Investigators have struggled to prove attribution for years, forcing them to consider taking a new approach to investigations.
The alleged hacking of the recent US election put a spotlight on an important but often misunderstood element of cybersecurity—attribution. While government sources have not released information about how the alleged attacks were tied to the Russian government, the fact remains that definitive attribution is a tremendously difficult thing to achieve.
It is easy to take for granted that a person is behind the digital evidence created by computers or mobile devices. However, it takes a considerable amount of work to tie digital events to the actions of a specific person beyond reasonable doubt. This is because the evidence used to locate a malicious actor’s point of origin, such as IP addresses and the language or character set of the strings found in malware, is relatively easy to manipulate (commonly referred to as spoofing). As a result, investigators have struggled to prove attribution for years, forcing them to consider taking a new approach to investigations.
Tying up loose ends
Spoofing is comparable to framing someone else for a murder. You steal a couple of their possessions, ideally some cigarette butts or some hair from a brush, plant their DNA at the crime scene, and ensure nothing of yours is there to contradict the “evidence” you’ve left to throw the police off your trail. Similarly, attackers can forge certificates, spoof IP addresses, seed their malware with strings in someone else’s language, or route their traffic through jump boxes (intermediary hosts under their control, often compromised machines belonging to an unrelated third party) so that the address investigators recover points at the intermediary rather than at the attacker.
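To make the spoofing point concrete, here is an added example that is not from the original article: forged email Received headers, one of the most common places an investigator meets a “source IP” that the sender chose. The relay names, IP addresses and header text are constructed for the example, and the set of relays treated as ours is an assumption. The logic is the one a mail-header reviewer applies by hand: only hops written by infrastructure we operate are evidence; every line beneath the first untrusted hop is the sender’s claim.

```python
import re
from typing import Dict, List, Set, Tuple

# Relays we operate ourselves (assumed names for this example). Only a
# Received: line written *by* one of these hosts is something we can vouch for.
TRUSTED_RELAYS: Set[str] = {"mail.example.com", "mx2.example.com"}

# Constructed raw header block. Reading top-down, the first two Received: lines
# were added by our relays. The bottom two were already present when the
# message arrived: the sender wrote them to make the mail look as if it had
# originated from 192.0.2.99 via relay.example.org.
RAW_HEADERS = """\
Received: from mx2.example.com (mx2.example.com [203.0.113.20])
\tby mail.example.com with ESMTP id abc123; Mon, 9 Jan 2017 10:00:03 +0000
Received: from vps-host.invalid (vps-host.invalid [198.51.100.7])
\tby mx2.example.com with ESMTP; Mon, 9 Jan 2017 10:00:02 +0000
Received: from relay.example.org ([192.0.2.55])
\tby vps-host.invalid with ESMTP; Mon, 9 Jan 2017 09:59:00 +0000
Received: from workstation.example.net ([192.0.2.99])
\tby relay.example.org with SMTP; Mon, 9 Jan 2017 09:58:00 +0000
From: someone@example.org
Subject: constructed sample
"""

Hop = Dict[str, str]


def unfold_headers(raw: str) -> List[str]:
    """Join RFC 5322 continuation lines (leading whitespace) onto their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(header: str) -> Hop:
    """Pull the claimed sending host, its bracketed IP and the receiving host."""
    body = header.split(":", 1)[1]
    frm = re.search(r"\bfrom\s+(\S+)", body)
    by = re.search(r"\bby\s+(\S+)", body)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", body)
    return {
        "from": frm.group(1) if frm else "",
        "by": by.group(1).lower() if by else "",
        "ip": ip.group(1) if ip else "",
    }


def split_chain(raw: str, trusted: Set[str]) -> Tuple[List[Hop], List[Hop]]:
    """Walk Received: lines newest-first and stop trusting at the first hop that
    was not written by one of our own relays. Everything below that line was
    under the sender's control and is a claim, not evidence."""
    hops = [parse_received(h) for h in unfold_headers(raw)
            if h.lower().startswith("received:")]
    trusted_hops: List[Hop] = []
    claimed_hops: List[Hop] = []
    for hop in hops:
        if not claimed_hops and hop["by"] in trusted:
            trusted_hops.append(hop)
        else:
            claimed_hops.append(hop)
    return trusted_hops, claimed_hops


def last_verifiable_ip(raw: str, trusted: Set[str]) -> str:
    """The IP our own relay saw connecting: the furthest point the headers can
    carry attribution evidence, which is not the message's true origin."""
    trusted_hops, _ = split_chain(raw, trusted)
    return trusted_hops[-1]["ip"] if trusted_hops else ""


if __name__ == "__main__":
    verified, claimed = split_chain(RAW_HEADERS, TRUSTED_RELAYS)
    print("connecting IP we can vouch for:", last_verifiable_ip(RAW_HEADERS, TRUSTED_RELAYS))
    print("sender-controlled claims:", [h["ip"] for h in claimed])
```

Run stand-alone, the script reports 198.51.100.7 as the only address we can vouch for and lists 192.0.2.55 and 192.0.2.99 as unverifiable claims. Even the verifiable address is just the host that connected to our relay, which in the jump-box scenario above is the intermediary, not the person behind it.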
While President Obama’s administration could very well have had compelling evidence to point to Russia as the culprit, it could have been mistaken about the source of the hack, or it could be following a political agenda devoid of technical evidence. Whatever the reason for its allegations, we can learn a lot from this simply by examining the situation from afar and applying some much-needed common sense to the scenario.
Within the realm of cybersecurity and investigations, this is the classic example of context, evidence, and intelligence. Without reliable context, a corpus of evidence is meaningless: an IP address or a malware sample says nothing about who was behind it until intelligence ties it to an actor. The ethics and effectiveness of retaliation and legal action against malicious actors aside, you want to be certain of your facts before you take any steps in response to something this important.
A new way of looking at investigations
Any cybercrime investigation—whether related to an insider threat, fraud, counter terrorism, espionage, email harassment or computer policy misuse—involves one or more actual people in conjunction with data from the electronic devices they use. Each person represents a huge intelligence source, which investigators often ignore due to lack of time or resources, or to lack of a suitable solution to harness and use this intelligence. You can overcome this challenge by framing investigations differently and focusing on four key areas, referred to as POLE:
- People: Including suspects, victims, associates, colleagues, employers, family members and role models
- Objects: Ranging from electronic devices—PCs, mobile devices, USB drives—and email addresses, to social media handles, mobile numbers, tickets and even weapons
- Locations: Home addresses, public buildings, landmarks, travel origins and destinations, and place of employment
- Events: Transmission of data, email, DoS (Denial of Service), physical meetings with other people, crimes committed, arrests and destruction of data
POLE relationships are a catalyst in almost every investigation and therefore form the basis of a comprehensive and robust intelligence framework that works in almost any situation. Every event, every object, every person and every location has the potential to be a valuable source of intelligence. For example, an employee’s social media accounts might allow investigators to identify events of relevance they would have previously been blind to. Consider a financial analyst who leaves his former job abruptly and immediately posts details about a new position with a different company on social media. It’s vital to have a system in place to not only identify all of these different activities, but also to tie them together in a meaningful way.
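The following is an added example, not part of the original article, of what a POLE link graph looks like in code. It holds a handful of constructed People, Object, Location and Event records around a hypothetical data-exfiltration event, searches for every person connected to the event within a few hops, ranks them by how many distinct routes tie them in, and flags objects (here an IP address and a shared laptop) that sit on routes to more than one person and therefore cannot attribute the event on their own. Every identifier, relationship and person in it is invented.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# A POLE node is (kind, identifier) with kind in {"P", "O", "L", "E"}.
Node = Tuple[str, str]
Route = List[Tuple[str, Node]]            # [(relationship label, next node), ...]
Graph = Dict[Node, List[Tuple[str, Node]]]

# Constructed records for a hypothetical exfiltration event. None are real.
# Note that two people are attached to the laptop that held the source IP.
RELATIONS: List[Tuple[Node, str, Node]] = [
    (("E", "exfil-2017-01-09"), "sent_from", ("O", "ip:10.0.0.23")),
    (("O", "ip:10.0.0.23"), "dhcp_lease", ("O", "laptop:LT-0412")),
    (("O", "laptop:LT-0412"), "issued_to", ("P", "analyst A")),
    (("O", "laptop:LT-0412"), "logged_in", ("P", "contractor B")),
    (("E", "exfil-2017-01-09"), "occurred_at", ("L", "HQ floor 3")),
    (("P", "analyst A"), "badged_into", ("L", "HQ floor 3")),
    (("P", "contractor B"), "badged_into", ("L", "remote office")),
    (("P", "analyst A"), "posted", ("E", "new-job-announcement")),
    (("E", "new-job-announcement"), "via", ("O", "social:@analystA")),
]


def build_graph(relations: List[Tuple[Node, str, Node]]) -> Graph:
    """Undirected adjacency list: every relationship can be walked both ways."""
    graph: Graph = defaultdict(list)
    for a, label, b in relations:
        graph[a].append((label, b))
        graph[b].append((label, a))
    return graph


def link_paths(graph: Graph, start: Node, target_kind: str,
               max_hops: int) -> Dict[Node, List[Route]]:
    """Enumerate every simple path of at most max_hops from start to any node
    of target_kind. Returns {target node: [route, ...]}."""
    found: Dict[Node, List[Route]] = defaultdict(list)

    def dfs(node: Node, route: Route, visited: Set[Node]) -> None:
        if len(route) >= max_hops:
            return
        for label, nxt in graph.get(node, []):
            if nxt in visited:
                continue
            extended = route + [(label, nxt)]
            if nxt[0] == target_kind:
                found[nxt].append(extended)
            dfs(nxt, extended, visited | {nxt})

    dfs(start, [], {start})
    return dict(found)


def rank_candidates(found: Dict[Node, List[Route]]) -> List[Tuple[Node, int]]:
    """People ordered by how many distinct routes tie them to the event."""
    return sorted(((p, len(r)) for p, r in found.items()),
                  key=lambda item: (-item[1], item[0]))


def ambiguous_objects(found: Dict[Node, List[Route]]) -> Set[Node]:
    """Objects that sit on a route to more than one person. An indicator like
    this (a shared IP or device) cannot attribute the event by itself."""
    holders: Dict[Node, Set[Node]] = defaultdict(set)
    for person, routes in found.items():
        for route in routes:
            for _, node in route:
                if node[0] == "O":
                    holders[node].add(person)
    return {obj for obj, people in holders.items() if len(people) > 1}


def describe(route: Route, start: Node) -> str:
    """Render a route as 'E:exfil-... -sent_from-> O:ip:... -> ...'."""
    text = f"{start[0]}:{start[1]}"
    for label, node in route:
        text += f" -{label}-> {node[0]}:{node[1]}"
    return text


if __name__ == "__main__":
    event: Node = ("E", "exfil-2017-01-09")
    graph = build_graph(RELATIONS)
    found = link_paths(graph, event, "P", max_hops=3)
    for person, count in rank_candidates(found):
        print(f"{person[1]}: {count} route(s)")
        for route in found[person]:
            print("   ", describe(route, event))
    print("objects shared between candidates:", sorted(ambiguous_objects(found)))
```

Run as a script, it shows analyst A reached by two routes (through the IP and laptop, and independently through the badge record for the floor where the event occurred) and contractor B by one, while reporting that the IP address and the laptop are shared between both candidates. That is the behaviour the text asks for: the device evidence alone leaves two hypotheses open, and it is the location and event relationships that separate them.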
Using context and intelligence when pointing fingers
Because few systems can rebuild networks of relationships, investigators can find it difficult to link data together: it is often held on paper, stored electronically on isolated systems, or simply unsearchable. What’s more, for years investigators have been fighting a rising tide of information overload. They need a different approach to close the widening gap between the data they are asked to handle and their capacity to do so.
Fortunately, new technologies are enabling analyst teams to grow in capability and sophistication, so that they can identify relationships across POLE elements in greater detail than ever before. This means they can now treat context and intelligence as their new best friends. They can seek connections where they would logically expect them, without overlooking the signs that might invalidate their initial hypothesis, and take the utmost care before pointing fingers. In other words, by properly considering context and intelligence, they can formulate theories based on an unbiased analysis of the evidence.
Investigators’ decisions and recommendations can produce a real impact on real people. They should therefore make use of all of the information at hand to build an informed, intelligent and accurate hypothesis that cannot be reasonably disproven. Then (and only then) they will be in a position to attribute cybercrimes to their perpetrators.