John Reed Stark

Along with all of the other anxieties about the upcoming Presidential election, there is the concern that someone, somewhere will use some type of cyberattack to interfere with the electoral process. If that were to happen, the immediate question will be “Who did it?” In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, underscores the difficulties associated with identifying the actors behind any cyberattack and cautions against jumping to conclusions about who might have been involved. A version of this article previously was published on Cybersecurity Docket. I would like to thank John for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.




When investigating a cyber-attack, just because you have figured out the what, when and how, does not mean you have figured out the who.

No doubt that after Election Day 2020, someone somewhere will allege that some form of cyber-attack compromised the results. Though it may be tempting to round up the usual suspects, don’t take the bait. While countries like Russia, China and North Korea certainly lack clean hands, they are not necessarily the perpetrators of every cyber-attack targeting a U.S. organization or government entity.

Of course, aggressor nation-states and their proxies have been targeting U.S. institutions with cyber-attacks for years. That fact is undisputed. Indeed, state-sponsored cyber-espionage has spawned a new cyber-arena for global warfare and societal disruption – a dangerous and unpredictable shifting of the battlefield paradigm, especially when it comes to U.S. elections.

Along these lines, the U.S. Department of Justice recently unsealed criminal charges against six Russian intelligence officers in connection with some of the world’s most damaging cyber-attacks, including disruption of Ukraine’s power grid and releasing a mock ransomware virus — NotPetya — that infected computers globally causing billions of dollars in damage. But this recent DOJ case (which took years and a special prosecutor to investigate) is the exception and not the rule, because the perpetrators of most cyber-attacks are rarely identified, let alone charged and actually brought to justice.

This article tackles the issue of attribution of cyber-attacks head-on. Specifically, this article warns that before rushing to judgment regarding the attribution of the perpetrator of any cyber-attack, especially pertaining to an election, consider the complex and intricate anatomy of data breaches; the subjectivity and circumstantial nature of digital forensic evidence; and the extraordinary level of guesswork, supposition and hypothesizing inherent in most attribution calculations.


Cyber-Attackers Leave No CSI-Evidentiary Trail

After a cyber-attack, there is rarely, if ever, a CSI-like evidentiary trail leading to the perpetrator. The cases are almost always circumstantial, and the digital forensic evidence rarely resides in plain view.

Evidence gleaned from a cyber-attack can rest among disparate logs (if they even exist), volatile memory captures, server images, system registry entries, spoofed IP addresses, snarled network traffic, haphazard and uncorrelated timestamps, Internet addresses, computer tags, malicious file names, system registry data, user account names, network protocols and a range of other suspicious activity. Evidence can also become difficult to nail down — logs are destroyed or overwritten in the course of business; archives become corrupted; hardware is repurposed; and the list goes on.

In fact, the technological tidbits identified by digital forensic experts often lack enough of an evidentiary foundation to initiate a prosecution – especially when the intelligence becomes politicized. This is why former Director of National Intelligence James Clapper, former FBI Director James Comey and former CIA Director John Brennan all reportedly had different opinions regarding the motives (and truth) behind the 2014 and 2015 alleged hacking into the systems of the U.S. Democratic National Committee.

Like medical experts who disagree about a diagnosis or treatment, cybersecurity experts are notorious for disagreeing about attribution conclusions gleaned from the digital forensic remnants, residue, fragments and artifacts left behind in the aftermath of a data breach.


Malware is in the Eye of the Beholder

When a digital forensics investigator analyzes the attack vector against a company’s devices or systems, for example by examining “deleted recoverable files” that reside in the less-structured regions of a hard drive, such as “unallocated and slack space” or the boot sector, the facts and conclusions become subject to interpretation, guided by the assumptions and experience of that investigator.

Consider for example the intricacies and complexities of malware-reverse engineering. “Malware” is oft defined as software designed to interfere with a computer’s normal functioning, such as viruses (which can wreak havoc on a system by deleting files or directory information); spyware (which can secretly gather data from a user’s system); worms (which can replicate themselves and spread to other computers); or Trojan horses (which upon execution, can cause loss or theft of data and system harm).

The definition of malware, however, is actually broader and a bit of a misnomer, and can mean any program or file used by attackers to infiltrate a computer system. Like the screwdriver that becomes harmful when a burglar uses it to gain unlawful entry into a company’s headquarters, legitimate software can actually be malware. Thus, malware reverse engineering, a crucial aspect of incident response, presents extraordinary investigatory challenges.

More Art Than Science

Attribution identification is far more art than science and too often contains a patchwork of hypothesizing, speculation, supposition and simple old-fashioned guesswork, rendering attribution conclusions overly subjective, skewed or even mistaken.

An online intruder can leave behind a digital crime scene akin to a ransacked home; a crime scene that is seemingly untouched and immaculate; or a crime scene that is somewhere in-between. In order to reverse engineer a cyber-attack, forensic investigators, incident responders, security engineers and IT administrators employ an extensive array of practical skills to isolate malware that targets, accesses or otherwise infects a company’s technological infrastructure.

The most effective cyber-attack investigative methodology is often a tedious and exhaustive iterative process of digital forensics, malware reverse engineering, monitoring and scanning. When the analysis identifies any possible indicator of compromise (IOC), investigators examine network traffic and logs, in addition to scanning system hosts for these IOCs. When this effort reveals additional systems that may have been infiltrated, investigators will then forensically image and analyze those systems, and the process repeats itself. Armed with the information gathered during this “lather, rinse, repeat” phase, investigators can detect additional attempts by an attacker to regain access and begin to contain the attack.
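The iterative IOC loop described above, written out as an added example (this is not code from the article or its author). Starting from one seed indicator, it scans constructed log lines for hits, treats each matching host as suspect, pivots on what those hosts touched (remote addresses, executed file hashes) to derive candidate indicators, and repeats until nothing new appears. Every host name, address, hash and log line is constructed sample data (addresses come from documentation ranges); the `known_good` set is an assumed input representing infrastructure the investigator has already vetted, which is what keeps an unreviewed pivot from sweeping the whole estate in.

```python
"""Iterative IOC hunt: the "lather, rinse, repeat" loop in code (added example)."""
import re
from dataclasses import dataclass

# Constructed sample logs, one event per line:
#   <timestamp> <host> NET_CONNECT dst=<ip>:<port>
#   <timestamp> <host> FILE_EXEC   sha256=<hash>
SAMPLE_LOGS = """\
2020-11-03T22:01:10Z ws-04  NET_CONNECT dst=203.0.113.7:443
2020-11-03T22:01:12Z ws-04  FILE_EXEC   sha256=aaaa1111
2020-11-03T22:05:40Z ws-04  NET_CONNECT dst=198.51.100.9:8443
2020-11-03T22:07:02Z ws-09  NET_CONNECT dst=198.51.100.9:8443
2020-11-03T22:07:05Z ws-09  FILE_EXEC   sha256=bbbb2222
2020-11-03T22:09:30Z srv-01 FILE_EXEC   sha256=bbbb2222
2020-11-03T22:10:00Z srv-01 NET_CONNECT dst=192.0.2.50:22
2020-11-03T22:11:00Z ws-15  NET_CONNECT dst=192.0.2.50:22
2020-11-03T23:00:00Z ws-21  NET_CONNECT dst=203.0.113.99:443
2020-11-03T23:00:05Z ws-21  FILE_EXEC   sha256=cccc3333
"""

LOG_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(NET_CONNECT|FILE_EXEC)\s+(?:dst|sha256)=(\S+)$"
)


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    kind: str
    indicator: str  # remote IP (port stripped) or file hash


def parse_logs(text):
    """Parse the constructed log format; unrelated or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, host, kind, value = m.groups()
        if kind == "NET_CONNECT":
            value = value.rsplit(":", 1)[0]  # drop the port, keep the address
        events.append(Event(ts, host, kind, value))
    return events


def hunt(events, seed_iocs, known_good=frozenset()):
    """Return (suspect_hosts, derived_iocs, rounds).

    Each round: find hosts whose events match any current IOC; every newly
    matched host is imaged/analyzed (here: its events are read) and the
    indicators it touched become new IOCs, unless the investigator has
    vetted them as legitimate (known_good). Stop when a round finds no new host.
    """
    iocs = set(seed_iocs)
    suspect_hosts = set()
    rounds = 0
    while True:
        rounds += 1
        matched = {e.host for e in events if e.indicator in iocs}
        new_hosts = matched - suspect_hosts
        if not new_hosts:
            return suspect_hosts, iocs, rounds
        suspect_hosts |= new_hosts
        for e in events:
            if e.host in new_hosts and e.indicator not in known_good:
                iocs.add(e.indicator)


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    # Unvetted pivot: the jump host 192.0.2.50 drags ws-15 into scope.
    print(hunt(events, {"203.0.113.7"}))
    # Same seed, with the jump host vetted as legitimate infrastructure.
    print(hunt(events, {"203.0.113.7"}, known_good={"192.0.2.50"}))
```

The second call shows the caveat the article is driving at: the loop itself is disciplined, but what counts as an indicator is a judgment call, and one unreviewed pivot (a shared SSH jump host, a common CDN address) silently widens the set of "compromised" machines.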

But in stark contrast to the iterative process and methodology of seeking IOCs (which can be disciplined and comprehensive), determining attribution consists of an altogether different and far less reliable approach.


Correlating Cyber-Attack Modus Operandi

One oft used methodology for determining cyber-attack attribution is to draw conclusions by correlating a library of code similarities, shared tools and shared infrastructure and targets of known cyber-attackers. But while matching cyber modus operandi can certainly provide worthwhile intelligence fodder for U.S. government investigative teams and policy-makers, pinpointing attribution to, and ascertaining the motives of, cyber-attackers remains inherently subjective.

Moreover, today’s online threat actors have begun eschewing custom tools in favor of using standard operating system features and off-the-shelf tools to compromise their targets. This “living off the land” hacking trend, where attackers make use of tools already installed on targeted computers or run simple scripts and shell code directly in memory, creates even more attribution challenges.

For instance, just before New Year’s Eve in 2016, CNN’s Jim Acosta reported that Burlington, Vermont’s electric utility had discovered Russian malware on one of its laptops, but as many have since pointed out, that malware was available for purchase online, and hardly an inculpatory IOC of any particular government or other criminal actor.

Malware can come from anywhere and its mere presence does not necessarily indicate that a particular government hacking gang is involved – the infection could have come from something as simple as an employee using his or her computer to visit one of the millions of infected websites currently live and accessible with a simple mouse-click. The attack might also have been carried out by a disgruntled or former employee (a so-called bad leaver), which is why data breach response is a lengthy, tedious and holistic process exploring all possibilities of attack.
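As an added example (not code from the article or its author), here is the modus-operandi correlation the "Correlating Cyber-Attack Modus Operandi" section describes, reduced to a weighted-overlap score between observed tradecraft and a library of actor profiles. All group names, tool tags, address ranges and targets are constructed placeholders, not real threat intelligence. Each tag is weighted by how many actors share it, so "living off the land" features present in every profile contribute little, and `attribute()` refuses to name an actor when the top two candidates are too close. The third input models borrowed tooling: the score confidently names the group whose kit was reused, which is exactly the failure mode the article warns about.

```python
"""Weighted-overlap attribution scoring against constructed actor profiles (added example)."""
from collections import Counter

# Constructed profiles: tags are "kind:value" strings (tools, infrastructure, targets).
PROFILES = {
    "GROUP-A": {"tool:loader-alpha", "infra:203.0.113.0/24", "tool:os-scripting",
                "tool:os-remote-admin", "target:utilities"},
    "GROUP-B": {"tool:loader-beta", "infra:198.51.100.0/24", "tool:os-scripting",
                "tool:os-remote-admin", "target:finance"},
    "GROUP-C": {"tool:commodity-rat", "infra:192.0.2.0/24", "tool:os-scripting",
                "target:utilities"},
}

# Constructed observations from three hypothetical incidents.
COMMODITY_ONLY = {"tool:os-scripting", "tool:os-remote-admin"}
CUSTOM_TOOLING = {"tool:loader-alpha", "infra:203.0.113.0/24", "tool:os-scripting"}
BORROWED_KIT = {"tool:loader-beta", "infra:198.51.100.0/24", "target:utilities"}


def tag_weights(profiles):
    """Weight each tag by 1 / (number of actors that use it): shared tradecraft is cheap."""
    counts = Counter(tag for tags in profiles.values() for tag in tags)
    return {tag: 1.0 / n for tag, n in counts.items()}


def score(observed, profile, weights):
    """Weighted Jaccard similarity; tags never seen in any profile count as unique."""
    def w(tag):
        return weights.get(tag, 1.0)
    shared = sum(w(t) for t in observed & profile)
    union = sum(w(t) for t in observed | profile)
    return shared / union if union else 0.0


def attribute(observed, profiles, min_margin=0.15):
    """Return (actor or None, ranked list of (score, actor)).

    None means inconclusive: either nothing matched or the best candidate
    does not beat the runner-up by min_margin.
    """
    weights = tag_weights(profiles)
    ranked = sorted(((score(observed, p, weights), name) for name, p in profiles.items()),
                    reverse=True)
    best_score, best = ranked[0]
    runner_up = ranked[1][0] if len(ranked) > 1 else 0.0
    if best_score == 0.0 or best_score - runner_up < min_margin:
        return None, ranked
    return best, ranked


if __name__ == "__main__":
    for label, obs in [("commodity only", COMMODITY_ONLY),
                       ("custom tooling", CUSTOM_TOOLING),
                       ("borrowed kit", BORROWED_KIT)]:
        verdict, ranked = attribute(obs, PROFILES)
        print(f"{label:15s} -> {verdict!r}  {[(round(s, 3), n) for s, n in ranked]}")
```

Two things to note in the output: the commodity-only incident scores GROUP-A and GROUP-B within a few hundredths of each other, so the function correctly declines to attribute; the borrowed-kit incident scores GROUP-B well clear of the field even though nothing in the data distinguishes GROUP-B from an actor who reused GROUP-B's loader and infrastructure. The score measures resemblance to a library, not identity.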

Consider state-sponsored cyber-attacks such as an Advanced Persistent Threat (APT) attack, where intruders use stealthy, sophisticated, targeted and relentless techniques, employing a carefully crafted and evolving reconnaissance – a low-and-slow approach that is difficult to detect.

Merely identifying APT malware can be tricky, let alone determining the motive and identity of the attacker orchestrating the intrusion. For example, APT attackers might use large data container programs for transporting exfiltrated information, yet those same data container programs have a broad range of legitimate uses – this is one way attackers can hide their technological weaponry in plain sight.


False Flag Cyber-Attacks

While some data security incidents may provide key evidence early-on, most never do, or even worse, provide a series of false positives and other initial stumbling blocks. Thus, even if investigators can triangulate a common modus operandi among attackers, the entire criminal design could all be a “false flag” subterfuge, where one country’s cyber gang coopts the practices of another country’s cyber gang, to confuse, misdirect and lead astray.

The term false flag originated during World War I, when British and German auxiliary ships would fly the ensigns of other countries — sometimes the British would fly German flags, or vice versa, in an effort to deceive their enemies. The same unfortunately now goes for cyber-attacks.

From simply issuing false claims of responsibility to emulating the tools, techniques, and even languages typically used by the group or country, false flag cyber-attackers can deceive, interfere and trick even the most seasoned cyber-experts. By interjecting chaos and confusion during a digital forensic investigation of a data breach, false flags make an already problematic undertaking even more byzantine.

One of the more notorious examples of false flag attacks occurred when Russian hackers attempted to disrupt the South Korean Winter Olympics in 2018 by using code of a North Korean origin. Along the same lines, a two-year probe by the UK’s National Cyber Security Centre and US National Security Agency found that the Turla group (purportedly linked to Russian intelligence) carried out cyber-attacks in 20 countries, most of them in the Middle East, by hijacking the backdoors, tool-sets and command-and-control centers used by OilRig (a hacker group purportedly linked to Iran).

The false flag might not pertain solely to attribution – false flags can also obfuscate motive. Election-tampering is not the only possible motive behind a cyber-attack. Governmental destruction, espionage, terrorism, financial crime, insider trading, intellectual property thievery, trade secret pilfering, extortion and market manipulation (just to name a few) are all potential data breach objectives.

To further confuse attribution efforts, some cyber-attack tools, tactics and even command and control centers can now be “rented” on the dark web – in essence, allowing successful cyber-attackers to franchise their criminal enterprises.

For example, the increasingly popular Ransomware-as-a-Service (RaaS) model borrows from the Software-as-a-Service (SaaS) model, by providing a subscription-based malicious platform and toolset, enabling even the most novice threat actors to become “affiliates” and launch their own sophisticated ransomware attacks. By reducing the need to design cyber-attacks and code malware, RaaS packages allow global criminals, including rogue nation-states, to carry out complex cyber-attacks using another attacker’s wares, thereby rendering themselves even more challenging to identify.


Looking Ahead

In some of the more infamous cyber-attacks, the most compelling attribution evidence remains classified, so we are asked to take U.S. intelligence reports at their word. This is a big ask — and whether we should all blindly accept attribution-related conclusions of the U.S. intelligence agencies merits some deconstruction.

First off, the typically invisible redactions and glaring omissions of government intelligence reports on cyber-attacks can pack a double whammy. Skeletonized intelligence attribution reports released to the public intentionally exclude proof, more often offering strings of conclusions replete with troublesome hearsay and unsupported conclusory opinions. In addition, U.S. intelligence “assertions” about cyber-attacks, like those in most intelligence briefings and reports, allude to having a range of clandestine sources such as intercepted communications, foreign government agents and other covert origins.

Unfortunately, there exists no way to evaluate the evidence presented by, nor assess the credibility of, these deliberately naked conclusions and cloaked sources. We must therefore wholly rely upon the honesty, integrity and expertise of U.S. intelligence officials — a tough pill to swallow, especially for the more cynical or scientific.

Of course, the reasons for all of the secrecy make sense. Risking the compromise of critical intelligence sources is a matter of national security and warrants respect. In the end, perhaps a little blind faith is not too much to ask, especially given the bona fides of the many hard working U.S. experts battling the endless wave of computer crime. These behind-the-scenes civil servants have dedicated their lives to pursuing the truth. I should know, I was once one of them — having spent almost 20 years in government service, most of the time investigating cyber-crimes. Their conclusions, albeit subjective, can be of unique utility and value and should be extolled rather than derided.

On the other hand, history is littered with too many examples of the misguided application of so-called government intelligence. In other words: fool me once, shame on you; fool me twice, shame on me. Of particular concern is when political appointees holding the higher ranks of government exploit the raw intelligence findings of career civil service underlings and recalibrate them for political gain, leading to dubious and tendentious attribution conclusions.

The real question thus becomes whether we can seek the truth firsthand, because the chances remain slim that any of these threat actors will ever become identified, apprehended, arrested, extradited and brought to trial. Even when the government has garnered enough evidence to warrant a bona fide indictment, other roadblocks emerge, such as conflicting global sovereignty, clashing treaties and an overall lack of judicial comity.

Apprehending, let alone charging foreign perpetrators, also requires massive resources and is an intensive investigatory and prosecutorial undertaking of a myriad of government agencies. Just note the litany of public agencies, foreign governments and private companies that partook in the recent US DOJ Russian hacking prosecution — clearly it takes a village. However, most federal law enforcement agencies lack the wherewithal to initiate more than just a few transnational investigations and prosecutions, let alone dedicate resources to a worldwide cyber-hunt.

Hence, for politicians looking to advance their ideological interests; for reporters looking to generate headlines and clicks; and for so-called cyber-experts looking to promote their services, it has become fashionable to make highly subjective (and sometimes wildly reckless) cyber-attack attribution claims – especially pertaining to elections. After all, no one will ever really capture the perpetrators, and proving an attribution conclusion to be wrong (i.e. “proving a negative”) is even more challenging than proving attribution in the first place.

My take is that given the myriad of attribution challenges discussed herein, determining the identity of a cyber threat actor for any attack, election-related or otherwise, has evolved into an unmanageable vortex and high-tech gumshoe guessing game.

So when the clock strikes midnight on election day, and the partisans, pundits and armchair analysts begin pointing fingers at state-sponsored hacking gangs, be sure to think twice — or even three times — before accepting their conclusions. Stop and weigh the evidence — there is never any smoking gun. Demand facts, seek truth, be objective and scrutinize the proof. Rushing to judgment not only disassembles and creates confusion, it also undermines the objectivity, candor and confidence that the public deserves.



John Reed Stark is president of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He currently teaches a cyber-law course as a Senior Lecturing Fellow at Duke Law School. Mr. Stark also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of global data breach response firm, Stroz Friedberg, including three years heading its Washington, D.C. office. Mr. Stark is the author of “The Cybersecurity Due Diligence Handbook.”