Attribution is widely regarded in information security circles as being an impossible task, or as some companies would say: "China". The talk around attribution is particularly frustrating because the conversations always end with "attribution is hard" and nothing of value being carried forward. I want to talk about my view of attribution and its usefulness as a byproduct of prevention.
In order to contextualize my view of attribution I need to start from the bottom. I believe that people matter and that preventing harm is the most important job we have as human beings. When preventing harm becomes your goal then all the systems you interact with change considerably. Namely, the justice system.
The justice system is designed to punish people, not protect people. Criminal cases are The State/The Crown v. Defendant. Victims are treated as witnesses to a crime, nothing more. The justice system does nothing to prevent crime and neither do laws. This problem is exacerbated when crimes can be committed remotely from beyond jurisdictional lines. Attribution seems useless if you rely on that information only for prosecution or seeking 'justice'.
A concept in serial cases is that if there are enough similarities between cases, and details present that were never publicized, then one can say that the series of crimes was committed by the same entity. This is just a matter of finding patterns in past crimes. This is the kind of attribution that I am focusing on.
APT: Attributing Pterodactyl, The
Attribution is a tool. Attribution is our ability to say that one entity was responsible for a series of actions. Currently, attribution seems laser focused on the dreaded Advanced Persistent Threat (APT). This limits the usefulness of attribution as a concept because it makes attribution out to be a purely political act.
There are more criminals in the world than Advanced Persistent Threat groups. The information security community loves to remind users and businesses that they should not worry about APTs, and that they should be more worried about regular criminals. So, it is odd that discussions about attribution always seem to end up being about national politics.
Divorcing attribution from both national politics and the pursuit of 'justice' leaves us with an odd beast. We want to consolidate data from multiple criminal campaigns and then use that to prevent harm. We have to understand a little about criminal logistics before we know what data is useful to us.
Crime pays. You're just bad at it.
Since we are not focusing on APTs then we can make an assumption about criminals. Criminals want money. The goal of criminal actions is to generate revenue, so the output of any criminal campaign is going to be money in one form or another. Established criminals understand that the flow of money can be traced and have built entire enterprises on disrupting that.
The ’Ndrangheta was so successful at laundering money that other criminals—from China, Nigeria, Russia, and elsewhere—paid the organization to do it on their behalf, providing huge sums to manage.
I find criminal logistics around money to be fascinating. Important to us is that money is also used at the start of a criminal campaign. Cyber criminals often use compromised web servers to host their phishing or malware campaigns. Compromising web servers can be done for free and it is relatively easy to hide from there.
So, where do cyber criminals spend money?
It isn't DNS. It was DNS. It's always DNS.
If you are running a phishing campaign then you need a convincing domain name. If you are running a malware campaign then you need to be able to direct your droppers to your latest compromised server. Domain names are the one piece of infrastructure that every criminal campaign is going to need.
Good operational security would dictate that every domain name be registered with new contact information and paid for through new fronts. Criminals are not good at operational security. Operational security, like all security, is a matter of diligence. Every company accepts risks in favor of profits and criminals have to do the same. With the constant pressure of detection and prevention by defenders, operational security naturally becomes an afterthought.
This means criminals will use the same information to start multiple campaigns, sometimes relying on the same fronts for payment. Domain registrars keep the contact information you give them even if they offer whois protection. Whois protection is a service wherein the registrar submits their own contact information to whois databases upon registering your domain.
This is important because if you can show that a domain registrant has broken the registrar's terms of service, the registrar will hand over the contact information. This gives you the ability to create links between criminal campaigns.
Prevention in Abstract
Nothing I have said here is new information to experienced professionals. Domain names are a known indicator of compromise (IoC) and whois databases are treasure troves of information. I am going to specifically talk about preventing harm.
Analyzing content is hard, but analyzing metadata is easy. Analyzing content typically requires human intervention which makes it slow. Analyzing metadata, like domain names, can largely be made automated and makes the process much faster.
A machine learning system trained to flag domains potentially being used in criminal campaigns could be very effective for reducing response times. As with most methods of detection, the key is finding a balance point between false positives and false negatives. This system would alert analysts to newly registered domains that match patterns of previous criminal campaigns. Analysts can then follow up on alerts, and if a domain turns out to be malicious, the analyst's company can contact the domain registrar to sinkhole the domain and stop the campaign.
There is a relatively small window between prevention and reaction here. With a well-tuned machine learning system monitoring domains as they are registered it is possible to operate entirely within 'prevention'. Once the threat of harm has been neutralized the resulting data can be analyzed, used for attribution, and fed back into the machine learning system.
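As an added example (not code from the original post), here is a Python sketch of the loop described in this section and in the whois discussion above: registration metadata from previously attributed campaigns is indexed, each new registration is scored on registrant data it shares with a known campaign (the attribution link) and on whether it imitates a protected brand, and only registrations over a threshold reach an analyst. All records, field names and weights are constructed assumptions; the weak weight on a shared nameserver is there to show why commodity infrastructure alone should not trigger an alert.

```python
from collections import defaultdict, namedtuple

# One whois-style registration record; campaign is None for a registration not yet attributed.
Reg = namedtuple("Reg", "domain email nameserver campaign")
# Constructed records (not real registrations) for domains confirmed in two past campaigns.
KNOWN_BAD = [
    Reg("paypa1-verify.example", "ops1@mail.example", "ns1.cheaphost.example", "C1"),
    Reg("secure-examplebank.example", "ops1@mail.example", "ns1.cheaphost.example", "C1"),
    Reg("micros0ft-update.example", "drop@mail.example", "ns9.bulkdns.example", "C2"),
]
# A reused registrant e-mail is a strong link between campaigns; a shared nameserver
# is weak, because commodity DNS hosts serve plenty of benign domains as well.
PIVOT_WEIGHTS = {"email": 1.0, "nameserver": 0.3}  # assumed weights, not measured values
BRANDS = ["paypal", "examplebank", "microsoft"]  # names the defender protects

def build_index(records):
    """Map (field, value) -> campaign ids so new registrations can be pivoted on them."""
    index = defaultdict(set)
    for rec in records:
        for field in PIVOT_WEIGHTS:
            index[(field, getattr(rec, field))].add(rec.campaign)
    return index

def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squats of the protected brands."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(domain, brands, max_dist=2):
    """Return the brand that a label of the domain imitates (within max_dist edits), else None."""
    for label in domain.split(".")[0].split("-"):
        for brand in brands:
            if edit_distance(label, brand) <= max_dist:
                return brand
    return None

def score_registration(rec, index, brands=BRANDS, threshold=1.0):
    """Score one new registration against past campaigns; return an alert dict or None."""
    score, links = 0.0, {}
    for field, weight in PIVOT_WEIGHTS.items():
        hits = index.get((field, getattr(rec, field)))
        if hits:  # metadata shared with a known campaign: this is the attribution link
            score += weight
            links[field] = sorted(hits)
    brand = lookalike(rec.domain, brands)
    score += 0.8 if brand else 0.0
    if score < threshold:
        return None  # a weak link alone (e.g. only a shared nameserver) does not page an analyst
    return {"domain": rec.domain, "score": round(score, 2), "linked_campaigns": links, "imitates": brand}
```

Each alert carries the campaign ids it was linked through, so a confirmed alert both stops the domain and extends the attribution record that is fed back into the index.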
Machines Learn Weaknesses Too
On the list of things that I am not, a machine learning expert ranks highly. I recognize that machine learning models have significant weaknesses. My understanding is that many of these weaknesses are a byproduct of trusting the model to make decisions autonomously and with little oversight. If the data used to train the system is controlled and only verified data is fed back into the model, I believe that this system can be trustworthy and resistant to manipulation.
Attribution: A Byproduct of Prevention
If prevention is the primary goal, then attribution will follow. The information required to prevent malicious activity can also be used to bring the people behind it to 'justice'. All of the data used to train the machine learning model can be sold as a product to trusted parties, because even in the pursuit of a safer world we cannot escape capitalism. Despite my lack of trust in law enforcement this data would be of particular value to them, and I see very little potential for them to abuse it due to the specific nature of the data.
Support the Author
NotAwful is studying networking and information security. You can support their content and studies monthly via Patreon (USD), or directly via PayPal. If you found this post useful, feel free to leave a tip.
@SarahJamieLewis on analyzing metadata, https://twitter.com/SarahJamieLewis/status/900855142232322050
@SarahJamieLewis's thread on taking advantage of machine learning models, https://twitter.com/SarahJamieLewis/status/966161036444286976