This blog, the second of three parts, is a preliminary look at Day 2 of the Internet Governance Project’s (IGP) 5th Annual Workshop on “Building transnational cyber-attribution”. The workshop virtually brought together more than two dozen international researchers and practitioners in May to explore making attributions based on facts and scientific methods rather than politics and strategy. While Day 1 focused on the rationale and “big picture” of attribution, Day 2 got into how it works operationally.

The challenge of collecting and sharing data

Day 2 began with discussion of how an independent attribution process could obtain and disseminate threat intelligence and other data. Panel organizer Brenden Kuerbis (Georgia Tech) opened the panel noting that different models of data sharing and how data is treated exist across cybersecurity activities and that they can shift over time. E.g., vulnerability information has been shared under hierarchical (e.g., MITRE CVE), networked (e.g., VULN DB, Cyber Threat Alliance) and market (e.g., Hacker One) governance structures, with data being treated as a public, club or private good. The takeaway is that data sharing arrangements can change as we understand more clearly and acknowledge various stakeholders’ incentives. 

Kaspersky’s Brian Bartholomew suggested some basic parameters of informal “trust groups” widely used within the threat intelligence industry sector, describing who, what, when, and why data is shared. While present in every problem that needs to be solved, trust groups are a good starting point to establish who the stakeholders are in an attribution process and what data needs to be shared. Smaller groups with less visibility foster more trust and offer better, more relevant data. Typically these are less than 40 people, with 1-2 from each of the biggest tech companies, govts, etc., who have access to data that isn’t public.  Every organization has a unique view of data and ideally that data gets shared. But the reality is that far less is shared. Differing laws and regulations, corporate internal policies and intellectual property concerns, and client privacy issues prevent sharing of data. Often, in lieu of actual data, it boils down to “trust me” with collaborators believing one another’s claims about data they’ve observed.  

When data is shared, the decision to do so is influenced by factors like whether the data has business value and whether sharing can impact other actors’ operations (e.g., a government investigation). Threat intel providers struggle with the latter, trying to cooperate with government investigations but also needing to protect their own customers and stay relevant in the market. The typical timeline of activities runs from 1) discovery of the incident, to 2) vendor private threat intel report for the impacted client, then 3) public threat intel report(s), then 4) gov’t attribution. This highlights the different motivations at play from threat intel providers wanting to establish expertise and generate revenue, to governments using data to bolster their own agenda, and academia using data to build knowledge. There is an expectation of reciprocity in data sharing; it is done to fill intelligence gaps, confirm hypotheses.

Ben Read (FireEye) expressed concern over what data is selected to be shared and the delays that occur, and that biases may be introduced to analysis. The value of and trust in the data being shared is fundamentally dependent on the underlying rigor (correct analysis, appropriate pivots) of the contributor. Data sharing among trusted threat intel providers reaching the same conclusions adds value to the attribution. Any new effort should not lose sight of the significant investment threat intel providers have made in analytic capability. FireEye’s acquisition of iSight brought intelligence capability, including ~200 people developing intel data and substantial revenue generation.  Attribution is most valuable (by some definition) when it is not public and companies monetize the data they collect. How do threat intel providers evaluate others’ claims? E.g., sideloading techniques are readily associated with APT10, but how do we know? There is a need for some higher analytical evaluation capability (e.g., can we assess the validity and reliability of claims being made). Sharing and publishing of data can depend on getting law enforcement approval (alluded to above) and always creates risk that threat actors learn how they are being tracked, and will modify behavior, thus burning threat intel methods/infrastructure used for observation. However, threat intel providers counter this by mimicking methods to obfuscate their surveillance.

Shifting gears from threat intel practitioners, Xander Bouwman (TU Delft) spoke about research on the scale and formalization of data sharing arrangements, as well as empirical work looking at data visibility and consistency between threat intel vendors.  There are two dimensions for understanding data sharing arrangements, open vs. closed and ad-hoc vs. institutionalized. Each dimension has presumed implications. Sharing can benefit from the network effects associated with open arrangements with more diverse contributors/data, while as hinted earlier, closed arrangements based on quid pro quo facilitate higher trust and data quality. Ad-hoc arrangements can be opportunistic around novel incidents, while institutionalized arrangements have structural advantages to facilitate long-term sharing (e.g., sectoral). The public policy question is: how do we move from trust-based to institutionalized sharing of data? Commercial threat intel endpoint detection and response systems have forced the sharing of data. Studying indicators collected by vendors ostensibly about the same threat actor, Bouwman found little overlap in data. This leads to preliminary conclusions that vendor visibility is modest and/or the total universe of indicators of malicious activity may be very large.   

