Browsing Tag


Attribution is not Transitive – Tribune Publishing Cyber Attack as a Case Study

December 31, 2018

I made a number of tweets on this subject but then the voice of Richard Bejtlich entered my head and told me that all twitter threads should be a blog post, and here I am. This blog looks at the cyber attack on Tribune Publishing and the claims that North Korea is responsible as an opportunity to highlight that attribution is not a transitive property.


Shortly after Tribune Publishing lost operations and ability to print papers the press highlighted that there was a cyber attack. The attack was highlighted as a targeted attack by a nation-state. This was all related to one anonymous insider at the company telling the media. Thus, early on I, and many others on social media, called for calm and patience while the details became public. The details are still not public and the company hasn’t officially responded but an insider told media sources that the malware used in the attack was Ryuk which is a family of ransomware (Checkpoint did a great write-up on it here). Checkpoint did some great analysis on the malware and noted that there is commonality in some aspects of the malware and another family of malware called Hermes. They appropriately highlight that while Hermes has been attributed in use to Lazarus Group before, there are alternative explanations including the group who developed Ryuk having access to the source code of the Hermes malware. There are likely alternative hypotheses not explored here as well. However, that link is seemingly being used by others to draw the conclusion that Tribune Publishing was attacked by North Korea.

Here is Forbes making that claim. They are not the only ones though. Fortunately, some journalists took a different approach. Here the New York Times accurately notes that just because (and if) Ryuk was used doesn’t mean it has government ties (thanks David and Nicole!). They also introduce alternative hypotheses including Adam Meyers from CrowdStrike stating that CrowdStrike tracks an eastern european cyber crime group that leverages the malware.

So what is the logic that led to the North Korean claims and what lessons can we extract?

Seemingly, the logic leveraged was that Ryuk has a link to Hermes. Hermes has links to Lazarus Group. Lazarus Group has been attributed to North Korea. Therefore, all uses of Ryuk must be North Korea. That is transitive attribution and is an association fallacy.

The logic seems kind of sound though, so what’s the problem?

There are a few large issues at play for us to explore.

First, we all have a collection bias. I.e. what we analyze is based off what we collect. We cannot know the true extent of collection available, so it is common for analysts to assume their collection is pretty good in comparison to what’s available. In fact though, it’s almost always the opposite where our collection is much worse than we realize. If Ryuk or Hermes malware was leveraged by teams other than Lazarus that would pose a big issue for the attribution claims. The “uniqueness” of malware is directly tied to collection. In perfect collection you could factually state if malware is unique to one team or not. But without perfect collection, and no one has perfect collection, we must understand that malware may appear unique to a specific team but may not be unique to them at all. It just may be unique to them in our collection.

Second, the links Checkpoint drew were not definitive and had other hypotheses identified. Therefore, if an assessment is going to be drawn out for attribution purposes and not the malware analysis purposes done in their blog, we’d need to do a more structured assessment including more data sources such as additional intrusions and cluster those intrusions using some model like the Diamond Model for Activity Groups. Moving the malware usage to a cluster of intrusions would reveal more data points to then start working on a more structured assessment.

Third, I have not looked deeply into Hermes but we’d want to explore the connections Hermes had to Lazarus Group and do the same type of analysis on the links mentioned in the second point for Ryuk.

Fourth, Lazarus Group is a collection of clusters of intrusions from across multiple researchers, teams, and organizations. Whereas Lazarus Group was at one point decently well defined it has come to represent to many a larger clustering of anything North Korean in nature with links to any aspect of known Lazarus Group activity. This is not a put down on any team that tracks the Lazarus Group, it’s simply a realization that the analyst bias that goes into selecting intrusions and putting them into the Lazarus Group is done differently across different teams and thus a super group is not likely to be granular in its accuracy. (I talk about the problem with this type of threat tracking here). This may not matter at all if you want to attribute the principal group responsible for Lazarus Group as North Korea. But attribution, especially when you want to attribute all parties and not just the one chiefly responsible, is not binary. Not every single intrusion that goes into the clustering of “Lazarus Group” is going to be accurate. Not every single intrusion is going to be North Korea developed malware used by North Korea operators. There are alliances (North Korea allies in other states or organizations), there are supply chains (where they source exploits, code, etc.), there are operators vs. developers, there are different operations teams, there are different customers of the operation’s intelligence requirements, etc. to consider. All this means that if you want to do attribution to North Korea off of Lazarus Group you can get to a pretty good confidence level (likely Moderate Confidence if you’re just basing it off of intrusion analysis). If you’re wanting to reverse engineer individual aspects of that grouping though the attribution wouldn’t necessarily hold. I.e. individual families of malware, intrusions, aspects of malware such as encoding routines, etc. could all be an important puzzle piece in multiple puzzles, not just Lazarus Group.

