Attribution is hard. It’s as much art as it is science. It’s also very misunderstood.
So, as part of my public service initiative, I created and then unintentionally crowdsourced the most definitive collection of reality-based constructs reflecting the current state of this term of art.
Here you go:
Faptribution => The process of trying to reach PR climax on naming an adversary before anyone else does
Pattribution => The art of self-congratulatory back patting that goes along with attributing an actor(s) to a specific campaign or breach.
Flacktribution => The process of dedicating your next press release to the concept that, had the victim only used $our_software, none of this would have happened. (Per Nick Selby)
Maptribution => When you really just have no fucking idea and play “pin the tail on the donkey” with a world map. (Per Sam Johnston)
Craptribution => The collective negative social media and PR feedback associated with Snaptribution (Per Gunter Ollmann)
Masturbution => When you feel awesome about it, but nobody else gives a flying f$ck (Per Paul Stamp, but ‘betterized’ by me)
Snaptribution => Naming the threat actor so quickly you can’t possibly be right, but you are first. Also known as premature faptribution. (Per Chris Wysopal)
May you go forth with the confidence to assess the quality, scope and impact of any attribution using these more specific definitions.
At the 2015 Kaspersky Security Analyst Summit, I kicked off the event with a keynote titled: “Active Defense and the A.R.T. of W.A.R.”
The A.R.T. of W.A.R. stands for “Active Response Techniques of Weaponization and Resilience.”
You can read about some of what I discussed here. I will post the presentation shortly and Kaspersky will release the video also. The video of my talk is here (I am walking out, hoodie up, like I’m in a fight, per the show’s theme):
While thematically I used the evolution of threat actors, defensive security practices, operations and technology against the backdrop of the evolution of modern mixed martial arts (the theme of the conference), the main point was really the following:
If we now face threat actors who have access to the TTPs of nation states but are not themselves nation states, and they are attacking enterprises that do not or cannot utilize those TTPs, and our only current “best practices” references against such actors are framed within the context of “cyberwar” and can be acted upon only by representatives of a nation state, then it will be impossible for anyone outside that circle to actively defend our interests, intellectual property and business with an appropriate and contextualized framing of the use of force.
It is extremely easy to take what I just mentioned above and start picking it apart without the very context I referenced.
The notion of “Active Defense” is shrouded in interpretive nuance — and usually escalates immediately to the most extreme use case of “hacking back” or “counter-hacking.” As I laid out in the talk — leaning heavily on the work of Dave Dittrich in this area — there are levels of intrusion as well as levels of response, and the Rubik’s Cube of choices allows for ways of responding that include more than filing a breach report and re-imaging endpoints.
While the notions of “active” and “passive” are loaded terms without context, I think it’s important that we — as the technical community — be allowed to specifically map those combinations of intrusion and response and propose methodologies against which the air cover of legal frameworks and sovereignty can be laid. Not having this conversation is unacceptable.
Likewise unacceptable is the disingenuous representation that organizations (in the private sector) who specialize in one of the most important areas of discussion here — attribution — magically find all their information by accident on Pastebin. Intelligence — threat, signals, human, etc. — is a very specialized and delicate practice, but as it stands today, there are 4-5 companies who operate in this space with ties to the public sector/DoD/IC, and they are locked in their own “arms race” to be the first to attribute a name, logo and theme song to every attack.
It’s fair to suggest they operate in spaces along the continuum that others do not. But these are things we really don’t talk about, because they exist in the grey fringe.
Much of that information and many of those sources are proprietary, and while we see executive orders and governmental offices being spun up to exchange “threat intelligence,” the reality is that even if we nail attribution, there’s nothing most of us can do about it…and I mean that technologically and operationally.
We have documents such as the Tallinn Manual and the Army Cyber Command Field Manual for Electromagnetic Warfare that govern these discussions in their realms — yet in the enterprise space, we have only things like the CFAA.
This conversation needs to move forward. It’s difficult, it’s hairy and it’s going to take a concerted effort…but it needs a light shone upon it.