
Attributing Cyber Attacks

Abstract

Who did it? Attribution is fundamental. Human lives and the security of the state may depend on ascribing agency to an agent. In the context of computer network intrusions, attribution is commonly seen as one of the most intractable technical problems, as either solvable or not solvable, and as dependent mainly on the available forensic evidence. But is it? Is this a productive understanding of attribution? — This article argues that attribution is what states make of it. To show how, we introduce the Q Model: designed to explain, guide, and improve the making of attribution. Matching an offender to an offence is an exercise in minimising uncertainty on three levels: tactically, attribution is an art as well as a science; operationally, attribution is a nuanced process not a black-and-white problem; and strategically, attribution is a function of what is at stake politically. Successful attribution requires a range of skills on all levels, careful management, time, leadership, stress-testing, prudent communication, and recognising limitations and challenges.

Acknowledgements

The authors wish to thank Dmitri Alperovitch, Ross Anderson, James Allen, Richard Bejtlich, Kurt Baumgartner, Kristen Dennesen, Brandon Dixon, Vicente Diaz, Alexander Gostev, Mike Goodman, Bob Gourley, Clement Guitton, Nathaniel Hartley, Jason Healey, Eli Jellenc, Robert Lee, Joe Maiolo, Sergei Mineev, Daniel Moore, Ned Moran, David Omand, Costin Raiu, Marcus Sachs, Igor Soumenkov, Jen Weedon, two anonymous reviewers, and members of the intelligence and security community in the United Kingdom and the United States who have to remain unnamed. Several companies provided valuable insights, especially CrowdStrike, FireEye, Kaspersky Lab, and Booz Allen Hamilton. The views expressed in this paper are solely those of the authors; potential mistakes are their responsibility alone.

Notes

1 For an early contribution, see David A. Wheeler and Gregory N. Larsen, Techniques for Cyber Attack Attribution (Alexandria, VA: Institute for Defense Analysis 2003); Richard Clayton, Anonymity and Traceability in Cyberspace, Vol. 653, Technical Report (Cambridge: Univ. of Cambridge Computer Laboratory 2005); Susan Brenner, ‘“At Light Speed”: Attribution and Response to Cybercrime/Terrorism/Warfare’, The Journal of Criminal Law & Criminology 97/2 (2007), 379–475. For an early case study, see Clifford Stoll, The Cuckoo’s Egg (New York: Doubleday 1989).

2 ‘Perhaps the most difficult problem is that of attribution’, P.W. Singer and Allan Friedman, Cybersecurity and Cyberwar (New York/Oxford: OUP 2014), 73. See also David Betz and Tim Stevens, Cyberspace and the State, Adelphi Series (London: IISS/Routledge 2011), 75–6.

3 See, for instance, W. Earl Boebert, ‘A Survey of Challenges in Attribution’, in Committee on Deterring Cyberattacks (ed.), Proceedings of a Workshop on Deterring Cyberattacks (Washington DC: National Academies Press 2011), 51–2. Also Martin Libicki, Cyberdeterrence and Cyberwar (Santa Monica, CA: RAND Corporation 2009), 43.

4 Jack Goldsmith and Tim Wu, Who Controls the Internet? Illusions of a Borderless World (Oxford: OUP 2006).

5 Mike McConnell, ‘How to Win the Cyberwar We’re Losing’, Washington Post, 28 Feb. 2010.

6 See Matthew C. Waxman, ‘Cyber-Attacks and the Use of Force’, The Yale Journal of International Law 36 (2011), 421–59, 447; Nicholas Tsagourias, ‘Cyber Attacks, Self-Defence and the Problem of Attribution’, Journal of Conflict & Security Law 17 (2013), 229–44. For a discussion of the levels of attribution necessary for the use of force, see Marco Roscini, Cyber Operations and the Use of Force in International Law (Oxford: OUP 2014), 33–40.

