A Critical Review of Tom Rid and Ben Buchanan's "Attributing Cyber Attacks"

Thomas Rid and Ben Buchanan recently tackled the problem of attribution in cyber attacks in "Attributing Cyber Attacks", an academic paper published by Taylor & Francis. I don't know Ben Buchanan but I do know Tom Rid to be a very bright and honest individual. I believe that this paper is his and Ben's best effort. Unfortunately, they only managed to serve up the same flawed recipe for attribution that information security companies have been using for the past 15 years.

Somehow, the authors completely missed the fact that the U.S. Department of Justice has only brought one indictment in an APT case and zero successful prosecutions of any APT actors - ever. Granted, I'm not a college-trained thinker but in every other area you have to demonstrate proof of your prowess. Someone who's successful at fishing brings back fish, not fish stories. Unfortunately, Rid and Buchanan want you to believe that there's some middle ground between the captured fish and the fish that got away. Coincidentally, cybersecurity companies who sell their attribution fish stories to customers want them to believe the same thing - that getting close to catching the fish is the same as hooking it. In their case, of course, the real fish that they're trying to hook isn't the APT actor, it's the customer.

"Attribution is what states make of it."

One of the authors' main points is that attribution is what states make of it, and that's certainly true. A government will determine who it believes to be responsible regardless of the evidence. Multiple intelligence failures going back to the Gulf of Tonkin incident and before are a testament to that fact. And the finding that North Korea was responsible for the Sony attack in spite of evidence to the contrary may be the latest example - time will tell. But as citizens who pay the price for what our state leaders decide to do, we shouldn't tolerate being spoken to like children; i.e. "It's North Korea because I said it's North Korea, young man. Now go to your room!"

"The ultimate goal of attribution is identifying an organization or government, not individuals."

That statement is shockingly wrong. Attribution must be able to differentiate between state and non-state actors because blaming a nation state for the actions of a group of malicious hackers can have negative consequences that far exceed anyone's expectations. If you can't tell the difference between a hacktivist group and a foreign intelligence service, you're in the wrong field. If you believe that the ability to differentiate between the two doesn't matter, you're a menace to society.

In fact, cyber security professionals in the private and government sector have been making assumptions about this since the early 2000s - the principal one being that if a cyber attack is against a bank, then it must be Eastern European hackers in it for the money. And if the cyber attack is against an aerospace company (for example), then it must be a nation state because there's no money in stealing intellectual property.

Actually, there's a lot of money to be made in stealing and reselling intellectual property, and it's done all over the world. The myth, dating from the early 2000s, that only governments engaged in acts of cyber espionage was the genesis of today's APT threat actor business model, where each company creates its own "threat actors" and names them using different conventions. No one knows if there are real people in each group or if they're just a figment of some analyst's imagination. In reality, they are merely groupings of technical indicators that were repeatedly observed in different cyber attacks that companies had some insight into. There's no source validation, no central repository, no proven connection to groups past or present, and no way of tracking individual group members (assuming that you did discover one or two) over time.

To make matters worse, the attribution methodology itself includes mistranslation and errors of fact and even something dubbed "hat-tribution" instead of in-country confirmation of data, arrests of suspects and convictions. And that's by two companies with former military and law enforcement officers in their leadership who should know better.

The authors, to their credit, dedicate one paragraph of their 34-page paper to mentioning the danger of cognitive and political biases. Ironically, the example they choose to use has to do with the Saudi Aramco attack and the danger of blaming it on a Shia activist. In fact, it was a Shia activist employee that was responsible for that attack. A better example would have been pointing out how many years Mandiant insisted that every APT attack that targeted IP was in fact an attack by the Chinese government. Not only did the authors fail to mention that multi-year error, but neither has Mandiant's Richard Bejtlich, who promised this author during a phone call in 2013 that the company was going to address it. I should note here that Richard Bejtlich is also a new Ph.D. student studying under Tom Rid. Perhaps Tom could ask Richard to honor his commitment to explain how Mandiant refused to see what its critics had seen during those years of heavy APT marketing.

Part II of the paper focuses on the nitty-gritty of forensics, which is interesting but unfortunate because the investigator is simply looking at what the attacker wants him to see.

Part III of the paper is about how nation states sell the illusion that they know who did it. Why the authors felt the need to include this section is beyond me. Selling a faulty analysis to the United Nations about WMDs in Iraq is something that the U.S. government is well-known for and frankly ridiculed for. Part III also includes numerous examples of how actors known only by names given to them by a security company (Kaspersky's Careto, Duqu and Flame for example) responded to the reports being made public. That's nice, but at the end of the day, Kaspersky Lab didn't identify the specific individuals involved, hence no attribution was made.

"Our analysis of the practice of attribution calls into question several commonly held positions in the debate on cyber security. One is that offenders from criminals to spies to saboteurs can cover their traces, stay anonymous online, and hide behind the attribution problem. But attribution is not just possible; it has been happening successfully for a long time. Attackers cannot assume that they can cause serious harm and damage under the veil of anonymity and get away with it."

The above quote comes from Rid and Buchanan's conclusion, with my emphasis added. If attribution has been happening successfully for a long time, where are the arrests and convictions? The only successes that the FBI and international law enforcement have had have been against low-level hacktivists associated with Anonymous or LulzSec, or in the area of financial crime. Today, the FBI and the NSA are certain that North Korea attacked Sony in spite of a mountain of evidence that suggests otherwise. One of the authors of this paper, Tom Rid, called the U.S. government's call on Sony "as good as it gets" on Twitter. That he believes that to be true is the most damning part of this review.

"Responsible Attribution: A Prerequisite for Accountability" by Jeffrey Carr - a NATO Cooperative Cyber Defense Centre of Excellence paper, Tallinn, Estonia.