In the world of cybersecurity, questions regarding attribution are most frequently focused on 'who' is behind a particular attack or intrusion, and may also delve into the 'why'. We want to know who the threat actor or threat agent is, whether it is a nation-state, organized crime, an insider, or some organization to which we can ascribe blame for what occurred and for the damage inflicted. Those less familiar with cyberattacks may often ask, “Why did they hack me?”
These questions are rarely helpful, providing only psychological comfort, like a blanket for an anxious child, and quite often distract us from asking the one question that can really make a difference: “HOW did this happen?”
The current focus on the WHO and the WHY does the industry as a whole little service. This is true not only in this particular instance, regarding the hacking and leaks from the DNC and others during the 2016 political season, but also in almost every major attack or intrusion.
Let’s start by looking at the popular 'risk equation' commonly used when assessing the possibility of a breach or cyberattack:
Risk = Threat x Vulnerability x Asset Value (or Consequence/Impact)
As someone who has been responsible for managing information risk and security in the enterprise for 15-plus years, I have thought through this equation countless times strategically, as well as tactically, during an incident. The conclusion I have arrived at over and over and over again is that I have little control or influence over threat actors and threat agents - the 'threat' part of the above equation. The primary variable I do have control over is how vulnerable I am – meaning the strength of my present as well as my future control.
So what must always be analyzed and reported on is HOW an intrusion or attack was successful, so we can give attribution to the control(s) that failed or the lack of control(s), and to those responsible for maintaining proper control.
A great example of this sort of investigation and analysis is the House Committee on Oversight and Government Reform OPM breach report (1). In a report published last week by the Office of the Director of National Intelligence (2), there are a few important items to note from the upfront background section:
1) “Intelligence Community judgments often include two important elements: judgments of how likely it is that something has happened or will happen (using terms such as 'likely' or 'unlikely') and confidence levels in those judgments (low, moderate, and high) that refer to the evidentiary basis, logic and reasoning, and precedents that underpin the judgments.”
2) The nature of cyberspace makes the attribution of cyber operations difficult but not impossible. Every kind of cyber operation—malicious or not—leaves a trail. U.S. Intelligence Community analysts use this information, their constantly growing knowledge base of previous events and known malicious actors, and their understanding of how these malicious actors work and the tools that they use, to attempt to trace these operations back to their source.
The government - which has badges, guns, jails and laws to enforce - should continue to focus law enforcement and other government agencies on attribution related to the source(s) of attacks, so they can take action to deter (via conviction and jail time) the threat actors who wish to do harm. They can also, after an incident and if enough evidence exists, attempt to detain and prosecute those responsible. However, this alone is a completely insufficient form of attribution and, per the report itself, involves a degree of judgment.
One thing that can be done with complete certainty is to look closely at HOW the threat actors who went after the DNC were successful, and hold those people and organizations accountable. We can also look back in history and learn how every other reported intrusion occurred in the past decade, including the now-infamous attacks on Sony, Home Depot, OPM, Yahoo, Target, Anthem, and JPMC. This attribution is irrefutable, and the only question we now have left to answer is how it can be that the same story has presented itself over and over again, yet we (as an industry) fail to pay attention to it.
All of these intrusions have been successful because of one or both of the following:
1) Control(s) that failed, and/or
2) Incomplete or lack of control(s)
We can attribute the source of these items very simply and with certainty by answering two basic questions:
1) Who is accountable for the control environment?
2) Who created the control(s) that failed?
So, whom should we really hold accountable for the success of all these intrusions? The none-too-flattering answer is that while the breached organizations may shoulder some of the blame, we can attribute the success of these attacks to the cybersecurity industry itself.
Here is the simple reason: the security industry sells controls that fail, and do so repeatedly. And here’s the rub. These products and services don’t just fail in extreme conditions or due to highly unusual or sophisticated attacks. Every one of the organizations that suffered a breach was relying on the capabilities of a security provider that failed.
As NSA’s Rob Joyce explained a year ago at the USENIX Enigma 2016 conference:
“Contrary to popular opinion, the NSA and other APT attackers don’t rely on zero-day exploits extensively—unique attacks that take advantage of previously unknown software holes to get into systems. That’s because they don’t have to. There (are) so many more vectors that are easier, less risky and quite often more productive than going down that route.”
Why are these vectors so easy? The simple reason is that in many cases the security solutions deployed don’t work with high enough success rates to make an attack difficult or even challenging.
In order to move forward and refocus our industry's energies on making attacks more difficult for malicious actors, we need to break free from our own obsessive infatuation with attribution. By investing all of our resources into finding out 'whodunnit,' we get to play the victim card to minimize our own responsibilities and limit our liabilities. None of that helps the organizations that have been breached or the customers and clients who trusted those companies with their private information.
Instead, we need to focus on WHY those intrusions were successful, so we can give attribution to the real source of the intrusion – the controls that failed which were sold to the breached parties by the security industry.
This form of attribution will bring real accountability, and recalibrate our collective sights to take aim at the one variable in the risk equation that we have real influence over - our strength of control. Then, and ONLY then, can we start to make a difference and put a bend in the curve of risk we have been witnessing, versus continuing to let it grow unchecked.
Cylance Chief Security and Trust Officer