The Stakes Are High In The Sony Attack Attribution Gamble

“The FBI has concluded the government of North Korea is responsible for the theft and destruction of data on the network of Sony Pictures Entertainment. Attribution to North Korea is based on intelligence from the FBI, the U.S. intelligence community, DHS, foreign partners and the private sector,” a spokeswoman said in a statement. “There is no credible information to indicate that any other individual is responsible for this cyber incident.” (Politico 29 DEC 2014)
“The administration stands by the FBI assessment,” (Wall Street Journal 30 DEC 2014)
I've been researching nation state and non-state cyber attacks since 2008 and I've never seen anything like the firestorm around the government's attribution of the Sony (NYSE: SNE) breach. In spite of mounting evidence to the contrary, neither the FBI nor the White House is showing any sign that they'll back down from their statements assigning responsibility for the breach to the government of North Korea, or from the President's promise of a proportionate response at a time and in a manner of his own choosing.

The stakes are high because if the White House is wrong, it means that a group of hackers comparable to LulzSec successfully mounted a false flag operation which pointed responsibility at North Korea. No other hacker group until today could make that claim, but many will be inspired to try. And the technique is easy enough to copy because our entire cyber attribution mechanism is inherently flawed. In order to convey just how flawed it is, here is FireEye COO Kevin Mandia on the topic of insiders:
"Every time we respond to an incident, it's way more likely than not someone assumes it's an insider." Mandia said in an interview. "Well, over 99 percent of the time, there is no insider involvement."
Now compare that assessment with two studies, one of which was conducted with the help of the U.S. Secret Service:
"Ponemon Institute's Survey on Data Security Breaches reveals that sixty-nine percent of companies reporting serious data leaks responded that their data security breaches were the result of either malicious employee activities or non-malicious employee error."
"A 2008 study by the U.S. Secret Service and Carnegie Mellon involving over 400 incidents in the Information and Telecommunications sector showed 27% were perpetrated by insiders."
That Kevin Mandia doesn't see any insiders when the evidence clearly shows otherwise is key to understanding the stakes in the Sony-DPRK attribution mess. Mandia and the company he founded in 2004 (Mandiant) are responsible for two of the rarest events in InfoSec: a DOJ indictment against 5 Chinese PLA soldiers for multiple acts of data theft in 2013, and the White House finding of responsibility against North Korea in the Sony case last month.

Mandiant's style of attribution is founded on the early-2000s bias that only state actors are interested in IP theft, since there's no money in it. Starting with that bias, Mandiant, McAfee, Symantec, and other early infused companies began collecting technical indicators from their investigations, grouping them by target category or other characteristics that they shared, and naming them. Mandiant used the name APT and numbered them: APT1, APT2, APT3, etc. CrowdStrike used the name Panda and came up with variations:

Every InfoSec company has its own naming convention, which would be fine if there were a central repository, required source validation, or any kind of oversight. There isn't, of course. No one knows if any of these groups are real. Attribution stops at the naming convention, not at the discovery, prosecution and conviction of an actual person. Companies simply make up their own designations and sell their proprietary intelligence to their customers and the federal government, including the FBI, which then adds it to its own classified database. You can see it for yourself by searching the WikiLeaks database.

When you invent a name for a collection of indicators and call it an "adversary", that isn't attribution. It's masturbation. It's also a ticking time bomb waiting to explode when the White House doesn't know enough or care enough to question its intelligence sources and methods. If a hacker group can fool the U.S. government into charging another nation state before they have concrete evidence in place, then what's to stop a more adversarial group from using the same tactics to create an incident that could lead to the next war? It certainly won't be our SIGINT capabilities.

One More Prediction
Should this blog post get wide circulation, expect to see more tweets like this one from Mandiant's Richard Bejtlich that deliberately misrepresented an old Forbes post of mine when everyone was speculating about Stuxnet. Personal attacks are the surest way to know that you've hit close to home.