7 Former Secretary of Defense Leon Panetta famously said on the USS Intrepid, ‘the [DoD] has made significant advances in solving a problem that makes deterring cyber adversaries more complex: the difficulty of identifying the origins of an attack.’ Leon Panetta, ‘Remarks on Cybersecurity to the Business Executives for National Security’, New York City, Washington DC: Department of Defense, 12 Oct. 2012.

8 David D. Clark and Susan Landau, ‘Untangling Attribution’, in Committee on Deterring Cyberattacks (ed.), Proceedings of a Workshop on Deterring Cyberattacks (Washington DC: National Academies Press 2011). See also Jason Healey, A Fierce Domain (Washington DC: The Atlantic Council 2013), 265.

9 Robert K. Knake, ‘Untangling Attribution: Moving to Accountability in Cyberspace’, Planning for the Future of Cyber Attack, Washington DC: Subcommittee on Technology and Innovation, 111th Congress, 15 July 2010.

10 The most influential articles on intrusion analysis seem to assume that the evidence speaks for itself, as they do not focus on the problem of communicating results to a non-technical audience. The two most influential and useful contributions are the ‘Diamond Model’, see Sergio Caltagirone, Andrew Pendergast and Christopher Betz, The Diamond Model of Intrusion Analysis, ADA586960 (Hanover, MD: Center for Cyber Threat Intelligence and Threat Research 5 July 2013), as well as the ‘Kill Chain’ analysis, see Eric M. Hutchins, Michael J. Cloppert and Rohan M. Amin, Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains (Bethesda, MD: Lockheed Martin Corporation 2010).

11 See Boebert, ‘A Survey of Challenges in Attribution’, 41–54. For a wider perspective, see Amir Lupovici, ‘The “Attribution Problem” and the Social Construction of “Violence”’, International Studies Perspectives 2014, 1–21.

12 Carl von Clausewitz used coup d’œil to describe ‘military genius’, the ‘inward eye’ that enables good commanders to make the right tactical decisions under stress, information overload, and time constraints; see Carl von Clausewitz, On War, translated by Michael Howard and Peter Paret (Princeton UP 1976), 100–12.

13 Q alludes to a number of things: first and foremost it hints at questions, the crux of attribution. Q also links to quartermaster, a type of naval officer with particular responsibility for signals and steering. The etymological root of ‘cyber’ is κυβερνώ (kyvernó̱), to steer.

14 The model is deliberately designed neither as a flowchart nor as a checklist. In several focus group sessions with operators it became clear that any linear representation would not be able to reflect the uniqueness and varied flow of the wide range of cases investigators handle.

15 For an overview see Jon R. Lindsay, ‘Stuxnet and the Limits of Cyber Warfare’, Security Studies 22/3 (2013), 365–404.

16 The exception may be some forms of crime. Identifying a monetary incentive is easier than examining a political incentive.

17 Staff with a more abstract and formal training, for instance those with a mathematical background, may be inclined to formalise cyber security problems. This can be counterproductive. Abstraction can conceal a lack of insight. For an example of highly questionable formalisation and faux-precision, see Robert Axelrod and Rumen Iliev, ‘Timing of cyber conflict’, PNAS 111/4 (28 Jan. 2014), 1298–303. Even the mathematical formalism in one widely used model for intrusion analysis, the so-called ‘Diamond Model,’ may imply an exaggerated degree of precision. Caltagirone, Pendergast and Betz, The Diamond Model of Intrusion Analysis.

18 For an overview of Moonlight Maze, see Adam Elkus’s chapter in Healey, A Fierce Domain, 152–63.

19 Author interviews with former members of JTF-CND and the FBI’s Moonlight Maze Task Force, Washington DC, Sept. to Nov. 2014.

20 Nathaniel Hartley, Hat-tribution to PLA Unit 61486, CrowdStrike, 9 June 2014; see also Putter Panda, CrowdStrike, 9 June 2014.

