[BreachExchange] Attack attribution does little to improve enterprise security

Fri Jul 29 14:16:45 EDT 2016

http://www.networkworld.com/article/3101727/security/attack-attribution-does-little-to-improve-enterprise-security.html

After every major data breach, the security community engages in a game of
whodunit and attempts to figure out what entity or nation state carried out
the attack. The North Koreans were behind the Sony breach, while China
carried out the attack on the Office of Personnel Management (OPM).
Meanwhile, hackers linked to the Iranian government hacked a small dam in
New York as well as the networks of AT&T, Bank of America and the New York
Stock Exchange, among other major U.S. businesses.

And now Russia is being singled out for supporting hackers who infiltrated
the Democratic National Committee’s computers and disclosed sensitive files
and emails.

While people want some sort of closure after a crime has been committed and
to see the perpetrators brought to justice, it’s time to reconsider the
benefits of attributing cyber attacks. Having a corporate security team
attempt to figure out who is behind a hack is complicated, is time
consuming and does very little to improve an enterprise’s defenses, which
should be a company’s priority after an attack. And, perhaps most
important, many attributions are just guesses or completely wrong.

When laws are broken in the physical world, there’s irrefutable evidence
that links the guilty party to the crime. Maybe it’s fingerprints or a
strand of hair or surveillance footage from a security camera. Whatever the
evidence, it’s tangible and hard to manipulate. In the cyber world,
however, evidence can be easily altered, making the task of figuring out
who pulled off an attack much more difficult and sometimes impossible.

To understand why attribution does not work, think like the people who are
behind the operation. They have invested significant time and resources
masking their identity prior to the operation’s start. They employ basic
precautions like making sure their tools never communicate with a server
based in the country where the attack originated. Instead, they’ll make the
communication appear to originate from another nation and buy domain names
in different countries.

The hackers also want to avoid establishing any link between them and the
hardware and software used in the operation. This means instead of
purchasing equipment with credit cards connected to the hackers, they will
use bitcoins or stolen credit cards.

Deception is always a major part of an attack. The attackers want to make
sure that if the operation is discovered, any evidence that’s unearthed
points toward someone else. Russian hackers, for example, may include
Chinese in the malware’s code to make it appear that China played a role in
the attack. Or nation state hackers will employ tactics and techniques
typically used by cyber-crime groups in an effort to pin the attack on a
criminal organization instead of a nation state. In recent years, the
sophisticated attack techniques used by nation state attackers have been
adopted by cyber criminals, making attack attribution very tricky.

Even if a security team correctly identifies an attacker, the return may
not be worth the investment. Figuring out who hacked a company may fill
security professionals with pride, but how can they retaliate against the
group or nation that executed the attack? While the U.S. government can
take action against the country behind a data breach, as it did with North
Korea with the Sony hack and imposed sanctions, federal officials don’t and
can’t seek retribution after every attack. I suspect the U.S. government
lacks the ability to investigate all cyber attacks. Additionally, going
after every attacker doesn’t seem like a sound cybersecurity policy.

When an attack has been attributed, prosecution by the U.S. government
rarely happens. Extraditing hackers to the U.S. for trial is not an option
in many cases, as seen with the Iranian attackers. If the hackers don’t
reside in the U.S., federal prosecutors have little legal recourse against
them.

My main concern is that the effort spent on attributing an attack distracts
organizations from fully remediating a breach. A company’s limited security
resources are better spent understanding how the attackers infiltrated the
network and their capabilities and using this intelligence to prevent
future attacks. Having corporate security teams focus on attack attribution
does nothing to protect their company from getting hacked again.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160729/a519e280/attachment.html>