Around four years ago, Shin Bet specialists caught on to a carefully planned cyber offensive against Israel by one of the country’s most sophisticated adversaries (usually a euphemism for Iran, though Hezbollah and Hamas sometimes make trouble too).
The enemy had been “deployed” at several sensitive nodes of Israel’s communications infrastructure, possibly waiting for an opportune moment to disrupt a range of television and radio broadcasts. Rather than immediately flushing out the attackers, the Shin Bet let them continue to operate while it spied on them in turn, until it had learned their identities and even their working hours. During a prolonged holiday it eliminated the threat and launched a counterattack, exposing the attackers’ details to hacker communities.
This incident was reported for the first time in the Cybertech online magazine about a year ago, but recently the Shin Bet told The Jerusalem Post Magazine, “Even years ago we knew how to combine cyber defense and offense… which multiplies its power.”
The Shin Bet said it “has many years of experience in defending critical infrastructure,” having started as early as 1994 and “in the last year we established a new division that combines cyber and technology.”
In June, The Jerusalem Post reported Shin Bet director Nadav Argaman’s statements at a conference that cyberattackers “can expect real-world surprises” if they go after Israel, since “we do not just wait to get hacked. We go aggressively after hackers to get them before they attack… our defense does not recognize any borders… We follow threats everywhere… We connect the cyber and the physical world.”
If around a decade ago 4% of the Shin Bet’s workforce was in the virtual realm, that number has now jumped to 25%, and Argaman said the agency identified 2,000 potential lone-wolf threats in 2016 alone.
What are the tactics available to Israel and other states to identify, frustrate and go after cyberattackers? And what are other countries doing in this realm? The UK is considered one of the top five cyber powers in the world. Yet its parliament was hacked last summer. Following a diagnosis of the attack, the UK initially pointed the finger at Russia. Such public finger-pointing is no small thing.
There are many potential downsides to such a move, and a country never wants to make a public attribution unless it is certain.
That is why the UK muddied its own diagnosis when, in October, it publicly charged that it was Iran, not Russia, that was behind the hack.
If it is such a big deal to openly attribute a cyberattack, how could they have gotten it wrong the first time? And if a cyber power like the UK got it wrong, how reliable is cyber attribution at all? These are two specific incidents, but there is a much wider picture to explore.
Obama administration cyber chief Michael Daniel recently sat down with the Magazine, discussing some of the big dilemmas in dealing with cyber attacks.
The first question, Daniel says, is “a technical forensics issue: Do you have sufficient technical data to make a judgment about who was responsible for an incident? This process involves looking at logs, tracing IP addresses, and reviewing the cyber tools used.”
An IP (Internet Protocol) address is the numerical label assigned to each device on a network, including the Internet, and is recorded by the systems that device talks to. Logs are the records a computer or network device keeps of what happened on it: who connected, from where, when, and what they did.
Explaining what this all means, Daniel, who is now president of the Cyber Threat Alliance, says, “Like any investigation, and there are many parallels to how you would do a law enforcement investigation… you pull on a number of different sources… about what happened.
“You make copies of the hard drives from the computers which you think the bad guys accessed. You look at where they looked at network logs and where they used tools… to come in and out of the network… If you found malware [malicious software], you analyze it and see what kind it is. You try to trace it using information from the network. What activities did the bad guys do and why?”
When you pull up the malware, he adds, “you might find a remote access tool [RAT, software that lets an attacker control or observe a compromised machine from elsewhere] – and there are various kinds of remote access tools. But is it the kind that a nation-state tends to use or the kind that criminal organizations tend to use?” he asks rhetorically.
“A good example of a RAT is ‘poison ivy.’ So you found poison ivy on a network or on computers getting data,” then you connect “that technical piece with information from law enforcement and intelligence… you see who typically uses poison ivy as a RAT,” he said.
The former Obama cyber chief asks, “What other kinds of activity are coming up in communications with the computers in question, which country is associated with these IP addresses, do we know something about these IP addresses… can we trace them?
“You try to crack the shield the hackers used to cover up their IP address. Sometimes you cannot do it. To do it, you might need to get through multiple hoops. The hackers access the Internet… they may go through TOR [Tor, The Onion Router, a worldwide network of more than 7,000 volunteer-run relays that hides the origin of a user’s traffic] to obscure their identity. They may make three or four more hops before they get to their target computer – going from one computer or server to another,” he said.
“It is a game of cat and mouse. Can the intruders move at a rate and take enough steps to keep their identity obscure or can investigators trace them back far enough?
“The technical data we pulled included malware and logs about what sequences of software were used and how it was coded; we then compare it to what we know about other situations with malicious actors.”
Elaborating, he says, “A person using poison ivy might be doing several hops, some from Malaysia for example.” If a hacker used poison ivy and also did hops from Malaysia “then this is most likely the same actor.
“During World War II, there were lots of times that even if we could not understand the code,” referring to the one used by the Axis powers, we “could tell who was on the telegraph by their ‘stick’ – how they typed out the code. This is a similar idea. A bad guy may typically do things in a certain order… and leaves a modus operandi. You can often start to identify actors that way.”
After all of the above, Daniel cautions, “Sometimes you don’t get enough evidence. If the bad guys are good at erasing stuff” or, he explains, if you did not have enough cyber defenses you may be out of luck. “You cannot always arrive at a technical attribution.”
Joseph Krull is currently a security principal director at Accenture, one of the world’s leading cyber outfits, and has 19 years of experience in the US Defense Intelligence Agency with wide-ranging assignments from Israel, Egypt and Chad, to France.
Based at Accenture’s Israel office, he told the Magazine, “Attribution is not a science, it’s an art. It is hard,” since it is “trivial to hide behind different proxies, IP addresses and to obfuscate what you are doing.”
“What I see from work with Israeli researchers is that attackers like to do things based on a recipe – reusing certain tactics, recipes and codes – since it is in our nature to use what has been successful in the past. When you get to see the same attackers over and over… you get a pretty good clue of who is doing it and where it is coming from,” Krull says.
Eventually, he adds, “Attackers make mistakes, it is human nature. You find the mistakes with scrutiny – where they leave marks of code, change or modify the code, when they try to hide an IP address, but do not succeed.”
How might advanced hackers have initially fooled the UK into accusing Russia of perpetrating a cyberattack instead of Iran? Daniel speculates that the Iranians used Russian malware or launched the attack from servers inside Russia. “There are a range of typical tactics used to throw you off the scent. Nation-state actors may use criminal malware to make it look like they are engaged in criminal activities, to shield where they launched their cyberattack from,” he says.
The former US cyber chief continues, “Intelligence becomes critical to debunking the misleading tactics. A surface examination might lead in one direction, but when you go back and say, ‘Hey wait a minute’… and dig deeper, the evidence points you in another direction.”
Likewise, Krull says the UK could have been “led down a false path… by an initial analysis based on the origin and location of a list of IP addresses. Maybe the IP addresses could lead to attribution to a Russian entity.
“But when you go deeper and pull the logs and review issues on the server, you say ‘wait, we jumped to the wrong conclusion.’ Here is a code we’ve seen before attributable to Iran. It is easy to jump to an initial conclusion.”
“Doing attribution is one of the hardest things to do… Most nation states are slow and hide in a network for a long time before they get detected,” says Krull.
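The “modus operandi” matching Daniel describes, and the false path Krull warns about when a list of IP addresses is taken at face value, can be shown in a small scoring script. The Python below is an added illustration written for this page; it is not code from Daniel, Krull, Accenture or any agency. The two actor profiles, the incident, and every step name, tool name and hop country in it are constructed, and the weights are an arbitrary choice for the illustration. It ranks an incident against known profiles by how closely the order of its steps matches a past playbook (longest common subsequence), by overlap in tooling, and by overlap in the countries of intermediate hops, and it shows that scoring on hop countries alone, the IP-only view, cannot separate the two actors while the full view can:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ActorProfile:
    """What an investigator already knows about a previously seen actor."""
    name: str
    playbook: tuple           # typical order of steps seen in past intrusions
    tooling: frozenset        # RATs / malware families used before
    hop_countries: frozenset  # countries of the intermediate hops used before


@dataclass(frozen=True)
class Incident:
    steps: tuple
    tooling: frozenset
    hop_countries: frozenset


# Constructed, hypothetical profiles for the example; not any real group's TTPs.
PROFILES = (
    ActorProfile("GROUP-A",
                 ("spearphish", "macro_dropper", "poison_ivy",
                  "credential_dump", "rdp_lateral", "ftp_exfil"),
                 frozenset({"poison_ivy", "mimikatz"}), frozenset({"MY", "TR"})),
    ActorProfile("GROUP-B",
                 ("watering_hole", "exploit_kit", "custom_rat",
                  "wmi_lateral", "https_exfil"),
                 frozenset({"custom_rat"}), frozenset({"RU", "NL"})),
)


def lcs_len(a, b):
    """Longest common subsequence: steps shared in the same order,
    tolerating extra or missing steps in between (the 'recipe' signal)."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def order_similarity(a, b):
    return 2 * lcs_len(a, b) / (len(a) + len(b)) if a and b else 0.0


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0


# Hop geography is the cheapest thing for an attacker to fake, so it gets the least weight.
DEFAULT_WEIGHTS = {"order": 0.5, "tooling": 0.3, "hops": 0.2}
HOPS_ONLY = {"order": 0.0, "tooling": 0.0, "hops": 1.0}   # the "IP addresses only" view


def score(profile, incident, weights=DEFAULT_WEIGHTS):
    return (weights["order"] * order_similarity(profile.playbook, incident.steps)
            + weights["tooling"] * jaccard(profile.tooling, incident.tooling)
            + weights["hops"] * jaccard(profile.hop_countries, incident.hop_countries))


def rank_actors(incident, weights=DEFAULT_WEIGHTS, profiles=PROFILES):
    """Return [(actor, score), ...] sorted best first."""
    return sorted(((p.name, round(score(p, incident, weights), 3)) for p in profiles),
                  key=lambda t: t[1], reverse=True)


# Constructed incident: GROUP-A's recipe and RAT, but one hop through a Russian server.
INCIDENT = Incident(
    steps=("spearphish", "macro_dropper", "poison_ivy", "rdp_lateral", "ftp_exfil"),
    tooling=frozenset({"poison_ivy"}),
    hop_countries=frozenset({"MY", "RU"}),
)

if __name__ == "__main__":
    print("hops only:", rank_actors(INCIDENT, HOPS_ONLY))  # GROUP-A and GROUP-B tie
    print("full view:", rank_actors(INCIDENT))             # GROUP-A clearly ahead
```

Run stand-alone, it prints both rankings. The point is in the weighting rather than the numbers: the one Russian hop gives both profiles an identical hop score, so an analyst who stops at the IP list has no basis to choose, while the order of steps and the reused RAT separate them immediately. A real matrix would draw its profiles from the intelligence holdings Daniel and Krull describe, and even then the output is a lead, not a verdict.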
How can digging deeper fix the potentially incorrect conclusions that arise from a cyber investigation? Daniel says, “You can look at the syntax in the command structure of the logs and that the attacker isn’t using Russian syntax – that it is Farsi syntax. Then you ask: Why would a Russian be writing in… Farsi? You can look at the date and time stamps that do not make any sense, but would make sense for an actor in another country based on the time zone.
“Granted, people could go [perform cyberattacks] in the middle of the night to try to throw you off,” but these kinds of clues can tip you off to unwinding cyberattackers’ tricks to cover their tracks, he says.
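Daniel’s two checks, the language of what the attacker typed and the hours at which they worked, can both be run mechanically over a command log. The Python below is an added example for this page, not code from Daniel or any agency; the eight log lines, the addresses (taken from the RFC 5737 documentation ranges) and the commands are all constructed. It infers the UTC offset that places the most activity inside a 09:00 to 17:00 working day, counts the weekdays on which activity occurred, and classifies the script of any non-ASCII text in each command, treating a handful of letters that exist in Persian orthography but not in standard Arabic as the signal that distinguishes Farsi from Arabic:

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample log, invented for this example (not from a real case):
# "<UTC timestamp> <source IP> <command>". IPs are RFC 5737 documentation addresses.
LOG_LINES = r"""
2017-03-02T05:30:00Z 203.0.113.7 cmd.exe /c whoami
2017-03-02T06:10:00Z 203.0.113.7 cmd.exe /c net view
2017-03-02T07:45:00Z 203.0.113.7 cmd.exe /c dir C:\Users\پروژه
2017-03-04T09:00:00Z 198.51.100.23 cmd.exe /c tasklist
2017-03-04T10:20:00Z 198.51.100.23 cmd.exe /c type отчет.docx
2017-03-04T12:05:00Z 198.51.100.23 cmd.exe /c ipconfig /all
2017-03-05T13:15:00Z 203.0.113.7 cmd.exe /c copy ورود.txt C:\tmp
2017-03-05T23:50:00Z 203.0.113.7 cmd.exe /c del C:\tmp\*.txt
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def parse_log(lines):
    """Return (timestamp, source_ip, command) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3)))
    return events


def infer_utc_offset(timestamps, work_start=9, work_end=17):
    """Try every half-hour UTC offset from -12:00 to +14:00 and return
    (best_offset_hours, fraction_of_events_in_window, all_tied_offsets).
    Several tied offsets mean the data does not pin down a time zone."""
    minutes = [ts.hour * 60 + ts.minute for ts in timestamps]
    lo, hi = work_start * 60, work_end * 60
    counts = {}
    for off in range(-12 * 60, 14 * 60 + 1, 30):
        counts[off] = sum(1 for m in minutes if lo <= (m + off) % 1440 < hi)
    best = max(counts.values())
    tied = sorted(off / 60 for off, n in counts.items() if n == best)
    return tied[0], best / len(minutes), tied


def weekday_counts(timestamps):
    """Which days of the week (in UTC) the attacker was active on."""
    return Counter(ts.strftime("%A") for ts in timestamps)


# Letters used in Persian orthography that standard Arabic does not use.
PERSIAN_ONLY = set("پچژگکی")


def classify_script(text):
    """Coarse script of the non-ASCII letters in a command string."""
    if any("\u0400" <= c <= "\u04ff" for c in text):
        return "Cyrillic"
    if any("\u0600" <= c <= "\u06ff" for c in text):
        # Arabic-script text is only called Persian if a Persian-only letter appears;
        # a word made of letters common to both languages stays ambiguous.
        return "Persian" if any(c in PERSIAN_ONLY for c in text) else "Arabic-script"
    return "Latin/ASCII"


def script_summary(events):
    return Counter(classify_script(cmd) for _, _, cmd in events)


if __name__ == "__main__":
    events = parse_log(LOG_LINES)
    stamps = [e[0] for e in events]
    print("best UTC offset:", infer_utc_offset(stamps))
    print("weekdays:", weekday_counts(stamps))
    print("scripts:", script_summary(events))
```

On the constructed sample the only half-hour offset that fits every daytime event is UTC+3:30, activity falls on Thursday, Saturday and Sunday but never on Friday, and one command contains Persian-specific letters. Each is a weak signal on its own. The 23:50 UTC entry shows why a single event proves nothing and why an attacker can deliberately work at night to spoil the picture; a Cyrillic or Arabic string can be planted as easily as a Russian hop; and the Arabic-script command without Persian-only letters cannot be told from Arabic at all. These are leads to be corroborated with the intelligence Daniel describes, not conclusions.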
Daniel adds that it is critical to compare the forensic data “to information your intelligence and law-enforcement agencies have.”
“Maybe you get corroborating intelligence from SIGINT [signals intelligence – eavesdropping on electronic communications] or from HUMINT [human intelligence or spying], or maybe you get additional data that changes your point of view. My experience was that it usually took at least a few weeks to arrive at a conclusion and often several months to reach high confidence.”
How much is time a factor in getting the attribution right? After a longer investigation, Daniel says it is more likely that they would catch unexpected mistakes by cyberattackers. In other words, earlier checks focus on more obvious and expected mistakes.
But Daniel says that with “one intrusion into the federal US government system,” cyber forensic experts discovered that “there is this whole set of files where bad guys tried to teach themselves about what our networks look like and for whatever reason they did not erase it.”
Maybe at an earlier stage of the investigation, when cybersecurity experts checked obvious problems, “they looked like normal text files, but later we realize these are bad-guy action files.”
“It varies from case to case. I wish it was all skill, but sometimes it is just dumb luck. Did the bad guys make a mistake? Did they not clean up after themselves or get sloppy in the middle?” Other reasons for missing such less obvious evidence initially could be that it simply “takes a while for people to assemble intelligence. Maybe something comes up that cyber forensics was not previously aware of.”
Eventually, Daniel adds, the intelligence and law-enforcement community may put the picture together differently after gathering all the pieces – just like solving a highly complex puzzle.
This raises the broader issue of what role intelligence plays in making a cyber attribution above and beyond what can be gleaned from a cyber forensics investigation.
Daniel says, “Looking at SIGINT, do we draw on evidence from the intelligence community to also bolster this case from that specific time period? It could depend on the target.”
He explains that if the attacker is a high-profile nation-state, the chances are higher that intelligence agencies will already have potentially helpful evidence from ongoing surveillance or spying activities.
What is the right balance of combining cyber forensics with intelligence to figure out who the attacker was and what they did? Is SIGINT or HUMINT more important to supplement the cyber forensics? “You always want different kinds of intelligence. It is good to have a certain volume. HUMINT will never match SIGINT just in terms of volume. But you also have a lot of garbage in your SIGINT – a lot of useless information,” he says.
Daniel explains that they are just different kinds of information.
“The most effective intelligence agencies combine the two and combine that with other things, with imagery intelligence, open source information and others… Technical information from networks alone is almost never enough to do solid attribution. You want to be marrying it with intelligence and law enforcement.”
Regarding the role of intelligence in making a cyber attribution, Krull explains that it is important to have knowledge of what new methods and tactics a cyberattacker is developing.
“If you know where they are training, how they are preparing cyber offensives, it will help you limit what you look at.”
On the other hand, he warns that nation-states do not have limited resources. They can spend whatever it takes.
How good is the ability of the world’s top powers to attribute cyber attacks? In June 2016, the Post reported that former Shin Bet director Yoram Cohen made waves at a conference when he said he wanted to “burst the myth of attribution,” explaining that Israel always eventually learns whom to hold responsible for a cyberattack.
Krull explains that perhaps the remarks Cohen made were regarding attacks that came from a subset of attackers they could quickly identify, a list of usual suspects. “Commercial companies, banks and commercial power plants do not have that finite a list of attackers. Everyone is trying to get you.”
The former Defense Intelligence Agency operative says, “In my personal experience from 42 years in the business, I don’t think anyone is even close to 100% attribution certainty. Even with big intelligence capabilities, I don’t think it is possible.”
He adds that there are “lots of good cyber platforms in Israel,” noting new developments in using artificial intelligence to identify cyberattackers. But, he concludes, “I do not think we have a silver bullet.”
As far as Krull is concerned, when it comes to cyber offense, defense and attribution, even for nation-states, “the arms race” is on.