ICIT attacks shoddy attribution skills of APT-focused security vendors

News by Roi Perez

The Institute for Critical Infrastructure Technology's senior fellow James Scott has claimed that "Faux experts look to garner credibility by attributing every cyber-attack to whichever Chinese or Russian APT group dominates the spotlight."

“Allegations of cyber-incidents, IP theft, and cyber-attack have significant tangible results and seismic geopolitical implications,” warns the Institute for Critical Infrastructure Technology (ICIT), claiming that competing vendors cause these and complicate attribution efforts.

The ICIT says typical attribution is based on the scraps of evidence that the adversary either intentionally (as a diversion or a demonstration of skill) or carelessly left behind. Because sophisticated attack kits are increasingly accessible to less sophisticated attackers, it is increasingly difficult to retroactively distinguish one attacker from another.

This is coupled with the fact that competing vendors complicate attribution efforts by forgoing a systematic nomenclature and by storing information away in silos, where its relevance fades in the weeks or months needed to develop “unique” content.

“Faux experts and the ill-informed attempt to garner credibility by rapidly attributing every cyber-attack to whichever Chinese or Russian advanced persistent threat (APT) group dominates the spotlight at that moment,” said the ICIT.

It explains: “[Faux experts] fail to realise that accurate attribution depends on reliable analysis of the indicators of compromise (IoCs); the adversarial tools, techniques, and procedures (TTP) utilised; and on a holistic attacker profile generated from the systematic aggregation of past adversary behaviour, target demographics, unique operational procedures, and many, many other characteristics.”

According to the ICIT, Western critical infrastructure is subjected to cyber-assaults from nation-state adversaries, cyber-mercenaries, Hail-Mary threat actors, cyber-terrorists and cyber-criminal gangs from China, Russia, North Korea, the Middle East, South America and nearly every other global region.

The ICIT recognises that the threats are vast, and attribution is intentionally clouded through shared malware, infrastructure, and target demographics. Approximately 100 Chinese APTs have targeted US critical infrastructure over the past few years. If the swath of Chinese cyber-assaults is not stymied, then targeted critical infrastructure will be crippled, targeted geopolitical systems will be undermined, and the PRC will continue to accelerate cyber havoc on western critical infrastructure.

“China and Russia are by far the most active and they sponsor the most prevalent and the most sophisticated adversaries.” China maintains its geopolitical and economic status by conducting cyber-operations on western organisations and critical infrastructure.

China leverages its significant resources and vast population in an inexorable barrage of APT campaigns intent on advancing China's 13th Five-Year Plan by stealing valuable intellectual property and geopolitical data from US companies and critical infrastructure organisations.

Sophisticated cyber-espionage groups conduct extensive campaigns, such as the Deep Panda assault on the Office of Personnel Management (OPM), in order to develop robust espionage databases that can be integrated with demographic and psychographic Big Data analytics applications for decades to come.

Russia, in this cyber-war, is America's singular technological peer, possessing a unique stealth and sophistication that continuously and effortlessly crashes through the layers of most critical infrastructure organisations' cyber-defences.

Recently, Russia has been deemed the culprit in everything from election tampering and information warfare to CIA leaks channelled through WikiLeaks. Attribution has been based on third-party hearsay and flimsy forensic analysis, only to be convoluted even further by the political-agenda-driven talking points of government officials and faux experts, and then reported on by a ready media.

When a government official uses the broad-stroke attribution of “It's the Russians,” the immediate response should be: Which Russian APT is responsible? How do you know? What imitators have been analysed that could impede the efficiency of forensic analysis? What tools were used in the breach? How long have those tools been available on Deep Web markets and forums?

“More often than not, in-depth investigation will reveal that the tools used in the breach have been available for free download for several months, the IP address leap frogs globally to obfuscate the actual location of the attacker,” said the ICIT, adding, “at the end of the day the entire attribution was based on convenient, but ultimately inconclusive evidence and little more.”
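The ICIT's point in the two passages above (attribution rests on IoCs, TTPs and an aggregated attacker profile, and evidence built on freely available tools is weak) can be made concrete with a small scoring model. The following is an added example, not code from the ICIT or from this article: it weights each indicator by how few known groups share it, discounts indicators that are publicly available, and only calls an attribution conclusive when the leading group's share clears a margin over the runner-up. The group names, indicators and the `PUBLIC_INDICATORS` set are constructed, hypothetical data; the margin threshold is an assumption.

```python
"""Toy attribution-confidence scorer (added example, hypothetical data).

Each group profile is the set of indicators (tools, TTPs, infrastructure,
target demographics) historically observed with that group. An observed
intrusion is scored against every profile; indicators shared by many groups,
or freely available to anyone, contribute little, so a match built only on
such evidence stays inconclusive.
"""
from collections import Counter

# Constructed, hypothetical threat-group profiles.
PROFILES = {
    "GROUP-A": {"tool:webshell-x", "ttp:spearphish", "infra:hop-relay", "target:energy"},
    "GROUP-B": {"tool:webshell-x", "ttp:spearphish", "ttp:dns-tunnel", "target:finance"},
    "GROUP-C": {"tool:custom-loader-z", "ttp:spearphish", "infra:hop-relay", "target:energy"},
}

# Constructed: indicators known to be freely downloadable, so anyone may use them.
PUBLIC_INDICATORS = {"tool:webshell-x"}
PUBLIC_DISCOUNT = 0.25  # assumption: a public tool is worth a quarter of a private one

# Constructed observations from two hypothetical intrusions.
OBSERVED_SHARED = {"tool:webshell-x", "ttp:spearphish"}
OBSERVED_SPECIFIC = {"tool:custom-loader-z", "infra:hop-relay", "target:energy"}


def indicator_weights(profiles, public=PUBLIC_INDICATORS, discount=PUBLIC_DISCOUNT):
    """Weight = 1 / (number of groups sharing the indicator), discounted if public."""
    counts = Counter(ind for inds in profiles.values() for ind in inds)
    weights = {ind: 1.0 / n for ind, n in counts.items()}
    for ind in public:
        if ind in weights:
            weights[ind] *= discount
    return weights


def score_attribution(observed, profiles):
    """Return {group: share of total evidence weight} for the observed indicators."""
    weights = indicator_weights(profiles)
    raw = {g: sum(weights[i] for i in (observed & inds)) for g, inds in profiles.items()}
    total = sum(raw.values())
    if total == 0.0:  # nothing observed matches any known profile
        return {g: 0.0 for g in raw}
    return {g: s / total for g, s in raw.items()}


def assess(observed, profiles, min_margin=0.25):
    """Rank groups and report whether the lead is wide enough to be conclusive.

    min_margin is an assumed threshold: the best group's share must exceed the
    runner-up's by this much before the result is treated as more than a guess.
    """
    scores = score_attribution(observed, profiles)
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    best, best_score = ranked[0]
    second_score = ranked[1][1] if len(ranked) > 1 else 0.0
    margin = best_score - second_score
    return {
        "best": best,
        "confidence": best_score,
        "margin": margin,
        "conclusive": margin >= min_margin,
        "scores": scores,
    }


if __name__ == "__main__":
    for label, observed in (("shared tooling only", OBSERVED_SHARED),
                            ("group-specific evidence", OBSERVED_SPECIFIC)):
        result = assess(observed, PROFILES)
        verdict = "conclusive" if result["conclusive"] else "INCONCLUSIVE"
        print(f"{label}: best={result['best']} share={result['confidence']:.2f} "
              f"margin={result['margin']:.2f} -> {verdict}")
```

Run stand-alone, the first intrusion (a public web shell plus spear-phishing, both seen across several groups) ties GROUP-A and GROUP-B and is reported inconclusive; the second, which includes a loader seen only with GROUP-C, clears the margin. The point is not the particular weights but the shape of the reasoning: evidence has to be rated by how unique it is before a name is attached to it.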

Concluding, it said, “Now, more than ever, accurate attribution is crucial and must be based on the systematic profiling of nation states, cyber-mercenaries, Hail-Mary threat actors and cyber-criminal gangs, based on the holistic aggregation of reliable intelligence that was collected via a combination of academic research and dark web monitoring.”
