More Data On Attackers, But Attribution Still Dodgy

Identifying the groups behind attacks is still a dicey proposition, but security firms are collecting more information on attackers' techniques and their infrastructure

Dark Reading Staff, Dark Reading

February 7, 2013

4 Min Read
Dark Reading logo in a gray background | Dark Reading

Following the compromise of The New York Times' network, Mandiant -- the company that responded to the incident and conducted the forensics analysis -- collected enough evidence to identify the attacker. Yet "identify" is a loaded word in the field of digital forensics, and the name that the company had for the perpetrators came down to an internal designation: APT group 12.

Mandiant tracks some 20-odd information-stealing groups -- all related to China -- basing its identification on characteristics of the attackers' tactics, techniques, and procedures, including the specific pieces of malware that are being used, the command-and-control channels, the specific domains from which they attack, and the sorts of data they target.

While the firm does not necessarily identify individuals in the monitored groups, by linking the attackers to APT-12, Mandiant also linked them to China, which can help inform a target's strategy, says Nick Bennett, principal consultant with the firm.

"We can tie this activity to a specific group that we've been tracking through our forensic analysis," Bennett says. "This group, and other groups like it, we have been able to monitor over months and years, and based on that, their activities fall in line with the interests of the Chinese."

Yet do not expect actual individuals to be named as being part of the group or groups behind the attacks. While Mandiant calls them APT-12, another firm -- security-intelligence firm Cyber Squared -- argues the attacks likely involve six groups as part of an ongoing operation, likely originating from China. Meanwhile, other firms, such as network-security provider Damballa, assigns random names -- such as ScarySpiderCrew, ThreeFootConvicts, and HotSideDoctors -- to the hundreds of APT and cybercrime groups it tracks.

[The sophisticated cyberattack launched on The New York Times revealed earlier this week was not the first attack on U.S. media by Chinese entities. See Following New York Times Breach, Wall Street Journal Says China Hacked It, Too.]

If what passes for identity on the Internet feels a bit squishy, get used to it, because technical attribution is not getting markedly better. However, with the advent of big data analysis and a crop of startups focusing on gathering global threat intelligence, more information is being collected on attacks as well as attackers, their techniques, and infrastructure.

Security-intelligence startup TaaSERA, for example, uses network sensors, honeypots, and client agents to collect information on malware and malicious infrastructure operating from nearly 200,000 IP addresses. The company only goes so far as to identify the IP addresses, but it can cluster the attack nodes into groups that are targeting specific industries or utilized for specific types of attacks. By analyzing the massive volume of data, the company determines the reputation of a specific Internet address over time, says Srinivas Kumar, chief technology officer for TaaSERA.

"We stop at the IP address; we don't identify if Anonymous is behind it, or someone else," he says. "We are not looking to pinpointing the actual attacker entity."

It's a tactic that has become popular: Risk-intelligence firm Norse uses its own network sensors and virtual Internet agents to collect information on malicious activity online, assigning a reputation to specific IP addresses. Banks and retailers can use the information to help reduce fraud, says Norse's CTO, Tommy Stiansen.

Because Norse's service aims to be a real-time reputation feed, attempting to assign attack traffic to a specific entity is not very valuable, he says.

"If we look at doing forensics and identifying the attack, we get the information to our clients far too late," Stiansen says.

Outside of organizations that are looking to take specific offensive or punitive actions against the attackers, attribution has limited value. Companies do not expect to attribute an attack to a specific set of individuals, especially if those people are outside their country's jurisdiction. Yet getting as much information on the threat as possible is valuable, says Rich Barger, chief intelligence officer for Cyber Squared, whose ThreatConnect platform brings together security analysts to help investigate incidents.

"People give us a chunk of rock, and we chip away at it to identify the indictors," Barger says. "I guarantee that the industry does not have the complete snapshot of the advanced persistent threat that is out there."

The ultimate value in attribution is for deterrence -- so a country's government can know who to punish. With the United States taking the stance that cyberattacks launched from another nation could result in reprisals, intelligence agencies will have to build an iron-clad case assigning attacks to specific actors. While Mandiant's Bennett declined to reveal whether the company had tracked The New York Times attack back to its source, he does believe the U.S. government has better data.

"I would venture to guess that the State Department has more evidence that The New York Times was attacked by China," Bennett said. "Mandiant has been investigating this stuff for years, but we are not the only ones. The government has also been looking at this activity for years."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights