I love the scepticism, this is an excellent attitude to have with cyber claims
of attribution! So let's apply some analytic processes to the problem; I'm sure
they can help illuminate the situation.
What I'd love to see, from anyone, is an actual ACH matrix with some options
and the available data we have mapped out. Let's see which hypothetical threat
actors match against the available data. What are the alternatives here? I've
heard:
TA-1. a kid, or kids, in it for the lulz
TA-2. a false flag op by another FIS
TA-3. a FIS badly attributed by CrowdStrike
TA-4. the Russian intelligence services
TA-5. a Russian intelligence subcontractor for cyber ops gone rogue
Any others I've missed? There are a lot of variants of TA-1, so I'm including
all non-FIS autonomous threat actors (but please, if there is a variant that
merits special consideration, let's add them as a separate possibility.)
There are three distinct operations that need to be covered by the actor. Let's
map those out:
Op-1. the DNC breach and exfil
  a. at least two threat actors on the network
  b. used tools, techniques and procedures associated with Russian APTs
  c. focused on political data exfil, not monetisation
     - no ransomware, exploitation of PII, banking/CC fraud, etc.
     * I'd bet the DNC would pay a _lot_ to a ransomware operator
Op-2. the "covert action" against the Democratic campaign
  a. analysis of "thousands" of documents
     - requires access to the take from Op-1
  b. requires some political savvy wrt document selection
     - political savvy requirement goes up if the documents were altered
  c. at least minimal planning wrt the release channel and the timing
     - wikileaks? the intercept? MSM? the pirate bay? dedicated website?
     - after Trump nomination, but before the election (obviously)
     * on the network for months, yet no docs leaked before WaPo article
Op-3. the guccifer2 claim of responsibility
  a. the supporting evidence
     - requires access to the take from Op-1
     - requires analytic and political skills from Op-2.a & Op-2.b
  b. subtle notes of Russian (too subtle for media to notice, but not for pros)
     - maybe deliberately inserted (threat actor is proficient in Russian)
     - or, "mistakes were made" (threat actor happens to be Russian speaking)
  c. deployed w/in < 24hrs of the WaPo story
     - complete absence of evidence of g2 before the WaPo article
  d. why guccifer2? another eastern european hacker's name
     - other threat actors have used unique names for claims of
       responsibility (e.g. the Sony hack, hackers seeking fame, etc.)
With the data that we have available to us, what are some potential actors, or
series of events w/ different actors, who would have the capability, the intent
and the opportunity to execute the above three operations?
Can someone show that Op-2 didn’t actually exist? Maybe no documents were
passed to wikileaks, and the selection of evidence for Op-3.a was basically
random? Would there be another way of providing evidence other than stolen
documents?
I am very honestly interested in hearing what suggestions people have.
As Mara pointed out, Op-2 would be an extremely risky move by Russia,
particularly at a politically sensitive time. That might be a motivation for
some entity who wants to damage (a subset of) Russian interests by implicating
them (see: TA-2, TA-5). Conversely, aiding Trump is in line with (a subset of)
Russian interests (see: TA-4, TA-5), although it is also in line with other
possible threat actors, e.g. 4chan's alt-right community (see: TA-1). There are
a lot of possibilities here!
Let's apply some analytic rigour to our speculation and see what we can come up
with.
* Can we use the available data to eliminate any of the threat actors?
* What additional data would help eliminate any, and can we get it?
Intelligence analysts frequently have to work with a patchwork of data of
various levels of reliability, which is precisely why these analytic processes
were developed. Now is the perfect time to use them to help sift through what
we know.
This is very exciting! Intelligence and cyber, making history, right before our
eyes!
—gq
ps. Maybe someone wants to start a Google Docs spreadsheet we can build an ACH
matrix on? Probably columns for threat actors, and rows for operations and
evidence would be most manageable.
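An added worked example of the ACH scoring that such a spreadsheet would do; this is not part of gq's message or of the thread. Columns are the thread's TA-1 to TA-5, rows are evidence keyed by the Op labels above; the C/I/N ratings in the matrix are constructed placeholders to exercise the scorer, not an assessment of the real case. It also computes diagnosticity, which flags evidence rows that cannot eliminate any hypothesis and so answers "what additional data would help eliminate any".

```python
# ACH (Analysis of Competing Hypotheses) matrix scorer.
# Columns: the thread's hypothetical threat actors; rows: evidence items
# keyed by the thread's Op-N.x labels. Cell ratings:
#   "C" consistent, "I" inconsistent, "N" neutral (no bearing).
# The ratings below are constructed placeholders to exercise the code;
# they are NOT an assessment of the actual case.

HYPOTHESES = ["TA-1", "TA-2", "TA-3", "TA-4", "TA-5"]

MATRIX = {
    "Op-1.b Russian APT TTPs":       ("I", "C", "C", "C", "C"),
    "Op-1.c no monetisation":        ("I", "C", "N", "C", "N"),
    "Op-2.b political savvy":        ("N", "C", "N", "C", "I"),
    "Op-3.b Russian language notes": ("N", "C", "N", "C", "C"),
    "Op-3.c g2 <24h after WaPo":     ("N", "N", "N", "N", "N"),
}


def inconsistency_scores(hypotheses, matrix, weights=None):
    """ACH scores each hypothesis by the (weighted) number of evidence rows
    inconsistent with it. Consistent cells earn no credit: the method tries
    to refute hypotheses, not confirm them. The lowest score survives."""
    weights = weights or {}
    scores = {h: 0.0 for h in hypotheses}
    for row, ratings in matrix.items():
        if len(ratings) != len(hypotheses):
            raise ValueError(f"row {row!r} has {len(ratings)} cells")
        for h, rating in zip(hypotheses, ratings):
            if rating == "I":
                scores[h] += weights.get(row, 1.0)
    return scores


def diagnosticity(matrix):
    """A row rated identically for every hypothesis cannot tell them apart.
    Returns, per row, the number of distinct ratings (1 = undiagnostic)."""
    return {row: len(set(ratings)) for row, ratings in matrix.items()}


def least_inconsistent(scores):
    """Hypotheses tied for the lowest inconsistency score."""
    best = min(scores.values())
    return sorted(h for h, s in scores.items() if s == best)


if __name__ == "__main__":
    scores = inconsistency_scores(HYPOTHESES, MATRIX)
    for h in HYPOTHESES:
        print(f"{h}: {scores[h]:.1f} inconsistent rows")
    print("survivors:", least_inconsistent(scores))
    print("undiagnostic rows:", [r for r, n in diagnosticity(MATRIX).items() if n == 1])
```

Weighting lets you discount low-reliability evidence (the "patchwork of data of various levels of reliability" the message mentions) by passing per-row weights.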
> On 17 Jun 2016, at 23:39, Jeffrey Carr <[email protected]> wrote:
>
> I agree entirely, Allen. The market incentives are huge for a company to
> discover and report an attack attributed to a nation state, the bar for
> evidence is negligible, and there's really no way to disprove a claim. Even
> when someone involved in the attack pops up and says I did it, here's proof,
> and you're an idiot, that becomes a "disinformation operation" and again,
> there's no way to disprove that.
>
> Jeff
>
> Date: Thu, 16 Jun 2016 21:28:42 -0400
> From: Allen <[email protected]>
> To: Adam Shostack <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Subject: Re: [Dailydave] "When you shoot at the king, you best not miss."
> Message-ID:
> <cadwykiy5ryj5s61qxlf+hc7zrgd1lcnbccxt5qusn8hv6c8...@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> | It's entirely possible that this is a disinformation campaign, or that
> | attribution is hard, and Crowdstrike made a mistake
>
> I'm inclined to believe that while attribution may be hard there are
> entirely too many market incentives to brand any given attack with one of
> the nation state animal totems.
>
> The fact that attribution is frequently derived from prior intelligence
> blended with the fact that all of the source data is confidential only
> lends itself to confirmation bias. A small attribution mistake by one
> vendor can really snowball.
>
> --
> Jeffrey Carr (jeffreycarr.com)
> CEO, Taia Global, Inc. (taiaglobal.com)
> Founder, Suits and Spooks (suitsandspooks.com)
> Author, "Inside Cyber Warfare: Mapping the Cyber Underworld" (O'Reilly Media, 2009, 2011)
>
>
> THE CONTENTS OF THIS EMAIL ARE FOR THE RECIPIENT'S EYES ONLY AND MAY NOT BE
> DUPLICATED OR DISTRIBUTED WITHOUT PRIOR PERMISSION.
_______________________________________________
Dailydave mailing list
[email protected]
https://lists.immunityinc.com/mailman/listinfo/dailydave