tashatuvango - Fotolia
DerbyCon session tackles cyber attribution, false flag attacks
One expert showed the crowd at DerbyCon that proper attribution of a cyberattack requires multiple indicators in order to avoid being fooled by a false flag attempt.
LOUSIVILLE, KY -- A nearly hour-long talk at DerbyCon merely "scratched the surface" of various indicators that need to be studied in order to perform accurate cyber attribution after an attack.
The conceit of the talk by Jake Williams, founder and president of Rendition Infosec in Augusta, Ga., was to demonstrate how threat actors can manipulate indicators used in cyber attribution, and how much work must be done to properly attribute an attack. He told us afterward that it's valuable for red teams to "get a chance to exercise detections for specific attacker tools," but admitted "the bigger point of the talk was to not jump to attribution conclusions based on a single indicator."
Williams ran through cyber attribution mistakes of the past, including attacks by the Cyber Caliphate being attributed to ISIS or the Olympic Destroyer malware being attributed to North Korea when deeper investigations found Russia to be the more likely threat actor in both cases.
With the Olympic Destroyer malware, Williams said confirmation bias took over because it was a cyberattack in South Korea and information in the portable executable (PE) header "tied it back to other North Korean malware."
Williams said, "Roll forward though and researchers noticed as you dive deeper than the header there are some coding similarities to Russian malware. Nothing conclusive, but the problem here is that [Russia] sucks at tradecraft. Researchers noticed that the malware had been uploaded two weeks before to a scanning service in Eastern Europe … to make sure it wasn't going to get caught by antivirus."
Williams said the Olympic Destroyer malware had been uploaded under the name "olymp.exe" and the PE header -- more specifically the rich header -- "100% aligned with Russian malware."
Beyond manipulating header information, Williams described other ways investigators could be misled in cyber attribution and noted that all of the tactics are already known by attackers.
"I have no doubt that after we talk about this, we'll see more of this in the wild. But, the fact that we see more in the wild that more is happening in the wild, let's be very clear about that," Williams said. "What it means is we're seeing more of it and, in many cases, that's because our eyes are open to it."
Williams said using IP addresses can be tricky with cyber attribution, because, on one hand, even nation state threat actors have been known to run attacks from their home country. But on the other, it is very easy to rent virtual private server space from other countries to mask an attack's true origin and attackers have been known to use the same infrastructure or tools intentionally and unintentionally.
Other ways threat actors can mislead cyber attribution investigations is by creating false infrastructure via multiple online "supporter personas" that are used to "prop up" a specific group or "lookalike" email accounts.
Williams said because investigators want to find connections, they can be fooled by false personas, tracking the general times attackers are active to determine the original time zone, focusing on a specific type of event log, and much more.
Additionally, he warned that using encryption keys recovered from PowerShell or from compiled malware for attribution depends on if the keys are symmetric or asymmetric.
"Symmetric keys are trivial to reuse because the same key encrypts and decrypts. So, I can use a key the attacker has used previously, so you want to be very careful there," Williams added. "With asymmetric, you only have one side of the key pair. When we evaluate evidence for attribution, we value symmetric keys far more highly if it hasn't been published in a [cyber threat intelligence, or CTI] report because are the attackers really going to fake it? How well-known is it? But on the false flag side, I do want that published in the CTI report. I want it to be obvious for the investigator to make the connection."
Given all of the evidence and ways to attempt to determine cyber attribution, Williams noted that as an attacker, "You can do a few things well, but doing everything well is pretty impossible."
Williams told the DerbyCon crowd, "If you're doing good wholesome forensics, you're likely to uncover the false flag. If you're relying on one or two indicators in isolation, this is where you're likely to trip up. We're hard-wired for cognitive biases and logical fallacies. We're hard-wired to like a good conspiracy."