21 Author communication, by email, 6 Aug. 2014. The significance of persona research is highly controversial among the leading cyber security firms, with FireEye and Kaspersky being more sceptical. Focus group session with FireEye staff, Reston, VA, 15 Sept. 2014 and with Kaspersky staff, Barcelona, 8 Oct. 2014.

22 The indictment will be discussed in some detail later in this paper.

23 Richard K. Betts, ‘Analysis, War, and Decision: Why Intelligence Failures Are Inevitable’, World Politics, 31/1 (Oct. 1978), 61–89, 61.

24 Analysts repeatedly and unanimously voiced scepticism towards linear ‘checklists’ in a number of focus group sessions in the private and public sectors over the summer of 2014.

25 We will not have space to introduce these examples in detail, and will therefore provide references to the most authoritative source in each case. These sources are sometimes academic publications, but more often company reports.

26 Eric M. Hutchins, Michael J. Cloppert and Rohan M. Amin, Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains (Bethesda, MD: Lockheed Martin Corporation 2010), 3.

27 An exception is denial of service attacks. These seek to deny availability of certain computer systems by overwhelming them with basic, often meaningless, data.

28 Uri Rivner, Anatomy of an Attack, RSA, 1 April 2011.

29 According to an internal State Department cable made public by WikiLeaks, ‘Since 2002, [US government] organizations have been targeted with social-engineering online attacks’ which resulted in ‘gaining access to hundreds of [US government] and cleared defense contractor systems’. Brian Grow and Mark Hosenball, ‘Special report: In cyberspy vs. cyberspy, China has the edge’, Reuters, 14 April 2011.

30 Nicole Perlroth, ‘Hackers Lurking in Vents and Soda Machines’, New York Times, 8 April 2014, A1.

31 For an example, see ‘Is This MITM Attack to Gmail’s SSL?’, Google Product Forums, <http://bitly.com/alibo-mitm+>; also Seth Schoen and Eva Galperin, ‘Iranian Man-in-the-Middle Attack Against Google Demonstrates Dangerous Weakness of Certificate Authorities’, Electronic Frontier Foundation, 29 Aug. 2011. See also Nicholas Weaver, ‘A Close Look at the NSA’s Most Powerful Internet Attack Tool’, Wired, 13 March 2014.

32 The Epic Turla Operation, Kaspersky Lab, 7 Aug. 2014.

33 Author interviews with various operators, Summer 2014.

34 United States of America v Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, Gu Chunhui, Criminal Nr 14-118, Erie, PA: US District Court Western District of Pennsylvania, 1 May 2014, Exhibit F.

35 On 6 Aug. 2014, for instance, FireEye disclosed an operation in which ‘malware appears to beacon to legitimate domains’, in an attempt to ‘lull defenders into a false sense of security’, see Ned Moran, Joshua Homan and Mike Scott, Operation Poisoned Hurricane, FireEye, 6 Aug. 2014.

36 Ned Moran and James Bennett, Supply Chain Analysis: From Quartermaster to Sun-shop, FireEye Labs, 11 Nov. 2013.

37 See Costin Raiu, ‘Inside the Duqu Command and Control Servers’, presentation at SOURCE Boston 2012, 4 May 2012, <http://youtu.be/nWB_5KC7LE0>.

38 The Symantec report on Duqu notes, ‘Duqu shares a great deal of code with Stuxnet; however, the payload is completely different. Instead of a payload designed to sabotage an industrial control system, it has been replaced with general remote access capabilities. The creators of Duqu had access to the source code of Stuxnet, not just the Stuxnet binaries [compiled versions],’ W32.Duqu, Version 1.4, Symantec, 23 Nov. 2011, 3.

39 United States of America v Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, Gu Chunhui, Criminal Nr 14-118, Erie, PA: US District Court Western District of Pennsylvania, 1 May 2014, 12–13, Exhibit F.

