Cyber Attribution

June 8, 2023 Dave McMahon

CYBER ATTRIBUTION

Cyberspace has clearly emerged as a strategic centre-of-gravity for renewed great power struggle, prompting adversaries to conduct a range of malicious cyber activities aimed at achieving competitive advantage, influencing and harming Canadian interests. They do so under the protection of anonymity.

“Attribution within cyberspace is difficult to prove and therefore provides actors with anonymity or plausible deniability.” - Canadian Armed Forces

Attribution will likely remain the hardest problem for cyber defence, but it is also the most necessary for effective deterrence, active cyber defence, and as a legal imperative for any effective countermeasure. For example, persistent engagement is a grand strategic approach to cyberspace intended to counter and contest adversary gains through agreed competitive interaction in cyberspace short of armed conflict, as opposed to spiraling escalation. This strategy requires attribution at its core.

There are two sides of the attribution argument:

Some would contend that attribution requires highly-sophisticated capabilities beyond the means of most organizations. It costs too much up-front and has a low-likelihood of prosecution. It is therefore more expedient to just block, repair the damage, move on and hope for the best; or
Others say that, failing to attribute, deter and counter the threat will eventually end up costing the organization far more and invite persistent attacks. Canada is at risk of becoming a permissive victim.

Attribution definitions

Technical attribution pertains to resolving the network activity to a threat actor by: identifying black-listed Internet Protocol (IP) addresses or domains, malware signatures or recognizing known Tactics, Techniques, and Procedures (TTP) of one’s adversaries. This level-of-attribution is often adequate to block potential risky communications, manage vulnerabilities or launch incident response activities. However, it does not affect the threat actor’s ability to pursue another line-of-attack. It is insufficient for effective cyber defence or threat reduction.

End-attribution identifies the real entity (human/organization) and motive behind the attack. This requires active threat hunting, pursuing the adversary through deep investigation across multiple domains (physical, cyber, cognitive) using deep cover.

Challenges

It is hard to connect the dots, when it comes to attribution, when these dots are extra-jurisdictional and scattered across-domains. Agility, obfuscation and misdirection by the threat actors, pose a number of challenges to attribution:

Fast fluxing (ephemeral) network connections across cyberspace (computers, networks, social platforms, botnets, mobile devices, and machines or devices)
Encrypted 6th generation malware, processes, command and control channels;
Hiding in memory or living off the land (commandeering legitimate programs or apps);
Using intelligent agents, proxies, avatars, cutouts or victim machines; and
Operating from safe-havens overseas.

Furthermore, tactics like cognitive warfare leaves only traces of toxic narratives, which can be laundered through organic online followings thus allowing the originator to withdraw into the shadows without a trace.

Closing the attribution chain

In order to close the attribution chain, one needs to hunt the adversary through cyber space and cognitive domains into the real world. Everyone leaves digital exhaust and a physical footprint, including the attacker. They make operational security mistakes like: reusing infrastructure, code or a predictable modus operandi, or cross contaminating network operations, social media presence and real-life identities. The detection and attribution Advanced Persistent Threats (APT) with enhanced precision, speed, and fidelity requires advanced technology, talent and tradecraft.

Intelligence-led

Cyber attribution is necessary for active cyber defence, deterrence, prosecution, but foreign intelligence (FI) operations are required for end-attribution and targeting.

Cyber threat intelligence (CTI) can provide technical attribution, as we have discussed, but it is only good enough for a limited cyber response. All-source intelligence sources and methods including FI are essential for the attribution and targeting of Advanced Persistent Threats (APT). End-attribution also requires highly-specialized products and services such as: containerized investigative platforms, managed non-attribution systems, deception networks and a willingness forward-deployed intelligence operations into contested space and on the adversaries territory.

Taking action

Knowing your enemy is an important tenet for warfare. So, in this context, attribution is enormously helpful. There are some pragmatic actions one can take from attribution:

Name and shame the perpetrator – drawing them into the light;
Share the intelligence and contribute to global blacklists;
Prosecute the actors in civil court;
Seek a criminal inditement of individuals;
The administrative action unilaterally or with partners to seize domains - ‘shun and stun.’
Execution of warrants to dismantle infrastructure;
Strike-back using active cyber ;
Persistent engagement; or
Launch preemptive proactive operations.

Cyber threat reduction does not limit options to the cyber domain. Legal action, diplomatic measures, financial sanctions, further intelligence collection and military targeting are valid choices.

Responsibility

So who has the accountability, responsibility, means and authority for attribution and subsequent actions, effects and fires?

Clearly, the government, as the national guarantor of Peace, Order and Good Government (POGG), has a mandate to address threats to national security and prosperity, and a role in protecting citizens by identifying and prosecuting actors through law enforcement, active cyber defence or conducting military-style persistent engagement.

Notwithstanding, the intelligence and security industry, service providers and platform owner-operators of cyber space are in unique position to detect malicious activity at scale, identify bad actors and take quick and effective action. Commercial intelligence services can hunt and pursue actors anywhere on the planet.

Commercial Intel advantage

The private sector owns global cyber and financial networks, and has unprecedented visibility on to the data. Industry can often connect the dots for the purposes of attribution quite effectively. It is also easy for industry to cooperate across industrial partners and form new ones, cultivate sources and provide data proximity-at-scale, share sensitive intelligence at the speed-of-cyber, and agree to take collective action. It should be no surprise that plenty of cyber attribution is done by industry.

The challenge is that there is not a huge market for attribution services. Most victims just want to move on from the problem, not press charges or investigate further. To feel this gap, we have seen remarkable collaboration between US intelligence agencies and industry for both precise attribution and decisive action.

Cyber Defence Futures

The most exciting work on cyber attribution in Canada appears to be coming out of the Department of National Defence’s Innovation for Defence Excellence and Security (IDEaS) program. The program is developing and deploying innovative approaches that access, interpret, and compare evidence using technical and all-source intelligence to attribute advanced persistent threats in defence of Canada.

Conclusion

Cyber defence is a team sport. Response actions and offensive operations, particularly involving attribution and targeting of nation-state actors, will require equitable partnerships with industry and the development of a Canadian sovereign capability. Attribution relies on foreign intelligence collaboration. As is playing out in Ukraine, the implications of attribution, deterrence, persistent engagement and de-escalation will require renewed attention given rapid evolution of the threat and warfare in cyber space and the cognitive domain.

Back to blog