This morning I read an article about attribution for cyber attacks and it just struck me that I believe too many people are hiding behind over-classification. The article was “What makes cyber attacks so hard to trace?”
I asked a good friend and I was told this could not be answered ‘in the open’, meaning the unclassified world.
In my humble opinion there shouldn’t be any problem answering this in the open, none whatsoever. Perhaps the only reason for this classification is to not reveal capabilities or limitations; it’s certainly not sources and methods.
It used to be a simple matter of examining the IDS logs and determining from which IP the attack came on the last hop before hitting the target. Now, that was in the 20th century, where we had to call up the ISP, once we had a court order, and ask for the IP address from which the attack had come previously. We’d continue on until there was no further hop, only an originating IP. If we had a judge on standby, it could be accomplished in a few hours, sometimes as little as four hours on the simple ones. But, for argument’s sake, let’s say 48 hours. From there Law Enforcement and Human Intelligence took over, depending on the jurisdiction. We were beholden, in the intelligence community, to take a back seat to law enforcement. Only occasionally did that relationship work out. It worked out in Solar Sunrise, where Ehud Tenenbaum in Israel was caught, along with two kids in California. I actually guessed that at least one of the attackers was in Israel on about the second or third day of that investigation, based on time zone analysis, using an ancient electronic Casio calendar with a rudimentary timezone map. I was surprised about three weeks later, when the arrests took place, at how accurate I was.
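The time-zone analysis mentioned above, as an added example that is not the author’s own code or tooling: it buckets constructed IDS alert timestamps by UTC hour and ranks whole-hour UTC offsets by how much of the activity would fall inside local working hours (assumed 08:00–18:00), returning the band of offsets the pattern cannot tell apart. The sample log lines, addresses and working-hours window are all constructed assumptions.

```python
"""Working-hours time-zone estimation over constructed IDS log timestamps."""
import re
from datetime import datetime

# Constructed sample alert lines with UTC timestamps; not from any real incident.
SAMPLE_LOG = """\
2013-03-20T06:12:41Z alert tcp 198.51.100.7 -> 203.0.113.5:22 ssh-brute
2013-03-20T07:05:03Z alert tcp 198.51.100.7 -> 203.0.113.5:22 ssh-brute
2013-03-20T08:44:19Z alert tcp 198.51.100.7 -> 203.0.113.5:80 web-scan
2013-03-20T09:31:55Z alert tcp 198.51.100.7 -> 203.0.113.5:80 web-scan
2013-03-20T10:02:10Z alert tcp 198.51.100.7 -> 203.0.113.5:443 web-scan
2013-03-20T11:47:27Z alert tcp 198.51.100.7 -> 203.0.113.5:22 ssh-brute
2013-03-20T12:15:00Z alert tcp 198.51.100.7 -> 203.0.113.5:22 ssh-brute
2013-03-20T13:58:36Z alert tcp 198.51.100.7 -> 203.0.113.5:80 web-scan
2013-03-20T14:20:48Z alert tcp 198.51.100.7 -> 203.0.113.5:80 web-scan
2013-03-20T15:39:12Z alert tcp 198.51.100.7 -> 203.0.113.5:443 web-scan
2013-03-20T22:03:59Z alert tcp 198.51.100.7 -> 203.0.113.5:22 ssh-brute
2013-03-21T03:11:07Z alert tcp 198.51.100.7 -> 203.0.113.5:22 ssh-brute
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z")


def utc_hours(log_text):
    """Return the UTC hour-of-day of every timestamped line in the log."""
    hours = []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if m:
            hours.append(datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").hour)
    return hours


def score_offsets(hours, work_start=8, work_end=18):
    """For each whole-hour UTC offset, the fraction of events that would land
    inside the assumed local working-hours window [work_start, work_end)."""
    scores = {}
    for off in range(-12, 15):
        inside = sum(1 for h in hours if work_start <= (h + off) % 24 < work_end)
        scores[off] = inside / len(hours) if hours else 0.0
    return scores


def candidate_offsets(hours, margin=0.1):
    """Offsets scoring within `margin` of the best: the band of zones the
    activity pattern alone cannot separate, which the analyst must narrow."""
    scores = score_offsets(hours)
    best = max(scores.values())
    return sorted(off for off, s in scores.items() if s >= best - margin)


if __name__ == "__main__":
    hrs = utc_hours(SAMPLE_LOG)
    print("best UTC offset:", max(score_offsets(hrs), key=score_offsets(hrs).get))
    print("candidate band:", candidate_offsets(hrs))
```

On the constructed sample the best single offset is UTC+2, but the band +1 to +3 is nearly as consistent, which is why the text speaks of narrowing to a few time zones rather than one.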
That was over ten years ago. If it was an ongoing attack, intelligence personnel could ‘hack back’, and figure out the point of origin in much less time. I’m not talking legalities here, I’m talking doing it because we’re ‘being attacked’. Back in those days some intelligence personnel had so much more freedom than they do today.
Fast forward to the 21st Century; that’s where we barely are, but that is the reality. I would say it’s child’s play to develop a program that can almost give a near-real-time ‘hack back’. At the speed of electrons, aka the speed of light, we can even measure the time for the electrons to transit the route, giving us a distance estimate for geographical location in one of two to four time zones (East and West), and then guess at the cities within those time zones. I would say it’s even possible to establish the IP of origin in mere seconds to a few hours at the most. At the speed of light we can even do a satellite bounce. For intelligence purposes, legalities be damned, we can even transit countries with whom we are not friendly. For intelligence purposes, so far, so good. If we’ve done any analysis of the electronic packets being thrown in our direction, we can probably ID an identifier and throw that into the signature filters and sniffers we have strewn throughout the electronic world and trace them to the point of origin. The only differences are (1) I’m not sure this would be useful at all for law enforcement purposes and (2) by admitting such it would throw ‘a’ fear of God into the bad actors of the world, which would be a good thing.
Now… for law enforcement purposes, the only difference is having a court order asking for the information from the various ISPs along the way – all of which should be handled clinically, to keep a chain of evidence intact. I know that Congress is broken and that Law Enforcement lacks the cojones to actually think and act ahead, so I’m assuming the speed of the evidentiary chain has not improved significantly in the past ten years. Perhaps they’ll sit on the sidelines of intelligence operations and develop a keen sense of awareness of what they need to be asking for, but that might be claimed as bias to cast doubt on their investigation by a legal defense team. If this was a perfect world and law enforcement had its act together, there would be a blanket agreement to conduct ‘hot pursuit in cyberspace’ to gather evidence and chase down attackers to their point of origin – with most ISPs. Privacy wonks throughout the world would have severe heartburn, but in the name of security, it’s needed.
As part of the research for this blog piece I received a draft of an article by Dr. Sam Liles, in which he divides attribution between technical and political. Excellent insight, you should be salivating until you read it!
One point of clarification before someone tries to nuke me in place… the attribution I am referring to is to the keyboard from which an attack or attacks originated; I am not referring to the human or humans conducting the attack, nor to who ultimately gave the order. That requires human intelligence, which does not fall within the scope of this article.
What have I missed?