The fourth point is the biggest hindrance in attribution being transitive. All the puzzle pieces that go into doing an assessment can be important. But by themselves they are likely not. I’ve seen so many people ask for the “smoking gun” when talking about intelligence analysis. The FBI’s attribution of North Korea to the Sony Attack comes to mind (which I wrote about here in Wired) where the FBI’s assessment was sound but the infosec community wanted them to “prove it” so they released some technical pieces of evidence, which to the FBI probably seemed pretty good in hindsight but to the public were not conclusive. This is a common analyst mistake. When you do analysis there are pieces of evidence that become really important to you, but only in context of all the analysis you did. I.e. it’s really important to you now with all the knowledge you have about the case. But you needed a lot of other data and context to have it be important. So releasing just “the important stuff” externally will not likely resonate with others who cannot come to the same conclusions you did on just partial data. Even with identical data sets two analysts will likely come to different conclusions anyway. To address this you never get in the habit of arguing about evidence, you position and argue your assessment. The totality of the data and your analysis, not just pieces of data.

All this is a round about way of saying that if you take a piece of data from an assessment (such as links to Hermes malware) and take it away from all the other data, then you cannot take the assessment with that piece of data. You cannot just simply look for Hermes malware to pop up and go “yup that’s Lazarus Group”. Further, links of Hermes to other malware families like Ryuk and thus attacks where Ryuk show up further complicate the issue. The more analytical leaps you make the less likely your assessment is going to be sound.

This doesn’t mean that the attack wasn’t done by North Korea. If it was knowing their intention would be an entirely different and especially difficult assessment to make. But at this point, no actual assessments have been done. The only thing being highlighted in certain media outlets is transitive attribution because of links observed in different malware families. This is sloppy and will lead to numerous inaccuracies. Additionally, there can be political issues if high profile targets like the New York Times and Wall Street Journal (luckily they haven’t) come out and attribute the attack to North Korea. That puts pressure on the US government as well as the North Korea government. There are real impacts to attribution claims between states.

In summary, as an analyst you should be aware that assessments do not often have a transitive property. Understand your collection biases and what goes into the assessments you make. From there, if you need to make a new assessment, then you need to go through the process of collecting data and analyzing and producing an assessment, short cuts such as transitive analysis will not be better than a low confidence assessment. Do not strive for perfection where you have analysis paralysis (sometimes it’s ok to make gut calls as an analyst) but understand when something is a guess, a hypothesis that’s missing plenty of data sources and other hypotheses are also equally possible (low confidence), or when you’ve done structured analysis across multiple data sources to achieve a higher level of confidence (moderate or high).

Russian Election Meddling, GRIZZLYSTEPPE, and Bananas

August 17, 2017

It’s been awhile since I’ve been able to post to my blog (as it turns out doing a Series A raise for my company Dragos has been time consuming so I apologize for the absence in writing).  But it is fitting that my first blog post in awhile has something to do with the GRIZZLYSTEPPE report. I almost got sucked back into writing when I saw the Defense Intelligence Agency (DIA) tweet out the Norse cyber attack map.

Matt jumped on it pretty quickly though which was great.

I tried to attempt to fill the person in running the account just in case they didn’t understand why folks were less than excited about their presentation.

But in their responses to me it seemed they didn’t fully understand. They articulated that they use unclassified data for the conference but use classified data at work. Of course the problem wasn’t the data (even though it’s not just unclassified but completely bad/fake data) it’s the idea that a cyber attack map aka “pew pew map” is not a good way to communicate to any audience as its simply a marketing ploy. However, it’s not worth a full blog post so I’ll just instead request everyone to do their homework (should only be a quick Google search) on why pew pew maps are stupid and everyone serious in the discussion should stop using them.

