Interviews

Attribution in cyber investigations

by Mark Rowe

Chris Pogue, pictured, Chief Information Security Officer at product company Nuix, discusses how to determine attribution in cybersecurity investigations.

An important outcome for any digital forensic and incident response case is to try – wherever possible – to accurately associate activity on computer devices to an actual person. It is easy to take for granted that someone is behind the digital evidence created by computers or mobile devices. However, it takes a considerable amount of work to tie digital events to the actions of a specific person beyond the shadow of a doubt.

The importance of attribution recently came to light during the US election, when President Obama’s reaction to alleged Russian hacking captured the media’s interest and the attention of many within the security industry. We don’t have any inside information about how the supposed hacks were attributed to Russia, but any experienced investigator will tell you that definitive attribution (whose fingers were on the keyboard at the other end of the attack) is a tremendously difficult thing. This is mainly due to the fact that the evidence used to attribute a malicious actor’s origination point—things like IP addresses and the types of characters used in malware—is relatively easy to manipulate (commonly referred to as spoofing).
Proving ties to cybercrimes beyond all reasonable doubt is a challenge that forensic investigators have struggled with for years now. It’s time to revisit the traditional approach to investigations.

Framing 101

Think of spoofing as being very similar to framing someone else for a murder. You get your hands on a couple of their possessions—a couple of cigarette butts, or some hair from a brush—and plant their DNA at the crime scene, while ensuring none of yours is left behind. In a similar fashion, hackers can easily falsify security certificates, spoof IP addresses, or even use jump boxes—computers on a separate network, typically with no intrinsic value—to keep investigators off their trail.
While President Obama’s administration could very well have had compelling evidence to point to Russia as the culprit, it could have been mistaken about the source of the hack, or it could have been following a political agenda devoid of technical evidence. Whatever the reason for its allegations, we can learn a lot by examining the situation from afar and applying some much-needed common sense to the scenario.

Within the investigative cybersecurity sphere, this is a classic example of context, evidence, and intelligence. Without reliable information to back up evidence, it becomes devoid of context. The ethics and effectiveness of retaliation and legal action against malicious actors aside, you want to be certain of your facts before you take any steps in response to something this important. It is the mantra of every investigator everywhere – follow the evidence.

POLE: Taking a four-dimensional view

Take any one of these scenarios: an insider threat, fraudulent trading, email harassment, or computer policy misuse. All of these forms of cybercrime involve one or more actual people in conjunction with information from the electronic devices they use. Every single person brings with them a mass of data, which investigators are unable to analyse due to time or resource restraints, or the lack of a suitable solution to harness and make sense of the relevant myriad of data. You can overcome this challenge by framing investigations differently and focusing on four key areas, referred to as POLE:

• People – Suspects, victims, associates, colleagues, employers, family members.
• Objects – Ranging from devices—PCs, mobile devices, USBs—and email addresses, to social media handles, mobile numbers, tickets and even weapons.
• Locations – Home addresses, public buildings, landmarks, travel origins and destinations, and places of employment.
• Events – Transmission of data, email, DoS (Denial of Service), physical meetings with other people, crimes committed, arrests and destruction of data.

POLE relationships are the driving force in almost every investigation and should therefore form the basis of a comprehensive and robust intelligence framework that can be applied to almost any situation. Every event, object, person and location has the potential to be a valuable asset to investigators. For example, an employee’s social media accounts might give investigators insight into relevant events they would previously not have had access to. Consider the implications of a financial analyst who leaves their former job abruptly, and immediately begins to post details about their new position at their new company on their social media accounts. It is imperative for investigators to have a system in place to not only identify these potentially problematic activities, but also to tie them together in a meaningful way.
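As an added illustration of how POLE entities and their relationships can be held in one structure and queried, the following is example code written for this page; it is not Nuix’s product, nor the interviewee’s own tooling. It models people, objects, locations and events as nodes of a small graph, enumerates the evidence chains that tie a person to an event, and grades an attribution as weak when every chain rests on an easily spoofed indicator such as an IP address. All names, devices, addresses and events in the sample case are constructed, and the `spoofable` attribute, the hop limit and the verdict labels are assumptions of this example.

```python
"""POLE entity graph: example code added to illustrate the article's
People/Objects/Locations/Events model. Not Nuix or the author's code;
every person, device, address and event below is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

POLE_KINDS = {"person", "object", "location", "event"}


@dataclass
class Entity:
    """One node of the POLE graph: a person, object, location or event."""
    id: str
    kind: str
    attrs: dict = field(default_factory=dict)


class PoleGraph:
    """Undirected graph of POLE entities and the relationships between them."""

    def __init__(self):
        self.entities: dict[str, Entity] = {}
        self.adj: dict[str, set[str]] = defaultdict(set)
        self.relation: dict[tuple[str, str], str] = {}

    def add(self, id, kind, **attrs):
        if kind not in POLE_KINDS:
            raise ValueError(f"{kind!r} is not a POLE kind")
        self.entities[id] = Entity(id, kind, attrs)

    def link(self, a, b, relation):
        for x in (a, b):
            if x not in self.entities:
                raise KeyError(x)
        self.adj[a].add(b)
        self.adj[b].add(a)
        self.relation[(a, b)] = relation
        self.relation[(b, a)] = relation

    def chains(self, src, dst, max_hops=3):
        """All simple paths from src to dst using at most max_hops links."""
        found = []

        def walk(node, path):
            if node == dst:
                found.append(list(path))
                return
            if len(path) > max_hops:      # path already has max_hops edges
                return
            for nxt in sorted(self.adj[node]):
                if nxt not in path:
                    path.append(nxt)
                    walk(nxt, path)
                    path.pop()

        walk(src, [src])
        return found

    def spoofable(self, chain):
        """True if any node on the chain is flagged as easily spoofed (assumed attribute)."""
        return any(self.entities[n].attrs.get("spoofable", False) for n in chain)

    def explain(self, chain):
        """Render a chain with the relationship labels between each hop."""
        parts = [chain[0]]
        for a, b in zip(chain, chain[1:]):
            parts.append(f"--[{self.relation[(a, b)]}]--> {b}")
        return " ".join(parts)

    def assess(self, person, event):
        """Grade the attribution of `event` to `person` by the chains tying them together."""
        chains = self.chains(person, event)
        solid = [c for c in chains if not self.spoofable(c)]
        if solid:
            return "corroborated", solid      # at least one chain free of spoofable links
        if chains:
            return "weak", chains             # only spoofable indicators connect them
        return "unsupported", []


def build_sample_case():
    """Constructed hypothetical insider data-transfer case (not a real investigation)."""
    g = PoleGraph()
    g.add("alice", "person", role="financial analyst")
    g.add("bob", "person", role="former colleague")
    g.add("laptop-17", "object", type="corporate laptop")
    g.add("203.0.113.9", "object", type="ip address", spoofable=True)
    g.add("@alice_fin", "object", type="social media handle")
    g.add("hq-floor-3", "location", type="office")
    g.add("exfil-001", "event", type="transmission of data")
    g.add("badge-001", "event", type="badge entry")
    g.add("post-001", "event", type="social media post")

    g.link("alice", "laptop-17", "assigned user of")
    g.link("laptop-17", "exfil-001", "originated")
    g.link("203.0.113.9", "exfil-001", "source address of")
    g.link("bob", "203.0.113.9", "home connection assigned")
    g.link("alice", "badge-001", "badged in")
    g.link("badge-001", "hq-floor-3", "occurred at")
    g.link("laptop-17", "hq-floor-3", "connected from")
    g.link("alice", "@alice_fin", "owns")
    g.link("@alice_fin", "post-001", "published")
    return g


if __name__ == "__main__":
    g = build_sample_case()
    for person, event in [("alice", "exfil-001"), ("bob", "exfil-001")]:
        verdict, chains = g.assess(person, event)
        print(f"{person} -> {event}: {verdict}")
        for c in chains:
            print("   ", g.explain(c))
```

In the sample case the only thing tying `bob` to the data transfer is a source IP address, which the article notes is easy to manipulate, so the verdict is `weak`; `alice` is tied to the same event through a device assignment, a chain with no spoofable link, so it is `corroborated`. The point of the structure is that the second verdict depends on several POLE elements agreeing, not on any one indicator.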

Align intelligence and context

Investigators’ decisions have the potential to have a very real impact on real people. Therefore, in order to have more informed, intelligent and accurate findings, they need access to all of the information available to them. However, for years, analysts have been fighting against a rising tide of information overload. They are facing such a mass of data that it can be very difficult to decipher what is relevant and what is merely background noise. Four-dimensional investigations enable analyst teams to grow in capability and in sophistication. POLE also presents opportunities for data to be normalised and captured in a standard format, which facilitates sharing on a local, national, and international level.

New integrated technologies enable incident response teams to identify relationships across POLE elements with a greater degree of certainty than ever before. As a result, they can actively seek connections where they would logically expect them to be, without overlooking the signs that might invalidate their initial hypothesis. In other words, by considering context and intelligence, teams can now formulate theories based on an unbiased analysis of the evidence rather than speculation – and unequivocally assign blame to an individual or group.


© 2024 Professional Security Magazine. All rights reserved.
