Indirect Attribution in Cyberspace

Robert Layton (Federation University, Australia) and Paul A. Watters (Massey University, New Zealand)
DOI: 10.4018/978-1-4666-6324-4.ch016


We are now in an era of cyberconflict, where nation states, in addition to private entities and individual actors, are attacking each other through Internet-based mechanisms. This incorporates cyberespionage, cybercrime, and malware attacks, with the end goal being intellectual property, state secrets, identity information, and monetary gain. Methods of deterring cybercrime ultimately require effective attribution; otherwise, the threat of consequences for malicious online behaviour will be diminished. This chapter reviews the state of the art in attribution in cyberspace, arguing that, due to the increased technical capability shown by the most recent advances in cyberconflict, models of attribution using network traceback and explicit identifiers (i.e. direct models) are insufficient to build trustworthy models. The main cause of this is the ability of adversaries to obfuscate information and anonymise their attacks from direct attribution. Indirect models, in which models of attacks are built based on feature types and not explicit features, are more difficult to obfuscate and can lead to more reliable methods. There are some issues to overcome with indirect models, such as the complexity of the models and the variation in their effectiveness, which present an interesting and active field of research.
Chapter Preview


In 2012, U.S. President Obama officially recognised that the Stuxnet virus, which targeted SCADA controllers operating Iranian nuclear facilities, was a state-based attack that originated from the USA and Israel (Sanger, 2012). In that recognition, the world moved towards an era where state-sponsored cyberconflict is no longer a conspiracy theory (or a merely probable scenario), but an accepted fact. Recent reports by industry and ex-government officials have pointed to other countries like China also being responsible for other attacks, with one allegation being the theft of confidential trading information that led to millions in losses in negotiation potential (Fowler & Cronau, 2013). Both the US and China are organising a treaty on “cyber-arms” (Arimatsu, 2012), with a view to recognising acceptable limits on this fifth domain of war (the first four being land, sea, air and space). However, a fundamental component of the enforcement and effectiveness of such a treaty is missing. Without adequate attribution of cyberattacks, treaties are worth little at best and can be used for the deliberate misdirection of blame at worst (Watters et al., 2013).

In the rush to adopt technology as a core component of critical infrastructure, nations have now found that many of the systems they rely upon are open to potential attack. This includes water systems, intelligence networks and trading information. To protect this critical infrastructure, investment in defences against cyberattacks has increased dramatically over recent years. Governments across the world are increasing their capability and capacity in both defensive and offensive cyber-based programs. While offensive capabilities are increasing, deterrence of cyberattacks has not caught up, as Guitton (2013) notes: “if the adversary knows that the likeliness for a threat of retaliation is low due to the uncertainty of attribution, deterrence is unlikely to function” (p. 96).

Attribution can be absolute, in that it identifies an actor responsible for a given attack, or relative, in that it can tell us that two attacks have the same origin. As Sigholm and Bang (2013) note of cyberattack attribution, “the process of attaining positive attribution is perceived as being ineffective” (p. 167). A number of reasons are cited for this, including a lack of access to data, but also the lack of a process that facilitates effective attribution in cyberattacks. In cases where data is available, Sigholm and Bang note that it is “the inability to define adequate filters, to make sense of the collected data, and to understand what is important and not, that constitutes the main problem (of attribution of cyberattacks)” (p. 167).

In most recent cases where a cyberattack has been attributed, there has often been a critical mistake on the part of the attacker. In the Mandiant APT1 report, the attackers left their name within the attacking programs, linking their attacks to a long online history (Mandiant, 2013). Such mistakes cannot be relied upon, nor expected to be uncovered in a timely fashion, to determine whether a country is breaking a treaty through a cyberattack.

Such mistakes, where they exist and the information can be trusted to be accurate, are highly effective pieces of evidence. One example is an atypical and consistent misspelling by an author, which is one of the most effective forms of attribution for a written document (Juola, 2006). However, such mistakes cannot be relied upon to exist. Therefore, they cannot form the basis of an attribution strategy that needs to be robust, trusted and timely to be used effectively. In addition, relying on commonly known features opens the risk of the attacker inserting deliberately misleading evidence to cause attribution to another actor. Modelling the vector of the attack, the content of the attack and other metadata may not be as conclusive as a significant error on the part of the attacker, but it can be applied in many more cases.
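The contrast between direct and indirect models drawn above, as an added example that is not from the chapter: a direct model matches an explicit identifier (a known handle), while an indirect model profiles a feature type (character n-gram frequencies) and supports relative attribution between two artefacts. The samples, the handle list and the similarity threshold are all constructed for the illustration.

```python
# Added example (not the chapter's code): direct vs indirect attribution on
# constructed text fragments standing in for strings recovered from artefacts.
from collections import Counter
from math import sqrt

# Constructed samples. A and B share an author's habits (consistent "teh" and
# "recieved" misspellings, same phrasing); C is written in a different style.
# The explicit handle present in A has been removed from B.
SAMPLE_A = "teh payload was recieved ok -- by darkhandle. teh server is up, recieved config"
SAMPLE_B = "teh update was recieved ok. teh server is up, recieved new config file"
SAMPLE_C = "Payload received successfully. Server online; configuration updated."

# Constructed explicit identifier from a hypothetical earlier case.
KNOWN_HANDLES = {"darkhandle"}


def direct_attribution(text):
    """Direct model: attribute only when a known explicit identifier appears.
    Returns the set of matched handles (empty when the identifier was removed)."""
    lowered = text.lower()
    return {h for h in KNOWN_HANDLES if h in lowered}


def profile(text, n=3):
    """Indirect model: relative frequency of character n-grams. The feature
    *type* is fixed; the particular features come from the artefact itself."""
    t = text.lower()
    grams = Counter(t[i:i + n] for i in range(len(t) - n + 1))
    total = sum(grams.values())
    return {g: c / total for g, c in grams.items()} if total else {}


def similarity(p, q):
    """Cosine similarity between two profiles, in [0, 1]; 0 if either is empty."""
    if not p or not q:
        return 0.0
    dot = sum(p[g] * q.get(g, 0.0) for g in p)
    norm_p = sqrt(sum(v * v for v in p.values()))
    norm_q = sqrt(sum(v * v for v in q.values()))
    return dot / (norm_p * norm_q)


def same_origin(text1, text2, threshold=0.5):
    """Relative attribution: do two artefacts appear to share an origin?
    The threshold is a constructed value, not one derived from real data."""
    return similarity(profile(text1), profile(text2)) >= threshold
```

Removing the handle defeats the direct model (B yields no match), whereas the n-gram profile still links A and B and separates both from C.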

Key Terms in this Chapter

Cyberattack: An attack over a computer network, usually over the internet.

Intelligent Adversary: An adversary that is knowledgeable about the processes, systems and techniques used to attack and identify the attacker. It can be assumed that an intelligent adversary would take steps to mitigate such identification processes.

Profiling: Obtaining intelligence about an actor or attack.

Direct Attribution: Linking an attack to the attacker using direct pieces of evidence.

Indirect Attribution: Linking an attack to the attacker using a model representing the attacker's style and behaviour.

Cybercrime: A crime, in the legal sense, using the internet or computer network.

Authorship Analysis: A field of study investigating the attribution of text documents using their contents.

Cyberespionage: An espionage activity, such as the collection of data, over the internet, usually involving one state based actor obtaining information against another state.