On To the Main Discussion

But on to the main topic. What does Russian election meddling, the GRIZZLYSTEPPE report, and bananas all have in common? Absolutely nothing. Each are individually completely unrelated to each other and people should stop putting any of them together as it ultimately just makes people look silly (to be fair no one’s associated bananas with the election interference yet but it might be a better correlation than the GRIZZLYSTEPPE report).

This discussion was all spawned by an article that the New York Times released on August 16th, 2017 titled “In Ukraine, a Malware Expert Who Could Blow the Whistle on Russian Hacking“. Spoiler alert: he can’t. I went on a bit of a Twitter rant to explain why the article wasn’t good, it can be found here, but I felt it was a complex and an important enough topic to cover in a blog.

The NYT piece posits that a hacker known by his alias “Profexer” was responsible for writing the P.A.S. tool and is now a witness for the FBI after coming forward to Ukrainian police. The P.A.S. tool, the article puts forward, was leveraged by Russia’s intelligence services without his knowledge (not sure how he can be a “witness” then but I digress). The authors of the article previously explicitly stated P.A.S. was used in the break-in of the Democratic National Committee  (DNC) but they had to issue a correction to that (to their credit, folks from NYT reached out to me after I critiqued it on Twitter to try to get the story correct after it was published; I asked for the correction as I’m sure others did but in reading the updated article the correction doesn’t actually address the larger issues so I wanted to cover them here in the blog).


Figure 1: Correction Related to P.A.S. and the DNC

Where did they get this assertion that P.A.S. was used in the DNC breach? By tying the GRIZZLYSTEPPE report (which does note that P.A.S. has been used by Russian security service members before) to the DNC breach. The GRIZZLYSTEPPE report has nothing to do with the DNC breach though and was a collection of technical indicators the government compiled from multiple agencies all working different Russian related threat groups. The threat group that compromised the DNC was Russian but not all Russian groups broke into the DNC. The GRIZZLYSTEPPE report was also highly criticized for its lack of accuracy and lack of a clear message and purpose. I covered it here on my blog but that was also picked up by numerous journalists and covered elsewhere. In other words, there’s no excuse for not knowing how widely criticized the GRIZZLYSTEPPE report was before citing it as good evidence in a NYT piece. Interestingly, the journalists didn’t even link to the “Enhanced Analysis” version of the GRIZZLYSTEPPE report which was published afterwards (and is actually much better) as a response to the critiques of the first one.

A major issue exists though with the correction to the NYT article. It changes the entire point of the story. If Profexer isn’t actually a “witness” to the case because P.A.S. wasn’t used in DNC then what’s the message the journalists are trying to get across? Someone who wasn’t working with the Russians, developed a tool that the Russians didn’t use in the DNC case, and didn’t have any insight into any of the Russian threat groups or campaigns cannot be a good witness.

Even after the correction though the journalists draw the readers attention to the breach early and often to continue to reinforce that this gives new insight into that case.

Figure 2: Snippet from NYT Article Referencing DNC Breach and Profexer

And again the journalists explicitly state that Profexer is somehow a witness to what occurred and reference him back again to the election hacking.

Figure 3: Snippet from NYT Article Claiming Profexer is a Witness

The article goes on to note how this changes our thoughts on the Russian groups (APT28 / APT29 or COZYBEAR / FANCYBEAR) and how they operate; the journalists state that using publicly available tools or outsourcing tool development to cyber criminals is against the modus operandi (MO) of the Russian security services. I do not know where the journalists get this claim but they do not source it; I disagree with the claim but I’ll note the burden of proof here is on them with regards to showing where they’re claiming the previous MO and I’ll simply state that there have been numerous publications and reports showcasing Russian threat groups including the security services using other groups and people’s tools and exploits. This isn’t new information and it’s fairly common for many threat groups to operate in this way.

The attribution on APT28 and APT29 is some of the most solid attribution the community has ever done. Numerous cybersecurity firms have covered this group including FireEye, CrowdStrike, Kaspersky, TrendMicro, and F-Secure but we’ve also had government attribution before by the German intelligence services on a breach into their government that pre-dates the DNC breach. A cursory look will reveal that organizations have been tracking this Russian threat group for about a decade now. Yet none of the people who’ve actually covered these groups were cited in the NYT article. Instead the journalists chose to cite Jeffrey Carr and his quote is confusing to most readers because he is trying to detract from the attribution where he states: “there is not now and never has been a single piece of technical evidence produced that connects the malware used in the D.N.C. attack to the G.R.U., F.S.B. or any agency of the Russian government.” It’s almost as the journalists just wanted a contrarian view to look balanced but what an odd selection if not just set up their witness to be even more important.

