COMMENTARY

Part one of a two-part article.

In cybersecurity, attribution refers to identifying an adversary (not just the persona) likely responsible for malicious activity. It is typically derived from collating many types of information, including tactical or finished intelligence, evidence from forensic examinations, and data from technical or human sources. It is the conclusion of an intensive, potentially multiyear investigation and analysis. Investigators must apply stringent technical and analytical rigor along with soft sciences, as behavioral analysis tends to win the day.

Attribution and the public disclosure of attribution are not the same thing. Attribution is the identification of a potential adversary organization, affiliation, and actor. The decision to disclose that attribution publicly — through indictments, sanctions, embargos, or other foreign policy actions — is a desired outcome and instrument of national power.

One example is Mandiant’s APT1 report in 2013, which attributed the attack to the Chinese government, followed by Department of Justice (DoJ) indictments of the APT1 actors and the US State Department’s foreign policy maneuvers against the Chinese government. These public disclosures were highly effective in helping the world realize the dangers of cyber espionage by the Chinese Communist Party. Attribution of those activities was years in the making. The indictments and political maneuvers — the public disclosure — were instruments of national power.

Standards of Proof

When attributing a cyber incident to a threat actor, there are several standards of proof mechanisms at play. One element of attribution — and particularly when deciding how to act upon the results of your analysis — is understanding the importance of confidence levels and probability statements.

Intelligence Standards

In the intelligence community, Intelligence Community Directive 203 (ICD 203) provides a standard process for assigning confidence levels and incorporating probability statements into judgements. ICD 203’s probability statements are:

  • Almost no chance (remote)

  • Very unlikely (highly improbable)

  • Roughly even chance (roughly even odds)

  • Very likely (highly probable)

  • Almost certainly (nearly certain)

Confidence levels in ICD 203 are expressed as Low, Medium (Moderate), and High. To avoid confusion, probability statements and confidence levels must not be combined in the same sentence. There is a lot of debate about using these statements to estimate the likelihood of an event happening, as opposed to assigning responsibility for an event that has already occurred (i.e., attribution).

Judicial Standards

Another factor is that intelligence assessments do not use the same standard of proof as the rules of evidence in judicial process. Therefore, the work streams leading to indictment are different. In judicial terms, there are three standards:

  • Preponderance of evidence

  • Clear and convincing proof

  • Beyond a reasonable doubt

The type of court system (civil or criminal) determines the level of proof you need to support your case. The FBI, being both an intelligence agency and a law enforcement agency, may have to use intelligence standards, the judicial system, or both. If a national security case results in an indictment, the DoJ must convert intelligence judgments to judicial standards of proof (no easy task).

Technical Standards

There are also technical indicators related to attribution. Indicators must be assessed and constantly evaluated for relevancy (curated) as they have a half-life; otherwise, you will spend most of your time hunting down false positives. Even worse, if they are not implemented properly, indicators can produce false-negative mindsets (“no indicators found, we must be OK”). Consequently, an indicator without context is often useless, as an indicator in one environment may not be found in another.

A good formula is: 1) an investigation produces artifacts, 2) artifacts produce indicators, 3) context is indicators accompanied by reporting, 4) the totality of the indicators can highlight tactics, techniques, and procedures (TTPs), and 5) multiple TTPs show threat patterning over time (campaigns). When possible, attack information should be shared quickly.

Why Attribution Is Important

Recently, a friend asked me why attribution matters. Well, if your house was broken into randomly, that’s one thing, but if it was your neighbor, that’s completely different! How I protect my home or network will change depending on who broke in.

Organizations that don’t care who is responsible for a cyber incident and just want to get back online are more likely to become frequent victims. Any mature organization with sophisticated processes, a survival instinct, and that cares about their employees will go the extra step to create shared situational awareness, especially if the adversary returns repeatedly. A company can better defend itself from future aggression if they know 1) why they were attacked, 2) the likelihood of the attacker returning, 3) the goals of the attacker, and 4) the attacker’s TTPs. Knowing who perpetrated an attack can also help remove uncertainty and help you come to terms with why it happened.

In the second part of this article, coming later this week, I will discuss the key methods involved in attributing an event to a threat actor.