It wasn’t so long ago that the question of attribution in the case of cyber attacks was moot. Attacks could come from anywhere in the world – at any time. And most attacks almost certainly came by way of a third party’s (compromised) infrastructure anyway. ‘Who knows!?!’ was the standard response to most questions about cyber attribution. Better to focus on the malware used or the software vulnerability that was exploited. There, at least, there was someone to blame: a neck to choke at the headquarters of Microsoft, Adobe or Oracle.
However, these days companies that want to play in the game of responding to cyber attacks can expect to be asked about the identity of those behind any incident. And they had better have something intelligent to say when they’re asked.
Indeed, cyber attribution is big business. Companies like Mandiant (now part of FireEye) have climbed to multi-billion dollar valuations by promoting the idea that ‘it’s not what attacked you, but who.’ Startups like CrowdStrike make threat intelligence – and adversary profiling – their calling card. The reasoning is simple: your attackers have an identity, a motive and a modus operandi. The more you know about those things, the better you can respond.
Despite the demand and market pressure to get past “what” and point a finger at “who,” the tools and techniques for doing so haven’t changed much. Incident response can yield lots of information about the source of attacks and the tools and techniques used to compromise a target. Command and control networks used to manage compromised assets can be documented – and linked to previous attacks against other targets.
But when it comes to connecting that data to real-world actors, solid lines turn to dotted lines – or no lines at all. Often the “threat actor” profile is built on open source information – email addresses gleaned from online bulletin boards and cross checked with social media posts, photos or other ephemera. Needless to say, there’s lots of Googling, but little in the way of “HUMINT” – human intelligence – to put individuals behind the terminals conducting attacks. And that means there’s lots of room for error.
The recent attack on Sony was a case in point – the days and weeks following that incident brought a stream of differing accounts of who or what was responsible, but nobody had a firm handle on the facts. As we now know, President Obama decided to move quickly to create a new government Cyber Intelligence Coordination Center in part because of his concern that there was no consistent account, within the government, of what had happened at Sony and who was responsible.
Now Forbes brings us the story of Gaza Strip resident Khalid Samraa, who found himself linked to the recent cyber attacks on Israeli government cyber assets dubbed “Arid Viper.”
Samraa was named in a report by the security firm Trend Micro because he was the registrant of a web domain that was part of the command and control (C&C) infrastructure used in the attack. Trend also noted some circumstantial evidence linking Samraa to anti-Israel groups. His email was associated with a Facebook group called Gaza Under Fire 2012.
But Samraa contends that he has no links to or knowledge of Arid Viper. He told Forbes that he registered the domains in question for a client of his web development and hosting business two years ago. Now he’s worried about the impact of Trend’s report on his business – and worries for his safety and that of his family.
“I am located in Gaza which directly puts my life in danger and anyone close to me, since I am accused of being a terrorist or launching attacks to Israel,” Samraa says. “Currently I am afraid to [have] my wife and kids anywhere near me, my associates and employees are afraid to even come to the company’s office, and I really do not know how to actually prove that I don’t have anything to do with these crimes.”
While it’s impossible to know who is telling the truth, what is clear is that our age of cyber crime is in desperate need of its Scotland Yard – sober and disciplined professionals who use state-of-the-art techniques and caution as they investigate crimes. Using ersatz “investigations” as marketing isn’t a great way to ensure that cyber incidents and crimes are carefully and properly investigated and the right parties brought to justice.
About Paul Roberts
Paul F. Roberts is the Editor in Chief of The Security Ledger and the founder of The Security of Things Forum.