I want to be very clear on my next critique: I actually don’t think Jeffrey Carr is a bad person. I know he ruffles the feathers of a lot of folks in the community (mine included at times) but on the two occasions I’ve met him in person he’s been an absolutely nice person to me and was civil and well articulated. That being said, he is not an expert on attribution, not an expert on these groups, nor has any reason to be cited in conjunction with them. He’s often widely criticized in the community when he tries to do attribution and it’s often painfully full of 101 intelligence analysis failures. The NYT didn’t do him any favors by including him in this article and seriously detracted from the idea that they understood enough about this topic to cover it. Simply stated: “cyber” is not an expertise, if you are covering a niche topic like attribution or a further niche topic like Russian group attribution you need to use folks who have experience in that subject matter.

Please Stop Arguing About Attribution Without Expertise In It

This is a bit of a big request but it’d be very useful if people stop taking a stance on why attribution is difficult or not and whether or not attribution is right or not if they have never had experience in doing attribution. This is important because the journalists in this article seem to want to help bolster the case against the Russian intelligence services yet make it more confusing. At one point they try to set up their witness as some new smoking gun to be added to the case as a push back to people like President Trump.

Figure 4: Snippet from NYT Article Setting Up the Importance of the “Witness”

Attribution is not about having a smoking gun. Attribution is a good example of doing true intelligence analysis; there are no certainties and you only can come to an assessment such as low, moderate, or high confidence. Almost every single piece of data put forward in that assessment can and should have counters to it. Very reasonable counters as well. It’s why when anyone arguing for attribution argues a single piece of evidence they almost always lose the argument or look silly. It’s simply very rarely about one piece of evidence and is instead the analysis over the total data set. The attribution levied towards Russia for meddling in the U.S. elections is solid. The reason President Trump and others don’t want to accept that has nothing to do with the fact that there hasn’t been a witness or a “single piece of technical evidence produced that connects the malware used in the D.N.C. attack to the G.R.U.” it is because they do not want to accept the conclusion or the reality it presents. There’s nothing that’s going to change this. I’m convinced that if President Putin came out and said “yea it was us” we’d have critics coming forward saying how it’s a false flag operation and it’s actually not true.

But what’s the problem with people arguing these points? It detracts from the already solid assessment. It’s similar to when the FBI wanted to release IP addresses and some technical indicators during the Sony hack to talk about how they knew it was North Korea. I critiqued that approach when it happened here. The basis of my argument was that the FBI’s attribution to North Korea was likely correct but their presentation of evidence as proof was highly misleading. Obviously the FBI didn’t just use those technical indicators to do the attribution, so how could anyone be expected to look at those and be convinced?  And rightfully so people came out and argued against those technical indicators noting they could easily be wrong and that adversaries of any origin could have leveraged the IP addresses for their operations. And the critiques were correct. The technical evidence in isolation was not good. The totality of the data set though was very sound and the analysis on top of it though were very sound.

I often think of this like climate change arguments. You can have 100 scientists with a career in climate studies posit forth an assessment and then two people with absolutely no experience argue on the subject. One of the people arguing for the climate scientists’ position could grab out a single data point to argue and now the person arguing against that first person is arguing against an uninformed opinion on a single data point instead of the combined analysis and work of the scientists. The two people arguing both leave understandably feeling like they won the argument: the original assessment by the scientists was likely right but the person arguing against the data point was also probably right about their argument against that data point. The only people who lost in this debate were the scientists who weren’t involved in the argument and who’s research wasn’t properly presented.

Closing Thoughts

I never like to just rant about things, I try to use these opportunities as things to learn from. All of this is actually extremely relevant to my SANS FOR578 – Cyber Threat Intelligence course so a lot of times I write these blog posts and reference them in class. So with that theme in mind here’s the things I want you to extract from this blog as learning moments (to my students, to the journalists, and to whomever else finds it valuable).