Nikolaos Alexopoulos (TU Darmstadt) next shared some results of work modeling threat intel data sharing among network defenders. Their game-theoretic model of peer-to-peer data sharing was based on a limited number of defenders and attackers. They found that free-riding (i.e., not contributing data, yet benefiting from data contributed by others) was avoided by introducing a mechanism that allowed payments between defenders. Data sharing happened continuously as long as there were restrictions (on what?) and the cost of data remained low.

Joe Hall (Internet Society) spoke to the Internet Society’s experience in supporting a new institution that responded to a challenging problem – namely, its Mutually Agreed Norms for Routing Security (MANRS) initiative. MANRS combines a normative campaign for network operators to implement best routing security practices with an Internet-wide observatory of routing behavior at the AS level to gather data on the implementation (or not) of these practices. In effect, the observatory acts as an enforcement mechanism. It gathers data to provide general statistics on overall Internet routing security (e.g., the percentage of AS’s that are enforcing anti-spoofing practices, or involved in a routing incident). It does not point the finger publicly at specific AS’s, although they can be contacted privately. In Hall’s view, a neutral attribution group should prioritize getting information to defenders and balance information that needs to be public and what needs to be kept secret.

Some other observations and clarifications: 

  • The proposed effort may not need access to current data that has high commercial value, but could use older datasets. 
  • Data used in attribution is qualitatively different from data used in intrusion detection/prevention, being less about specific indicators of compromise (IoCs).  

Determination of state-sponsorship

This panel discussed the process of and issues raised by attributing (or refusing to attribute) an incident to a state actor, such as the evidentiary standard, interaction with political actors and processes, or the assessment of state responsibility.

Juan Andreas Guerrero-Saade (formerly with Kaspersky, now teaching at Johns Hopkins) kicked off the discussions by drawing attention to the challenges of existing attribution processes. The use of the term ‘state-sponsored’ stems from analysis of operations where the targets appear to be those that a state would be interested in, the term does not capture the complex dynamics between attackers and victims that occur across different operations. Given the limited practical value of attribution for defenders, an independent attribution network should not be limited to basing their views on technical indicators. Technical indicators are incredibly fungible, open to manipulation, and sometimes are programmatically stomped out or manipulated to push analysts in the wrong direction. By embracing technical indicators this group would be replicating the private sector’s approach and would face the limitations of private sector processes and practices. The value of attribution lies in viewing it as a historical, academic, or international relations exercise. This approach would allow researchers to differentiate between actual state sponsorship and things that appear like state sponsorship, a distinction that is missing in the private sector for complicated reasons. 

Similarly, it is important to distinguish between clustering a set of activities into a ‘threat actor’ and distinguishing it from attributing it down based on a cascade of scope to a single individual, organization or nation-state, or group of countries. Such distinctions have important implications for defining the scope and nature of the work of an independent attribution network and defining the data access needed to determine the different state sponsorship. Thinking about the granularity of attribution is an important factor when we consider examples like the Project CameraShy report which identified an individual operator working for the Chinese military, which was a fantastic level of attribution but also raised questions about the ethics of the attribution process. Moreover, SIGNIT giants and alt-source agencies have access to the best sources of information, they are also the Cassandras of the modern age where their claims are least likely to be believed leading to a complex situation in the attribution process. 

On the issue of government attribution statements as a state exercise of soft power, Guerrero-Saade pointed out that often government agencies are the only actors in the position to know that false flagging is going on in the case of fourth-party collection. In this context disclosures by government security agencies provide classified information that can prevent analysts from making a series of mistakes, or initiating a series of tertiary effects by misreporting. As the joint announcement from NSA and GCHQ about TURLA highlights it is important to acknowledge the good signaling coming from government organizations and it would be remiss to characterize everything that they do as a nefarious exercise of soft power. 

In conclusion, an independent attribution body would do well to avoid the potholes of technical challenges and as a body should shoot for undermining the political challenges to attribution. These political challenges arise due to control over money and data sources or if there is a dominance of certain actors in the group. E.g., if western actors dominate there tend to be certain limitations to what folks are willing to do, or if we are worried about funding/getting fired then that constrains activities in this space. Guerrero-Saade sees value in creating an independent network for attribution where attribution was within reach but private companies did not make that leap because of the political challenges. He pointed to some interesting cases of altsource operations including Regin malware, Equation group associated with the NSA, Lamberts APT group or Longhorn associated with the CIA, Animal Farm linked to the French DGSC, and the Hades group which encompasses APT28 and a lot Russian organizations under military intelligence. 