40 Author interview with Dmitri Alperovitch, Arlington, VA, 15 Sept. 2014; see also Global Threat Report, Arlington, VA: CrowdStrike, 22 Jan. 2014, 18.

41 Unveiling ‘Careto’, Version 1.0, Kaspersky Lab, 6 Feb. 2014, 46.

42 For example, elpais.linkconf[dot]net/ and elespectador.linkconf[dot]net, see ibid., 34.

43 Ibid., 46.

44 Nate Anderson and Cyrus Farivar, ‘How the feds took down the Dread Pirate Roberts’, Ars Technica, 3 Oct. 2013.

45 John Leyden, ‘The one tiny slip that put LulzSec chief Sabu in the FBI’s pocket’, The Register, 7 March 2012.

46 Dan Verton, Confessions of Teenage Hackers (New York: McGraw Hill 2000), 83.

47 Ron Rosenbaum, ‘Cassandra Syndrome’, Smithsonian Magazine 43/1 (April 2012), 12.

48 Ivanka Barzashka, ‘Are Cyber-Weapons Effective?’, RUSI Journal, 158/2 (April/May 2013), 48–56, 51.

49 Kim Zetter, ‘How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History’, Wired Magazine, 11 July 2011.

50 William Broad et al., ‘Israeli Test on Worm Called Crucial in Iran Nuclear Delay’, New York Times, 15 Jan. 2011.

51 APT1, Alexandria, VA: Mandiant, 18 Feb. 2013.

52 Gavin O’Gorman and Geoff McDonald, The Elderwood Project, Symantec, 6 Sept. 2012.

53 Author conversations with various analysts over the spring and summer of 2014 in Toronto, London, and Washington.

54 Christopher Drew, ‘Stolen Data Is Tracked to Hacking at Lockheed’, New York Times, 3 June 2011.

55 For a detailed description of the incident, see Thomas Rid, Cyber War will Not Take Place (Oxford/New York: OUP 2013), 26–9.

56 Ralph Langner, ‘Stuxnet’s Secret Twin’, Foreign Policy, 19 Nov. 2013.

57 Geoff McDonald, Liam O’Murchu, Stephen Doherty and Eric Chien, Stuxnet 0.5: The Missing Link, Version 1.0, Symantec, 26 Feb. 2013.

58 Ronald J. Deibert, Rafal Rohozinski and Masashi Crete-Nishihata, ‘Cyclones in Cyberspace’, Security Dialogue 43/1 (2012), 3–24.

59 Gauss, Kaspersky Lab, 9 Aug. 2012.

60 See David Shamah, ‘New virus may be US, Israeli digital strike against Hezbollah’, Times of Israel, 13 Aug. 2012.

61 ‘2014 Data Breach Investigations Report’, Verizon, 22 April 2014, 23.

62 Jim Finkle, ‘Exclusive: Insiders suspected in Saudi cyber attack’, Reuters, 7 Sept. 2012.

63 Jill Slay and Michael Miller, ‘Lessons Learned from the Maroochy Water Breach’, in E. Goetz and S. Shenoi (eds.), Critical Infrastructure Protection, Vol. 253 (Boston, MA: Springer 2008), 73–82.

64 Paul Quinn-Judge, ‘Cracks in the System’, Time, 9 June 2002.

65 Christopher Bronk and Eneken Tikk, ‘The Cyber Attack on Saudi Aramco’, Survival 55/2 (April–May 2013), 81–96.

66 Ralph Langner, ‘Stuxnet’s Secret Twin’, Foreign Policy, 19 Nov. 2013. For a detailed discussion of Stuxnet, see Kim Zetter, Countdown to Zero Day (New York: Crown 2014).

67 Andrea Peterson, ‘eBay asks 145 million users to change passwords after data breach’, Washington Post, 21 May 2014.

68 Siobhan Gorman, ‘Chinese Hackers Suspected in Long-Term Nortel Breach’, Wall Street Journal, 14 Feb. 2012.

69 Nicole Perlroth and Quentin Hardy, ‘Bank Hacking Was the Work of Iranians, Officials Say’, New York Times, 8 Jan. 2013.

