Attributing Cyberattacks

New paper: "Attributing Cyber Attacks," by Thomas Rid and Ben Buchanan:

Abstract: Who did it? Attribution is fundamental. Human lives and the security of the state may depend on ascribing agency to an agent. In the context of computer network intrusions, attribution is commonly seen as one of the most intractable technical problems, as either solvable or not solvable, and as dependent mainly on the available forensic evidence. But is it? Is this a productive understanding of attribution? This article argues that attribution is what states make of it. To show how, we introduce the Q Model: designed to explain, guide, and improve the making of attribution. Matching an offender to an offence is an exercise in minimising uncertainty on three levels: tactically, attribution is an art as well as a science; operationally, attribution is a nuanced process not a black-and-white problem; and strategically, attribution is a function of what is at stake politically. Successful attribution requires a range of skills on all levels, careful management, time, leadership, stress-testing, prudent communication, and recognising limitations and challenges.

Posted on January 6, 2015 at 6:50 AM • 19 Comments


Grauhut • January 6, 2015 11:40 AM

This paper imho contains way too much tinfoil hat conspiracy theory stuff. :)

"What was the motive? is a query that will require developing hypotheses"...

They try to identify conspiracies by attributing events to oh so big enemies where script kiddies stumbled upon something, told others and some tried then to make a business out of it.

Smells like cyber warriors "re-searching" for a good war.

John • January 6, 2015 1:04 PM

Just to play a little devil's advocate:

The single thing the NSA has at this time in its power as a GPA is attribution, the all seeing eye, "should" be able to tell us the agent. Yet they do not. Anyone who has filed an incident report with US-CERT can tell you this, you won't get jack shit back from them. This imo is the single point of undeniable failure of that agency. Had they actually dished out info to us, they might not have had just a backlash with respect to Whistleblower, Ed Snowden. This is also the best leverage we have to strip them of this ability and power, they have failed to use this ability to do the single best thing it could have been used for.

Clive Robinson • January 6, 2015 1:07 PM

Warning the site wants you to have cookies enabled, which is poor practice in this day and age.

Whatever • January 6, 2015 4:42 PM

Simple questions to ask yourself (and your experts) before doing any attack attribution:

* What was stolen/exfiltrated? Who does this benefit? Is there a pattern we have seen before?

* What does the attack tell us of the attacker? Who has the capability / who does not?

* What were we doing / what were others doing? Can we tie this attack to a recent event?

* Who is our enemy? Who are the players / Who are not? Who would lose too much if they were detected?

Sancho_P • January 6, 2015 5:39 PM

@ Whatever

Probably the very first question before any attribution would be:

“Do we have to point at anybody else but us?”

SoWhatDidYouExpect • January 6, 2015 7:12 PM

Speaking of cyber-attacks...

Report: DHS Failing On Cybersecurity

From the Slashdot posting:

The report, "A Review of the Department of Homeland Security's Missions and Performance (PDF)," was released on Saturday. In it, the outgoing Senator said that DHS's strategy and programs "are unlikely to protect us from the adversaries that pose the greatest cybersecurity threat."

Apparently another Pogo observation...we have found the enemy and it is us.

Sancho_P • January 7, 2015 5:11 AM

Re Jack Goldsmith

Isn’t it despairing to read such an unethical opinion from a well reputed person?

Attribution is easy! Just point at $official_enemy! • January 7, 2015 5:18 AM

Attributing cyber attacks is easy peasy.

"It was $official_enemy".

No evidence required.

This is why we need an international independent open group of experts to investigate acts of cyber-aggression. Instead we get fear-mongering FBI or NSA spooks spouting unsubstantiated accusations. They don't even have to make up a tiny shred of evidence, let alone hint at having any kind of credible evidence, let alone have a transparent investigation open to public scrutiny. It doesn't matter. The media, even here in Western Europe, will avidly regurgitate the worst fear-mongering regardless of FBI and NSA and their ilk repeatedly and openly lying on public record, as if these were organisations one could trust, as if the Iraq WMD lies and the Clapper lies never happened!!!

We don't need North Korea or Russia or China to be profoundly cyber-unsafe. Who needs enemies with traitor governments like that, who undermine our own infrastructure, act with the responsibility of infants, persecute whistleblowers, seem to think cybersecurity is about 100% offensive hacking and 0% cautiousness, and then blame others.

Terry Cloth • January 7, 2015 9:15 AM

``Successful attribution''

@Attribution is easy!

Yeah, my first thought was that ``successful attribution'' is a different thing from accurate attribution. I suspect the U.S. government considers blaming North Korea a successful attribution.

Gordo • January 7, 2015 11:00 AM

Quick Responses to Schneier on Attribution in the Sony Hack

“The problem with saying that the ‘secrecy of the NSA’s sources and methods is going to have to take a back seat to the public’s right to know’ is that public knowledge could exacerbate the cyber threat. For when other countries know those aspects of those sources and methods, they can hide their tracks better in the next attack.” - Jack Goldsmith, Lawfare Blog

U.S. Spies Say They Tracked ‘Sony Hackers’ For Years

“The FBI and U.S. intelligence agencies for years have been tracking the hackers who they believe to be behind the cyber attack on Sony, according to current and former American officials. And during that long pursuit, U.S. agencies accumulated still-classified information that helps tie the hackers to the recent Sony intrusion.” - Shane Harris, The Daily Beast

Organizations holding this kind of classified information are showing themselves to be passive, at best reactive. Information sharing, insofar as it serves to alert, is proactive, defensive. If the objective is to maintain a visibility advantage, i.e., the status quo, i.e., “acceptable losses,” then we have a perpetual “fighting the last battle.” Upping the ante, i.e., shining the light or proactive defense, forces adversaries to work harder, narrows the pool of capable suspects, allows for better use of scarce technical talent, and exhibits a forward-looking mission-purpose that some might mistake for leadership.

