Introduction
One area we frequently get questions about is how cyber attribution is achieved, and how much of it involves science versus politics or geopolitics. To address this, I’ve put together the first of two articles to explore the topic of cyber attribution.
Attribution is when an entity is named as being responsible or accountable for an act. Achieving attribution in cyber security can in some cases be complex. Some consider it trivial and of little benefit, since it makes no difference to an organisation after compromise: what matters to a business is rapid recovery to normality, rather than “trivialising” over who hacked them. In some instances that might be the case; however, for businesses that hold cyber insurance, or for cyber insurers themselves, identifying the attacker may be essential. The benefits of attribution are myriad, including an understanding of threat actor trends and their choice of victim. An understanding of threat actor behaviour is particularly useful when implementing threat-informed defence.
The nation-sponsored adversarial cyber events of 2017, such as WannaCry and NotPetya, coupled with several recent cyber-attacks targeting Ukraine, have made some insurers revisit their war exclusions to include cyberwar. There remains a debate on the meaning and definition of the term cyber war; for this report one of the proposed definitions has been adopted. Cyberwar is “the use of computer technology by a nation state or its subjects under the direction of the state, to disrupt the activities of another state or its organisations, for strategic or military purposes.”
In any case, the variations in the definition of cyber war neither add to nor take away from the subject at hand, which is who did it: attribution. This report explores cyber attribution as a science and an art, and how it can be achieved in practice.
The Diamond Method
One popular approach used to track and analyse the characteristics of a cyber-attack is the diamond method. In this method, every intrusion has an intruder (adversary), who uses certain capabilities or methods over an infrastructure to attack a victim. It is the analyst's responsibility to analyse numerous cyber-crime scenes to identify patterns. Threat groups are studied long enough to reveal their capabilities, infrastructure, and victim choice. Not all threat actors have similar capabilities: some specialise in gaining access and operate as access brokers, selling access credentials only and not necessarily running ransomware. The infrastructure defines the platforms, such as IP addresses or domains, used to launch attacks. Victim preferences also play a part in identifying threat groups. Groups affiliated to nation states are often less financially motivated than non-nation-state actors, and this is often evident in their choice of victims. In 2010, the Stuxnet virus disrupted the uranium enrichment facility in Iran. With no obvious financial gain from attacking such a facility, analysts were quick to dismiss the involvement of financially motivated threat groups in favour of hacktivist groups and nation state actors. The diamond method forms the basis of an early investigation.
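To show how diamond-style event records are compared across many incident scenes, here is an added Python example; it is not code from the original article or from any named project. Each intrusion is recorded by its four vertices, events that share at least one capability or infrastructure indicator are linked into activity groups, and each group is then summarised by the capabilities, infrastructure and victim choice it reveals. The event identifiers, tool names, addresses, victims and the group name "GroupRed" are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event described by the four diamond vertices."""
    event_id: str
    adversary: str             # "unknown" until attribution is possible
    capability: frozenset      # tools / techniques observed
    infrastructure: frozenset  # IPs / domains used to launch the attack
    victim: str                # victim organisation or sector


def shared_indicators(a, b):
    """Indicators that appear on both events (capability or infrastructure)."""
    return (a.capability & b.capability) | (a.infrastructure & b.infrastructure)


def cluster_events(events):
    """Link events into activity groups: two events belong to the same group
    if a chain of shared capability/infrastructure indicators connects them.
    A small union-find handles chains, so a shared IP between E2 and E3 plus a
    shared tool between E1 and E2 pulls all three together."""
    parent = {e.event_id: e.event_id for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path compression
            x = parent[x]
        return x

    for i, a in enumerate(events):
        for b in events[i + 1:]:
            if shared_indicators(a, b):
                ra, rb = find(a.event_id), find(b.event_id)
                if ra != rb:
                    parent[rb] = ra

    groups = defaultdict(list)
    for e in events:
        groups[find(e.event_id)].append(e.event_id)
    return sorted(sorted(g) for g in groups.values())


def profile_group(events, group_ids):
    """Summarise an activity group: any adversary already named on a member
    event, plus the union of capabilities, infrastructure and victims seen
    across the group. A name on one event is a lead for the others, not a
    proven attribution of the whole group."""
    members = [e for e in events if e.event_id in group_ids]
    return {
        "adversaries": sorted({e.adversary for e in members if e.adversary != "unknown"}),
        "capabilities": sorted(set().union(*(e.capability for e in members))),
        "infrastructure": sorted(set().union(*(e.infrastructure for e in members))),
        "victims": sorted(e.victim for e in members),
    }


# Constructed sample events: documentation IP ranges and invented tool names.
SAMPLE_EVENTS = [
    DiamondEvent("E1", "unknown", frozenset({"LoaderA", "phishing-macro"}),
                 frozenset({"203.0.113.10", "login-portal.example.net"}), "retailer-A"),
    DiamondEvent("E2", "unknown", frozenset({"LoaderA"}),
                 frozenset({"198.51.100.7"}), "retailer-B"),
    DiamondEvent("E3", "GroupRed", frozenset({"WebShellB"}),
                 frozenset({"198.51.100.7"}), "bank-C"),
    DiamondEvent("E4", "unknown", frozenset({"RansomwareZ"}),
                 frozenset({"192.0.2.44"}), "hospital-D"),
]

if __name__ == "__main__":
    for group in cluster_events(SAMPLE_EVENTS):
        print(group, profile_group(SAMPLE_EVENTS, group))
```

Linking on a single shared indicator is deliberately generous so that weak leads surface for the analyst; in practice a widely shared commodity tool would be given less weight than a custom loader or a dedicated IP.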

Figure 1.1 Diamond method
Attribution
The four primary approaches to cybercrime attribution rest on careful analysis of evidence from four categories: adversary admission, leaks, direct access, and intrusion analysis (digital forensics). In the field of cyber threat intelligence (CTI), the most convincing attribution is one that combines intrusion analysis with at least one of the other three. A brief description of each follows.

Figure 1.2 Categories of Evidence useful in attribution
Adversary admission
As surprising as it sounds, this happens often. Ransomware groups will often leave behind a “calling card” and details for the victim to make contact. RansomHouse, for instance, has been attributed to at least 6 major cyber-attacks in 2022. The threat group admitted to compromising Africa’s biggest grocery store, Shoprite. Despite their name, the threat group does not use ransomware. They hacked and exposed data from chip manufacturer AMD and the insurer Crum and Forster. In each of these cases RansomHouse explicitly claimed ownership and followed the announcement with disclosure of the victim’s data onto the internet.
Leaks
In some cases, threat actors have intentionally or unintentionally leaked information that identifies them in various hacker forums. The Edward Snowden leaks are a good example of leaks that helped identify various US-based operations. There were also leaks that attributed various operations, known as “Animal Farm”, to the French government.
Direct Access
This is classic spy-type work and may involve hacking the suspected hacker to reveal their true identity. Many countries today, including the US, UK, Russia, China, Iran, North Korea and Israel, have mature cyber capabilities to conduct both defensive and offensive operations of this kind. In 2022 the US government admitted to the FBI carrying out offensive cyber intrusions into botnets that had been strategically placed across Europe and Asia. They were able to identify that the botnets had been placed by Russian cyber operatives before the FBI disrupted them.
Intrusion Analysis
Most advanced threat actors attempt to clean up after compromising a system to disguise their presence. However, forensic analysis of the cyber incident scene may reveal artifacts of the malware used, the programming languages used, IP addresses, domains and many other technical clues used to compromise the system, and some log entries can provide insight into the type of threat actor. Threat actors, like businesses or individuals, do not possess infinite resources; they tend to use the tools and skills they are best at using. Across numerous campaigns by the same actor, cyber incident response teams can, over time, identify the characteristics of various threat groups based on their behaviour, technology, affinity for certain industries and so forth. This forms the recognised Tactics, Techniques and Procedures (TTPs) of the group.
The Intent, Capability and Opportunity (CIO) — Attack triad
The evidence gained from the previous processes may in some cases be sufficient to achieve attribution. However, it is not uncommon for threat actors to plant false flags to mislead forensic analysts as they cover their tracks or, worse still, to choose to incriminate someone else. History has cases of national armies deliberately damaging their own infrastructure and then blaming it on another nation. In cases of ambiguity, the attack triad process can be used. For any attack to occur, there must be an intent to attack, the capability to carry out the attack and an opportunity that allows the attack to happen. In other words, intent is possessing a motivation to carry out a campaign; capability is possessing the technology or financial resources to carry out a campaign; and opportunity is possessing direct or indirect access to the victim. The diagram below shows that a real threat exists when these three are interwoven.

Figure 1.3 Threat = Capability + Intent + Opportunity
Therefore, when analysing a cyber-crime scene, an analyst may include or exclude a threat group from suspicion based on CIO. For instance, a threat actor with the intent to attack a financial organisation but lacking the technical, financial, or social capability to breach the bank’s defence systems is unlikely to be successful. On the other hand, China as an example may have the capability of launching cyber-attacks at United Kingdom and United States interests but may not have the intent to do so, given the likelihood of physical confrontation that could play out as a result. Capability can be viewed as both technical and financial feasibility. Threat groups have finite resources/capability at their disposal to carry out attacks, with nation state sponsored attackers having significantly bigger capability and budgets than the lowest end of the spectrum, script kiddies.
The intent and capability to attack need a vector through which an attack is delivered. This is the opportunity a threat actor leverages to attack their victim. It might be the ability to interact with the victim through a third party, or it might be the ability to send an email to the victim’s machine. Opportunity is the availability of a means by which the adversary can accomplish their intentions. Opportunity can be technical but does not have to be. Opportunities for attack may arise from a wide range of factors, including vulnerabilities and social, legal, supply chain or political factors. For example, some jurisdictions and governments reduce opportunity through laws that dissuade certain threat actors from operating within them. Without each of the elements of CIO, a threat actor is unlikely to cause harm regardless of intent. In the Stuxnet example mentioned previously, most hacktivist groups and countries were excluded from suspicion based on capability. The centrifuges in the Iranian enrichment facility were highly specialised and
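The include-or-exclude step of the attack triad, as an added Python example that is not part of the original article: each candidate actor carries the evidence recorded for intent, capability and opportunity, any actor missing an element is excluded with the reason stated, and survivors are ranked by their weakest element, since the triad holds only as strongly as its thinnest leg. The actor labels and evidence strings are invented to mirror the Stuxnet reasoning above and are not findings from any real case.

```python
ELEMENTS = ("intent", "capability", "opportunity")


def assess_candidates(candidates):
    """candidates maps an actor name to the evidence recorded per CIO element:
    {"actor": {"intent": [...], "capability": [...], "opportunity": [...]}}.
    Returns (ranked_credible_actors, excluded) where excluded maps each
    dropped actor to the elements for which no evidence exists."""
    credible, excluded = {}, {}
    for actor, evidence in candidates.items():
        missing = [el for el in ELEMENTS if not evidence.get(el)]
        if missing:
            excluded[actor] = missing
        else:
            # Score survivors by the element with the least support, so that
            # a strong intent cannot compensate for a thin capability case.
            credible[actor] = min(len(evidence[el]) for el in ELEMENTS)
    ranked = sorted(credible, key=lambda a: (-credible[a], a))
    return ranked, excluded


def explain(candidates):
    """Human-readable lines for the analyst's notes."""
    ranked, excluded = assess_candidates(candidates)
    lines = [f"credible (strongest first): {', '.join(ranked) or 'none'}"]
    for actor, missing in excluded.items():
        lines.append(f"excluded {actor}: no evidence of {', '.join(missing)}")
    return lines


# Constructed illustration modelled on the article's Stuxnet discussion.
SAMPLE_CANDIDATES = {
    "hacktivist-collective": {
        "intent": ["public statements against the programme"],
        "capability": [],                       # no industrial-control tooling observed
        "opportunity": ["contact with contractor staff via social media"],
    },
    "financially-motivated-crew": {
        "intent": [],                           # no ransom or fraud pathway
        "capability": ["commodity malware", "purchased initial access"],
        "opportunity": ["phishing against contractor mailboxes"],
    },
    "nation-state-candidate": {
        "intent": ["strategic interest in delaying the programme"],
        "capability": ["PLC expertise", "bespoke malware development", "large budget"],
        "opportunity": ["supply-chain access to the facility's contractors"],
    },
}

if __name__ == "__main__":
    print("\n".join(explain(SAMPLE_CANDIDATES)))
```

Recording the reason for every exclusion matters as much as the shortlist: when new evidence arrives (for example, proof that a group acquired the missing capability), the analyst can see exactly which exclusion no longer holds.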
Analysis of Competing Hypothesis (ACH)
The methods covered in this report so far can be effective in deriving attribution as they are. Analysts, however, have more than a few ways to look at a cybercrime scene to validate their findings. The ACH model is particularly important in cyber threat intelligence. The process tries to eliminate bias during analysis. All evidence is gathered, which may include technical evidence from forensic investigators, threat intelligence and geopolitics. Analysts independently come up with reasonable hypotheses that can be supported by the available evidence. This helps the analysts find hypotheses that might not normally be considered. The most likely hypothesis based on the available evidence then identifies the most plausible threat actor to attribute.
The ACH model is so useful that it is applied often, and with good output, during incident response or investigation engagements that explore potential risks. ACH is not discussed here in detail as the final iteration of this report deals entirely with ACH.
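The hypothesis-versus-evidence step of ACH, as an added Python example rather than code from the original article or from any project: candidate actors are the hypotheses, each evidence item is rated consistent, inconsistent or neutral against each one, and hypotheses are ranked by how much evidence contradicts them, which is the standard ACH convention (after Richards Heuer) of counting inconsistencies rather than rewarding consistency. Evidence consistent with every hypothesis is flagged as non-diagnostic. The actor names, evidence descriptions and ratings are constructed for illustration.

```python
CONSISTENT, INCONSISTENT, NEUTRAL = "C", "I", "N"


def hypotheses_in(matrix):
    """All hypothesis names mentioned anywhere in the matrix."""
    hyps = set()
    for ratings in matrix.values():
        hyps.update(ratings)
    return sorted(hyps)


def inconsistency_scores(matrix):
    """Count, per hypothesis, the evidence items rated inconsistent with it.
    Consistent evidence proves little (a planted false flag is consistent
    with the wrong hypothesis by design); inconsistent evidence is what
    actually argues against a hypothesis."""
    hyps = hypotheses_in(matrix)
    scores = {h: 0 for h in hyps}
    for ratings in matrix.values():
        for h in hyps:
            if ratings.get(h, NEUTRAL) == INCONSISTENT:
                scores[h] += 1
    return scores


def non_diagnostic(matrix):
    """Evidence inconsistent with no hypothesis cannot separate them,
    however striking it looks, and should not sway the analyst."""
    return sorted(e for e, r in matrix.items() if INCONSISTENT not in r.values())


def rank_hypotheses(matrix):
    """Least-inconsistent hypothesis first; ties broken alphabetically so
    the analyst sees that the evidence does not separate them."""
    scores = inconsistency_scores(matrix)
    return sorted(scores.items(), key=lambda kv: (kv[1], kv[0]))


# Constructed matrix: three candidate actors and four evidence items.
# Keys are evidence descriptions; values are the rating per hypothesis.
EVIDENCE = {
    "E1 custom loader previously seen only in GroupRed intrusions":
        {"GroupRed": CONSISTENT, "GroupBlue": INCONSISTENT, "Hacktivists": INCONSISTENT},
    "E2 victim is a utility with no obvious financial return":
        {"GroupRed": CONSISTENT, "GroupBlue": INCONSISTENT, "Hacktivists": CONSISTENT},
    "E3 phishing lure written in fluent local language":
        {"GroupRed": CONSISTENT, "GroupBlue": CONSISTENT, "Hacktivists": CONSISTENT},
    "E4 binary contains strings naming GroupBlue (possible false flag)":
        {"GroupRed": NEUTRAL, "GroupBlue": CONSISTENT, "Hacktivists": INCONSISTENT},
}

if __name__ == "__main__":
    for hypothesis, score in rank_hypotheses(EVIDENCE):
        print(f"{hypothesis}: {score} inconsistent item(s)")
    print("non-diagnostic:", non_diagnostic(EVIDENCE))
```

Note how E4, the strings naming GroupBlue, adds nothing against GroupRed because it was rated neutral: a possible false flag is recorded but not allowed to count as evidence for the group it names, which is the bias the method is designed to remove.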
Summary
This report explores the methods used in cyber attribution, emphasising that attribution is not solely a technical process. Instead, it requires a combination of both technical and non-technical evidence. Successful attribution involves analysing these diverse inputs over time. To effectively handle nation-state attribution, analysts must draw on expertise from various domains, including language, culture, geopolitics, and technical fields.