In-brief: Tools to attribute cyber attacks are still primitive – leading to potentially damaging mis-identification. (This post first appeared on the Digital Guardian blog.)
Despite the demand and market pressure in the cyber security industry to get past “what” and point a finger at “who” is behind sophisticated hacks, the tools and techniques for doing so haven’t changed much in recent years.
Proper incident response (see also: Mandiant) can yield lots of information about the source of attacks and the tools and techniques used to compromise a target. Command and control networks used to manage compromised assets can be documented – and linked to previous attacks against other targets.
But when it comes to connecting that data to real-world actors, solid lines turn to dotted lines – or no lines at all. Often the “threat actor” profile is built on open source information – email addresses gleaned from online bulletin boards and cross-checked with social media posts, photos or other ephemera.
Needless to say, there’s lots of Googling, but little in the way of “HUMINT” – human intelligence – to put individuals behind the terminals conducting attacks. And that means there’s lots of room for error.
Witness the Forbes story about Gaza Strip resident Khalid Samraa, who found himself linked to the recent cyber attacks on Israeli government cyber assets dubbed “Arid Viper.”
Samraa was named in a report by the security firm Trend Micro because he was the registrant of a web domain that was part of the command and control (C&C) infrastructure used in the attack. Trend also noted some circumstantial evidence linking Samraa to anti-Israel groups: his email was associated with a Facebook group called Gaza Under Fire 2012. But Samraa, who runs a local IT business, said that the “proof” in the Trend Micro report was just circumstantial evidence – the product of his work helping small businesses get online.
Read more via The Deadly Game of Cyber Mis-Attribution | Digital Guardian.