  • If you are doing research/writing on niche topics please find people with expertise in that niche topic (Jeffrey Carr is not an expert on attribution)
  • If you are going to posit that the entire public understanding of a nation-state group’s MO has changed because a single piece of evidence you’re likely wrong (do more homework)
  • If you are going to posit that there is a witness that can change the narrative about a case please talk to people familiar on the case (determine if that type of evidence is even important)
  • If you are going to write on a topic that is highly controversial research the previous controversy first (GRIZZLYSTEPPE was entirely unrelated to the DNC case)
  • Attribution is not done with single pieces of evidence or a smoking gun it is done as analysis on complex data sets most of which is not even technical (attribution is hard but doable)
  • The most interesting data for attribution isn’t highly classified but instead just hard work/analysis on complex scenarios (classification standards don’t imply accuracy or relevancy)
  • Just because someone’s code was used by an adversary does not imply the author knows anything about how it was used or by whom (the threat is the human not the malware)
  • Stop using pew pew maps (seriously just stop; it makes you look like an idiot)


The Problems with Seeking and Avoiding True Attribution to Cyber Attacks

March 4, 2016

Attribution to cyber attacks means different things to different audiences. In some cases analysts only care about grouping multiple intrusions together to identify an adversary group or their campaign. This helps analysts identify and search for patterns. In this case analysts often use made up names such as “Sandworm” just to group activity together. To others, attribution means determining the person, organization, or nation-state behind the successful intrusion or attack; this latter type of attribution I will refer to as true attribution. There are many issues with true attribution that I want to explore here. However, there are also those that have pushed back on analysts exploring motives to an attack that I also want to call attention to. When dealing with attribution analysts should avoid the extremes: using true attribution inappropriately or being too hypersensitive to perform analysis and explore motives. Good analysts know when to seek true attribution and when to avoid it.

To explore these concepts I will look at true attribution at the tactical, operational, and strategic level of threat intelligence. While these levels should not be seen as a static category it will help shape the discussion. Tactical threat intelligence often deals with those folks who do the day-to-day security such as performing incident response and hunting for threats in the environment, operational threat intelligence refers to those personnel who work to identify adversary campaigns and often focus on aspects such as information sharing and working through organization knowledge gaps, and the strategic threat intelligence category I’ll use to refer to those personnel that sit at senior decision making levels whether it be executives or board of directors members at companies or national government officials and policy makers.

True Attribution at the Tactical Threat Intelligence Level

In my opinion, true attribution at the tactical threat intelligence level is only harmful to good security practices. Trying to identify who was responsible for the attack seems like a good idea to help shape security practices. As an example, an analyst who thinks that China is in their network might begin looking for intellectual property theft and try to shortcut their effort to identify the adversary. But think about that for a moment. Because our hypothetical analyst thought China was in the network, they have begun to look at the data in front of them differently. In this case, attribution has led our analyst to the land of cognitive bias. Cognitive biases are especially dangerous when performing analysis as they bias the way you think – and analysis leans so heavily on the human thought processes that it can lead us to inappropriate conclusions. Now, instead of keeping an open mind and searching for the threat in the network our analyst is falling prey to confirmation bias where the analyst is looking at the data differently based on their original hypothesis that China is in the network.

This begs the question though, if the analyst has nothing else to go off of shouldn’t they look for the tactics, techniques, and procedures of China in the network as a starting place? In my opinion that is the role of those often funky sounding made up campaign names or intrusion set names; this is what others sometimes call attribution but not true attribution. An analyst that thinks they know what “China” looks like really only knows previously observed activity. If I tell you to think about what China would be doing in a network you might think intellectual property theft. If I tell you the threat is Russia you might think of cybercrime or military pre-positioning. If I say Iran maybe you think about data destruction. The problem is, that thought process is tied to previously observed activity and it’s also going off of the assumption that previous true attribution you’ve heard is correct. Even if we assume all the previously true attribution was correct though analysts have only ever heard of or seen some of the campaigns by adversaries. Russia has teams that are interested in intellectual property theft just as China has teams that are interested in military pre-positioning. We are biased in how we view nation-state attribution based on campaigns we have seen before and it is difficult to take into consideration what is unknown. The better tactic is in identifying patterns of activity such as “Sandworm” and thinking to previous observed threats tactics, techniques, and procedures as a starting place in how we search the network for threats. Then tactical level threat intelligence analysts aren’t biased by true attribution but can use some element of attribution to learn from threats they’ve observed before while attempting to avoid cognitive biases.

