Security news that informs and inspires

Q&A: Timo Steffens

Timo Steffens, private security researcher and author of Attribution of Advanced Persistent Threats, discusses some of the top roadblocks that researchers face during attribution.

Lindsey O'Donnell-Welch: What are the biggest challenges today that impact how attribution plays out?

Timo Steffens: There are three big challenges: data, group definitions, and generic attack techniques. [For data,] solid attribution does need a variety of analysis skills, ranging from malware analysis, forensic log analysis, infrastructure tracking, to language skills, and geopolitical analysis. However, most of these skills are useless if you do not have access to substantial and large amounts of data. The quantity of data is important for two reasons: First of all, the more data about attacker activity you have, the higher the probability that the attackers made a mistake in the activity covered by the data. And secondly, you can also do attribution without attackers making mistakes, but then you need enough data to identify patterns. A simple example for these patterns are timestamps of attacker activity. Two timestamps alone do not make a pattern, but if you have lots of timestamps, you might be able to identify a timezone that points to the origin or at least workplace of the attackers (of course, a timezone will be only a small piece of the overall puzzle that attribution analysis needs to solve). Furthermore, most data that can help in attribution is hard to get access to, because of confidentiality, GDPR, or EULAs. For example, as an academic researcher you might find it challenging to get detailed data (like internal logfiles) from a company that was a victim of a cyber attack. Also, it is hard to get access to a copy of a control server that was used by the attackers. Usually, only law enforcement has the mandate to request such data.

[For group definitons,] most public and political attention is given to the last step of attribution, which is the identification of the country of origin. But it is important to remember that attribution consists of several phases. I call this the "4C model:" collect, cluster, charge, and communicate. First you have to collect data of various types from different sources. Then you have to group together attacks that are technically and strategically similar, assuming these were conducted by the same actors. This step is called "clustering" as it puts all data points and artefacts that might belong to the same culprits into a fancy bucket like "APT28" or "PutterPanda" etc. Then you can work through all this data to "charge" and try to identify the country, organization, agency or even individuals behind the attacks. And finally, you can decide whether and how you want to communicate your results. The point here is: The real magic happens in the clustering phase. That's really the hardest part to get right. If you look closely into threat reports of different security companies you will notice that they usually do not disagree about the likely country of origin. But they all disagree fervently about how exactly a group is defined: Does this control server belong to group A or to group B? Is this malware family used exclusively by one group (so that all attacks with this malware family can be attributed to the same group), or is the malware shared? Even more so, this problem of group definitons (i.e. clustering) gets harder over time, because groups are not static and monolithic. Malware developers and operators may change their jobs and affiliations, may be promoted and moved to another team, may decide to found their own company and work as a contractor. In all these cases, they are likely to take some tools, source code, or only a few ideas and habits with them, that will later lead security analysts to attribute them to their old attacker group. Threat Intelligence is full of attacker groups that are alleged to be active for ten or more years. It's hard to decide when these group definitions should be discarded and redefined.

[For generic attack techniques,] clustering (linking an attack to a group definition) is straight-forward if the attackers use their own idiosyncratic malware or techniques. Unfortunately, many attackers decide to use tools and techniques that are freely available and are thus not specific to certain groups. Examples of this are freely available penetration test frameworks like Empire or Mimikatz or even copies of Cobalt Strike.

"Good attribution should cover all aspects of an attack."

Lindsey O'Donnell-Welch: What different factors go into attribution? What would you say are the strongest and weakest factors when it comes to attributing malicious activity to various actors?

Timo Steffens: Good attribution should cover all aspects of an attack. And attacks usually require malware, infrastructure like domain names, control servers, manual activity of operators inside the target network, and some tasking from a customer or sponsor. In all of these aspects there can be artefacts and evidence pieces. In order to systematically cover all these different aspects and evidence types, I describe the MICTIC framework in my book. MICTIC stands for the data sources that analysts should cover: malware, infrastructure, control severs, telemetry, intelligence and cui bono.

