Amid the connections being made between the Russian government and the attack on the Democratic National Committee (DNC), researchers on Tuesday reminded us of the challenges security experts have in correctly attributing advanced attacks.
In a wide-ranging Reddit AMA, members of Kaspersky Lab’s Global Research and Analysis Team shared some insight into their day-to-day investigations of APT groups and how attackers manipulate some of the markers many use to tie nation states to attacks.
The conversation also pivoted to an array of timely topics, such as the shortage of capable security researchers, threats to critical infrastructure, the government’s role in protecting crucial assets, researcher and attacker tradecraft, and Edward Snowden.
Attribution, however, remains a difficult discussion. Researcher Brian Bartholomew said that the indicators used to attribute attacks beyond the commonly cited ones, IP addresses, the languages used in code, and malware compile times, are rarely shared publicly, precisely so that adversaries cannot learn which data points to manipulate.
“There is really little that can’t be faked or manipulated and this is why the industry has such heated debates sometimes over attribution,” he said during the AMA.
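An added illustration of why one of those markers, the compile timestamp, is weak evidence on its own (example code written for this article, not from the AMA, the researchers, or Kaspersky Lab): the PE header's TimeDateStamp is a plain 32-bit field that any toolchain, linker or hex editor can set. The script below reads the field from a constructed, minimal PE-shaped buffer and flags the tells an analyst checks before leaning on it (a zeroed field, the fixed constant old Delphi linkers emit, a date older than an assumed 1999 cut-off, or a date later than the analysis itself). The cut-off date, the fixed reference "now" and the sample buffers are assumptions made for the example.

```python
import struct
from datetime import datetime, timezone

# Constructed constants for the example; none of these values come from the AMA.
DELPHI_CONSTANT = 0x2A425E19   # 1992-06-19 22:22:17 UTC, written by old Delphi/Borland linkers
MIN_PLAUSIBLE = 915148800      # 1999-01-01 UTC; assumption: earlier build dates are suspect
REFERENCE_NOW = 1470000000     # fixed "now" (2016-07-31 UTC) so the results are reproducible


def build_sample(timestamp: int) -> bytes:
    """Build a minimal PE-shaped byte string carrying the given COFF TimeDateStamp.

    Constructed for the example: only the MZ header, e_lfanew, the PE signature and
    the 20-byte COFF file header are present, which is all the parser below reads.
    """
    e_lfanew = 64
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)  # e_lfanew sits at 0x3C
    coff_header = struct.pack(
        "<HHIIIHH",
        0x14C,       # Machine: IMAGE_FILE_MACHINE_I386
        1,           # NumberOfSections
        timestamp,   # TimeDateStamp: seconds since the Unix epoch, writable by anyone
        0, 0,        # PointerToSymbolTable, NumberOfSymbols
        0,           # SizeOfOptionalHeader (no optional header in this sample)
        0x102,       # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    return dos_header + b"PE\x00\x00" + coff_header


def read_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image; raise ValueError if the layout is wrong."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # Signature (4) + Machine (2) + NumberOfSections (2) precede TimeDateStamp.
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return timestamp


def assess_timestamp(timestamp: int, now: int = REFERENCE_NOW) -> str:
    """Classify a compile timestamp.

    Anything other than 'plausible' means the field was stripped, set by the
    toolchain, or altered by hand, and must not be used as evidence on its own.
    A 'plausible' value is still only a claim the binary makes about itself.
    """
    if timestamp == 0:
        return "zeroed"
    if timestamp == DELPHI_CONSTANT:
        return "delphi-constant"
    if timestamp < MIN_PLAUSIBLE:
        return "implausibly-old"
    if timestamp > now:
        return "future"
    return "plausible"


def analyze(data: bytes, now: int = REFERENCE_NOW) -> dict:
    """Parse the timestamp and report it with the UTC build time, hour of day and verdict."""
    ts = read_timestamp(data)
    when = datetime.fromtimestamp(ts, tz=timezone.utc)
    return {
        "timestamp": ts,
        "utc": when.strftime("%Y-%m-%d %H:%M:%S"),
        "build_hour_utc": when.hour,   # the "working hours" heuristic rests on this field too
        "verdict": assess_timestamp(ts, now),
    }


if __name__ == "__main__":
    samples = [("normal", 1469000000), ("stripped", 0),
               ("delphi", DELPHI_CONSTANT), ("tampered", 1500000000)]
    for label, ts in samples:
        print(label, analyze(build_sample(ts)))
```

The hour-of-day field is included deliberately: the "working hours" inference that attribution write-ups sometimes draw from build times rests on the same writable field, so a verdict other than `plausible` invalidates that inference as well.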
Kaspersky Lab’s researchers steer clear of attribution by policy. The group has published dozens of reports on the activities of government-sponsored attack groups, starting with Stuxnet at the beginning of the decade, and later this year at Virus Bulletin, Kaspersky researchers are expected to deliver a paper on the false flags used by attackers to hamper attribution.
By consensus, most attacks are attributed to the U.S., U.K., China, Russia and others in the Middle East, but the researchers cautioned that a country's cyber capabilities don't necessarily track its conventional (kinetic) military capabilities.
“It would make sense [that] countries with more resources to spend in such operations would be the most active, which would reflect the list…,” said researcher Vicente Diaz. “That does not mean that developing countries don’t participate in such operations, however many times they use external resources as it is cheaper than developing major ‘cyber-capabilities.’ That, among other things, makes attribution more difficult (is not the same as developing an advanced and unique weapon rather than using a common one).”
The researchers were asked about the U.S. government's reaction to such attacks, in particular public-private sector cooperation and President Obama's signing yesterday of Presidential Policy Directive 41 (PPD-41), which lays out the country's cyber incident response and coordination process.
“There’s definitely a big role for government to play in tackling this issue. More importantly, in a way it has to be the government doing some of these things,” said researcher Juan Andres Guerrero-Saade. “For example, the debate on ‘hacking back’ is one that I’d rather not extend beyond the powers of the public sector (as what you might call an extension of the government’s ‘monopoly on the legitimate use of violence’). At a time when attribution is artisanal and reliable attribution is nearly impossible, I’d much rather certain government agencies handle the recourse to hacking back entirely.”
Attacks against critical infrastructure, ranging from Stuxnet to BlackEnergy, were discussed as well, with particular focus on the ongoing vulnerable nature of industrial control and SCADA systems and the potential for real-world damage and loss of life from an attack on a utility or other critical system.
Vitaly Kamluk, one of the researchers deeply involved in the investigation of the Equation Group, shared his concerns about malware crossing over between virtual and physical worlds and the lack of complete control operators may have over their systems.
“This is what wakes me up at night, because this illusion of control we have over computer systems opens infinite possibilities to create tragedies by people who use their power against others,” Kamluk said. “From my point of view, this is what makes human race primitive.”
As for going behind the curtain and gaining insight into an APT investigation, the researchers shared some of their backgrounds, including how they learned reverse engineering and binary analysis, and stressed the importance of practical experience.
“For me personally, experience worked best. I’d recommend you apply for an internship at a security company and start learning security from the real world,” said Costin Raiu, head of the Kaspersky research team. “Unfortunately, too many of the formal education systems nowadays are well behind what is happening in the real world. I’ve seen people finish university with [a] computer science degree, however, they didn’t know any practical security, only 5-10 year old theory.”
Guerrero-Saade said practical experience is essential in a field that changes almost daily.
“One thing I found really striking as I got to know people in GReAT and other researchers doing great work in the industry, a lot of them are not [computer science] grads, nor engineers. I happen to know a brilliant researcher who is a PhD in Physics. Some who never graduated high school,” he said. “It was Philosophy and Logic for me. You get the sense that the more identifying feature here (apart from a love for technology) is the drive to learn new things all the time and leverage that knowledge in cool ways. The security landscape evolves quickly and drastically and it takes constant work to stay on top of it.”