Finding the Origins of a Hacker

She added that intention is important because it can offer hints about what organization is behind a cyberassault. Intention also plays a role in assessing the threat risk, since the motivation behind an attack can help determine how likely the assailant is to try again or to give up.

In addition to information gleaned about the “why,” INL analysts also look at the “how.” In TV shows, the methods used in committing a crime are used to track down criminals. Something similar happens in cybersecurity, where perpetrators have favorite techniques. In general, avenues of attack are either network-based, human-enabled or supply-chain-based.

Within these broad categories, there may be preferred approaches that provide other clues. An attacker, for instance, may often use a certain type of malware. The delivery may be via third parties, such as contractors. A particular attacker may favor the use of malicious code written onto a maintenance laptop. An unsuspecting contractor then may inject the code into the industrial control system by using the infected laptop for everyday system support.

In such a third-party or supply-chain scenario, the contractor may have undergone an attack with the sole purpose of planting the malware. But that intention and ultimate target may be hidden because the attack on the contractor seems to involve extortion. This makes it seem as though the attack is explained by the desire for a financial payoff.

Freeman noted that working through these possibilities is difficult, in part because it must be assumed that no one may be telling the truth or revealing actual motives. Freeman’s research is aimed at making such a forensic analysis of an attack more thorough.

“A lot of it is focused on formalizing the process of analysis so that pieces of information are not left on the table,” she said.

Some attackers, she added, tend to use the same methods over and over. In that case, the tendency may be to leap to a conclusion, such as “it must be army intelligence unit ‘X’ from country ‘Y’ because the malware code named ‘Hidden Cobra’ was used.” However, that can be misleading for several reasons, Freeman cautioned. One is that people and organizations tend to copy what works. Being the first to develop a new technique is difficult. Being the tenth to use it is not nearly as hard. Another issue is that actor “A” may copy methods from actor “B” to hide themselves and deflect blame, or a response.

Freeman has presented some of her research on the challenges of cyber attribution at conferences and elsewhere. Her work in this area is ongoing, partly because knowing who perpetrated a cyberattack can help formulate a response that will discourage such action in the future. For that to happen, though, figuring out the “who” behind a cyberattack is critical.

As Freeman said: “Where are your incentives to discourage these kinds of attacks? Your ability as a government to respond to a nation-state cyberattack is limited if you can’t prove which nation-state did it.”