The Arcane Art of Attribution


“Home and office routers come under attack by China state hackers, France warns” – Ars Technica headline.

This story was shared in my team’s Slack channel a few weeks ago and prompted a short conversation: how do we know it’s China? Are we just checking the IPs on the incoming messages? What if someone is just pretending to be from China? Who is a credible source for this kind of information?

So I thought I’d put together a few quick words as an introduction to a school of Cyber Security that’s less glorified than Red Teaming, less ubiquitous than Blue Teaming, and slightly less brain-breaking than Cryptography. Attribution is the act of ascribing an event or task to a subject. In other industries that may mean answering “Who first coined this common phrase?” or “Who painted this ancient mural?”; in security it’s “Who keeps trying to DDoS us?”. As with many security-related fields, Attribution is a growing discipline, with some detractors and some supporters, and many people still trying to figure out the best ways of achieving good outcomes.

How does it work?

To answer the first questions raised in our conversation: No, we are not just looking at inbound IPs and saying with confidence that an attack originates from a given country. That said, gathering technical information about the network and computers involved in an attack is a good first step in the process. More information can be gleaned by looking at the process an attacker employs in a given event or series of events. The recent trend is to analyse attacks through the lens of Tactics, Techniques, and Procedures (TTPs), a framing borrowed from terrorism analysis in the physical world of attributions. TTP analysis involves trying to understand repeated patterns of behaviour within given groups of attackers, be they state actors or large criminal enterprises. A common tool to aid this understanding is the MITRE ATT&CK framework, a globally accessible knowledge base of TTPs designed to be used to develop specific threat models and methodologies. Using this shared body of information from past events, experts can recognise patterns in both the technologies and the techniques employed in a cyber attack incident and infer who was behind it.

Yo Ho Hoist the Flag

A common question and concern is the idea of False Flag Attacks. The phrase doesn’t actually come from ye olde pirate days; in fact, it has always been used in the figurative sense. It means an act committed to disguise the actual source of responsibility in an attempt to pin the blame on a third party. The potential for false flags makes the already challenging task of attribution significantly harder and adds the risk of mistakenly accusing a third party of malice. Given the trend towards cyber attacks in nation-state contests, this could have significant consequences as intelligence agencies attribute attacks, potentially damaging relationships and starting feuds.

Research into the efficacy of False Flags planted throughout the kill chain continues and will hopefully yield meta-analysis in which the attempts to hide reveal the attackers themselves. Even when False Flags are detected, as with Russia’s attempt to pin “Olympic Destroyer” on North Korea, they can still be useful for slowing down attribution and lowering public confidence in the outcomes of the investigation.
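To make the TTP-overlap idea from the previous section concrete, and to show why a single planted indicator should not flip an attribution, here is an added example (mine, not the author’s, and not a MITRE tool). The technique IDs are real ATT&CK identifiers, but the three actor profiles, the incident observations and the threshold values are constructed for the example and describe no real group or investigation. The score is a weighted Jaccard overlap: techniques shared by every known actor (phishing, scripting) are down-weighted, techniques unique to one actor count for more, and no actor is named unless the best match is both strong and clearly ahead of the runner-up.

```python
"""Scoring an incident's observed TTPs against known actor profiles.

Added illustration for this post, not the author's code. Technique IDs are real
MITRE ATT&CK identifiers; the actor profiles and incident observations below are
constructed for the example and describe no real group or investigation.
"""
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass

# Constructed profiles: hypothetical actors and the ATT&CK techniques seen in
# their past incidents. Real profiles would come from ATT&CK's group pages and
# your own incident history.
ACTOR_PROFILES: dict[str, set[str]] = {
    "ACTOR-A (hypothetical)": {"T1566", "T1059", "T1071", "T1003", "T1021", "T1486"},
    "ACTOR-B (hypothetical)": {"T1566", "T1190", "T1059", "T1105", "T1027", "T1547"},
    "ACTOR-C (hypothetical)": {"T1133", "T1078", "T1082", "T1071", "T1003"},
}

# Constructed incident observations (not from any real investigation).
INCIDENT_MATCHING = {"T1566", "T1059", "T1003", "T1021", "T1486"}
INCIDENT_GENERIC = {"T1566", "T1059"}                 # only techniques most actors share
INCIDENT_FALSE_FLAG = INCIDENT_MATCHING | {"T1547"}   # plus one planted ACTOR-B-only marker


@dataclass
class Assessment:
    actor: str
    score: float          # weighted Jaccard overlap, 0..1
    shared: list[str]     # techniques seen both in the incident and in the profile


def technique_weights(profiles: dict[str, set[str]]) -> dict[str, float]:
    """Inverse-frequency weights: a technique every actor uses says little about
    who did it; one unique to a single actor is far more discriminating.
    Weight = ln(1 + actors / actors_using_technique)."""
    n = len(profiles)
    counts = Counter(t for ttps in profiles.values() for t in ttps)
    return {t: math.log(1 + n / c) for t, c in counts.items()}


def score_incident(observed: set[str], profiles=ACTOR_PROFILES) -> list[Assessment]:
    """Rank every profile by weighted overlap with the observed techniques."""
    weights = technique_weights(profiles)
    unseen = math.log(1 + len(profiles))  # a technique no profile has is treated as rare

    def w(t: str) -> float:
        return weights.get(t, unseen)

    ranked = []
    for actor, ttps in profiles.items():
        shared = observed & ttps
        union = observed | ttps
        score = sum(w(t) for t in shared) / sum(w(t) for t in union)
        ranked.append(Assessment(actor, round(score, 3), sorted(shared)))
    ranked.sort(key=lambda a: a.score, reverse=True)
    return ranked


def attribute(observed, profiles=ACTOR_PROFILES, min_score=0.5, min_margin=0.15):
    """Name an actor only when the best match is strong AND clearly ahead of
    the runner-up; otherwise return None and let the analyst see the ranking."""
    ranked = score_incident(observed, profiles)
    best = ranked[0]
    runner_up = ranked[1].score if len(ranked) > 1 else 0.0
    if best.score < min_score or best.score - runner_up < min_margin:
        return None, ranked
    return best.actor, ranked


if __name__ == "__main__":
    for name, incident in [("matching", INCIDENT_MATCHING),
                           ("generic only", INCIDENT_GENERIC),
                           ("false flag", INCIDENT_FALSE_FLAG)]:
        actor, ranked = attribute(incident)
        print(f"{name:13s} -> {actor or 'no confident attribution'}")
        for a in ranked:
            print(f"    {a.actor:24s} {a.score:.3f}  shared={a.shared}")
```

Run stand-alone, the “matching” incident attributes to ACTOR-A, the incident made only of widely shared techniques attributes to nobody (its best score sits well under the threshold), and the “false flag” incident still attributes to ACTOR-A, but with a visibly lower score: the planted ACTOR-B marker lowers confidence without flipping the result, which is exactly the slowing-down effect the section above describes. The weighting and the 0.5 / 0.15 thresholds are assumptions chosen for illustration; real attribution also draws on infrastructure reuse, malware lineage, timing and language artefacts, none of which this scorer models.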

So who do you trust?

With the discipline maturing and malicious actors being wise to the game, who is an appropriate authority on attributions? Political interests and economic incentives further complicate the question. These conflicts of interest mean findings from many world governments come with large grains of salt, and the lack of interest and funding in the private sector can mean little due diligence is done to confirm findings from government agencies.

As with many things, I argue that the best solution to this problem is through community consensus. Meta-analysis of multiple attribution findings is more likely to yield trustworthy results than any individual agency or company report. However, staying across multiple investigations from various countries is a lot of work, and most of us don’t have the time to keep up. As such, I’d recommend finding a source who does that work for you. I’ve found Patrick Gray and Brian Krebs to be reliable sources of information for both attribution and broader cyber security news.

Wrapping it up

Attribution is more of an art than a science. An investigation will rarely yield evidence considered adequate for a court case. Even without malice from government agencies, mistakes happen and attribution can be pointed at the wrong target.

Most news companies are in the business of clicks rather than information these days. They know that a headline about Russia or China is more likely to drive audience engagement than one about a member of Five Eyes.

Make sure you treat all findings with a healthy level of scepticism and don’t take rash actions based on other people’s findings.