Tuesday, February 10, 2015

We need to talk about attribution.

One of the InfoSec community’s greatest distractions lately has been attribution, both specifically and generically.
Let’s start with the Sony fiasco and the FBI’s pinning the attribution tail on the North Korean donkey.  Many people have beaten this to death; there has even been name-calling over it.  And I don’t care.  There are certainly questions unanswered, but I’m not opposed to the idea that it was North Korea, I’m just not convinced “beyond a reasonable doubt”.  The argument is lost in the greater public, everyone believes it, just like they believe “hackers” are all bad.  In InfoSec many of us refuse to blindly believe the government for a variety of reasons- political, factual, conspiratorial, and probably even astrological.  Here’s my take- if the FBI came out and said something like:

“Hey, remember those Snowden docs?  Well then you won’t be surprised to hear that we’re all up in North Korea’s stuff and have been for years.  The NSA saw things come and go which prove to us that they are responsible, but we can’t show you the sensitive bits for obvious reasons.”

we would have grumbled about facts and proof and stuff, but I think many of us would have bought the story more than we did with the approach they took.  I’m not sure how Sony would have felt about that revelation, but they’ve probably figured it out by now.  The feds told us they had proof, then released some data, some of which was refutable or inconclusive- and being skeptics, several folks in InfoSec took the data apart and poked holes in some details and raised questions about others.  Being skeptical is what we do.  Gullibility is not a great trait for a career in InfoSec.  Even if the feds had released what they did with the disclaimer “this is imperfect, but it is all we can release because: reasons” it would have been better. But most folks bought the story blindly, so I guess they don’t need PR lessons from me.
If you want some good reading material on attribution, Marcus Ranum recently wrote “Attribution is Hard” Part 1 and Part 2, a good look at the challenges of attribution.  If you want more visceral posts on attribution, head over to Krypt3ia’s blog for some great rants and content.
As for me, when I feel like getting all wound up over attribution I update and patch systems in my home and lab environments- it is more productive than pinning the attribution tail anywhere other than on my own butt.
The fundamental flaw with most attribution stories I see is that they are based on forensic evidence alone.  That means evidence the attackers were willing to let us see.  That’s a problem for me: it means that if the apparent attacker is the real attacker I’ve been beaten by a lazy or incompetent attacker, and otherwise I’m unlikely to find the real culprit with my limited resources.  Either way, I would be better served making backups, checking configurations, and typing `yum -y update` or `apt-get update` into SSH sessions.
Don’t get me wrong, for some folks attribution is important, and for many of us it is an amusing diversion.  If you are trying to prosecute criminals, you need solid attribution.  If you are doing serious threat intelligence then attribution matters (whatever the hell “threat intelligence” means- it’s become yet another InfoSec term that means so many different things that it means nothing).
If you have the choice between spending your limited post-breach resources on chasing attribution or fixing stuff, I suggest you fix stuff.  If you have truly secured your environments well and have the resources, maybe post-breach attribution will be valuable.  I think those situations are rare.  Note that I resisted the temptation to say “if you’ve secured your environment you wouldn’t need attribution because you wouldn’t get breached”, I think we all know those days are long gone (if they ever existed).

Jack (as far as you can tell)