How The US Will Likely Respond To Shadow Brokers Leak

blottsie writes: The NSA and FBI are both expected to investigate the leak of NSA-linked cyberweapons this week by an entity calling itself the Shadow Brokers, experts with knowledge of the process tell the Daily Dot. However, multiple experts say any retaliation by the U.S. will likely remain secret to keep the tactical advantage. Meanwhile, Motherboard reports that some former NSA staffers believe the leak is the work of a "rogue NSA insider." "First, the incident will be investigated by the National Security Agency as it tracks down exactly what went so wrong that top-secret offensive code and exploits ended up stolen and published for the world to see," reports Daily Dot. "An FBI counterintelligence investigation will likely follow, according to experts with knowledge of the process. [...] Following the investigation, the NSA and other entities within the United States government will have to decide on a response." The response will depend on a lot of things, such as whether or not an insider at the NSA is responsible for the breach -- a theory that is backed by a former NSA staffer and other experts. "The process is called an IGL: Intelligence Gain/Loss," reports Daily Dot. "Authorities suss out a pro and con list for various reactions, including directly and publicly blaming another country. [Chris Finan, a former director of cybersecurity legislation in the Obama administration and now CEO of the security firm Manifold Technology, said:] 'Some people think about responding in kind: A U.S. cyberattack. Doing that gives up the asymmetric response advantage you have in cyberspace.' Finan urged authorities to look at all tools, including economic sanctions against individuals, companies, groups, governments, or diplomatic constraints, to send a message through money rather than possibly burning a cyberwar advantage. Exactly if and how the U.S. responds to the Shadow Brokers incident will depend on the source of the attack. Attribution in cyberwar is tricky or even impossible much of the time. It quickly becomes a highly politicized process ripe with anonymous sources and little solid fact."

Good luck with investigation!

[sshir]

It was 3 years ago. Importance of this detail is this: in pre-Snowden era NSA did not have access logs or other internal audit tools. Those were considered risk to security of operations.
My speculation is that this is why the data dump is so old - to maximally complicate forensic team's job.

Re:Easy.

[wierd_w]

I have.

Note in citizen 4, the first phase of the nsa's activity against Snowden was in sussing out his aberrent behavior, and surveiling his girlfriend, family, and Hawaii place of residence. This is what happens in phase 1) of my short list. A list of persons of interest is produced using psych details, and active monitoring starts. Connections maps are created. Points of surveillance are established, and monitoring priority increases. Phase one ideally (for the nsa) ends with apprehension of their leak, but the process does not end there.

After sussing out the entry point of the leaker, the companion network is either dismantled, or subtly repurposed for cointel.
False intel is fed to the group. If the false intel causes the foriegn agency to suspect compromise, it sends the message to that foriegn agency that their action was detected, and that thier methods are not valid any longer. If the foriegn agency fails to change the operational behavior of the cell, then it may become beneficial to plant a double agent. This double agent can then cause the foriegn power to change its policies or public activities, through contaminated or misleading intelligence, created specifically for this purpose.

That they can conduct such a profoundly invasive phase one investigation using literally any internet connected, or broadcast capable device, along with your financial data, and the information about you provided by your so called friends on social media, is the primary thrust behind snowden's leaks. What the NSA will do, and why they will do it is not going to change. The leaks from snowden concerned the how and the what.

Re:Easy.

[TheRaven64]

am I correct in understanding that the NSA knew about security holes in important aspects of our cyber infrastructure, and rather than report them so they could be fixed, they sat on them so they could use them "to protect us"?

Yes. This is a big problem with the NSA and GCHQ, which have the dual missions of securing infrastructure and compromising enemy infrastructure. These missions come into direct conflict when the core of your and your enemy's infrastructure rely on the same components. Germany separates the two missions into separate institutions.

The same thing came up when Heartbleed was discovered. There were basically two options:

• The NSA had not found the vulnerability, in which case they were seriously failing in both missions as they'd either failed to notice that OpenSSL is core infrastructure (for the USA and for other countries) or they had failed to fuzz the protocol properly (part of the embarrassment about Heartbleed was that proper testing would have found it years ago). If this is the case, they are incompetent because there was evidence that the vulnerability had been exploited in the wild before the official disclosure.
• The NSA had found the vulnerability but had decided that being able to attack SSL connections was worth the cost of leaving all financial and a lot of secure government communications vulnerable to foreign intelligence and criminal organisations. If this is the case, then they are incompetent at risk analysis and should not be permitted to engage in risky behaviour.

There is no interpretation of events that makes them appear competent.