http://www.zdnet.com/article/hunting-the-hackers-tough-and-getting-tougher-but-more-important-than-ever/?tag=nl.e539&s_cid=e539&ttag=e539&ftag=TRE17cfd61


Hunting the hackers: Tough and getting tougher, but more important than ever

Summary:ZDNet's Monday Morning Opener: Working out who is really behind
hacking attacks is already painful and tricky -- but the consequences of
not acting are far worse.



By Steve Ranger <http://www.zdnet.com/meet-the-team/uk/steve-ranger/> |
January 4, 2015 -- 23:06 GMT (15:06 PST)

Events such as the massive attack on Sony Pictures
<http://www.zdnet.com/article/sony-hack-how-cybercrime-just-got-even-more-complicated/>
have emphasised yet again how anyone with a grudge and a certain amount of
technical knowledge can undermine the digital systems on which modern
internet-connected economies rely.

A timely paper, *Attributing Cyber Attacks*
<http://www.tandfonline.com/doi/full/10.1080/01402390.2014.977382#tabModule>,
published by Thomas Rid and Ben Buchanan of the Department of War Studies
at King's College London, sets out the problems investigators face when
trying to work out exactly who is behind these kinds of cyber attacks. It
points out that even now there are no easy answers -- and that it's only
going to get harder.

"That process of attribution is not binary, but measured in uneven degrees,
it is not black-and-white, yes-or-no, but appears in shades. As a result,
it is also a team sport -- successful attribution requires more skills and
resources than any single mind can offer," the paper, published in the *Journal
of Strategic Studies,* warns.

As such we shouldn't necessarily expect a 'Colonel Mustard in the library
with a lead pipe' type of identification when it comes to these kinds of
crimes -- although the paper does note that because of the way hacking is
done, by individuals with particular quirks and habits, the way digital
forensics work it may sometimes be easier to identify individual
perpetrators and then 'zoom back out' to the bigger organisational or
military unit involved, rather than the other way around.

Rid and Buchanan highlight a number of areas that analysts can fruitfully
investigate.
Cybercrime scene investigation

For example, the target can shed light on the type of breach or the type of
intruder: credit card information and other easily monetised targets point
to organised criminals; digital attacks aimed at product designs may point
to economic espionage; hacks focused on military strategy can point to
intelligence agencies.

How the attackers cover their tracks may be an indication of identity, or
as the paper notes: "Stealth, ironically, can also be revealing."
Anti-forensic activity -- steps designed to evade detection and later
investigation -- is tricky and time-consuming, so using it can reveal
hackers intentions, their fear of reprisal, and level of sophistication.
Similarly, the resources the attacker brought to bear in the effort may be
an indicator for how highly the attacker valued the target: the zero-day
vulnerabilities used in something like Stuxnet would have been expensive
and hard to acquire.

One way attackers can give themselves away is by the hacking infrastructure
they use -- relying on one particular botnet, for example, or one
command-and-control setup, although as the authors note: "As a result, some
shrewd actors are taking steps to try to better hide their infrastructure."

Other factors in identifying attackers can come from language indicators
and the broader geopolitical context, and the type of damage they do:
"Sabotage, as a rule of thumb, tries to maximise direct costs, either
openly or clandestinely, whereas collection tries to avoid direct costs for
the victim, in order to avoid detection and enable more collection in the
future," say Rid and Buchanan.

The paper also notes that how attackers respond to publicity can be
instructive -- some attackers may cease operations immediately, while
others may continue regardless (the first response could be that of an
intelligence agency that doesn't want to be embarrassed, the second that of
a crime gang that doesn't care).

For governments and law enforcement the good news is that it's possible to
identify individuals and organisations behind digital crimes.

"Sophisticated adversaries are likely to have elaborate operational
security in place to minimise and obfuscate the forensic traces they leave
behind. This makes uncovering evidence from multiple sources, and therefore
attribution, harder. The silver lining is that adversaries reliably make
mistakes. The perfect cyber attack is as elusive as the perfect crime."
The cybersecurity hall of mirrors

Rid and Buchanan have set out a framework for analysing cyber attacks, but
that doesn't mean we can expect easy or unambiguous answers.

