Slashdot Mirror


Cyberattacks: Do Motives and Attribution Matter?

An anonymous reader writes: Whenever people think of APTs and targeted attacks, they ask: who did it? What did they want? While those questions may well be of some interest, a potentially more useful question to ask is: what information about the attacker can help organizations protect themselves better? Let's look at things from the perspective of a network administrator trying to defend an organization. If someone wants to determine who was behind an attack, maybe the first thing they'll do is use IP address locations to try and determine the location of an attacker. However, say an attack was traced to a web server in Korea. What's not to say that whoever was responsible for the attack also compromised that server? What makes you think that site's owner will cooperate with your investigation?

44 comments

  1. Why bother? by SuricouRaven · · Score: 4, Interesting

    A while ago my employer came under DoS attack. We weren't the actual target - following a recent router replacement** the copying of configuration had been done wrong and left us with an open DNS resolver, we were just being used as an amplifier to attack some Russian websites. All the source IPs came from China, but many different organisations within China - a university, a factory, a local government office, and so on. Obviously a botnet, probably based on a Chinese-language trojan as that would explain the geographic clustering.

    I identified every source address, blocked it at our firewall, looked up whois on the IP, found the abuse email, and informed the responsible party with tcpdump output to show what was going on.

    Almost every email I sent came back as undeliverable. I had to muddle through Chinese customer service pages to find someone to contact on those, and not one of them ever got a reply. The packets kept on coming too until they all ceased together suddenly, probably at the point the responsible party realized I'd fixed the open resolver problem.

    So why bother? You can dance around waving flags and shouting 'you've been hacked!' and a lot of organizations just don't want to know.

    **If you ever upgrade a Smoothwall appliance, watch out for this!
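The open-resolver abuse described in this comment can be spotted from the resolver's own query log. The following is an added example, not the poster's code: it reads constructed log lines in a simplified BIND-style shape, treats 192.0.2.0/24 as the only network that should be allowed to recurse (an assumption), and reports outside clients that obtained large answers, noting that in a reflection attack the client address is usually the spoofed victim rather than the sender.

```python
"""Spot a misconfigured open resolver being used as a DNS amplifier (added example)."""
from collections import defaultdict
import ipaddress
import re

# Assumption: only the site's own range should be allowed to recurse.
ALLOWED_RECURSION = [ipaddress.ip_network("192.0.2.0/24")]
# Record types with large answers, favoured for amplification.
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}

# Constructed lines in a simplified BIND-style query-log shape (not real BIND
# output): "<client>#<port> query: <qname> IN <qtype> +<flags> resp=<bytes>".
# "rd" = recursion desired; resp= is the size of the answer we sent back.
SAMPLE_LOG = """\
192.0.2.10#54321 query: example.org IN A +rd resp=60
198.51.100.7#53 query: isc.org IN ANY +rd resp=3200
198.51.100.7#53 query: isc.org IN ANY +rd resp=3200
198.51.100.7#53 query: isc.org IN ANY +rd resp=3200
198.51.100.7#53 query: isc.org IN ANY +rd resp=3200
203.0.113.44#53 query: ripe.net IN ANY +rd resp=2900
203.0.113.44#53 query: ripe.net IN ANY +rd resp=2900
203.0.113.9#33000 query: example.org IN A +rd resp=60
"""

LINE_RE = re.compile(
    r"^(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) query: (?P<qname>\S+) IN "
    r"(?P<qtype>[A-Z0-9]+) \+(?P<flags>\w*) resp=(?P<resp>\d+)$")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"], rec["resp"] = int(rec["port"]), int(rec["resp"])
    rec["recursion_desired"] = "rd" in rec["flags"]
    # Wire size of the question: 12-byte header + name labels + QTYPE/QCLASS.
    rec["query_bytes"] = 12 + len(rec["qname"]) + 2 + 4
    return rec


def is_allowed_client(ip):
    """True if this client may legitimately ask us to recurse."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_RECURSION)


def open_recursion_hits(log_text):
    """Recursive queries we answered for outsiders; any at all means fix the ACL."""
    return [rec for line in log_text.splitlines()
            if (rec := parse_line(line)) and rec["recursion_desired"]
            and not is_allowed_client(rec["ip"])]


def find_reflection_abuse(log_text, min_queries=2):
    """Group open-recursion hits by client and estimate the amplification obtained.
    The client address in a reflection attack is usually the spoofed victim, so a
    finding names who is being hit through us, not who is sending the packets."""
    per_client = defaultdict(lambda: {"queries": 0, "resp": 0, "query": 0,
                                      "names": set(), "amp": 0, "port53": 0})
    for rec in open_recursion_hits(log_text):
        c = per_client[rec["ip"]]
        c["queries"] += 1
        c["resp"] += rec["resp"]
        c["query"] += rec["query_bytes"]
        c["names"].add(rec["qname"])
        c["amp"] += rec["qtype"] in AMPLIFYING_QTYPES
        c["port53"] += rec["port"] == 53  # source port 53 is a classic spoof tell
    findings = []
    for ip, c in per_client.items():
        if c["queries"] < min_queries and c["amp"] == 0:
            continue  # one stray outside lookup is a misconfiguration, not abuse
        findings.append({"client": ip, "queries": c["queries"],
                         "amplification": round(c["resp"] / c["query"], 1),
                         "names": sorted(c["names"]),
                         "likely_spoofed": c["port53"] == c["queries"]})
    return sorted(findings, key=lambda f: -f["queries"])


if __name__ == "__main__":
    print("open-recursion hits:", len(open_recursion_hits(SAMPLE_LOG)))
    for finding in find_reflection_abuse(SAMPLE_LOG):
        print(finding)
```

The fix is on the resolver side (restrict recursion to ALLOWED_RECURSION); the findings tell you which addresses were being hit through you and are worth a heads-up, which is different from blocking them as attackers.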

    1. Re:Why bother? by Anonymous Coward · · Score: 1

      But this anecdote ties in neatly with "who did it? What did they want?"

      In most cases the answer will be a botnet that is out fishing for known vulnerabilities.
      For most companies there is no risk of a targeted attack. In the vast majority of cases the competitors aren't willing to break the law to bring you down.
      The attacks you will see on a daily basis are script kiddies that don't know who you are, and your security holes will consist of badly written third party libraries or tools that "get the job done".

  2. Difficult jump by vikingpower · · Score: 1

    The jump from "what" and "wherefrom" - e.g. an IP address, Korea - to the "whom" and "why" seems hardly to be feasible in a purely machine-based way. IMHO, you're pretty soon going to hit the limits of what a sysadmin can do, both technically and professionally. There are corporations and individuals specialized in this kind of work, which has many traits of the criminal investigator's.

    Then again, to the sysadmin or the CTO, does the "why" really matter?

    --
    Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
  3. Of course motives matter by msobkow · · Score: 3, Insightful

    If it's some script-kiddie, you have the little bastard locked up.

    If it's a "professional" foreign intelligence agency, you sigh a heavy sigh and realize there is bugger all you can do about it.

    --
    I do not fail; I succeed at finding out what does not work.
    1. Re:Of course motives matter by Anonymous Coward · · Score: 0

      What if it's a foreign script-kiddie hired by a professional domestic intelligence agency?

    2. Re:Of course motives matter by Anonymous Coward · · Score: 0

      You jest, but that is precisely what the majority of people in intelligence agencies are: script kiddies. One group builds the software (or just downloads it), another analyzes information and assigns targets, and the operations group hits the button and monitors results. Separation of duties in itsec just means a group of designated script kiddies will be required.

  4. apt? by Anonymous Coward · · Score: 0

    What's an APT?

    1. Re:apt? by tlambert · · Score: 2

      1337-speak for "Advanced Persistent Threat".

      In plain English, it means "someone trying to hack you who won't go away".

    2. Re: apt? by Anonymous Coward · · Score: 0

      Thanks mate.

  5. "What makes you think that site's owner ..." by tlambert · · Score: 4, Interesting

    "What makes you think that site's owner will cooperate with your investigation?"

    To be very clear: we are talking about an intermediate site that has themselves been hacked, rather than the origin of the attacks.

    In the absolute freaking limit? No holds barred?

    Because, if they are in Korea, they are extraterritorial to everyone but Koreans, and I will just hire Russians or some other third party to take them down more or less permanently if they choose not to cooperate. Or even better: I will pay the third party to cause their site to host illegal-in-Korea content, and then wait several weeks before having them reported to Korean authorities for their content through a side channel, and then the site's owner gets arrested.

    Or did you think "active defense" or "strike-back" doesn't happen?

    1. Re:"What makes you think that site's owner ..." by Anonymous Coward · · Score: 0

      "Or even better: I will pay the third party to cause their site to"

      You end up spending resources to undo what someone did with an automated script

      you spend resources per host, they spend resources per exploit/technique

      This kind of mitigation is more harmful to you, than to the ebil haxxor, in the long run.
      Not to mention it fuels the same shadow economy/ecosystem, cos it's probably the "same" informal group of russian guys doing both things...

      There is no defence.

    2. Re:"What makes you think that site's owner ..." by Antique+Geekmeister · · Score: 2

      > To be very clear: we are talking about an intermediate site that has themselves been hacked, rather than the origin of the attacks.

      And they _will not_ cooperate. Even if their technical staff wish to, I'm afraid that if any manager or corporate attorney gets involved, the investigation will be sealed off and no more information shared. They may request a subpoena to turn over information, but those subpoenas are very difficult to obtain, especially in a timely fashion while the attack is ongoing and the data most valuable.

    3. Re:"What makes you think that site's owner ..." by tlambert · · Score: 2

      "Or even better: I will pay the third party to cause their site to"

      You end up spending resources to undo what someone did with an automated script

      You are presuming that I do not hire them to implement an automated script to go on a seek-and-destroy for *ALL* the compromised systems attacking mine. I'm well aware of amplification techniques. Doing that, however, risks attacking intermediary systems in the same jurisdiction as yourself, which tends to be more legally dangerous, if a connection is ever proven. But if the government isn't willing to go after the perpetrators of a botnet, they are even more unlikely to go after a company engaging in this type of tactic. If the government couldn't/wouldn't stop the original when a large company was complaining, they are much less likely to go after the company.

      Either way, we appear to be on the verge of legislation which authorizes such things, in which case doing that would no longer be illegal. The competing idea is a new national law enforcement unit whose purpose is to do it on behalf of complaining U.S. companies. We will likely end up on one of these paths, sooner rather than later, should another attack on the order of the OPM hack occur. If that happens, it could come together rather quickly, up to and including requiring broadband providers to include government use DDOS tools in Comcast routers (for example).

      There is no defence.

      Back up. That's only true if we are talking intermediaries.

      I know a number of executives at multinational corporations that, should the original perpetrators of an attack on their companies be identified, they'd have one of their "corporate fixers" go and "handle it". So there *is* a defense, it's just rather extreme, and generally pretty extralegal, up to and including *very* extralegal. As long as it wasn't someone who was government related, or prominent in some way, governments generally look the other way when multinationals do stuff like this, and I expect that it happens even more frequently when banks are involved.

      This has already happened, in extremis, several times in Russia already.

    4. Re:"What makes you think that site's owner ..." by fulldecent · · Score: 1

      GitHub or it didn't happen

      --
      -- I was raised on the command line, bitch

    5. Re:"What makes you think that site's owner ..." by Anonymous Coward · · Score: 0

      GitHub or it didn't happen

      See his reply to the AC above.

      What's an APT?

      1337-speak for "Advanced Persistent Threat".

      In plain English, it means "someone trying to hack you who won't go away".

      He thinks APT is leetspeak. It didn't happen.

    6. Re:"What makes you think that site's owner ..." by tlambert · · Score: 1

      Gareth Williams.

      Unless you actually believe he accidentally locked himself in the North Face bag, which was padlocked from the outside?

    7. Re:"What makes you think that site's owner ..." by Anonymous Coward · · Score: 0

      He thinks APT is leetspeak. It didn't happen.

      It's not leetspeak, it's jargon used by pompous pseudo-security windbags to make themselves sound important and the attacks scarier than they actually are, so they can charge more.

  6. The root cause of computer insecurity by ka9dgx · · Score: 0

    The deep root cause of all of this is that we trust our code to do what it says on the tin... we need to fork everything to invert this assumption and trust nothing (except the OS kernel)... it's a lot of work, but it can be done.

    1. Re:The root cause of computer insecurity by Anonymous Coward · · Score: 0

      The Italian Who Went to Malta

      One day an Italian Man went to a restaurant in Malta and wanted two pieces of toast, and the waiter gives him one, and the Italian man says "I want two piece" The waiter said "go to the toilet" The Man says "You no understand I want two piece on my plate" then the waiter says "You better not piss on the plate you son of a bitch!" The man says "I did not even know her and she calls me a Son of a Beach?" Then he goes to a bigger restaurant and finds himself with a spoon and a knife but no fork, he says "I want a fock" the waiter says "Everybody wants to fuck" and he says "You no understand I want to fock on the table" and the waiter says "You better not fuck on the table you son of a bitch!" Then later he goes to a hotel and in bed he doesn't have a sheet "Call the manager im telle him i wanna sheet!" says the Italian man, then the other guy says "Go to the toilet" and the Italian man say "You no understand I wanna sheet in my bed!" and the other guy says "you better not shit in the bed you son of a bitch!" and the Italian man goes to the check out corner and the check out says "Peace on you" and the Italian man says "PISS ON YOU TOO, YOU SON OF A BEACH! I'M GOING BACK TO ITALY!"

  7. Articles. by Hognoxious · · Score: 4, Insightful

    Articles: should they have some actual content, or just a load of speculative waffle that two guys sipping beer could come up with?

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  8. Attribution matters by bytesex · · Score: 2

    When you have the capability to drop bombs.

    --
    Religion is what happens when nature strikes and groupthink goes wrong.
    1. Re:Attribution matters by DarkOx · · Score: 1

      When you have the capability to drop bombs.

      Only if justice matters to you. Dropping bombs, virtual or physical on the most immediate source of the attack will certainly solve the immediate problem.

      Will the attackers find another victim to try and use against you, sure probably and likely sooner rather than later but if you haven't got the ability to locate the real source but have the ability to swat down the intermediaries, unwitting though they may be, what should you do?

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    2. Re:Attribution matters by MyAlternateID · · Score: 1

      When you have the capability to drop bombs.

      Only if justice matters to you. Dropping bombs, virtual or physical on the most immediate source of the attack will certainly solve the immediate problem.

      Will the attackers find another victim to try and use against you, sure probably and likely sooner rather than later but if you haven't got the ability to locate the real source but have the ability to swat down the intermediaries, unwitting though they may be, what should you do?

      It would teach the intermediaries the virtue of not going cheap on their IT budgets.

  9. History has the answer by Anonymous Coward · · Score: 0

    How would this have worked at the time of the American revolution?

    When an attack took place, what if the British didn't care who did it
    or what they wanted? Should they have only focused on protecting
    themselves better?

    History shows this was their predominant strategy, and it didn't serve
    their interests very well.

  10. Emotional security. by wbr1 · · Score: 1

    Finding out who or why is often driven by vindictive emotional reasons. You should always find out how first, patch, then look to answering who and why.

    --
    Silence is a state of mime.
  11. Motives matter. by jellomizer · · Score: 2

    I have to say the motives do matter. A DDOS vs. a targeted attack to collect data. Then what is the motivation behind the data stolen? Is it just to sell off to make money, or will it be used for blackmail, or perhaps they are trying to search for abuse in the system? Is the system attacking you just an unwilling system, probably due to the server-under-the-desk type of setup, where an outside IT guy is called only when there is a noticeable problem? Or is it from a location where there is a large IT staff running a full-time network? Then there is whether your hack has a target vs. a general find-any-open-system.
    Say you choose to attack a hospital, with the intent of getting PHI so you can sell it off for identity theft and/or blackmail individuals with embarrassing medical issues that may affect their electability or position in society. Now this is the digital equivalent of a targeted bombing of a hospital where the health and safety of the people are at risk, all for the petty motive of making some money.
    In justice, motives do matter. That is why our legal system differentiates murder, manslaughter, wrongful death and self-defence. The outcome is the same; however, it is the motives which determine the outcome and the degree of punishment.
    In terms of protecting your institution, the motives are not necessarily important; however, if you know your organization has data that may make it more vulnerable to a targeted attack, you may need to put more effort into protecting the information.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Motives matter. by TimSSG · · Score: 1

      Yes, Motives matter. They matter a lot when it becomes time to sentence the guilty. Tim S.

  12. Mod story down. by Anonymous Coward · · Score: 2, Insightful

    Mod parent up! And mod entire story down. This is so much a Trend researcher making an MBO or cash payout for blogging, with some marketing person checking that the wording is correct, but having no context to know if the content is blog-worthy.

    I still think that moderators, en-masse, ought to be able to mod an entire story down.

  13. Mod story down. by vpness · · Score: 1

    Mod parent up! And mod entire story down. This is so much a Trend researcher making an MBO or cash payout for blogging, with some marketing person checking that the wording is correct, but having no context to know if the content is blog-worthy. I still think that moderators, en-masse, ought to be able to mod an entire story down.

  14. This would've worked vs. that by Anonymous Coward · · Score: 0

    When a router's hacked to use an Open DNS resolver make sure your IP stack settings point to a REAL one in your OS & then bypass DNS for your favorite sites you use MOST in hosts files hardcoded - this alleviates the need for DNS entirely & bypasses the router for it as well iirc.

    APK

    P.S.=> So, again: IF that happens again ever, try the above - it'll work to keep you safe... apk

    1. Re:This would've worked vs. that by SuricouRaven · · Score: 1

      We weren't hacked. We just made an error in configuration that let someone use us as an amplifier.

  15. Very weak administration by Taco+Cowboy · · Score: 1

    Most of the IT administration in China is poorly run, and many of their machines have been compromised, resulting in Chinese IPs that keep showing up in many cyberhacking incidents

    The problem is that most of the IT staff in China do not prioritize security - to them, as long as things run they are happy

    It boils down to mindset - security / safety isn't something the Chinese care too much about

    I know, I am Chinese

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:Very weak administration by Anonymous Coward · · Score: 0

      Most of the IT administration in China is poorly run, and many of their machines have been compromised, resulting in Chinese IPs that keep showing up in many cyberhacking incidents

      The problem is that most of the IT staff in China do not prioritize security - to them, as long as things run they are happy

      It boils down to mindset - security / safety isn't something the Chinese care too much about

      I know, I am Chinese

      Not to mention the whole Great Firewall deal provides a strong incentive to use your own equipment with your own IP address(es) as little as possible. Should you stumble onto something the authorities don't like, you might want a layer of deniability. That could be the deniability of using a compromised machine. It could also be the deniability of running a compromised machine ("oh no that was not me, we got hacked, it was those evil hackers who were interested in Tiananmen Square...").

  16. The Art of War by Anonymous Coward · · Score: 0

    ... should be a mandatory textbook for anyone remotely involved with "security".

    "Know yourself and know your enemy" is the key to victory, and this AC asked does motive and attribution matter?! Might as well ask if knowing bits and bytes matter to a programmer as long as he can do .

    What does NOT matter is to try to find the attacker from the source of packets for an attack, which is as useful as tracing the location of the pizza deliveries when pranksters called to have 50 pizzas delivered to your home. Anyone halfway smart enough to cause trouble for you would be smart enough to hide their own location.

    However, your using a stupid approach to find the attack in no way makes knowing who and why the most important information in fighting your enemy, unless you can make yourself invincible against them.

  17. Right - but... by Anonymous Coward · · Score: 0

    I am PRETTY sure bypassing DNS as I described would've helped - & I'm sure you saw the DNS in your router settings wasn't what YOU wanted to use, correct (bet that cleared it up fast, eh?)

    * Curious here is all...

    APK

    P.S.=> Those types of attacks are becoming more prevalent, WHEN it's a "hack/crack" type attack that is, in finding Open DNS resolvers to use in say, DNS amplification attacks (DDoS type) being inserted into routers "surreptitiously" by malcontents... apk

    1. Re:Right - but... by MyAlternateID · · Score: 1

      You do realize there is a difference between a DNS server which happens to be open, and the Open DNS service, right? Your usual psychotic capitalization calls into question whether you understand this distinction.

      (Psst... this is the point where a normal well-adjusted person would make a clarification, maybe even say something like "my mistake, I should have made that more clear". I know this is too much to expect from you, but that is what respectability would look like.)

  18. targets and collateral by PopeRatzo · · Score: 1

    Whenever people think of APTs and targeted attacks, they ask: who did it? What did they want? While those questions may well be of some interest, a potentially more useful question to ask is: what information about the attacker can help organizations protect themselves better?

    Motive and attribution definitely matter if the organization attacked deserves to be attacked.

    Not all "organizations" are blameless.

    --
    You are welcome on my lawn.
  19. Yes I do (I've stated it many times) by Anonymous Coward · · Score: 0

    I also realize You, MyAlternateID (obvious sockpuppet) = "Run, Forrest: RUN!!!" -> http://slashdot.org/comments.p... AND http://slashdot.org/comments.p...

    (Where "the best you got" was downmods due to your rather OBVIOUS sockpuppetry (look @ your registered 'luser' name, says it all for me better than I EVER could, since it gives your rather OBVIOUS game away, especially considering you've only been using that account since August of THIS year...)).

    APK

    P.S.=> Have fun "running" there, 'Forrest', lol... apk

  20. It does if your by Anonymous Coward · · Score: 0

    a prosecutor out to make a name for yourself.

  21. Clarification for sockpuppet "MyAlternateID" by Anonymous Coward · · Score: 0

    When I write about OpenDNS (note no space between Open & DNS)? I write it as above, no spaces. When I refer to Open DNS servers used maliciously?? I put in a space.

    * Got that, you pitiful little fuck? Good...

    APK

    P.S.=> Keep "running" there, 'Forrest' -> http://slashdot.org/comments.p... AND http://slashdot.org/comments.p... ... apk

    1. Re:Clarification for sockpuppet "MyAlternateID" by MyAlternateID · · Score: 1

      When I write about OpenDNS (note no space between Open & DNS)? I write it as above, no spaces. When I refer to Open DNS servers used maliciously?? I put in a space.

      * Got that, you pitiful little fuck? Good...

      APK

      P.S.=> Keep "running" there, 'Forrest' -> http://slashdot.org/comments.p... AND http://slashdot.org/comments.p... ... apk

      See when you read books once in a while (rather than making Time Cube-style rants about hosts, hosts, oh yeah and more hosts) you realize certain nuances of the English language. One of those is the fact that "open" is not a proper noun when used that way. As such, it should not be capitalized unless of course you intended to refer to Cisco's Open DNS service, which, being a name, happens to be a proper noun. You're welcome!

      I'm sure you do so much better with the stricter nuances of things like programming languages. Hey, at least in the comments you can go crazy with the capital letters as much as you want! That must be such a relief for you. If you aren't too busy posting the same shit over and over again to make sure various users know they've succeeded in getting under your skin, that is. It's okay, I know you must be a busy man with a fulfilling life.

  22. If you can't determine the meaning... by Anonymous Coward · · Score: 0

    See my subject: ... of words or phrases from within the context of the framework in which they're used? You have the problem - NOT anyone else.

    * I guess remedial reading lessons for you then, as others I posted to understood me perfectly, unlike yourself, you trolling "ne'er-do-well" do nothing in computing DOLT!

    (Get on topic also moron - this isn't "english class" where your purely arbitrary bullshit matters...)

    APK

    P.S.=> Keep "running" from these 2 posts "Forrest" (as both show how LITTLE you've read regarding our subject matter here in computing) -> http://slashdot.org/comments.p... AND http://slashdot.org/comments.p...

  23. The benefits of handling attack. by dweller_below · · Score: 4, Interesting

    I do IT Security for a research university. For the last 10 years, we have attempted to handle all incoming attack. Some gets missed, but we make an attempt. It is good work for the interns/trainees. We document the incident, block the attacking IP for an appropriate amount of time, and notify the remote abuse contact. We have found that handling attack provides significant benefits:

    * Our security team remains functional. Ignoring incidents creates bad habits in the security team.
    * It creates memory of how we are attacked. We need to know how we are attacked, so our defenses are anchored in reality.
    * It greatly reduces the amount of attack. The number of attacks drops off sharply a couple of weeks after we begin religiously reporting attacking IPs. We have tested this effect several times. When we stop reporting, it ramps up. When we start, it drops to about 1/10th its prior levels.
    * It notifies the owner/ISP of the remote computer that they are attacking. Usually they are also innocent victims.
    * In the last few years, the percentage of remote resolutions has been climbing. Currently, about 1/2 of the reported non-Chinese incidents appear to result in remote resolution.

    We utilize some automation to handle the load. We have a few honey-pots. We also monitor our dark IPs. We learned to distinguish DoS backscatter, and the various types of frequently spoofed attacks. We thought that an enterprising hacker would attempt to spoof an important Internet resource and cause us to auto-immune ourselves to death. So we whitelisted a bunch of critical external IPs and looked for critical spoofing. In the last 10 years the amount of spoofed attack has dropped drastically. We recently found an incident where an attacker spoofed a critical Google resource and tried to get us to block it. That is the only time we have detected that kind of spoofed attack.

    We have found that most attackers (even governments) don't like to have their attack methods documented and publicized. We have found that some ISPs turn evil and knowingly host attack, but they are quickly and easily blocked until they go broke or come to their senses.

    We have found many institutional scans. The best of these groups provide timely assistance to those who are making mistakes. In our view, the best groups include the ShadowServer Foundation, EFF, and the Chaos Computer Club. The worst of these groups are simply feeding on the mistakes of others. The worst groups provide no assistance to others. The worst groups actually have motivation to preserve or enhance the problems of others.

    More info is available here:
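The handling routine this comment describes (classify hits on dark IPs, set aside DoS backscatter and spoofs of whitelisted critical resources, block real probes for a bounded time, and record what goes to the abuse contact), as an added example that is not the poster's tooling: the dark range, the critical whitelist, the escalating block durations and the sensor lines are all constructed assumptions using RFC 5737 documentation addresses.

```python
"""Triage hits on dark address space: backscatter, spoofed critical resources,
or real probes that get a bounded block and an abuse-report record (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed assumptions (RFC 5737 ranges): our unused "dark" space, and the
# external resources we must never auto-block even when hits claim to come
# from them, so a spoofed probe cannot make us cut ourselves off.
DARK_NETS = [ipaddress.ip_network("192.0.2.128/25")]
CRITICAL_WHITELIST = [ipaddress.ip_network("198.51.100.0/28")]
# Block length in days escalates with the number of earlier incidents per IP.
BLOCK_DAYS = [1, 7, 30]

# Constructed sensor lines: "<ts> <src> <dst> <proto> <flags>".
SAMPLE_HITS = """\
2015-10-02T10:00:00 203.0.113.5 192.0.2.200 tcp SA
2015-10-02T10:00:01 203.0.113.5 192.0.2.201 tcp R
2015-10-02T10:00:05 198.51.100.77 192.0.2.130 tcp S
2015-10-02T10:00:06 198.51.100.77 192.0.2.131 tcp S
2015-10-02T10:00:07 198.51.100.77 192.0.2.132 tcp S
2015-10-02T10:00:09 198.51.100.10 192.0.2.133 tcp S
2015-10-02T10:00:12 203.0.113.99 192.0.2.140 icmp echo-reply
2015-10-02T10:00:15 203.0.113.42 192.0.2.141 udp -
2015-10-02T10:00:20 203.0.113.42 192.0.2.9 udp -
"""


def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def classify(proto, flags):
    """Backscatter is the reply half of a connection nobody here started."""
    if proto == "tcp":
        if flags in ("SA", "R", "RA"):
            return "backscatter"   # src is a DoS victim whose address was spoofed
        if "S" in flags:
            return "probe"
    if proto == "icmp":
        return "backscatter" if flags == "echo-reply" else "probe"
    if proto == "udp":
        return "probe"
    return "unknown"


def triage(lines, history, now=None):
    """history maps ip -> earlier incident count and is updated in place."""
    now = now or datetime.now(timezone.utc)
    victims, spoofed, probes = set(), [], defaultdict(list)
    for line in lines.splitlines():
        ts, src, dst, proto, flags = line.split()
        if not in_any(dst, DARK_NETS):
            continue               # only hits on unused space are unambiguous
        kind = classify(proto, flags)
        if kind == "backscatter":
            victims.add(src)
        elif kind == "probe" and in_any(src, CRITICAL_WHITELIST):
            spoofed.append({"claimed_src": src, "dst": dst, "ts": ts})  # alert, never block
        elif kind == "probe":
            probes[src].append((ts, dst, proto, flags))
    incidents = []
    for src, events in probes.items():
        days = BLOCK_DAYS[min(history.get(src, 0), len(BLOCK_DAYS) - 1)]
        history[src] = history.get(src, 0) + 1
        incidents.append({
            "ip": src, "hits": len(events), "first_seen": events[0][0],
            "block_until": (now + timedelta(days=days)).isoformat(),
            "evidence": events[:3],   # goes into the report to the abuse contact
            "action": "block at firewall; notify abuse contact from whois"})
    return {"victims": sorted(victims), "spoofed": spoofed,
            "incidents": sorted(incidents, key=lambda i: -i["hits"])}


def run_sample():
    """Triage the constructed hits with one known repeat offender and a fixed clock."""
    history = {"203.0.113.42": 2}
    return triage(SAMPLE_HITS, history,
                  now=datetime(2015, 10, 2, 10, 5, tzinfo=timezone.utc))
```

The whois lookup of the abuse contact and the firewall call are left to whatever tooling the team already has; the incident record carries the evidence and expiry those steps need.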