Some evidence types can be faked easily, like language strings in a malware, or registration details in the domain registration. Other evidence types need more effort for faking: When an attacker moves within a target network, he cannot control all the system clocks and log files. So there will be a pattern of life: At which times of day do they work? Do they observe some particular bank holidays? There is the saying that a hacker can work whenever he or she wants, but for most professional attacker teams, it is a normal day job and in the evening they go back to their families or meet friends. So it would be unattractive to shift their life patterns. Also, many attacker groups have been observed to fake one or more evidence types, like planting a string of a foreign language in their malware. But there are no documented cases of attacker groups that took the effort to plant false flags consistently in all aspects of their attacks and in all evidence types.

Lindsey O'Donnell-Welch: How does today’s attribution framework take the complex cybercriminal landscape into account?

Timo Steffens: That's one of the topics that needs more research and analysis ideas. Most threat reports and analysis processes seem to assume that attacker groups are monolithic teams that work together over extended periods of time. But there are many documented cases where malware developers, infrastructure teams, and operators work together very loosely and flexibly. That makes the clustering phase very challenging and is likely one of the reasons why the group definitions of security companies and agencies differ often. In my book I propose to establish certain templates for different group setups, like malware developers or access teams. If such concepts are established they can guide analysis and break the unconscious assumption that groups are monolithic, stable teams. But it requires a lot of good data to fill these different concepts with evidence. So a lot more research and experience needs to be done and gathered.

Lindsey O'Donnell-Welch: What is the average timeline it takes to carry out attribution? What’s the lengthiest part?

Timo Steffens: That's really hard to answer, because most attribution analysis is not done in a project-like manner with a starting point and continuous analysis. Rather, in most cases - especially at security companies - attribution is a by-product of the day-to-day work of analysts whose job it is to improve the detection quality of some security products. Only every now and then they stumble across a piece of evidence that can be used for attribution. So, attribution (outside of dedicated law enforcement investigations) should not be regarded as a process with a specific start and end time.

Lindsey O'Donnell-Welch: How has attribution changed or evolved over time? Where do you see it going in the future?

Timo Steffens: The most important development is that attribution usually does not start from scratch anymore. There is a large corpus of previous research that attributes certain malware families, or groups, or strategic patterns. Often, this is used to do short-cuts: You link an attack to a group like APT28, and then you can just refer to previous attribution statements and can skip the later phases of attribution. That's also why it is important to consider that attacker groups may not be stable over time. So the analysis community needs to find some heuristics when to discard group definitions and redefine attacker groups based on more recent data.

"Most attackers certainly avoid mistakes that were rather common ten years ago."

Lindsey O'Donnell-Welch: Are cybercriminals and APTs getting better at making attribution more difficult or dropping false flags?

Timo Steffens: Most attackers certainly avoid mistakes that were rather common ten years ago. Some seem to follow the reporting about their activities and then change their approaches if a systematic mistake was pointed out. But surprisingly there are enough groups that continue their attacks regardless of analysis reports that describe their blunders. Luckily, security analysts also find new data sources and analysis techniques that remain unpublished for some time.

Lindsey O'Donnell-Welch: How do research teams and the private sector (versus government agencies) work through attribution differently?

Timo Steffens: One of the main differences is the kind of data that the private and government sector can use. Security companies have learnt to utilize telemetry, that is, feedback from their security products, very effectively. So they have hundreds of thousands of sensors on machines all over the world. Some security companies also offer incident handling, that is, analysts that help to analyze and remediate a compromise on-site in the victim's network. That can be a treasure trove of useful data. In contrast, government agencies have the mandate to seize control servers in their country or cooperate with law enforcement in other countries if control servers are located abroad. Some agencies may even utilize SIGINT (signal intelligence), giving them visibility into internet traffic. Another difference is that usually for security companies, attribution is a byproduct of other types of analysis. I call this continuous attribution. Law enforcement on the other hand typically starts an investigation and the analysts then work more or less full-time on this attribution task and have a clear goal, which is identifying individuals. This is different from the private sector, which usually contends with identifying the country of origin.

Lindsey O'Donnell-Welch: How big of a role does information sharing between security researchers play in attribution right now? Do you see that changing at all in the future?

Timo Steffens: Information sharing plays different roles in different phases of the attribution process. For clustering, that is, defining groups, information sharing is common, at least in the private sector. When it comes to the later phases of attribution, nowadays this often requires data types that cannot be shared for various reasons like NDAs, formal classifications, EULAs, or GDPR.