Trying to apply the theory to the real world is where inevitably it gets
messy -- and with the Sony hack the messiness verges on *Inception*
<http://www.imdb.com/title/tt1375666/>-level ambiguity. The FBI has pointed
the finger at North Korea over the Sony hacks, but the publicly available
evidence remains extremely limited, which has left a number of security
experts unconvinced -- at least for now. And as the agendas and techniques
of cybercrime, hacktivism, economic espionage and cybewarfare overlap and
merge it's only going to be murkier
<http://www.zdnet.com/article/sony-hack-how-cybercrime-just-got-even-more-complicated/>
.

The bad news, as Rid and Buchanan note, is that identifying hackers is
getting harder as hackers learn from previous mistakes.
Read this

[image:
http://zdnet1.cbsistatic.com/hub/i/r/2014/12/17/29874398-9271-4526-b44c-2cee36ebca20/resize/220x165/f31b12bacf1571448bef909d7ffdecf5/nk.png]
<http://www.zdnet.com/article/bluster-bravado-and-breaches-todays-terrorist-players-in-cybersecurity/>

Bluster, bravado and breaches: Today's 'terrorist' players in cybersecurity
<http://www.zdnet.com/article/bluster-bravado-and-breaches-todays-terrorist-players-in-cybersecurity/>

·         Read More
<http://www.zdnet.com/article/bluster-bravado-and-breaches-todays-terrorist-players-in-cybersecurity/>

But just because cyber attribution is fraught with difficulty that doesn't
mean it shouldn't be attempted: the authors warn of what could happen if
there are no meaningful consequences once attackers are identified: "Absent
meaningful consequences, states and non-state actors may simply lose their
fear of getting caught, as a lax de-facto norm of negligible consequences
emerges. Ironically this could mean that non-democratic states become less
concerned about getting caught than publicly accountable liberal
democracies."

As such the decision by the US to impose sanctions on North Korea following
the Sony attack can be seen showing that there are consequences to this
kind of attack. But it also reflects how the rules of engagement for these
kinds of digital confrontations are still being written.

All of this means that working out who did what, when and why is tough and
getting tougher -- but working out how to respond to such attacks is going
to be harder still.




__._,_.___
 ------------------------------
Posted by: "beowulf" <[email protected]>
------------------------------


 Visit Your Group
<https://groups.yahoo.com/neo/groups/grendelreport/info;_ylc=X3oDMTJmbjhsNnV0BF9TAzk3MzU5NzE0BGdycElkAzIwMTk0ODA2BGdycHNwSWQDMTcwNTMyMzY2NwRzZWMDdnRsBHNsawN2Z2hwBHN0aW1lAzE0MjA0OTAxMDU->

   - New Members
   
<https://groups.yahoo.com/neo/groups/grendelreport/members/all;_ylc=X3oDMTJnMmd1am9yBF9TAzk3MzU5NzE0BGdycElkAzIwMTk0ODA2BGdycHNwSWQDMTcwNTMyMzY2NwRzZWMDdnRsBHNsawN2bWJycwRzdGltZQMxNDIwNDkwMTA1>
   1

 [image: Yahoo! Groups]
<https://groups.yahoo.com/neo;_ylc=X3oDMTJlZXV1cDcyBF9TAzk3NDc2NTkwBGdycElkAzIwMTk0ODA2BGdycHNwSWQDMTcwNTMyMzY2NwRzZWMDZnRyBHNsawNnZnAEc3RpbWUDMTQyMDQ5MDEwNQ-->
• Privacy <https://info.yahoo.com/privacy/us/yahoo/groups/details.html> •
Unsubscribe <[email protected]?subject=Unsubscribe>
• Terms of Use <https://info.yahoo.com/legal/us/yahoo/utos/terms/>

__,_._,___

-- 
-- 
Thanks for being part of "PoliticalForum" at Google Groups.
For options & help see http://groups.google.com/group/PoliticalForum

* Visit our other community at http://www.PoliticalForum.com/  
* It's active and moderated. Register and vote in our polls. 
* Read the latest breaking news, and more.

--- 
You received this message because you are subscribed to the Google Groups 
"PoliticalForum" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to