Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV

12/21/2017
10:35 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

The Hard Work of Pointing Fingers

Pointing the finger at a perpetrator is difficult. Pointing it at the right perpetrator is even harder. That doesn't stop many organizations from trying.

Joining the initial call by the government of the UK as well as the US, the governments of Australia, Canada, New Zealand and Japan have all said this week that North Korea is behind the activities of the hacking group called Lazarus. This Advanced Persistent Threat (APT) actor has been determined to be behind the WannaCry malware that affected computers that were running Windows.

Microsoft announced the attribution on their blog, saying that they had worked with Facebook to disrupt the malware that the group relied on, as well as cleaning their customers' infected computers and strengthened the defenses inside of Windows to prevent reinfection. Specifics of how they did all of this were not given, but it was reported in a tweet that it had disrupted accounts that were being used by the group.

Microsoft also said that, "We are pleased to see these governments making this strong statement of attribution. If the rising tide of nation-state attacks on civilians is to be stopped, governments must be prepared to call out the countries that launch them."

This is something that sounds great as a ringing statement, calling on governments to protect innocents from n'er-do-wells preying on them. But knowing who the actual threat actor is can be very complex in execution, and not always simple.

In fact, part of the threat actor game is to disguise who is the actual threat actor. Part of the Vault series of leaks included a tool that automated that kind of thing. Attribution requires judgements be made by people about the code that is eventually discovered and those judgements may be inaccurate or ill-informed.

An attribution chorus
In this case, Kaspersky Lab, Symantec and BAE Systems all called out Lazarus (and hence North Korea) as the source just after WannaCry made its appearance. The exact data used by them to do this has not been publicly released. But the recent fingerpointing by the governments against North Korea is given additional credibility because the claim has some factual basis; these technical firms and their specialists made their call early and in unison.

The point for the rest of us here is that attribution of who wrote what code can be deeply flawed. It may be that a villain of some stripe may be an easy target for attribution of an attack. That doesn't mean that particular bad guy actually did it. Simple and quick reactions can be most misleading, unless backed up by hard data.

When governments get involved in making attributions like this, skepticism must be invoked. The governments will need to prove their accusations, not just make them. Politicization of cybersecurity will neither solve the problem, nor provide a defense. In this particular case, the attributions seem to be based on data rather than desire. But there is no guarantee that the next situation will be as fact-based. It is up to the community to require data be shown in such an attribution so that it cannot be used to just serve political ambitions.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: Exactly
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7734
PUBLISHED: 2020-09-22
All versions of package cabot are vulnerable to Cross-site Scripting (XSS) via the Endpoint column.
CVE-2020-6564
PUBLISHED: 2020-09-21
Inappropriate implementation in permissions in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to spoof the contents of a permission dialog via a crafted HTML page.
CVE-2020-6565
PUBLISHED: 2020-09-21
Inappropriate implementation in Omnibox in Google Chrome on iOS prior to 85.0.4183.83 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
CVE-2020-6566
PUBLISHED: 2020-09-21
Insufficient policy enforcement in media in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
CVE-2020-6567
PUBLISHED: 2020-09-21
Insufficient validation of untrusted input in command line handling in Google Chrome on Windows prior to 85.0.4183.83 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.