitSecure added, "I think it's bigger than identifying an IP address or region. In the anti-spam industry, we tracked many spam gangs", and touched a key point. An IP address or a hosting region identifies infrastructure, not a responsible party: compromised hosts, proxies, and rented servers sit between the attacker and the target. The attacker can be a person, but in order to assign attribution you must understand the person, the group, their allegiances, and maybe even the specific cause. An attack can be attributed to a person, but if that person is part of a larger organization which in turn is acting on behalf of a nation-state, we can start to build the case against the nation-state rather than the individual. In real life, police do this all the time.
@dfreamon wanted to make sure that we were all on the same page and thus said "more important, attribution/response is very different for a single actor (hacker) than for 'cyberwar' "... absolutely true. Attribution becomes paramount when declaring war, cyber or kinetic, because there are potentially lives at stake in that situation.
Paul Calento (@pcalento) made an interesting point: "Attribution [is] helpful (critical?) to determining intent of an attack or breach in order to best address it". This addresses intent more closely and brings to light the fact that an attack is often multi-faceted and rarely single-threaded. Sometimes you're attacked by a single person via a SQL injection attack, but more often than not it's a group working together, exploiting multiple avenues of compromise. Understanding their intent is perhaps the best way to thwart the attack and keep from being a victim; patching the one web form they used tells you nothing about the other avenues they are working. Otherwise you'll essentially wind up playing whack-a-mole wherever the 'bad guys' pop up.
Christian Verstraete, a colleague of mine here at HP, made a fantastic point as well: attribution has a short-term and a long-term aspect. In the short term you want to counter the attack and essentially "make it stop", while in the long term you want to understand where it came from and hopefully prevent yourself from being a target in the future, or at least be better prepared next time around.
Somewhere along the way the conversation mixed metaphors between the physical, law-enforcement world and the digital one, and we quickly realized that the two aren't really compatible in how we treat them, because physical attacks are different from attacks in digital space. While cyberspace doesn't afford as much anonymity as people assume, it still affords a lot more than you get when you're face-to-face with a person wielding a weapon.
The group disagreed for a while over whether retaliation (striking back) at the attackers was something that was needed, but at least we agreed it wasn't necessarily legal... at least not within the US legal system. That brings to mind the complex legal environment within which we find ourselves fighting these cyber battles. This is real life, and the legal system is far from caught up: the international laws, regulations, and rules of engagement are unsettled. As was pointed out, when an attack crosses a state line it is often difficult to "go get them", much less when it crosses many nation-state borders and even into what we would consider hostile territory. Ultimately, counter-measures against the attacker's systems aren't legal, and they're not a great idea to begin with... although some argued that you only need to be able to defend your actions in a court of law.
A great example: suppose a hospital network is used to attack a nuclear power facility. Assuming the worst-case scenario on both sides, would it be defensible for the security staff at the nuclear facility to counter-attack and shut down the attack coming from the hospital, potentially jeopardizing lives? Or does the potential danger to the nuclear facility's systems outweigh the hospital's needs? I don't even want to begin to touch this... I am clearly not a lawyer.
Along that thread, the group touched on another interesting point: the responsibility to keep from being used as a point of attack. If your systems are poorly secured, then compromised and used in an attack against me... do I have legal recourse against you for poor security? This rabbit hole led us to discuss the 'due care' which organizations must take to protect themselves and to keep from being used as a weapon against another entity. This 'due care' is extremely difficult to attain, and worse, difficult to prove or even disprove. How can you prove someone didn't take due care in securing their systems if their assets were used to attack you? I guess this is one of those things that will have to be left up to the courts to decide... Also, if I need to "make it stop", can I strike against your systems to take them down to quell the assault? In a real-life scenario, if your infrastructure, including DNS servers, is being used in an amplification attack against me (your open resolvers are answering spoofed queries that carry my address as the source, so the large responses land on me), can I have your DNS servers taken down? This of course impacts not just me but also you and potentially many of the systems and people who rely on your DNS servers for name-to-address translation. This is a tricky business, and walking the fine line between defending and going on the offense is difficult.
@bitSecure made another excellent point from the vendor's (third-party) perspective: "It's weird because many of us are third party vendors too, and have no right to prosecute or retaliate without the target's permission". So if you're a cloud provider and one of your clients is being attacked by way of your cloud, what is it that you can legally do? What are you obligated to do? I think the group agreed the lines are very blurry and there isn't much case law here, or even the ever-present best practice, to support a good judgment call. It seems like this would be a gut reaction based on the policies and procedures you've set out in your customer agreements, right? Tricky bit of a game here too...
Mark Tomlinson suggested that attribution could be differentiated for two specific use cases: publicity and accountability. This makes sense, since knowing whom to attach the attack to for the evening news isn't as important as knowing which nation-state or terrorist group you would hold accountable. Accountability is tricky too, though, since we have to be very, very sure, beyond a shadow of a doubt, before we start talking about holding someone, or a group of people, accountable.
The major point everyone could agree on is that attribution is necessary for secondary action, but not always for defense. Secondary action being retaliation, accountability, prosecution, etc. At the instant of attack it is more important to be able to make the attack stop; only afterwards do you move on to assign blame and make the legal case.
The notion of a defensive continuum was brought up. This concept is really about a series of events and actions that constitute defense as a closed-loop process. The defensive continuum is something I'd like to go into further, but we didn't have enough time to address it during the hour-long chat... but I'm pretty sure defense starts before you're attacked, and ends long after the attackers have been hauled off to be held accountable. More on this soon...
It was suggested that cooperation is the key to successful attribution, and even to surviving an attack. Whether it's Internet Service Providers or owners of Internet routers, we need a way to positively identify traffic's origin and shut it down when there is a proven issue that requires immediate action. Of course, this is a slippery slope, as it can lead to infringements on freedom of speech and even governmental oppression. The key is to find a balance between information sharing for intelligence purposes and proportional response, so as to keep the Internet working just well enough to pass good traffic and not implode on itself. Under no circumstances should anyone ever utter the words "facebook for intelligence sharing"... those are just wrong.
Wrapping up, we highlighted a few key parting pieces of wisdom:
- @OrlandoDoctrine: It might just be time to stand up for ourselves & look at offensive capabilities used responsibly
- @Christianve: Defend first, then try to understand where it came from and look at silencing them
- @mtomlins: More research on the responses from organizations (legally, or otherwise) when there is/not attribution for an attack
Links and additional resources
- @pcalento - Attribution -- "the new Phantom Menace" suggest HP brief on Cyber Reputation Mgmt (PDF http://t.co/ZlviA3Nr)
- @cebess - Symantec document: The Elderwood Project -- an example of attribution http://t.co/tM9VRJ3
- @mtomlins - According to @sbucci "Without attribution, there can be no real retribution for cyber attacks." -> http://t.co/86ynO4J8
- @Thedodgeretort - "How bad is the problem? A billion detectable threats in Q2 '12 and 89.5 million serving URLs with malicious code"
Cross-posted from Following the White Rabbit