How Experts Determine the Source of a Cyber Attack

So much is in the popular news these days about cyber attack attribution. And so little is in the news about how this task is actually performed. My guess is that ten out of ten Americans could barely begin to explain how our country would go about determining the source and origin of a cyber attack. Maybe they would guess that it is done using Twitter.

Well, as an expert in this area, I’d like to provide a brief non-technical summary of exactly how this process is performed at the national level. I first wrote about this in a textbook I published back in 1999 with the ominous title: “Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Traceback, Traps, and Response.” Below is a summary of what I wrote then – and my belief is that these nine methods are still representative of how advanced cyber attribution is performed today:

Method 1: Embedded Insiders. Nation states plant spies in the cyber operations of their adversaries. Over long periods of time, these individuals earn local trust, and the value of their intelligence increases accordingly. CISOs try to manage this risk through least-privilege insider protection programs that segregate duties, so that no single trusted person can see or do everything.

Method 2: Human Intelligence. Motivated snitches are usually available to help explain the origin of cyber offensive activity. Most Americans are familiar with this snitching phenomenon in the hacking community. By way of analogy: Who better than you to snitch on that annoying cousin who brags about cheating on his taxes?

Method 3: Signals Intelligence. When communication signals are intercepted and processed, the potential exists that detailed conversations will reference a specific cyber attack, including attribution, details, and other useful information. This familiar approach has been used by law enforcement for many decades to catch criminals.

Method 4: Network Monitoring. Using collected network metadata, cyber analysts can try to piece together traffic activity, network probes, and other information to trace hacks from their target back to the original source. This is not an easy task, because the "protocol language" of the Internet makes it so easy to lie about one's identity: the source address in an IP packet is written by the sender and is not authenticated, so a single spoofed probe proves nothing, and attackers routinely hop through intermediate compromised machines so that the last observed hop is not the origin.
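The traceback idea in Method 4 is easier to see in code. The following is an added example, not from the original book or this article, and all of the flow records, host addresses and sensor names in it are constructed for illustration. It walks a chain of "stepping-stone" sessions from the target back toward the origin by looking for inbound sessions at each hop that were open for the whole time the downstream session was, and it separately flags any path that rests on a connection where no TCP handshake was seen, since such a record can carry a forged source address:

```python
"""Stepping-stone traceback over constructed flow records (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    sensor: str        # monitoring point that recorded the flow (assumed name)
    src: str           # claimed source address
    dst: str
    start: float       # seconds since epoch
    end: float
    established: bool  # True only if a complete TCP handshake was observed


# Constructed sample: attacker 198.51.100.7 -> hop 10.1.0.5 -> hop 10.2.0.8 -> target 10.9.0.2,
# plus one SYN-only probe against the target that claims to come from 203.0.113.9.
FLOWS = [
    Flow("edge", "198.51.100.7", "10.1.0.5", 1000.0, 1900.0, True),
    Flow("dmz",  "10.1.0.5",     "10.2.0.8", 1030.0, 1890.0, True),
    Flow("core", "10.2.0.8",     "10.9.0.2", 1060.0, 1880.0, True),
    Flow("core", "203.0.113.9",  "10.9.0.2", 1500.0, 1500.1, False),
    Flow("dmz",  "10.3.0.4",     "10.2.0.8", 2000.0, 2100.0, True),  # unrelated later session
]


def overlaps(upstream: Flow, downstream: Flow, slack: float = 60.0) -> bool:
    """An upstream session can only have carried the downstream one if it was
    already open when the downstream session began and stayed open (within
    `slack` seconds) until it ended."""
    return upstream.start <= downstream.start and upstream.end + slack >= downstream.end


def trace_back(flows, downstream: Flow, seen=frozenset()):
    """Extend the chain ending in `downstream` one hop upstream.
    Returns a list of chains; each chain is a list of Flows ordered origin-first.
    The chain stops where sensor coverage stops, so its first hop is only the
    origin as far as our visibility reaches, not proof of who is behind it."""
    host = downstream.src
    candidates = [f for f in flows
                  if f.dst == host and f.src not in seen and overlaps(f, downstream)]
    if not candidates:
        return [[downstream]]
    chains = []
    for f in candidates:
        for chain in trace_back(flows, f, seen | {host}):
            chains.append(chain + [downstream])
    return chains


def attribute(flows, target: str):
    """Produce candidate attack paths into `target` with a reliability flag."""
    results = []
    for f in flows:
        if f.dst != target:
            continue
        for chain in trace_back(flows, f, frozenset({target})):
            results.append({
                "origin": chain[0].src,
                "path": [hop.src for hop in chain] + [target],
                "sensors": [hop.sensor for hop in chain],
                # A hop without a completed handshake may carry a spoofed
                # source, so the whole path is reported but not trusted.
                "verified": all(hop.established for hop in chain),
            })
    return results


if __name__ == "__main__":
    for r in attribute(FLOWS, "10.9.0.2"):
        status = "verified" if r["verified"] else "UNVERIFIED (spoofable source)"
        print(" -> ".join(r["path"]), "|", status, "| seen by", ", ".join(r["sensors"]))
```

Run against the constructed records, the script reports one fully corroborated three-hop chain back to 198.51.100.7 and one single-packet probe whose claimed source could not be corroborated at any sensor. In practice the overlap window, the handling of encrypted or NAT-rewritten hops, and the reach of your sensors are what make this hard; the code only shows the shape of the reasoning.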

Method 5: Attack Forensics. This process involves hacker-types reverse-engineering malware and reading code for the toolmarks that reveal methods and sources: reused code, build and compiler artifacts, language settings, and the infrastructure the code is configured to reach. All identified clues must be viewed with great suspicion, because a capable adversary will try to plant false evidence that points at someone else. Nevertheless, forensic analysis yields excellent insights into skill levels and techniques.

Method 6: Traps and Traces. Good defenses include trickery aimed at identifying the source of an attack. This can include fake content, honeypots, and other lures that an adversary has to touch to obtain, which might create sufficient confusion, or leave a sufficiently clear trail, to help expose the adversary's identity. Deception has always been a staple in traditional warfare, and it continues to play a role today.

Method 7: Offensive Discovery. This involves breaking into, or observing, your adversary’s apple cart to see if any of your apples might be in there. If they are, then this provides strong evidence that your adversary has been up to no good. The image of JFK carefully inspecting collected surveillance of Cuba in October, 1962 comes to mind.

Method 8: Basic Investigatory Methods. Even in cyber security, investigators look for motives, purposes, and outcomes of a given crime. And just like on Columbo, this information must be thoroughly examined in the context of the facts. An entirely new field known as cyber hunting is currently organizing around this technique.

Method 9: Partner Sharing. While one nation state is doing all of the above methods for advanced cyber attribution, their allies are almost certainly doing the same sort of thing. And in most cases, the resulting intelligence can be shared to increase the odds that good conclusions are being drawn.

The bottom line is that cyber attack attribution has developed into a reasonably accurate and repeatable science that provides excellent intelligence for decision-makers. I would also say that the cyber operations professionals in government and industry who are engaged in this activity at the national level are significantly better trained and have more powerful tools than would have been found when I first started doing this sort of work two decades ago.

So I hope that you will conclude, as I have long ago, that when the senior leadership of our country scoffs at such professionally derived cyber intelligence, they do so at their own serious peril.

And perhaps ours as well.