Behind the mask: The challenges of attributing cyberattacks to nation states

When a major cyberattack hits, the question of who is responsible quickly arises. But accurately attributing an attack is exceptionally challenging, as Lucy Ingham finds out from Cybereason CISO Israel Barak, and, with no clear rules of engagement, the implications are significant.

Once largely the concern of major nations and multinational corporations, cybersecurity is now a problem that impacts enterprises and countries of all sizes, and when an attack hits the effects can be devastating. Naturally, there is a strong desire to determine who is responsible, with certain nations often being cited as responsible for some of the biggest incidents in recent years.

However, pointing the finger of blame is not as simple as media reports sometimes suggest, as Israel Barak, CISO at Cybereason, a company specialising in the creation of technology for detection and response, knows well. A former member of the Israeli Defense Forces where he founded and led the red team unit, he has been working in cybersecurity since the mid-90s.

Now, in his role at Cybereason, he sees first-hand how challenging the attribution of attacks to specific threat actors can be.

“As part of working through the data the technology collects, analyses, responds to, we very often identify advanced techniques, sometimes we're able to attribute them, sometimes not, but we're often exposed to a lot of these advanced technique trends in the industry,” he says.

Identifying an attacker: why correctly attributing a threat actor is a serious challenge

When cybersecurity experts seek to uncover the threat actor behind an attack, they typically rely on what are known as tools, techniques and practices (TTPs), which Barak characterises as “fingerprints” left on the tools an attacker uses.

“Traditionally TTPs were used to help associate a certain incident to a certain actor. You would know that certain TTPs are very indicative of certain advanced actors and that would help associate that incident to that actor,” explains Barak.

However, as hacking tools and other cybersecurity data and intelligence have become more widespread, a problem has arisen.

“One of the issues that has become very prevalent over the past five or six years is that the knowledge in TTPs on how to launch advanced attacks is actually distributed and has now reached far beyond just a small group of advanced nation state actors,” he says. “Today you can find hundreds of different actors; some of them are criminal actors, some of them are business intelligence actors, some of them are just contractors and some of them are nation state actors but many of them use very, very similar TTPs, very similar techniques, very similar tools.

“The knowledge in how to build those tools has distributed significantly, the knowledge in how to conduct an advanced operation has distributed significantly, so the number of players in the market, the number of actors in the market that can be behind that type of attack has increased exponentially. There are no usual suspects anymore, at least technically speaking.”

At the same time, threat actors now take great pains to disguise who they are and where they are acting from, seeking to mask their identity by mimicking that of an actor from another state.

“That's a built-in part of any operational plan of an advanced attack; you choose who you want to resemble. A lot of threat actors, some of them are criminals, some of them are nation states, want to resemble the NSA, for example,” he says. “Some want to resemble Chinese activities, some want to resemble Korean activities, some want to resemble Russian activities.”

Attackers do this in part because they know that if they are detected, the tools and techniques they use will be investigated and used to form conclusions about their identity. They are aided by the fact that many of the tools used by those acting on behalf of nation states have been leaked in the last few years.

“You can actually learn a lot based on the leaked information, both in terms and practices, how these other guys actually work. And you can take and adopt these techniques and build them into your operational profile and tools to resemble them,” he says.

Appearing to be someone else from another part of the world is no small task, involving a host of different practices to create a false profile of the attacker, extending from lab location to code terminology. When it comes to deploying the attack tools and engaging in an attack, the mimicry continues, with the use of command and control infrastructure that furthers the illusion.

Barak explains, “It's very easy today to buy servers or to deploy command and control infrastructure anywhere you want in the world. If you want to put the blame on someone like China, you can buy command and control servers in China. If you want to make it look like something that operates out of Korea, it's not very difficult to buy servers and command and control infrastructure in places like South Korea, for example. Or India. Or Africa. Or the United States for that matter. Wherever you want in the world.”
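The two points above, that many actors now share the same TTPs and that command and control location can be chosen to resemble someone else, can be made concrete with a small scoring sketch. The following Python is an added example, not code from the article or from Cybereason: it compares the TTPs observed in an incident against constructed, hypothetical actor profiles (the group names, TTP labels and country names are all made up here) and returns a verdict only when the best match clearly leads the runner-up. Once a third actor is added whose toolkit is a copy of a leaked one and whose servers sit in the same country, the same evidence no longer separates the candidates and the honest answer is "ambiguous".

```python
"""Illustrative TTP-overlap attribution scorer (added example, not the article's own)."""
from typing import Dict, List, Set, Tuple

# Constructed, hypothetical actor profiles for illustration only; the TTP labels
# and country names are placeholders and do not describe any real group.
ActorProfile = Dict[str, Set[str]]

PROFILES: Dict[str, ActorProfile] = {
    "group-alpha": {
        "ttps": {"spearphish-attachment", "powershell-loader", "dns-tunnel-c2", "lsass-cred-dump"},
        "infra": {"country-x"},
    },
    "group-beta": {
        "ttps": {"watering-hole", "macro-dropper", "http-beacon", "lsass-cred-dump"},
        "infra": {"country-y"},
    },
}

# The same catalogue after a third (hypothetical) actor builds its toolkit from
# alpha's leaked tooling and deliberately rents C2 servers where alpha usually does.
PROFILES_AFTER_LEAK: Dict[str, ActorProfile] = {
    **PROFILES,
    "contractor-gamma": {
        "ttps": set(PROFILES["group-alpha"]["ttps"]),
        "infra": {"country-x", "country-z"},
    },
}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Overlap of two TTP sets in [0, 1]; empty sets score 0."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def score_candidates(observed_ttps: Set[str], c2_country: str,
                     profiles: Dict[str, ActorProfile],
                     infra_weight: float = 0.1) -> List[Tuple[str, float]]:
    """Rank actors by TTP overlap. Server location is cheap to fake, so it only
    nudges the score (infra_weight) rather than deciding it."""
    scored = []
    for name, prof in profiles.items():
        score = jaccard(observed_ttps, prof["ttps"])
        if c2_country in prof["infra"]:
            score += infra_weight
        scored.append((name, round(score, 3)))
    return sorted(scored, key=lambda item: item[1], reverse=True)


def verdict(scored: List[Tuple[str, float]], margin: float = 0.1) -> str:
    """Name the top actor only if it leads the runner-up by at least `margin`."""
    if not scored:
        return "no-candidates"
    if len(scored) > 1 and scored[0][1] - scored[1][1] < margin:
        return "ambiguous"
    return scored[0][0]


# Constructed incident evidence: three observed TTPs and the C2 server's country.
OBSERVED: Set[str] = {"spearphish-attachment", "powershell-loader", "dns-tunnel-c2"}
C2_COUNTRY = "country-x"


def demo() -> Tuple[str, str]:
    """Verdict before and after the leaked toolkit spreads to a second actor."""
    before = verdict(score_candidates(OBSERVED, C2_COUNTRY, PROFILES))
    after = verdict(score_candidates(OBSERVED, C2_COUNTRY, PROFILES_AFTER_LEAK))
    return before, after


if __name__ == "__main__":
    print(score_candidates(OBSERVED, C2_COUNTRY, PROFILES))
    print(score_candidates(OBSERVED, C2_COUNTRY, PROFILES_AFTER_LEAK))
    print(demo())
```

The margin check is the defensive design choice here: a scorer that always names its top candidate would confidently return "group-alpha" in both runs, which is exactly the outcome a false flag is built to produce. Keeping infrastructure location as a low-weight signal reflects the point that servers can be rented anywhere.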

Certain uncertainty: Nation state attribution is not guaranteed

Given these sophisticated disguises, investigators have their work cut out for them when it comes to pointing the finger of blame.

“Investigators basically will have to base their attribution conclusions on tools and communication profiles that were built specifically by the threat actors to thwart and point the blame at someone else, where they're actually seeing what the attacker wants them to see. They built the attack in the exact same way that they want the investigators to think,” says Barak.

“So these factors are things that essentially make a technical attribution something that is extremely difficult and would mostly lead investigators in the wrong direction.”

As a result, it is near impossible in many cases to say with certainty that an attack came from a specific threat actor.

“The reality is that with advanced threat actors it's very rare that there would be a technical way to point the finger of blame at the right threat actor,” says Barak.

Instead of relying purely on technological methods, investigators then have to use other tools to determine who is responsible.

“Usually the means that help with accurate attribution, especially when you're in that nation state space, are completely not technological. They're fully based on intelligence infrastructure, intelligence sources that can provide you with insight into what the other side's goals were and who the actor was,” he says.

Risks in retaliation: Cybersecurity has no rules of engagement 

This lack of technological certainty poses significant challenges when it comes to responding to attacks, particularly when it comes to the idea of “hacking back” in order to deter threat actors from engaging in future attacks.

“This actually increases the likelihood that someone, I wouldn't want to call it a bystander, but someone that's not directly involved in an incident but was just used as a cover for an incident, is actually going to get hit with something like a hack back that an enterprise would be involved in,” says Barak.

However, when it comes to nation-level responses to cyberattacks, this is only one small part of an increasingly thorny challenge. After all, while cyber warfare has now become a mature tool for national defence, the rules surrounding it remain immature.

“Cyber warfare has already become a standard in the tool belt of any sophisticated military organisation. It's already a standard tool, and it's been a standard tool for the past 10 or 12 years,” says Barak.

“The interesting thing is that there are no rules of engagement right now. How do you respond to a cyberattack? What is the sliding scale of launching military offensives in cyberspace? Is it legitimate to try to thwart an election? How do you respond to that? Do you send F-16s? Is that the proper response?

“In the physical realm, there's a certain understanding of what the balances are in terms of what is that sliding scale. Armies or military organisations know that if they launch an operation of type one they can expect the retaliation of type two. In cyberspace, these rules haven't been written yet.”

At this stage, Barak argues, governments are still in the process of working out what the rules are, how far they can go before they provoke a response and what that response will be if they do.

“What you see around us are governments experimenting with how far they can go along with launching cyberattacks and what type of retaliation they can expect and therefore how can they manage their risk,” he says.

“And I think the most dangerous thing about cyber warfare isn't the fact that it's not already standardised – it's already standardised and being used regularly – it's the fact that the rules of engagement, whether written or unwritten, have not been settled. There's no agreed-upon, even informally, understanding of what the common action and reaction would be in cyberspace.

“And I think that is a very slippery path and can lead governments to going very far with launching cyber warfare operations just based on the expectation that there's not going to be any physical retaliation.”
