Cyberattack attribution, a cat-and-mouse game

Following a webinar dedicated to cyberattack attribution, we interviewed the speaker, Mohamed Ghozzi, Technology Analyst at Ercom, so that he could share his knowledge of the whys and wherefores of the investigation carried out to identify a cybercriminal.

 

What is behind the term cyberattack attribution?

The attribution of a cyberattack is a very complex search process aiming at determining what is hidden behind a cyberattack and finding the motivations of the hacker(s).

 

What are the underlying stakes in cyberattack attribution?

The stakes of attributing cyberattacks are multiple.

First of all, it serves to deter attackers by demonstrating to the world that their wrongdoings will not go unpunished. Second, attribution makes it possible to dismantle criminal networks whose hacking activity is only one facet. Then, it makes it possible to learn the operating modes and motivations of the attackers to better protect computer systems. Finally, attribution consolidates a knowledge base that will help accelerate the attribution of future attacks.

 

Who is in charge of cyberattack attribution?

Depending on the target of the computer attack, one or more of the following actors may have the authority to attribute it.

The first are the government services such as judicial police or intelligence services that intervene following a complaint or when the victim is an OVI (Operator of Vital Importance).

Then come the computer security firms, essentially antivirus software vendors, serving customers who don’t necessarily want to go through a police investigation.

Finally, cybersecurity research institutions often intervene in the case of unresolved attribution problems that require in-depth scientific research to better cross-reference data.

 

What are the steps to follow to attribute an attack?

The attribution of an attack is a problem involving a combination of several analyses to stem this violation.

Among a non-exhaustive list, let’s focus on the two analyses that seem to me to be the most strategic in this resolution.

First there is the forensic, or technical, analysis, which consists in exploiting the traces left by the attackers along their path by looking at the event log, malware or any other clue. At this level of the investigation, we seek to know the modus operandi followed by the hackers to enter the system, as well as the possible similarity of the malware used to those known today.

The second point, and not the least, is the geopolitical and economic context of the attack. This overview helps to determine the attacker’s motivations. Does the attacker want to extract money? Does he want to steal industrial information? Or does he just want to harm his victim? This contextualization will also tell us more about the nature of these malicious actors: are we facing isolated criminals or forces sponsored by states?

To carry out this analysis it is necessary to take into consideration several things among which we can quote the scale of the attack (what means, human and material, did he implement to carry out the attack?), the nature of the data exfiltrated by the attackers (what is their value on the market?), the sector of activity of the targeted organisation and the geopolitical context of the country where the targeted organisation is located.

 

Why is it so difficult to locate the source of an attack?

The search for the origin of an attack is based on the analysis of the traces left by the pirates, their operating mode and their motivations, the study of the profile of the victims… All these steps are difficult to grasp, for two main reasons.

First of all, the technical dimension is a huge impediment to investigations. In fact, attackers have at their disposal an arsenal of highly sophisticated tools allowing them to leave as few traces as possible and, most of the time, their process consists in «redoing backwards» the path to erase the remaining traces. Time is their ally because, very often, the intrusion is detected long after the attack. In this case, the computer traces may be incomplete or not saved (rotation of the trace files).

Finally, attackers enjoy leading us onto false tracks by planting, for example, «false flags*» at the level of the computer traces left behind to create a diversion.

The second barrier is the legal aspect. How is that a barrier? It is important to know that attackers do not carry out their attacks directly from their computers. Instead, they pass through several intermediate servers before reaching the target organization’s network. Most often, these servers are based in foreign countries that have different jurisdictions than the country that was the victim of the attack. For the purposes of the investigation it is sometimes necessary to access the logs of these servers. This access requires requests for authorisations to the judicial services of the countries concerned: these authorisations may be refused or at best granted after a long wait.

 

Attribution in figures: what is the percentage of cyberattack attribution?

There are few official statistics on the topic, but we notice a rising interest in attribution due to the explosion of more and more vicious and harmful cyberattacks these last months.

According to some estimations, the cost of harm attributable to cyber criminality would have stood at nearly $6 trillion in 2021 vs. $3 trillion in 2015.

Thank you for your time and see you soon for the next webinar!

 

*false flag: this term comes from the world of navigation and designates an act committed with the intent of disguising the actual source of responsibility and pinning blame on a second party.

 

What is a Technology Analyst at Ercom?

The daily life of a Technology Analyst at Ercom is about three main missions.

First, the analyst has to provide support to Business Units for the scientific and technical understanding of technologies arousing interest: he will thus help to arbitrate whether or not this technology is of interest for their businesses. Concretely, it means delivering presentations of technical analyses and the necessary documentation.

Then the expert has to lead a technology watch on identified topics, which will fuel future analyses. To finish, he shares his knowledge in the form of events such as webinars, or on forums or the intranet.