Attribution + Russia = Misdirection

J.J. Thompson
Published in SECOPS
10 min read · Jan 4, 2017

When the trees move, the enemy is coming; when there are many blinds in the undergrowth, it is misdirection. — Sun Tzu

My first story on Medium will not be data driven. It will not repeat the well thought out posts by Lee and Jeffrey Carr, who argue that there were Analytical Leaps and Wild Speculation in Recent Reports of Industrial Cyber Attacks and that the FBI/DHS Joint Analysis Report is A Fatally Flawed Effort, or Graham’s rant about the inadequacy of the DHS provided IOCs. Those links were shared with trusted social friends, political leaders, and other intellectuals who focus on emerging challenges in matters of NATSEC and politics. What follows is the bilateral stream of thought that resulted from those discussions.

First Public Release of Cyber Threat Intelligence “Goes Viral”

Feb 19, 2013: Mandiant releases the APT1 report, exposing the Chinese state-sponsored group “APT1” and its multi-year, enterprise-scale computer espionage campaign. Result: mainstream media became aware of this topic called “attribution” to an unprecedented degree, and the race to publicly disclose threat intelligence began in the cyber security industry. The result is captured in jest on a mug in our office.

Attribution and Inductive Fallacy Mug in the Rook Security SOC

DNC Hack Investigation Detail Released Publicly

Fast forward to 2016. June 14th, 2016. News breaks of a report by CrowdStrike that they identified who hacked the DNC. In this case, “news breaks” meant “unprecedented public release of detailed findings during an on-going investigation by the endpoint protection company conducting the forensics investigation on behalf of the DNC”. The vast majority of the information security community jumped on-board at the whiff of “Indicators of Compromise” (IOCs), simplified here as “digital evidence relating to a potential or verified compromise of a computer system”.

How Infosec Messes Up with IOCs

IOCs are like “hacker fingerprints”… only not. They’re more like the gun. Or the shell casing from a round. IOCs are not a fingerprint, and certainly not DNA. Yet some members of the information security Digital Forensics and Incident Response (DFIR) community of ninjafied cyber investigators seem to regard them as such.

After being challenged by claims from a few in the infosec community as well as reports from “a person claiming to be guccifer 2.0”, CrowdStrike stated that “CrowdStrike stands fully by its analysis and findings identifying two separate Russian intelligence-affiliated adversaries.”

To believe this statement based on the data in the CrowdStrike report as of the date of the report and the statement, one would need to think that at a minimum:

a) CrowdStrike can prove the link between the code recovered in their investigation, the digital assets from which the code originated (usually IP address + computer), the person who used the computer, and that individual’s membership in the group “cozy bear” and/or “fancy bear”;

b) publicly available code reportedly used by “cozy bear” and/or “fancy bear” was only used by people in those groups.

I should stop there. CrowdStrike has not — even to the date of this article — proven “a”, nor have they proven “b”. Therefore, they have not substantiated their asserted attribution. Neither can anyone else without access to the capabilities of our intelligence community.
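The point that an IOC hit is a shell casing rather than a fingerprint, and that conditions “a” and “b” above are never satisfied by a match alone, can be made concrete with a small matcher. The following is an added example and not code from the post or from any of the firms named in it; the indicator list and the log lines are constructed placeholders (RFC 5737 test addresses, an `.invalid` domain, a dummy hash), not indicators from the JAR or any real report. Each hit is weighted by the nature of the indicator, and the assessment never rises to “attributed”: shared infrastructure and public tooling say nothing about the actor, and even an actor-specific indicator only says the tooling is consistent with what was reported.

```python
"""Score IOC hits by how much attribution weight they can carry.

Added example, not code from the original post. Indicator values and log
lines are constructed placeholders and are not real indicators.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    value: str    # literal value to look for as a whole log field
    kind: str     # "ip", "domain" or "sha256"
    shared: bool  # True when anyone can use it: Tor exit, hosting range,
                  # open-source malware; a hit then says nothing about who
    note: str


@dataclass(frozen=True)
class Hit:
    line: str
    indicator: Indicator
    weight: str   # "weak" or "moderate"; never "attributed"


# Constructed indicator list, modelled on the kinds of entries a JAR carries.
IOCS = (
    Indicator("203.0.113.10", "ip", True, "Tor exit node (constructed)"),
    Indicator("198.51.100.7", "ip", True, "shared VPS provider range (constructed)"),
    Indicator("c2.example.invalid", "domain", False, "actor-registered C2 domain (constructed)"),
    Indicator("ab" * 32, "sha256", True, "open-source webshell, publicly downloadable (constructed)"),
)

# Constructed firewall, resolver and AV lines with several kinds of hit.
MIXED_LOGS = [
    "2016-06-14T09:01:12Z fw src=10.0.0.8 dst=203.0.113.10 dport=443 action=allow",
    "2016-06-14T09:01:40Z dns client=10.0.0.8 query=c2.example.invalid",
    "2016-06-14T09:02:05Z av host=ws-08 file=update.aspx sha256=" + "ab" * 32,
]

# The single-laptop case: one hit, and the hit is a Tor exit node.
LAPTOP_LOGS = [
    "2016-12-30T21:14:02Z fw src=10.1.1.5 dst=203.0.113.10 dport=443 action=allow",
    "2016-12-30T21:14:03Z fw src=10.1.1.5 dst=192.0.2.44 dport=80 action=allow",
]

# A field is a run of letters, digits, dots and dashes; '=' and spaces split.
_TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*")


def match_iocs(lines, iocs=IOCS):
    """Return one Hit per (line, indicator) pair whose whole field matches.

    Whole-field matching avoids substring hits such as 1203.0.113.10.
    """
    by_value = {i.value: i for i in iocs}
    hits = []
    for line in lines:
        for tok in _TOKEN.findall(line):
            ind = by_value.get(tok)
            if ind is not None:
                hits.append(Hit(line, ind, "weak" if ind.shared else "moderate"))
    return hits


def assess(hits):
    """State what the hits support. A match never establishes who was at the
    keyboard (point 'a'); shared indicators do not even narrow the field
    (point 'b')."""
    if not hits:
        return "no match"
    if all(h.indicator.shared for h in hits):
        return "activity observed; shared indicators only, no actor inference"
    return "consistent with tooling reported for the actor; identity not established"


if __name__ == "__main__":
    for name, logs in (("mixed", MIXED_LOGS), ("laptop", LAPTOP_LOGS)):
        hits = match_iocs(logs)
        print(f"{name}: {len(hits)} hit(s) -> {assess(hits)}")
        for h in hits:
            print(f"  [{h.weight}] {h.indicator.kind} {h.indicator.value}: {h.indicator.note}")
```

Run as-is, the laptop case produces exactly one hit, weighted weak, and the assessment reads “activity observed; shared indicators only”: the matcher has done its job, and the analyst still knows nothing about the actor. The mixed case collects an actor-specific domain and still stops at “consistent with reported tooling”; turning that into a named adversary is the step conditions “a” and “b” require and which a matcher cannot supply.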

The “Industry” Rushes to Support CrowdStrike

June 20th. Industry leaders voiced their opinions in support of the CrowdStrike report.

Mandiant, a cyber-forensics firm owned by FireEye, based its analysis on five DNC malware samples. In a statement to The Washington Post, Mandiant researcher Marshall Heilman said that the malware and associated servers are consistent with those previously used by “APT 28 and APT 29,’’ which are Mandiant’s names for Fancy Bear and Cozy Bear, respectively.

Followed by

“Based on our comparative analysis, we agree with CrowdStrike and believe that the Cozy Bear and Fancy Bear . . . groups were involved in successful intrusions at the DNC,” Michael Buratowski, a senior executive at Fidelis, said.

Both stated that they believe the work to be conducted by Fancy Bear and Cozy Bear based on malware analysis. That does not satisfy “a” or “b” above. Malware is the weapon or the bullet (depending on metaphor strategy). Let’s assume it’s the weapon. Malware would be like an AK-47.

In July, I noted:

Just because AK-47s were made in Russia doesn’t mean that when a crime is conducted using an AK-47, the Kalashnikov Concern (Russian arms factory) was the culprit. If you’re in the camp that thinks that it’s the gun manufacturer’s fault, you are likely to believe CrowdStrike’s argument that the malware (the gun) was fired by the manufacturer (coder).

It’s critical for executives to overlay threat intelligence sources with operational experience so valuable threat intelligence isn’t used to reach errant conclusions, especially when dealing with NATSEC.

Whether or not you believe the metaphor to be properly worded, the point stands. The issue is that anyone could have accessed, repackaged, and used the publicly available malcode that was believed to be attributed to “cozy bear” or “fancy bear” (as groups, let alone the individuals comprising those groups). This would be like picking up an AK-47 on the street. Or buying it used. And then when it’s left behind at a crime scene, trying to claim that the (pick a gang) did it. Because they commonly use AK-47s. Good enough. You get the point.

October 12, 2016. Infragard INFRASEC Conference Talk on Inductive Fallacy

Tom Gorup and I gave a talk on Inductive Fallacy based on this and other cases. As of this date, the group was mixed on opinions about whether or not Russia was to blame for the DNC hack. It was clear the industry was still divided.

Election Night — Election Monitoring, Indianapolis

An exceptionally skilled group of people from different higher education institutions, government agencies, law enforcement, and intelligence, convened to utilize their expertise to monitor state reporting sites, digital voting system vendor IP space and terms, and other locations for evidence of election hacks, DDoS attempts, etc.

Even as of the night of the election, “a” or “b” had not been substantiated, yet the topic of Russian interference in the election was at the forefront of discussions. The quiet night left me uneasy. Too quiet.

That night, questions poured in from friends who were anticipating cyber attacks. Questions inevitably turned back to “did Russia do it?”.

December 30, 2016. FBI/DHS Joint Analysis Report Released.

Result? The infosec community on twitter was exceptionally vocal about their opinions of the report. I found it interesting that the community was ok with looking past the aforementioned attribution issues. Predictably, questions came in. What now? What do you think? Does it change your opinion? I sent them links to what Lee and Carr have written.

A Few Hours Later, Story Leaked that The Grid Was Hacked

The Washington Post publishes a story stating that an east coast utility reported to DHS that they had a hit on the IOCs released in the JAR.

News of the supposed hack had set off a firestorm of recriminations, with Vermont leaders calling Russian President Vladimir Putin “a thug” earlier Saturday, after one of the state’s electric utilities found a virus on a laptop computer.

Infosec practitioners lit up twitter. Politicians prepared for unrest and black-outs.

January 1st, 2017. Washington Post Retracts Vermont Utility Hack Story

The “story that never was” shows us how dangerous this is. How scared people are. Our profession is supposed to be full of sheepdogs. We’re supposed to be the defenders of the digital space. The ones who can be ambassadors of truth and provide a foundation of calm, analytical, fact-based, methodical decision making in the face of digital terror. Too much? Not if you ask the political leaders who were terrified that the grid had been hacked and that power would be shut down. People don’t understand “the cyber”. It’s terrifying to them. So they turn to people who they trust. Those people need to be believable, and trustworthy. Or they’ll turn to people who tell them what they want to hear. And then act on bad information.

You Have the Football. Make the Call.

If you were President Obama or President-elect Trump, what would you think at this point? What would you do? How would you find your foundation of truth? You think my analysis, absent of facts, is wrong? Ok. Let’s look at what others have said.

CrowdStrike’s Alperovitch says malware was used by Cozy Bear and Fancy Bear to hack the DNC, sponsored by Russia.

Mandiant and Fidelis “verified” the “attribution”. June 2016.

Schindler asserts that Wikileaks sharing the DNC emails is a clear attack by Putin on Clinton’s potential success. July 2016.

Lee states that Russia hacked the DNC.

Carr states that there is also ZERO technical evidence to connect those Russian-speaking hackers to the GRU, FSB, SVR, or any other Russian government department. December 2016.

Assange:

CIA Director Brennan says “Earlier this week, I met separately with (Director) FBI James Comey and DNI Jim Clapper, and there is strong consensus among us on the scope, nature, and intent of Russian interference in our presidential election.”

Russia Has Won This Battle.

Regardless of what the intelligence agencies have from source intelligence. Regardless of what detailed technical evidence emerges that brings finality to the technical argument of fact. Regardless of how any of us feel about it. Russia won this battle. No evidence has been presented that they “hacked the election” (I’m taking a bit of liberty here). No evidence has been presented that shows that they hacked the grid. The “evidence” provided that shows that they tampered with the election by manipulating the minds of Americans by hacking the DNC doesn’t matter. People think that they did. Therefore they did. When policymakers get together, they have already been conditioned to believe that not only is it possible, it happened. Russia won. Millions believe that the reason our new President will take office on inauguration day is because of Putin. That Putin has minions that can hack the DNC, the RNC, the election, the grid, Ukrainian artillery… You name it, Putin can hack it. Or so “we” believe.

If every time we look into the bushes, we see Russian cyber adversaries, even if they aren’t there, what will that become?

Here’s what needs to happen.

  1. We need to fix the Director of National Intelligence (DNI) role. And/or create a new Director of National Cyber Security (DNCS) cabinet role. We cannot operate as effectively as needed without enhancing the cyber intelligence roles within our agencies.
  2. We need a common standard and US based group for attribution verification. This needs to be extended to an international group for attribution.
  3. The infosec industry needs to be careful with the knowledge and trust bestowed upon us. We need to be the foundation of truth and trust. Not purveyors of half answers and fear. Say what we know. Say what we don’t know. Share what needs to be done to come to an answer. Execute.

They cannot win the war.

Misdirection — Success.

The whole secret lies in confusing the enemy, so that he cannot fathom our real intent. — Sun Tzu.

Was it Russia? China? Someone else? Regardless, they have succeeded.

Founder at Spektrum Labs, equipping cyber resilience innovators in the cyber insurance ecosystem. #cyberresilience #blockchain #insurtech #tokenization