Kaja Ciglic  (Microsoft) noted that threat intel and platform providers may be consistent in their desire to identify and mitigate malicious behaviors, but their desire to attribute can diverge because of business models and strategic concerns. Objective attribution by the private sector is not possible in some cases because some sell threat indicator data while others don’t, and some fear offending governments who are often customers. The term attribution is interpreted differently and has different consequences at the technical, legal and political layers. At the technical level the attribution process is focused on bits and bytes, techniques and scope does not include outlining action outside what happened. Legal attribution focuses on data that is needed to take the case to court, and proof of how an actor is involved, whether associated with a nation-state or not. To an extent, at this stage, it is irrelevant if attribution can link to a nation-state because if the case proceeds to court then a bad actor is unable to continue with their operations and security agencies have achieved their objective of mitigating threats and risks. The political threshold is the most controversial as attribution in this layer is limited by considerations of political repercussions of states calling out each other, imposing sanctions or punishing bad behavior.  Ciglic suggested that attribution should be distilled into technical, legal and political components. An independent network for attribution would be most impactful in addressing attribution in the political domain by analysing evidence and state behaviour to apply pressure on governments to act or move in a particular direction. 

Florian Egloff (ETH-Zurich) focused on the differences and similarities between different actors undertaking attribution. Large technology & security companies enjoy more visibility than nation-states in assessing attributions. Although countries, where such private companies are located, may have an advantage in terms of seeking access to data and those particular countries may have more visibility than others. Attribution provides opportunities that are unique to state actors. For example, such processes may be used as a political tool by states to shape their operational space, to affect adversaries’ capability, or upgrade their defense posture. There are also advantages to states choosing not to attribute attacks such as sending signals to their adversaries, opening up the negotiation space between states, and defining what is permissible behavior in cyberspace. Another function that state attribution has in the political realm is that of enabling countries to set the rules of the game and different visions for how attribution should be done. Currently, different coalitions are vying to establish what these rules and norms for attribution should be. 

When countries do call out state sponsorship there are many nuances in how they form their claims.  The language used and framing, criminal offense, an offense against the international community, or an offense against particular treaties, create different pathways to international regime building. The absence of tailored goals prevents objective assessment of the effectiveness of and understanding of the strategy behind such public attributions. For example, in some cases, the actor against whom the attribution is being made is not the target of the effect rather the attribution is aimed at third parties, other adversaries, or the actions of a separate set of actors. Joint attributions could be seen as part of efforts of governments to build coalitions as a second order strategy to try and overcome the “credibility problem”, so that they can attribute, without having to publicly disclose sources/details about the operation. 

Cases where states are not doing attributions provide opportunities for private actors. E.g., where human rights defenders are targeted. In cases of human rights abuse, private sector-led attributions can help curb or act as checks against offensive state power and help stabilize state activity. In such cases very large, well-funded offensive actors are starting to create effects that go well beyond the actual targets and draw in domains and spaces that are not traditionally used to seeing effects deployed against them. Organizations making attributions have to be very clear about the ethics of publishing or choosing not to publish data. Long term credibility in working on public attribution comes from clear ethics and clearly layered out processes of selectivity. Similarly, the specificity of language also adds credibility for both public and private organizations (an example approaching such specificity would be NSA-GCHQ report on TURLA). 

There are several challenges associated with public attribution of state sponsorship. Few actors have the capability and the political will to take action against state power and there may be good reasons for not doing so. It is also important to recognize that this power is not equally distributed around the world. Non-state actors have few incentives to call out specific states and may choose not to do so for technical, economic, and political reasons. Addressing these challenges requires strategic thinking from state actors including clarity on what the desired end-state of doing public attribution is for governments. Evaluation of the impact of public attributions on improving accountability shaping cyberspace is also much needed. Non-state actors need to consider the ethical responsibility of choosing to publish or not publish information about alleged state activity, and the process of selecting which actors and activities to pursue for public attribution. Such considerations and ethical obligations are particularly important when building networks of mechanisms aimed at improving the accountability of public attributions.

Day 2 ended with a discussion of potential incidents for investigation by the research network, which will be covered in a future article.