So we recently went through another cyber-campaign, bringing down one of the primary Internet DNS providers. You may have heard of it?
Essentially, on the order of 100,000 small home-scale Internet of Things devices were compromised and used to execute a distributed denial of service attack against the DNS provider. Really, there's not much new about the approach, but three things are new in this campaign. First, this was an attack supported only by IoT devices. Second, this attack was executed at least in part using an open-source botnet platform. And finally, the security community immediately jumped to the wrong conclusions about who was behind the attack.
Plenty of people are discussing the first two points; I'd like to spend a few minutes on the last.
Attribution can be very difficult. If you look at malware reverse-engineering results from firms like Symantec and Kaspersky, you'll see that while they will do relative attribution (e.g. this campaign shares code with that one, so the actors are likely related), they are hesitant to do absolute attribution (e.g. Chris wrote this malware). And when the botnet code is open source, as it was here, shared code says even less: anyone can download it and build on it.
And for good reason. Although it has happened, I'm not likely to leave my email address in malware that I create if I can help it. Releasing malware into the wild is illegal just about everywhere, after all, and the artifacts left in a binary are among the few things an investigator has to go on.
There are real consequences for attribution, too. People get arrested for this. And the consequences of cyberattacks are escalating as well, not only for individuals but also for nations. From a policy perspective, we're really not sure how to handle cyberattacks: are they acts of war? Intelligence gathering? Both? And how do we differentiate between the two? We don't know yet; those policies aren't established. I suppose we hope we can tell when we see it.
Couple this with overattribution to nation-states and advanced persistent threats. If your company is compromised by a malware campaign, are you going to tell the press that it was carried out by a 17-year-old in his parents' basement? Of course not. You have the most modern cyber-security defenses in place around your company, right? It must have been an advanced threat. Admitting otherwise implies that maybe you're not defending your company as well as you should be, after all, and that can have significant negative consequences for you personally.
So we end up where we are today: organizations are incentivized to claim that advanced threats have compromised their systems, and when that happens, we don't know the right level of response. That is a dangerous combination.
In the latest attack on DNS, the community immediately blamed Russia as the responsible actor. Today, many of those same people say it was an independent group using freely available botnet software. The simple fact is that we don't know who is responsible; all of this attribution is essentially guesswork. Recent political events and an incentive structure that rewards fast, overconfident attribution are to blame. Nothing significant came of this particular misattribution, but we may not be so lucky next time.