Attribution Delivers Questionable Security Value

The argument for gathering intelligence on attackers goes something like this: If companies can distinguish between opportunistic probes and the early signs of an attack by a nation-state or industrial spy, then they can marshal limited resources to focus on the greater threat.

Internet content and security provider Akamai, for example, has created a security intelligence platform and is currently gathering and analyzing data to help the company get to that ideal, says John Summers, vice president of security products for Akamai Technologies. The company's plans are still more on the drawing board than delivered, but it hopes to start rolling out some capabilities later this year.

"This is something that we have built; it's in place, and we are collecting all the security events that we see across the platform," Summers says. "We will turn it into better security analytics to get closer to that [attribution] Nirvana."

On Tuesday, incident-response firm Mandiant outed the Chinese military as the shadowy puppeteer behind a large campaign of espionage attacks stretching back to 2006. The company identified the People's Liberation Army group, Unit 61398, operating out of a building near Shanghai, as the source of more than 140 attacks aimed at a broad swath of industries, from information technology and aerospace to government and energy. The company even described what is thought to be three individuals or "personas" behind different facets of the attacks.

"We wanted to move the conversation away from theoretical Chinese hackers who could be anybody to one of reality -- this specific group with this mission and this location -- and we felt like we could do that with this group," says Richard Bejtlich, chief security officer for Mandiant. "This group is so prolific and so active that they leave so much evidence behind, and it all points in the same direction."

[Identifying the groups behind attacks is still a dicey proposition, but security firms are collecting more information on attackers' techniques and their infrastructure. See More Data On Attackers, But Attribution Still Dodgy.]

Mandiant's analysis does make a compelling case for the U.S. government to increase pressure on China, rather than focus -- as it has been doing -- on information sharing, says Steven Chabinsky, senior vice president for legal affairs at incident response firm CrowdStrike.

"This report to the President and the U.S. Congress; this is the private sector saying, 'Now what?'" Chabinsky says. "The private sector will be a little bit at a loss if the government's response to this is to ask for more information."

Yet, for enterprises looking to protect their business, the benefits of attribution are less certain. Companies that are the target of nation-states and other persistent adversaries can benefit from discerning which attackers will stop at the perimeter and which ones will seek other ways to compromise their networks, Chabinsky says.

"It is helpful because then you get to play better defense in two realms: You know what to defend because you know what they are after, and you can develop patterns on the attackers so you can anticipate them," he says.

To that end, Mandiant has provided a large appendix to its report covering thousands of indicators of compromise that could tip off companies that they have been targeted or already infiltrated. Security teams can block requests from certain domains, blacklist certain MD5 hashes or signed code, and look for signs of infections.

Yet attribution can also get in the way of good defense, says John Prisco, CEO of attack-detection firm Triumfant. When a nation-state has been identified as the source of an attack, it almost seems to become a badge of honor, he says. Companies are increasingly reporting that they have been compromised, finding little shame in their security shortfall because they are part of a crowd of other companies. Earlier this month, The New York Times, The Wall Street Journal, and The Washington Post acknowledged that their networks had been breached. This week, Facebook and Apple both detailed attacks on their own systems that infected employee laptops.

Instead, the companies should be striving for clean networks and hardened systems, Prisco says.

"At the end of the day, so what? The Chinese did it," he says. "Someone has exfiltrated data for four months, and you know who it is. How does that help you? It's only academically interesting that you can attribute the attacks to China."

Companies should instead look to catch the breach right away. Triumfant focuses on integrity and change detection, especially in volatile memory, to detect malicious and unwanted code.

Yet attribution does not have to just be about technology, says Mandiant's Bejtlich. A business that partners with, competes against, or buys from China can expect to be attacked. Knowing for certain that the government is targeting its business could allow company management to make hard choices, he says.

"Companies may have to ask, 'Is this really worth it? Can I protect my information, if I go into this business deal?'" Bejtlich says. "If you combine it with other problems in China, such as labor rights abuses, it may not necessarily be the best place for your business."

In the end, attribution and better security intelligence could lead to more appropriate defenses, but the technology to help the average enterprise is not yet there.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.