The Most Comprehensive Data Protection Solution

Discover, classify, and protect your data from all threats with the only Gartner Magic Quadrant DLP and Forrester Wave EDR Leader.

First and Only Solution to Converge:

  • Data Loss Prevention
  • Endpoint Detection and Response
  • User and Entity Behavior Analytics
DATAINSIDER

Digital Guardian's Blog

Premature Attribution



Technology in general and information security specifically have changed so dramatically in the past 10 years that it’s difficult to even remember how things were a decade ago. Nearly everything has shifted and evolved, but one of the few things that’s remained the same is the minefield of attribution.

The events of the last week have served as a clear reminder of just how hard it can be to identify the source of an attack, let alone what the attacker’s intentions were. On Dec. 29, the FBI and the Department of Homeland Security released a Joint Activity Report describing long-term hacking operations against United States government and private sector organizations, some of which is tied to the intrusion at the Democratic National Committee. The report attributes the campaigns, called Grizzly Steppe, to various Russian intelligence services, known threat actors that have been tracked by security researchers for years.

It’s virtually unprecedented for federal law enforcement agencies to make direct, public attribution for a hacking campaign, something the report acknowledges. But the agencies say their confidence comes from technical indicators provided both by government and private sector sources.

“Previous JARs have not attributed malicious cyber activity to specific countries or threat actors. However, public attribution of these activities to RIS is supported by technical indicators from the U.S. Intelligence Community, DHS, FBI, the private sector, and other entities,” the report says.

“This activity by RIS is part of an ongoing campaign of cyber-enabled operations directed at the U.S. Government and its citizens...The U.S. Government confirms that two different RIS actors participated in the intrusion into a U.S. political party.”

The report goes on to describe a typical spearphishing campaign that was used by one of the Russian groups to infiltrate the DNC. The attack tricked a victim into changing an email password on a server controlled by the attackers, who then dug into the network and made off with data from top party officials. The problem is that the evidence supplied in the JAR is confusing and meandering and attempts to tie together a wide range of activity and techniques that have been used by many other groups for years. As my friend Paul Roberts wrote on The Security Ledger, the report may have made things worse.

“The effect was to water down the report while dangerously muddying the public’s understanding of what Russian government hackers are and are not doing,” Roberts wrote.

Russian government hackers--like U.S. government hackers--are doing plenty. But they’re not doing everything. “Russian hackers” has become a catchall phrase that people use when they’re not really sure what happened or want to make it seem like they got beat by the best. It’s the modern equivalent of saying your bank was robbed by the Dillinger gang.

A case in point is the sensational story that appeared in the Washington Post last weekend saying that the same Russian group that had compromised the DNC had infiltrated the network of a power company in Vermont. The story was attributed to anonymous sources, and officials at Burlington Electric quickly issued a statement saying that the company had discovered malware used in the Grizzly Steppe operation on one laptop not connected to the power grid. The malware, as mentioned above, has been used in many other places and can’t be seen as an indication that Russia is trying to hack the power grid.

“Federal officials have indicated that this specific type of Internet traffic also has been observed elsewhere in the country and is not unique to Burlington Electric. It’s unfortunate that an official or officials improperly shared inaccurate information with one media outlet, leading to multiple inaccurate reports around the country,” the statement from Burlington Electric says.

The rush to point the finger at someone, anyone, for high-profile attacks doesn’t do anyone any good. The Grizzly Steppe report may have served some political purposes, but in the long term it only makes things more confusing for security professionals and observers who are trying to make heads or tails of an already complicated story.

Dennis Fisher

ANALYST REPORTS

Gartner 2017 Magic Quadrant for Enterprise Data Loss Prevention (DLP)

Dennis Fisher

Dennis Fisher is editor-in-chief at Duo Security. He is an award-winning technology journalist who has specialized in covering information security and privacy for the last 15 years. Prior to joining Duo, he was one of the founding editors of On the Wire, Threatpost and previously covered security for TechTarget and eWeek.