I’m trying to build up some background knowledge to form an opinion about potential rules of engagement for cyberwarfare. I read and hear news stories and even posts here where people seem quite certain who is behind what cyberattack. How might a nation determine who is responsible for an active, outside* attack over the Internet?
*From RFC 2828, p.13
$ attack
(I) An assault on system security that derives from an intelligent
threat, i.e., an intelligent act that is a deliberate attempt
(especially in the sense of a method or technique) to evade
security services and violate the security policy of a system.
(See: penetration, violation, vulnerability.)
- Active vs. passive: An "active attack" attempts to alter system
resources or affect their operation. A "passive attack"
attempts to learn or make use of information from the system
but does not affect system resources. (E.g., see: wiretapping.)
- Insider vs. outsider: An "inside attack" is an attack initiated
by an entity inside the security perimeter (an "insider"),
i.e., an entity that is authorized to access system resources
but uses them in a way not approved by those who granted the
authorization. An "outside attack" is initiated from outside
the perimeter, by an unauthorized or illegitimate user of the
system (an "outsider"). In the Internet, potential outside
attackers range from amateur pranksters to organized criminals,
international terrorists, and hostile governments.
OK, I’m drawing a lot of parallels between a more traditional terrorist attack and a cyberattack.
I think I’m having trouble understanding what kind of thinking goes into the inference. Motive makes sense to me, “who has something to gain from this attack”? But how do you determine who has the means and opportunity? A cyberattack doesn’t necessarily require physical proximity, and investigators don’t necessarily have access to records which identify where the attacker operates out of.
If the attack code contains Russian words, there is a starting presumption that it was developed by Russians.
If the attack code has mostly affected Ukrainian targets, there is a starting presumption that it was developed by Russians.
If the attack code is a further development of code presumed to be Russian, there is a starting presumption that it was developed by Russians.
If there is later evidence that the code is being used by the Russians, it is contributory evidence that the earlier code was being used by the Russians.
If the command and control servers are located in Russia, there’s a starting presumption that it was deployed by Russians.
Looking at an individual random piece of attack code, you can’t make all these assumptions: maybe it’s got Russian words in it because the Chinese put them there. Maybe it’s a bit of NSA code that’s been taken over by a criminal organisation. Typically, attempts at attribution come weeks or months after the code is identified, after people have had time to look at it, and compare other code and other attacks.
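The indicators listed in that reply (language artifacts in the binary, victim geography, code lineage, command-and-control location) are the kind of thing a triage script checks first, with each one tagged by how easily it can be planted or stolen. The following is an added example, not code from any poster or from any real attribution tool: it extracts printable strings from three constructed sample blobs (not real malware), looks for Cyrillic text, compares byte 4-gram overlap against a library of "known" samples as a crude stand-in for the code comparison the thread likens to handwriting analysis, and geolocates the embedded C2 host through an assumed lookup table. The sample bytes, the IP-to-country table, and the 0.3 lineage threshold are all invented for the demonstration.

```python
import re

# Constructed samples (not real malware). A and B share a payload lineage and a
# Russian-language error string; C is unrelated.
SAMPLE_A = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"/usr/bin/rm -rf /var/log\x00"
    + b"wiper_payload_v2\x00"
    + b"http://198.51.100.7/gate.php\x00"
    + "Ошибка записи\x00".encode("utf-8")   # "write error", left in by the developer
    + b"\x90\x90\xe8\x00\x00\x00\x00"
)
SAMPLE_B = (  # later variant: same payload, bumped version, new C2 address
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"/usr/bin/rm -rf /var/log\x00"
    + b"wiper_payload_v3\x00"
    + b"http://203.0.113.42/gate.php\x00"
    + "Ошибка записи\x00".encode("utf-8")
    + b"\x90\x90\xe8\x00\x00\x00\x00"
)
SAMPLE_C = (  # unrelated Windows sample
    b"MZ\x90\x00" + b"\x00" * 12
    + b"kernel32.dll\x00" + b"GetProcAddress\x00"
    + b"http://192.0.2.9/update\x00"
)

# Assumed IP-to-country table; a real pipeline would query a GeoIP/ASN database.
C2_GEO = {"198.51.100.7": "RU", "203.0.113.42": "RU", "192.0.2.9": "DE"}

def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Printable ASCII runs, the same idea as the `strings` utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, blob)]

def has_cyrillic(blob: bytes) -> bool:
    """True if the blob contains a run of at least three Cyrillic letters (UTF-8)."""
    text = blob.decode("utf-8", errors="ignore")
    return re.search(r"[\u0400-\u04ff]{3,}", text) is not None

def byte_ngrams(blob: bytes, n: int = 4) -> set[bytes]:
    return {blob[i:i + n] for i in range(len(blob) - n + 1)}

def jaccard(a: set, b: set) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def c2_hosts(strings: list[str]) -> list[str]:
    """Hostnames or IPs from embedded URLs."""
    hosts = []
    for s in strings:
        hosts.extend(re.findall(r"https?://([A-Za-z0-9.\-]+)", s))
    return hosts

def assess(sample: bytes, known: dict[str, bytes], geo: dict[str, str],
           victim_countries: list[str]) -> dict:
    """Collect attribution indicators, each tagged with how easily it can be faked.

    Returns a dict with the findings, the closest known sample and its overlap score.
    Nothing here proves who wrote the code; it only orders what to examine next.
    """
    strings = extract_strings(sample)
    findings = []
    if has_cyrillic(sample):
        findings.append(("language", "Cyrillic text in binary",
                         "weak: trivially planted by a third party"))
    for host in c2_hosts(strings):
        findings.append(("infrastructure", f"C2 {host} geolocates to {geo.get(host, 'unknown')}",
                         "weak: hosts are rented or compromised, not owned"))
    grams = byte_ngrams(sample)
    scores = {name: jaccard(grams, byte_ngrams(blob)) for name, blob in known.items()}
    closest = max(scores, key=scores.get)
    if scores[closest] >= 0.3:  # assumed threshold for "derived from"
        findings.append(("lineage", f"{scores[closest]:.2f} 4-gram overlap with {closest}",
                         "moderate: code is shared, stolen and resold between groups"))
    if victim_countries:
        findings.append(("victimology", "targets in " + ", ".join(victim_countries),
                         "circumstantial: says who benefits, not who acted"))
    return {"findings": findings, "closest_known": closest, "lineage_score": scores[closest]}

if __name__ == "__main__":
    result = assess(SAMPLE_B, {"wiper_v2": SAMPLE_A, "unrelated": SAMPLE_C}, C2_GEO, ["UA"])
    for kind, detail, caveat in result["findings"]:
        print(f"[{kind}] {detail} ({caveat})")
```

Each finding carries its caveat alongside it, which is the point the reply makes: a single indicator is a starting presumption, and only the convergence of several over weeks of comparison against earlier samples turns presumption into a defensible assessment.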
The US (and other nations') cyber defense folks have lots of samples of the other guys' stuff already. Because cyber terrorism isn't something that might happen some day. It's something that happens continuously every day all the time and has for 10+ years. See
It is certainly possible (witness Stuxnet) for a major attack to be mounted using all-new code with no identifiable antecedents. But that’s a pretty high risk attack strategy since it amounts to launching something that is untested from end to end.
Far more likely, any attack will include elements of recognized code, come from recognized network sources, and use recognizable bits of cyber-tradecraft.
If you assume for a minute that the defending nation also has embedded malware (or human spies) inside the attacking nation's / subnational organization's cyberforces, attribution may be trivial; you've already read all their mail about the development and launching of the attack against you. But admitting you have that information may be problematic. So we may see it play out like this:
USA: We know the Slobovians did this and we're gonna physically incinerate their capital and all their cyber attack physical facilities worldwide.
Slobovia: But how do you know it was innocent little us?
USA: We know and we're not going to explain how we know. We just do. Sux to be you.
Thanks, so I see the C&C servers in Russia + attack on Ukraine as parallel to a terrorist known to have placed a phone call to Russia shortly before an attack on Ukraine. There’s good reason to suspect ties with Russia. And the code comparison sounds sort of like handwriting analysis. The final attribution could be an inference like Chronos said, rather than a smoking gun.
Okay… "smoking gun" doesn't necessarily mean eyewitness testimony, it just means conclusive evidence. The traditional example would be finding a literal smoking gun when the officer arrives on-scene.
Never forget that the most successful cyber attacks are not just technological. The human element always gets you much further. So we might assume that many if not most serious attacks include a range of social engineering exploits to gain a foothold. These may be much easier to sheet home to their source than the eventual technological part of the attack.
The entire alt-news insanity of the last 4 err 8 aah 12 umm 16 years is exactly a social engineering cyberattack / "media-attack", to coin a term.
A sustained assault by bad actors on the body politic of an undefended democracy. “Free speech” in this case amounts to living in a “Free fire zone” for deliberately conceived and deliberately amplified active disinformation.
The only problem we have now is attribution.
How much of it is foreign governments and which, how much of it is US malefactors of great wealth, how much of it is opportunistic US politicians, how much of it is opportunistic US commercial & media interests selling outrage to the rubes, and how much of it is simply the rubes reinforcing one another into a frothing sea of know-nothing fury?
Damn good question. But our society is collapsing before our very eyes under the onslaught.