Cyber Attack Attribution: in The Context of Cyberwar

Attribution is a complex issue with no simple answers. Both technical challenges and policy/legal issues must be considered.

Uploaded by Han-wei Kantzer
Copyright: © Attribution Non-Commercial (BY-NC)

Cyber Attack Attribution

In the Context of Cyberwar


Definition
• Attribution: “determining the identity or location of an attacker or an attacker’s intermediary.” (Wheeler, 2003)
– Identity: name, alias, country
– Location: geographic, IP/Ethernet address
– Question 1: How much effort will it take?
– Question 2: To what degree of certainty can it be determined?
Threat Models
(from the attacker’s perspective: the “adversary” is whoever is trying to attribute the traffic)

• Global passive adversary
– Observes all network links
– May additionally control a fraction of the network nodes
• Non-global adversary
– Observes or controls only a fraction of the network’s links and nodes
– A smart non-global adversary can approximate a global passive adversary by placing its few observers where the flows it cares about must pass
Anti-Attribution (anonymity)
• Three methods
– Stepping stones (multi-stage attacks)
– Routing through anonymization networks
• High-latency: mix-based (e.g. Mixmaster), which batches, delays and reorders messages
• Low-latency: onion routing (e.g. Tor); peer-to-peer designs (Torsk/NISAN)
– In-house network built from a botnet
Stepping Stones
• Attacker X compromises computer Y, which routes traffic through computer Z…

(Figure omitted. Source: Wheeler, 2003)


Stepping Stones (cont’d)
• Worm origin identification (Xie et al., 2005)
– Use traffic logs (who talked to whom, and when) to reconstruct the attack’s causal tree; the flows at the top of that tree point to the origin
– Requirement: full access to traffic logs across networks
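How the causal tree can be recovered from a merged flow log, as an added illustration (not the deck’s or Xie et al.’s code): the “random moonwalk” idea from that paper, where many walks start at random flows and step backwards in time to a flow that could have caused the current one. The flow records, the hidden infection tree and the walk parameters (window, number of walks, step limit) are all constructed for this example.

```python
"""Worm-origin identification from flow logs by random moonwalks, after
Xie et al. (2005).  Added illustration, not the deck's or the paper's code:
the flow records are constructed and the walk parameters are assumptions."""
import random
from collections import Counter, defaultdict

# Flow records as (time, src, dst).  WORM is the hidden infection tree rooted
# at h0; NORMAL is unrelated traffic, some of it sent by already-infected hosts.
WORM = [
    (1.0, "h0", "h1"), (1.3, "h0", "h2"),
    (2.0, "h1", "h3"), (2.2, "h1", "h4"), (2.4, "h2", "h5"), (2.6, "h2", "h6"),
    (3.0, "h3", "h7"), (3.2, "h4", "h8"), (3.4, "h5", "h9"), (3.6, "h6", "h10"),
    (4.0, "h7", "h11"), (4.2, "h8", "h12"), (4.4, "h9", "h13"), (4.6, "h10", "h14"),
]
NORMAL = [
    (0.5, "n1", "n2"), (0.9, "n2", "n3"), (1.5, "n3", "n1"), (2.1, "n1", "h0"),
    (2.8, "n4", "n5"), (3.1, "h3", "n4"), (3.3, "n5", "n2"), (3.9, "n2", "n4"),
    (4.1, "h9", "n1"), (4.5, "n3", "n5"), (4.8, "n1", "n3"), (5.0, "h0", "n2"),
]
LOG = sorted(WORM + NORMAL)   # what the investigator actually has: one merged log


def random_moonwalk(flows, walks=5000, max_steps=10, window=2.0, rng=None):
    """Repeatedly start at a random flow and step backwards in time to a flow
    that arrived at the current flow's source within `window` seconds before
    it (a flow that could have caused it).  Flows high in the causal tree are
    traversed by many walks, so their visit counts dominate the ranking."""
    if rng is None:
        rng = random.Random(0)
    into = defaultdict(list)          # dst -> flows that arrived there
    for f in flows:
        into[f[2]].append(f)
    visits = Counter()
    for _ in range(walks):
        f = rng.choice(flows)
        for _ in range(max_steps):
            visits[f] += 1
            t, src, _dst = f
            causes = [g for g in into[src] if t - window <= g[0] < t]
            if not causes:            # nothing could have caused this flow
                break
            f = rng.choice(causes)
    return visits.most_common()


def infer_origin(ranking, top_k=2):
    """The highest-ranked flows form the top of the reconstructed causal tree;
    their common source is the inferred origin host (None if they disagree)."""
    top = [flow for flow, _count in ranking[:top_k]]
    sources = {flow[1] for flow in top}
    return (sources.pop() if len(sources) == 1 else None), top


if __name__ == "__main__":
    ranking = random_moonwalk(LOG)
    origin, top = infer_origin(ranking)
    print("inferred origin:", origin)
    for flow, count in ranking[:5]:
        print(f"{count:5d}  {flow}")
```

Note what the investigator needs for this to work: the flow records from every network the worm crossed, merged on a common clock. A walk that reaches a network whose logs are missing simply stops there, which is the “full access to traffic logs” requirement above.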
Anonymization Networks
• Low-latency, onion-routing (Tor)
– Onion routing
• Anonymizes network flows by providing unlinkability: no single relay sees both the sender and the destination
• Weaknesses
– An adversary that controls both the entry and the exit node of a circuit can match the two ends and destroy anonymity
– Traffic analysis (Murdoch, Danezis 2005)
» A non-global adversary running a single Tor node can discover all relays on a target’s circuit (but not the identity of the sender)
Anonymization Networks (cont’d)
• P2P (Torsk/NISAN) (Wang et al. 2010)
– Tor has a big problem: scalability (every client must learn the full relay list from the directory)
– P2P designs solve this problem by selecting relays through distributed hash table lookups
– This introduces a weakness:
• Each lookup is itself observable, so a malicious DHT participant can learn (or bias) which relays a client is choosing, which narrows down its circuit
Passive vs. Active Timing-based Approach
• Passive timing-based approach
– Observe packets at two points and correlate the flows by their timing
– Takes longer: enough packets must be seen before the correlation is convincing
• Active timing-based approach (watermarking)
– Inject a timing pattern into the network flow and try to detect the pattern at exit routers
– Quicker
– Observer must be able to delay packets at an upstream point (i.e. control the communication there)

Requirement: access to routers at all key points of observation.

Not a requirement: inspection of packet contents, so encryption does not defeat either approach.
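Both approaches side by side, as an added example that is not part of the deck: a passive correlator that compares the inter-packet-delay (IPD) pattern of a flow entering a relay with flows leaving it, and an active watermark that delays selected packets upstream so a parity pattern can be read at the exit. This is the same end-to-end confirmation that a malicious entry/exit node pair performs against a low-latency anonymity network. The flows, the relay’s delay and jitter model, and the watermark parameters are constructed; the watermark is a simplified quantisation scheme in the spirit of Wang and Reeves (2003), not their exact encoder.

```python
"""Passive flow correlation and active inter-packet-delay (IPD) watermarking
for tracing a flow through a stepping stone or low-latency relay.  Added
illustration, not the deck's code.  Flows, the relay's delay/jitter model and
the watermark parameters are constructed; the watermark is a simplified
quantisation scheme in the spirit of Wang & Reeves (2003), not theirs."""
import math
import random


def ipds(ts):
    """Inter-packet delays of a time-ordered list of packet timestamps."""
    return [b - a for a, b in zip(ts, ts[1:])]


def pearson(xs, ys):
    n = min(len(xs), len(ys))
    xs, ys = xs[:n], ys[:n]
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy)


def passive_score(flow_in, flow_out):
    """Passive approach: correlate the timing of two observed flows without
    touching them.  A relayed copy keeps the sender's IPD pattern (a constant
    propagation delay cancels out), so it scores near 1; unrelated flows score
    near 0.  Confidence needs many packets, hence 'takes longer'."""
    return pearson(ipds(flow_in), ipds(flow_out))


def relay(ts, delay, jitter, rng):
    """A stepping stone / relay: constant forwarding delay plus per-packet
    jitter, never reordering packets."""
    out, last = [], -math.inf
    for t in ts:
        last = max(last, t + delay + rng.uniform(-jitter, jitter))
        out.append(last)
    return out


def embed(ts, bits, step):
    """Active approach: at an upstream point we control, delay packet 2k+1 so
    that IPD(2k, 2k+1) sits at the centre of a quantisation bin of width `step`
    whose index parity equals bits[k].  Packets are only ever delayed, and all
    later packets shift by the same amount, so no other IPD is disturbed."""
    out, shift = [], 0.0
    for i, t in enumerate(ts):
        t += shift
        k = i // 2
        if i % 2 == 1 and k < len(bits):
            prev = out[-1]
            q = math.floor((t - prev) / step)
            if q % 2 != bits[k]:
                q += 1                      # next bin with the right parity
            target = prev + (q + 0.5) * step
            if target < t:                  # would need to send early: use the
                target += 2 * step          # next bin of the same parity instead
            shift += target - t
            t = target
        out.append(t)
    return out


def extract(ts, nbits, step):
    """At the exit router: read the bin parity of each marked IPD.  Survives
    any constant delay and any jitter smaller than step/2."""
    return [math.floor((ts[2 * k + 1] - ts[2 * k]) / step) % 2 for k in range(nbits)]


def demo(seed=7):
    rng = random.Random(seed)

    def flow(n, mean_ipd):                 # constructed Poisson-like packet train
        t, out = 0.0, []
        for _ in range(n):
            t += rng.expovariate(1 / mean_ipd)
            out.append(t)
        return out

    attacker = flow(128, 0.1)      # flow seen entering the stepping stone
    unrelated = flow(128, 0.1)     # some other flow leaving it
    relayed = relay(attacker, delay=0.25, jitter=0.004, rng=rng)
    bits = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed 8-bit watermark
    marked_exit = relay(embed(attacker, bits, step=0.05), 0.25, 0.004, rng)
    return {
        "passive_relayed": passive_score(attacker, relayed),
        "passive_unrelated": passive_score(attacker, unrelated),
        "watermark_sent": bits,
        "watermark_recovered": extract(marked_exit, len(bits), step=0.05),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The watermark needs only 16 packets to be decided, whereas the passive score needs a long sample before an unrelated flow is reliably distinguishable; that is the speed trade-off above. Neither function ever looks at a payload, and the watermark is defeated only if something on the path adds jitter larger than half the quantisation step or deliberately re-times the flow.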
Botnet Takeover
• Stone-Gross et al. (2009)
– Torpig size: ~180,000 bots (at least 17 Gbps of aggregate bandwidth)
– Took advantage of Torpig’s use of domain flux
• Deterministic, date-seeded algorithm generates the domain names the bots use to find the C&C server
– Advantage: when one C&C server gets knocked offline, bots move on to the next generated domain
– Disadvantage: anyone who knows the algorithm can register the upcoming domains first, which allows defender “hijacking” of the C&C rendezvous to take over the botnet
– Lasted 10 days before Torpig’s controllers regained control
– During that time, 70 GB of data was intercepted, including 300,000 username/password pairs
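The mechanism behind that hijacking, as an added example (not the deck’s or Stone-Gross et al.’s code, and not Torpig’s real generator): a toy date-seeded domain generation algorithm, the bot’s ordered rendezvous, and the registration race between defender and operators. The seed, the number of candidates per day, the dates and the registrations are all constructed for the example.

```python
"""Domain flux and why it lets a defender hijack a botnet.  Added
illustration, not the deck's or Stone-Gross et al.'s code: the generator is a
toy date-seeded DGA written for this example (not Torpig's algorithm), and the
registrations are a constructed scenario."""
import hashlib
from datetime import date, timedelta

SEED = b"toy-dga-seed"   # assumed: the constant baked into the bot binary


def candidate_domains(day, seed=SEED, count=3):
    """Every bot computes the same ordered list of rendezvous domains for a
    given day; nothing secret is needed once the algorithm is extracted."""
    out = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).hexdigest()
        out.append(digest[:12] + ".com")
    return out


def bot_rendezvous(day, registrations, seed=SEED):
    """The bot tries the day's candidates in order and talks to the first one
    that resolves.  `registrations` maps domain -> who registered it."""
    for domain in candidate_domains(day, seed):
        if domain in registrations:
            return registrations[domain], domain
    return None, None


def sinkhole(registrations, start, days, seed=SEED):
    """Defender 'hijacking': register the first candidate of each future day
    before the operators do, so every bot reports to the defender instead."""
    for n in range(days):
        first = candidate_domains(start + timedelta(days=n), seed)[0]
        registrations.setdefault(first, "defender")
    return registrations


def scenario(start=date(2024, 1, 1), days=10):
    """Who receives the bots' beacons on each day of a constructed takeover."""
    regs = {}
    # The operators only ever registered the second candidate of each day.
    for n in range(days + 2):
        regs[candidate_domains(start + timedelta(days=n))[1]] = "operator"
    # The defender pre-registers the first candidate for `days` days ...
    sinkhole(regs, start, days)
    # ... then the operators notice and grab the first candidate for the day after.
    regs[candidate_domains(start + timedelta(days=days))[0]] = "operator"
    return [bot_rendezvous(start + timedelta(days=n), regs)[0] for n in range(days + 2)]


if __name__ == "__main__":
    for n, owner in enumerate(scenario()):
        print(f"day {n:2d}: bots report to {owner}")
```

The race is decided purely by who registers a generated name first, which is why the takeover lasted only until the operators reacted: once they register earlier candidates (or change the algorithm) the bots follow them again.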
Comments
• Attribution is hard, but possible
– Not feasible for ordinary domestic crime: the effort outweighs the stakes
– Feasible for national security issues, where the effort is justified
• Hack-back is a requirement
– Luckily, even good hackers make serious mistakes
• The more control over networks the better
