How to Identify a Cyber Adversary: Standards of Proof



Identifying the who, what, and how behind a cyberattack is crucial for preventing future strikes.
March 12, 2024
COMMENTARY
Part one of a two-part article.
In cybersecurity, attribution refers to identifying the adversary (not just the persona) most likely responsible for malicious activity. It is typically derived by collating many types of information, including tactical or finished intelligence, evidence from forensic examinations, and data from technical or human sources. It is the conclusion of an intensive, potentially multiyear investigation and analysis. Investigators must apply stringent technical and analytical rigor along with the soft sciences, because behavioral analysis tends to win the day.
Attribution and the public disclosure of attribution are not the same thing. Attribution is the identification of a potential adversary organization, affiliation, and actor. The decision to disclose that attribution publicly, through indictments, sanctions, embargoes, or other foreign policy actions, is a desired outcome and an instrument of national power.
One example is Mandiant's APT1 report in 2013, which attributed a multiyear intrusion campaign to a unit of China's People's Liberation Army, followed by Department of Justice (DoJ) indictments of APT1 officers in 2014 and the US State Department's foreign policy maneuvers against the Chinese government. These public disclosures were highly effective in helping the world realize the dangers of cyber espionage by the Chinese Communist Party. Attribution of those activities was years in the making. The indictments and political maneuvers, the public disclosure, were instruments of national power.
When attributing a cyber incident to a threat actor, several different standards of proof are at play. One element of attribution, and particularly of deciding how to act on the results of your analysis, is understanding confidence levels and probability statements and keeping them distinct.
In the intelligence community, Intelligence Community Directive 203 (ICD 203) provides the standard for assigning confidence levels and incorporating probability (likelihood) statements into analytic judgments. ICD 203's probability statements, with the percentage ranges the directive assigns to each, are:
Almost no chance (remote): 1-5%
Very unlikely (highly improbable): 5-20%
Unlikely (improbable): 20-45%
Roughly even chance (roughly even odds): 45-55%
Likely (probable): 55-80%
Very likely (highly probable): 80-95%
Almost certainly (nearly certain): 95-99%
Confidence levels in ICD 203 are expressed as Low, Moderate (Medium), and High, and they describe the quality and quantity of the sourcing and the strength of the reasoning behind a judgment, not the odds that the judgment is true. To avoid confusion, ICD 203 directs that a probability statement and a confidence level must not be combined in the same sentence. This language was designed for estimating the likelihood of a future event; how well it transfers to assigning responsibility for an event that has already occurred (i.e., attribution) is much debated.
Another factor is that intelligence assessments do not use the same standard of proof as the rules of evidence in the judicial process, so the work streams leading to an indictment are different. In US judicial terms, there are three standards, in ascending order of strength:
Preponderance of the evidence (more likely than not; the usual civil standard)
Clear and convincing proof (required in certain civil matters)
Beyond a reasonable doubt (the standard for a criminal conviction)
The type of court system (civil or criminal) determines the level of proof you need to prevail. The FBI, being both an intelligence agency and a law enforcement agency, may have to work to intelligence standards, judicial standards, or both. If a national security case results in an indictment, the DoJ must convert intelligence judgments into evidence that meets judicial standards of proof (probable cause for a grand jury to indict, and beyond a reasonable doubt to convict), which is no easy task.
There are also technical indicators related to attribution. Indicators have a half-life, so they must be assessed and constantly re-evaluated for relevance (curated); otherwise, you will spend most of your time hunting down false positives. Worse, if they are not implemented properly, indicators can produce a false-negative mindset ("no indicators found, so we must be OK"). An indicator without context is often useless: an indicator seen in one environment may never appear in another, and without the reporting that explains what it means, a match tells you little.
A good formula is: 1) an investigation produces artifacts, 2) artifacts produce indicators, 3) indicators accompanied by reporting become context, 4) the totality of the indicators can highlight tactics, techniques, and procedures (TTPs), and 5) multiple TTPs show threat patterning over time (campaigns). When possible, attack information should be shared quickly, while the indicators are still fresh.
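The curation and rollup the two preceding paragraphs describe, as an added example (this is not the author's code): each indicator carries the report that gives it context, decays with a per-type half-life, and is only matched against log lines while its score is above a threshold; matches are then rolled up to TTPs and campaigns. The indicator values, report names, technique IDs, half-lives, the 0.25 threshold, and the proxy log lines are all constructed for the illustration.

```python
"""Indicator curation with half-life decay, required context, and TTP/campaign rollup.

Added illustration for this article, not the author's code. Every indicator,
report name, technique ID, half-life, threshold and log line below is constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
import re


@dataclass(frozen=True)
class Indicator:
    value: str             # the observable itself (domain, hash, user agent, ...)
    kind: str              # "domain" or "user_agent" in this example
    last_seen: datetime    # most recent sighting in reporting
    half_life_days: float  # assumed decay rate for this kind of observable
    context: str           # the report that explains what a match means
    ttp: str               # technique the indicator evidences (ATT&CK-style ID)
    campaign: str          # threat pattern the reporting ties it to

    def score(self, now: datetime) -> float:
        """Exponential decay: the score halves every half_life_days."""
        age_days = max((now - self.last_seen).total_seconds() / 86400.0, 0.0)
        return 0.5 ** (age_days / self.half_life_days)


ALERT_THRESHOLD = 0.25  # assumption: below this an indicator is stale, not actionable


def curate(indicators, now):
    """Split a feed into actionable, stale, and context-less indicators.

    Stale indicators are kept for enrichment but not alerted on; indicators
    without a source report are set aside because a match could not be explained.
    """
    live, stale, no_context = [], [], []
    for ind in indicators:
        if not ind.context:
            no_context.append(ind)
        elif ind.score(now) >= ALERT_THRESHOLD:
            live.append(ind)
        else:
            stale.append(ind)
    return live, stale, no_context


# Constructed proxy-log format: ... dst=<host> ua="<user agent>"
LOG_RE = re.compile(r'dst=(?P<dst>\S+)\s+ua="(?P<ua>[^"]*)"')
FIELD_FOR_KIND = {"domain": "dst", "user_agent": "ua"}


def match_logs(lines, live):
    """Return (line, indicator) pairs for each live indicator seen in each line."""
    by_kind = {}
    for ind in live:
        by_kind.setdefault(ind.kind, {})[ind.value] = ind
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # malformed or unrelated line: skip it rather than guess
        for kind, field in FIELD_FOR_KIND.items():
            ind = by_kind.get(kind, {}).get(m.group(field))
            if ind is not None:
                hits.append((line, ind))
    return hits


def rollup(hits):
    """Totality of matches -> TTPs per campaign -> campaign counts."""
    ttps = Counter((ind.campaign, ind.ttp) for _, ind in hits)
    campaigns = Counter(ind.campaign for _, ind in hits)
    return ttps, campaigns


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


NOW = utc(2024, 3, 12)
FEED = [  # constructed feed
    Indicator("update-check.example", "domain", utc(2024, 3, 1), 30, "Report-0042", "T1071.001", "CAMPAIGN-A"),
    Indicator("Mozilla/5.0 (compatible; UpdaterBot/1.1)", "user_agent", utc(2024, 2, 20), 90, "Report-0042", "T1071.001", "CAMPAIGN-A"),
    Indicator("cdn-files.example", "domain", utc(2023, 9, 1), 30, "Report-0017", "T1105", "CAMPAIGN-A"),  # 193 days old: stale
    Indicator("vpn-portal.example", "domain", utc(2024, 3, 8), 30, "Report-0051", "T1133", "CAMPAIGN-B"),
    Indicator("mail-sync.example", "domain", utc(2024, 3, 5), 30, "", "T1566.001", "CAMPAIGN-B"),  # no report: no context
]
LOGS = [  # constructed proxy log lines
    '2024-03-11T09:14:02Z proxy src=10.0.0.5 dst=update-check.example ua="Mozilla/5.0 (compatible; UpdaterBot/1.1)"',
    '2024-03-11T09:20:45Z proxy src=10.0.0.7 dst=cdn-files.example ua="curl/8.4.0"',
    '2024-03-11T10:02:13Z proxy src=10.0.0.9 dst=vpn-portal.example ua="Mozilla/5.0"',
    '2024-03-11T10:05:00Z proxy src=10.0.0.9 dst=mail-sync.example ua="Mozilla/5.0"',
    'this line is not a proxy record',
]


def run_example():
    live, stale, no_context = curate(FEED, NOW)
    hits = match_logs(LOGS, live)
    ttps, campaigns = rollup(hits)
    return {"live": [i.value for i in live], "stale": [i.value for i in stale],
            "no_context": [i.value for i in no_context], "hits": len(hits),
            "ttps": dict(ttps), "campaigns": dict(campaigns)}


if __name__ == "__main__":
    for key, val in run_example().items():
        print(f"{key}: {val}")
```

The second log line hits a real but stale indicator and the fourth hits one with no reporting behind it; neither produces an alert, which is the trade-off the article describes: a decayed or context-free indicator is retained for enrichment, not for detection. The first line matches two indicators from the same report, so the rollup shows that campaign's technique twice; tune the half-lives and threshold to your own environment, since those values here are assumptions.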
Recently, a friend asked me why attribution matters. Well, if your house was broken into at random, that's one thing, but if it was your neighbor, that's completely different! How I protect my home or network changes depending on who broke in.
Organizations that don't care who is responsible for a cyber incident and just want to get back online are more likely to become repeat victims. Any mature organization with sophisticated processes, a survival instinct, and concern for its employees will go the extra step to create shared situational awareness, especially if the adversary returns repeatedly. A company can better defend itself from future aggression if it knows 1) why it was attacked, 2) the likelihood of the attacker returning, 3) the goals of the attacker, and 4) the attacker's TTPs. Knowing who perpetrated an attack also removes uncertainty and helps you come to terms with why it happened.
In the second part of this article, coming later this week, I will discuss the key methods involved in attributing an event to a threat actor.

Charles A. Garzoni
Deputy CISO, Centene Corporation
Charles Garzoni is Deputy CISO, Centene Corporation, and is responsible for cyber defense operations. His career has spanned multiple industries, law enforcement, and the military, specializing in building teams to investigate, analyze, and attribute both nation-state and criminal cyber attacks. Over his career he has worked hundreds of high-profile incidents (such as Sony, OPM, Anthem, NASDAQ) and helped design and execute cyber operations against adversaries.
He has held several significant positions within the government, including Incident Response Director and Cyber Incident Coordinator for the FBI Cyber Division, and Chief of Threat Analysis for the National Cyber Investigative Joint Task Force (NCIJTF). He was also appointed as the Director of Defensive Strategy for the US Cyberspace Solarium Commission and retired as a senior leader with the Air Force Office of Special Investigations (OSI), where he focused on cyber investigations, operations, and cyber strategy.
Copyright © 2024 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.
