THE ATTRIBUTION PROCESS

POL370F

PROF.BENJAMINBARTLETT

MIAMI UNIVERSITY

THREE LEVELS

Tactical(technical)
Operational
Strategic

TACTICAL LEVEL

Involves looking at technical data to figure out how a cyberoperation worked.
Mainlytechnicalexpertiseisrequired.

But, can require various forms of technical expertise.

Example: if you want to understand an attack on a power plant, needcomputer experts, but also people who understand how power plantswork.

OPERATIONAL LEVEL

Need to understand how the cyber operation fits into a widercampaign, the attacker’s profile and immediate goals.
Similar to a “social science” problem:

Need competing hypotheses.
Can drawonnon-technical information.

Goal: identify country or organization responsible.

STRATEGIC LEVEL

Need to understand who is responsible, what is the “largerpurpose” that the cyber operation serves.

Involvesthinkingaboutthelargergeopoliticalsituation.

Needtodeterminean appropriate response.
Key point: at this level, it is no longer just about who did it, butwhat you want to do about it.

THE ATTRIBUTION PROCESS

Involves back-and-forth communication between these three levels,each asking different questions.
Canthink of it as an “attribution chain”, with technical people atthe bottom and then managers/decision-makers as you move up.
Thosehigherupcanrequestmoreinformationfromthosebelow.

QUESTIONS AT THE TACTICAL LEVEL(ABOUT A SINGLE OPERATION)

How did they break in? What kinds of vulnerabilities did they exploit?
Whatdidtheytarget? What was the payload?
What kind of infrastructures (i.e., command-and-control servers) do they use?
Dowerecognizepartsofthiscodefromotheroperations?
How sophisticated is the code? Is it off-the-shelf or custom?
Whatlanguagearethecomments?
What kind of schedule do they keep?

EXAMPLE: BREAK-IN AT LOCAL CREDIT UNION

Hackers mainly stole credentials from employees.
Usedaphishingemailcontainingmalware.
Somecomments written in Korean.
Hackers always connected at the same time, during “workinghours” in North Korea.

→Probably North Korean hackers.

QUESTIONS AT THE OPERATIONAL LEVEL(ABOUT MULTIPLE, RELATED OPERATIONS)

Can we connect this operation with other operations?

Ifso,howdoesthisoperationfitintotheoverallpattern?

Canweconnect this operation with any known actors, APTs?
Canweconnectthisoperationtoother,non-cyberincidents?

Or,topolitical events in the “real world”?

Whatgoalsistheactorlikelypursuingin their “cyber campaign”?

Cyber campaign = multiple, related cyber operations

EXAMPLE(CONTINUED)

Have seen similar break-ins at other local banks, always aiming foremployee credentials.
M.O. is similar to a well-known North Korean APT.
ThisAPThasstolencredentialsfromlocal banks in other countries,used those credentials to steal money from central banks.

→Probably same APT trying to steal from U.S. central bank.

QUESTIONS AT THE STRATEGIC LEVEL(HOW DO THE OPERATIONS FIT INTO THE BIGGERPICTURE?)

What larger goals is the actor trying to achieve with these cyber operations?
Dowewanttoreveal we have successfully attributed the actor, and if so, howmuch detail should we release?

Moredetailincreases credibility, improves attribution (because others can build on theanalysis), and enables better collective defenses, but could risk, for example, intelligencesources.

What should the response be (if any)?

The potential response helps determine how certain you want to be.

EXAMPLE (CONTINUED)

From other intelligence sources, know that North Korea has beentrying to find ways to fund its ongoing missile developmentprogram.

→Probably that is what they are doing with the stolen money.

Now,thehardpart:doyouleteveryone know North Korea isbehind these operations? How much do you reveal about how youknow? And how do you respond?

CONCLUSION

Attribution is onlyinpartatechnicalproblem;inpart,ittakes a good deal of social science, includingarea/country expertise.
Atthestrategic level, the question is as much about how torespond to a cyber operation as it is who was behind it.