True Attribution at the Operational Threat Intelligence Level

At the operational threat intelligence level the use of attribution needs to fit the audience. Operational level threat intelligence analysts should always attempt to serve as the bridge between the strategic level players and the tactical level analysts. When using the observations and information from the tactical level to translate to strategic level players there can be a role for true attribution, which we will explore later. When translating the observations at the strategic level and operational level to the tactical level though true attribution then again becomes dangerous. The way threat intelligence is positioned should be determined by the audience consuming it.

Consider this: an operational level threat intelligence analyst has been asked to take the campaigns observed in the community and translate that information for the tactical level folks to use. The indicators of compromise and security recommendations that the tactical level personnel should use are independent of attribution. The security recommendations and fixes are based off of the observed threat to the systems and vulnerabilities not the attribution; or said another way if you have to patch a vulnerability you don’t patch it differently if the exploit was Chinese or Russian based.

However, that same operational threat intelligence analyst has been asked to identify the threat landscape, the observed campaigns in the community that are relevant to the organization, and make recommendations for strategic level players that can influence organizational change. Here, the analyst may not be able to prove true attribution based off of observed adversary activity but it is in their best interest to identify patterns and motives to attacks. As an example, if there have been a number of campaigns recently that align with the motives of Chinese actors targeting the analysts’ company the recommendation from the operational level analyst to the strategic members might have them take into consideration how they interact with and do business with China. Here the analyst should use language to structure their assessment that the observed threats are Chinese based such as “high confidence”, “medium confidence”, and “low confidence.” Language such as “it is definitively China” should be avoided. Ultimately analysis is based on incomplete data sets (consider the difference between inductive and deductive reasoning) and the provided information is just an assessment.

At the operational level of threat intelligence analysts should be mindful of their audience and be open to putting forth good analysis based on observed activities, threats, and motives without being definitive on true attribution.

True Attribution at the Strategic Threat Intelligence Level

Strategic level audiences often heavily care about true attribution but not always with good reason. Government leaders and company executives want to know their threat landscape and how it might shape how they conduct business or policy. That is a good thing. However, strategic level players should be careful not to use true attribution when it’s not required.

As an example, if the organization is facing security challenges and is consistently having intellectual property stolen they need to look at the security culture of the organization and the resource investments needed to increase security and minimize risk. This inward look at the culture and security investments should usually be independent of true attribution. The tactical and operational level impacts are going to be the same whether the previous culprits were China, Iran, Russia, or the North Pole. However, if the organization is taking an outward approach to doing business or policy making they may need to consider true attribution. Because true attribution is usually based off of assessments and not usually definitive it should usually be approached as a continuum.

To look at true attribution especially for this level of threat intelligence I highly recommend two resources. First, a paper by Dr. Thomas Rid and (soon to be Dr. – congrats Ben!) Ben Buchanan titled Attributing Cyber Attacks. This paper will get you into the right mindset and understanding of attribution for the second paper I would recommend by Jason Healey titled Beyond Attribution. In Beyond Attribution, Jason Healey discusses the concept of responsibility as it applies to attribution. In short, a nation-state has responsibilities with regards to cyber operations especially if they might have been conducted from within its borders. At one side of the scale, a state can take an approach of prohibiting attacks and actually help other nations when an attack has begun. On the other side of the scale a state actually conducts the attack and integrates their attack with third-party proxies such as private companies for hire or hacktivists.

Analysts should be mindful of this spectrum of state responsibility, as Jason calls it, when considering true attribution and the nature of intelligence assessments. It is difficult to have true attribution and true attribution can be harmful to tactical level security. However, identifying motives in attacks and understanding the spectrum of state responsibility to attacks should be considered at the strategic level so that we are not so hypersensitive on the topic of attribution that every adversary gets to operate without consequence.