70 Winston S. Churchill, The Gathering Storm: The Second World War, Volume 1 (New York: Rosetta Books 2002), 415.

71 Leon Panetta, ‘Remarks on Cybersecurity to the Business Executives for National Security’, New York City, Washington DC: Department of Defense, 12 Oct. 2012.

72 United States of America v Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, Gu Chunhui, Criminal Nr 14-118, Erie, PA: US District Court Western District of Pennsylvania, 1 May 2014, 11.

73 For an overview, see Kim Zetter, Countdown to Zero Day (New York: Crown, 2014).

74 Two of the most notable reports are APT1 and Putter Panda: APT1, Alexandria, VA: Mandiant, 18 Feb. 2013; Putter Panda, CrowdStrike, 9 June 2014.

75 Costin Raiu, Aleks Gostev, Kurt Baumgartner, Vicente Diaz, Igor Soumenkov, Sergey Mineev, interview with authors, Barcelona, 8 Oct. 2014. See Unveiling ‘Careto’, Version 1.0, Kaspersky Lab, 6 Feb. 2014.

76 Alexander Gostev, The Flame: Questions and Answers, Kaspersky Lab, 28 May 2012.

77 Vitaly Kamluk, ‘The Mystery of Duqu: Part Six’, Securelist, 30 Nov. 2011.

78 ‘Red October’ Diplomatic Cyber Attacks Investigation, Version 1.0, Kaspersky Lab, 14 Jan. 2013; Costin Raiu, Igor Soumenkov, Kurt Baumgartner and Vitaly Kamluk, The MiniDuke Mystery, Kaspersky Lab, 25 Feb. 2013; The ‘Icefog’ APT, Kaspersky Lab, 25 Sept. 2013.

79 Focus group session with Kaspersky Lab, Barcelona, 8 Oct. 2014; email communication with Costin Raiu, 12 Oct. 2014, 11:49 BST.

80 Threat Report: Beyond the Breach, Reston, VA: Mandiant, 18 Feb. 2014, 18.

81 Richard Bejtlich, email communication, 11 Oct. 2014, 01:41 BST.

82 One example is the so-called NetTraveler campaign, which simply moved its command-and-control servers to Hong Kong, then continued operating from there; email communication with Costin Raiu, 12 Oct. 2014, 11:49 BST. See The NetTraveler, Kaspersky Lab, 4 June 2013.

83 Sherman Kent, ‘Estimates and Influence’, Studies in Intelligence 12/3 (Summer 1968), 11–21.

84 Ibid.

85 Focus group sessions with analysts from the private and public sectors, Summer 2014.

86 Perhaps the best articulation of this view is Richard Clayton, Anonymity and Traceability in Cyberspace, Vol. 653, Technical Report (Cambridge: Univ. of Cambridge Computer Laboratory 2005).

87 See, for instance, Joseph S. Nye, Cyber Power (Fort Belvoir, VA: Defense Technical Information Center 2010).

88 For instance Michael McConnell, ‘Cyberwar is the New Atomic Age’, New Perspectives Quarterly 26/3 (Summer 2009), 72–7.

89 For one of the first articulations, see John Arquilla and David Ronfeldt, The Advent of Netwar (Santa Monica, CA: RAND 1996), 94; also Department of Defense, Cyberspace Policy Report, Nov. 2011, 2.

Additional information

Notes on contributors

Thomas Rid

Thomas Rid is a professor in the Department of War Studies at King’s College London. He is author of Cyber War Will Not Take Place (Oxford University Press/Hurst, 2013).

Ben Buchanan

Ben Buchanan is a PhD Candidate in War Studies and a Marshall Scholar. He is also a certified computer forensic analyst.