A couple of relatively open-ended “if’s:”
- If Internet balkanization continues (by way of both the private sector and nation states), does visibility diminish?
- If encrypting everything (both at rest and in transit) becomes the norm, does data theft diminish?
- If classified threat intelligence goes transparent (is openly shared and timely), does unauthorized-access incidence diminish?

gordo • January 9, 2015 5:28 AM

Attribution claims, information veracity, and trust climates…

On December 9, 2014, the U.S. Senate Select Committee on Intelligence (SSCI) released its Committee Study of the Central Intelligence Agency’s Detention and Interrogation Program. Ten days later, on December 19th, the FBI, in its Update on Sony Investigation press release said, “the FBI now has enough information to conclude that the North Korean government is responsible for these actions.”

A key point in the SSCI study, as reported by The New York Times, was that the “The C.I.A. misled members of Congress and the White House about the effectiveness and extent of its brutal interrogation techniques.” The news-cycle for this controversial story was strong and still going when the FBI announced its attribution findings on the Sony hack.

When one adds to that a generally accepted cultural lens or norm for assessing information veracity, “trust, but verify,” which entered the American, if not international, lexicon, well before the end of the Cold War, then it should come as no surprise that some might be wary of the FBI’s attribution claim, and want to see harder evidence.

As so, it took less than a month for a disparaging cultural meme to enter the public discourse on the subject. As reported by The Daily Beast, FireEye’s Richard Bejtlich said, “I don’t expect anything the FBI says will persuade Sony truthers” (para. 12).

One hopes that as the heat of the moment recedes, so too, such sentiments, especially those that might be construed as blanket, or broad-brush in tone, and coming from persons in positions of authority and influence within the security community. With regard to Mr. Schneier, I believe he’s struck a proper tone, as has, for example, Marc Rogers, of CloudFlare, Inc., and Defcon Communications, who told The Huffington Post that he has the same problems with Norse’s claims that he has with the FBI’s (para. 10).

Looking ahead then, and getting back to the Rid and Buchanan paper, Attributing Cyber Attacks, the title of this thread, we read from the authors’ concluding paragraph that a hope they have is that their text,

“... will help senior leaders in public administration as well as parliament to understand how evidence was generated, to ask better-informed questions, to detect perception bias, and thus to probe and improve the output” (p. 30).

One hopes, as well, as these kinds of nation-state matters come under U.S. congressional oversight, that Congress and the American people do in fact receive from their government agencies the respect that, at times, seems long overdue.

VinnyG • January 9, 2015 1:59 PM

@gordo re - thanks, that might just be the funniest web page satire I've seen since the old "Windows RG" page. The unfunny thing about it is that the attribution there may well be of the same order of accuracy as that made by the Flatulent Buffoonish Instigators...


gordo • January 10, 2015 3:41 PM


Thanks, hearing that system sound on the old "Windows RG" page brought fond memories! Reboot!

I think the attribution generator might find itself part of a long tradition. Let's not forget these guys, in a publicity pic from the lost film, In the Clutches of the Gang (1914).

Then there's this story line from The Gangsters (1913):

An amusing burlesque of gang fighters. The police go after them, one by one, and each guardian of the peace is caught and despoiled of his clothing and compelled to return to the station. The police put a dummy officer on a plank extending out into the water, and when the gangsters go after him the live police close in on them and a battle royal takes place in the water.

gordo • January 11, 2015 11:39 PM

Whether one agrees with the first half of the following headline or not, the second half of the headline gets at the underlying issue.

The Feds Got the Sony Hack Right, But the Way They’re Framing It Is Dangerous

…the critics accurately state that technical analysis is prone to bias and error, making inherent trust in the government’s theory unwise. The evidence presented so far does not accurately show that North Korea was responsible for the Sony attack. And by its nature, the information security community does not generally accept “because I said so” and “trust us” as adequate answers. Not blindly trusting information is exactly what makes for a good infosec professional. And asking tough questions is an important part of solidifying theories and reaching appropriate conclusions. The FBI should have predicted this response from the community when it decided to publicly attribute while withholding significant portions of the evidence. What the government chose was a middle ground that not only polarized the community but set a bad precedent. More transparency would have strengthened the case and established a higher bar for attribution.

As so, Rid and Buchanan, in Attributing Cyber Attacks write:

Communicating attribution is part of attributing. In complex scenarios, only a small fraction of the attribution process will be visible to senior officials and politicians, and an even smaller fraction to the public. Preparing and managing that portion will determine how an agency’s activities are perceived, by the political leadership, by the technical expert community, and by the general public. In many ways, the communication of the process characterises the process for others. Publicising intelligence can harm sources as well as methods. Release decisions are difficult, and officials will often err on the side of caution and secrecy. There are many good reasons for doing so. Yet, perhaps counter-intuitively for those steeped in a culture of secrecy, more openness has three critical benefits: communicating more details means improved credibility, improved attribution, and improved defences. (p. 23)

As well, here’s how Rid and Buchanan began their article:

Attribution is the art of answering a question as old as crime and punishment: who did it? Doing attribution well is at the core of virtually all forms of coercion and deterrence, international and domestic. Doing it poorly undermines a state’s credibility, its effectiveness, and ultimately its liberty and its security. (p. 1)


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.