Case Study: Cyber Attack on the Ukrainian Power Grid

Let’s take these concepts and apply it to the cyber attack on the Ukrainian power grid. If you’re unfamiliar with the case you can read about it here. In this case, I have been very careful about my wording as I know there are multiple audiences that see my quotes in media or read my reports. On one hand, I teach a threat intelligence course and an ICS/SCADA active defense and incident response course at the SANS Institute. In this capacity most of my audience is tactical and operational level personnel. For those reasons I have often tried to reinforce that attribution in Ukraine doesn’t matter for them. Identifying indicators of compromise to hunt throughout the network, preparing the network to make it more defensible, and applying lessons learned from the Ukraine attack are all independent of true attribution. True attribution simply doesn’t matter for how we apply the lessons learned for security at those levels.

However, I also deal with strategic level players in my role in academia as a PhD student at Kings College London and as a Non-Resident National Cyber Security Fellow at New America where I work with policy makers. For this audience, it is important for me to note that definitive true attribution has not been obtained in the Ukraine attack and may never be obtained. However, in considering Jason’s spectrum of state responsibility we have to look at the attack and realize the potential motives, the larger geo-political setting, and analyze if there are any courses of action strategic level personnel should take. In my opinion, I doubt the Russian government itself carried out the attack. However, the attack on the Ukrainian power grid did not fit any apparent financial motives and the motives aligned with various Russian based actors; whether those are private companies, hacktivists, or senior government officials. Therefore, it is in my opinion and in my analysis that strategic level players should look at the elements of attribution that link to Russian based teams and consider Jason’s spectrum of state responsibility. Even if Russia had nothing to do with the attack there should be an investigation into whether or not it occurred from within their borders. If the attack is state-ignored it sets a dangerous precedent. Senior policy makers in other nations should under no circumstance jump to blaming Russia for anything. However, they should look for international cooperation and potentially an investigation as this is a first-of-its-kind cyber attack on civilian infrastructure that led to a power outage. There is a line between espionage and offense; that line was crossed in Ukraine and we must be careful of the precedent it sets.


In conclusion, true attribution is highly abused in the information security community today. Many organizations want true attribution but do not know how to use it appropriately and many private companies are quick to assign definitive attribution to attacks where they simply do not have the appropriate data to support their conclusions. True attribution makes media headlines and the motives for companies to engage in this activity are significant for that reason. Claims of true attribution do increase international tension; not as significantly as some would assume but they are individual data points to policy makers and national level leaders. However, being hypersensitive about true attribution enforces a culture in this field where nation-states can ignore responsibility such as investigating attacks or policing their borders as is normal in international law and policy in any other domain other than “cyber.” There is a balance to be struck. Knowing how to strike that balance and when to use attribution in the form of group names with no state ties or true attribution in the form of an evolving assessment will help the threat intelligence community move to a more mature point where tactical, operational, and strategic level players can all benefit.


*Edit 3/6/2016*

I had a good discussion with some colleagues around this post and wanted to add two points.

  • Richard Bejtlich had a really good blog post on the value of attribution and breaks it down in a number of useful ways. His blog post pre-dates mine but I failed to reference it the first time. It can be found here. I would recommend it as it’s a great read and doesn’t take long to work through.
  • Two peers, Mark and Tim, made a case for tactical level true attribution that I think is actually an interesting one to consider. I would argue that most tactical folks shouldn’t consider true attribution and that it’s highly highly abused and resource intensive with little value in the wider community today. That being said, Mark made the point that in a resource constrained environment it might be a useful factor in prioritization. As an example, if you have a lot of phishing emails or malware samples to look at and you need a place to start, true attribution could be of value as that starting point as long as you try to defeat any biases later on. The reason this could be of value (credit to Mark and Tim on this point) over just attribution of groups is: if you have data that is of use to specific countries (think F-35 fighter aircraft intellectual property being of value to China and Russia more so than Niger) using that information as a starting point and prioritization of your searches could be useful. This also touches on the topic of crown jewel analysis combined with threat intelligence; for anyone interested in that subject check here.  This to me gets closer to the operational level than the tactical level and I would expect operational folks to translate these concepts into a usable form for tactical level analysts instead of expecting them to start this process – but I can see the case for why this would be useful at the tactical level and would agree that it’s an interesting one to consider.
  • (Thanks to the peers that took the time to discuss their thoughts with me. Discussions like these help all of us explore our understanding of a topic and I always find my own learning process enhanced by them).