
Cybersecurity Basics #9 - Attack Attribution

Who did it? It's a powerful question and the answer to "What is attack attribution?"


Reasonably Accurate Transcript

Morning everybody. How are you doing today? Another episode of Mornings with Mark. Thanks again for joining today and every day; it is very much appreciated. We are gonna continue along with the cybersecurity basics theme. Today we're tackling attack attribution.

Now I am probably going to be face-palming the vast majority of this episode because this is a frustrating point. This is a pet peeve. I hope that I can shed some light on the subject for you all. Attack attribution, simply put, is figuring out who is behind a specific cyber attack.

So attack A happens. It was person or entity B. Totally easy, super easy term to define. We're done. Have a great day. Of course, it's more complicated than that. The desire, the sort of very human nature to find out who, drives the story.

So anytime there's a cyber attack, people are always wondering who it is, and that's totally natural. I'm not trying to dissuade people from figuring that out. The challenge is that it's extremely difficult to make a strong attribution with a high level of confidence.

You're going to see a variety of statements in the media. I myself do a lot of media work, so I deal with this question all the time. And in fact, I don't normally call this out, but my background is as a forensic scientist. I've done a number of investigations, a number of years doing investigations.

I've dealt with this question at a legal level, at a public sentiment level, and just at a useful, you know, defensive level. So the challenge here is how do you say that it was Mark sitting behind the keyboard that launched a specific cyber attack?

And the answer is it's really hard to do that. You can normally find little pieces of evidence. The way I normally use a couple of analogies to relate this is that when you're dealing with a cyber attack, there's a whole bunch of pieces strewn across the internet that you need to pull together to assemble the puzzle.

The goal is, sort of, you know, to get as much information as you can and to sift through it in order to get these pieces of a puzzle. And you can normally find different properties or attributes of an attack that will point to an entity, but you won't be able to tie that to people unless they make a massive mistake.

And even then it's really hard to figure out whether there's a false lead or not. I'll walk you through this with a real world example because I think it's easier. So let's use WannaCry.

WannaCry was a massive malware outbreak in 2017, in the spring, where it shut down systems around the world, especially in Europe, and it purported to be ransomware. It just wasn't really effective at it.

There's a lot of debate as to who was behind it. So here you've got malware that's infecting a bunch of systems. So one of the attribution phases is collecting this malware and making sure that, you know, each infection is in fact from the same strain of malware or that these strains are related.

So you find, you know, system A. OK, you get the malware off of it and you look at it and go, OK, here's what it looks like. You pull it off system B and you go, oh, it's the same thing.

System C, oh, it's the same thing. System D, it's not the same thing, but it's close enough that it might be related. It might be just a mutation or an extra change. So we're going to say that all four of these systems, A through D, were attacked by the same campaign or the same entity.

Now, you start to look for attributes, as far as, OK, it talks back to a certain server on the back end to get the ransom key and to update that back end system to let the criminal know. OK?

What do we know about that back end system? There's a little bit of pieces here and there. We know this IP has been used in different attacks before; we know that this IP also attacked system E. OK. Well, now we've got more pieces of the puzzle, but at no point does that relate to Mark behind a keyboard typing and attacking people.

For that, you need the information on the server, or you need a confession from me, or you need something else. The point is, even with a deep dive investigation into an attack, from your perspective as a victim, it's really hard to figure out the entity behind it, let alone who's behind that entity.

And that's why attack attribution, A, isn't that useful for most people unless you're in law enforcement or nation state politics. Figuring out who attacked you isn't that useful. Figuring out the category of attacker is extremely useful.

So being able to attribute the attack to a specific category: is this just sort of a script kiddie, a random drive-by? It wasn't intentional, it's not directly related to a revenue generating stream. OK, I can set up automated defenses.

Is this sort of a mainstream cyber criminal, or somebody trying to make money off of me and I'm just an unintended victim because they're just launching and scanning the internet for vulnerable systems? Or is this a targeted attack,

where somebody picked out me, and are they coming after me? Those three categories are really all you need to know from an attribution perspective. And I'm sure it's interesting who attacks, the cyber criminals behind it, and there's a lot of work going on from security companies like Trend Micro, where I work, with law enforcement, with nations, you know, with governments, trying to figure out who these cyber criminals are.

But for day to day it's really not that useful, and of course, you know, it doesn't help that Hollywood is all about the who. When you see TV shows, when you see movies, they are trying to figure out who, and they make it ridiculously easy.

It's extremely hard to figure out who's behind an attack. Attack attribution is exactly that. Far more effective is figuring out the category of attacker; that will actually help you take steps to protect yourself. And that's really what this is all about.

What do you think? Let me know, hit me up online at marknca, for those of you on the blogs in the comments down below, and as always by email me@markn.ca for everybody, including the podcast listeners.

Hope you're set up for a fantastic day. I will talk to you online and I will see you on the show tomorrow.
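As an added example, not part of the episode, here is the investigation step described above in code: infections A through D are grouped by sample similarity (D as the "close enough" mutation), then the group is pivoted on its back-end server to surface system E and earlier sightings. All systems, feature sets, IP addresses and prior sightings are constructed, and the Jaccard score stands in for real fuzzy hashing.

```python
# Added example; all systems, feature sets, IPs and sightings are constructed.
# Per infected system: features pulled from its malware sample (stand-ins for
# strings, imports, etc.) and the back-end server the sample talked to.
INFECTIONS = {
    "A": {"features": {"enc_rsa", "smb_spread", "note_v1", "kill_sw"}, "c2": "203.0.113.10"},
    "B": {"features": {"enc_rsa", "smb_spread", "note_v1", "kill_sw"}, "c2": "203.0.113.10"},
    "C": {"features": {"enc_rsa", "smb_spread", "note_v1", "kill_sw"}, "c2": "203.0.113.10"},
    # D is a mutation: mostly the same code, one changed component.
    "D": {"features": {"enc_rsa", "smb_spread", "note_v2", "kill_sw"}, "c2": "203.0.113.10"},
    # E runs unrelated malware but reports to the same server.
    "E": {"features": {"keylog", "browser_steal"}, "c2": "203.0.113.10"},
    # F is noise: different code, different server.
    "F": {"features": {"coinminer", "ssh_brute"}, "c2": "198.51.100.7"},
}
# Constructed threat intel: servers seen in earlier attacks.
PRIOR_SIGHTINGS = {"203.0.113.10": ["campaign-2016-03"]}

def jaccard(a, b):
    """Set overlap in [0, 1]; a crude stand-in for fuzzy-hash similarity."""
    return len(a & b) / len(a | b) if a | b else 0.0

def cluster_by_sample(infections, threshold=0.5):
    """Greedy single linkage: a system joins the first cluster holding a sample
    at least `threshold` similar to its own. The mutated variant D lands with
    A-C; unrelated samples (E, F) form their own clusters."""
    clusters = []
    for name, info in infections.items():
        for cluster in clusters:
            if any(jaccard(info["features"], infections[m]["features"]) >= threshold
                   for m in cluster):
                cluster.append(name)
                break
        else:
            clusters.append([name])
    return clusters

def pivot_on_infrastructure(clusters, infections, prior):
    """For each cluster, gather its back-end servers, then list other systems
    and earlier campaigns tied to those servers. These are more puzzle pieces,
    still at the campaign/entity level: nothing here names a person."""
    report = []
    for cluster in clusters:
        servers = {infections[m]["c2"] for m in cluster}
        others = sorted(n for n, i in infections.items()
                        if i["c2"] in servers and n not in cluster)
        history = sorted(c for s in sorted(servers) for c in prior.get(s, []))
        report.append({"members": cluster, "servers": sorted(servers),
                       "other_systems_on_same_servers": others,
                       "prior_campaigns": history})
    return report
```

Running `pivot_on_infrastructure(cluster_by_sample(INFECTIONS), INFECTIONS, PRIOR_SIGHTINGS)` yields one campaign entry for A-D whose server also links to E and to a prior campaign, while F stays an isolated, unrelated infection.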
