The Attribution Problem

P. G. Metzler The Attribution Problem 15 December 2008

“When you have eliminated the impossible, whatever remains, however improbable, must be the truth.” ~ Sherlock Holmes (The Sign of Four by Sir Arthur Conan Doyle)

Introduction

In December, 2008 a Colorado high school's administrative computers were

hacked. As a result, as many as 200 students had their grades changed. In the words of

one student, “everyone was being accused.” Students had to prove the grade in the

school's system was correct. The attackers have yet to be identified. (Nelson and

Garcia, 2008)

In 2000, FBI agents in a sting operation lured Russian hackers to the United

States and tricked them into providing their userids, passwords and server information.

The FBI then exploited their machines, downloaded evidence of criminal activity and

arrested them. Although the agents were successful in tracking down these criminals,

the Russian government charged the FBI agents with illegally hacking into computers,

creating an international incident. A US Federal Court judge ruled the agents had acted

in accordance with the 4th amendment (Denning, 2005).

Each of these incidents highlight a different aspect of challenges that are, in

information assurance circles, collectively referred to as the “attribution problem.” The

first instance is the classic “who stole my data” question. However, in the second,

successful attribution resulted in an international incident due to inadequate (read, non-

existent) cooperation. This paper is intended to provide the reader an overview of what

is meant by attribution, how attribution is categorized, associated challenges and

techniques for assigning attribution. Finally, a brief discussion of the trade-offs we have

1


yet to collectively decide upon regarding privacy, anonymity, attribution and non-

repudiation.

Attribution defined.

If you search the plethora of online IT dictionaries (e.g., SANS.org, ZDNet, etc.) you will

not find the term “attribution.” The term, formally defined, is more frequently associated

with law enforcement, the intelligence community or other disciplines where it is

desirable for a particular action to be traceable to the decisions or actions of a principal

for purposes of compensation (e.g., investment portfolio performance) or in cases

where pedigree significantly contributes to the perceived value of work (e.g., art, antique

or document appraisal).

Though lacking formal or at least codified definition, the term “attribution” is used

in information assurance circles (our specific area of concern) as a term of art referring

to the challenge of determining the identity of an actor in cyberspace- “the attribution

problem.” However, to look solely at identifying the actor is to oversimplify the problem.

We must also understand the nature of the action. Is it a cybercrime? Is it vandalism? Is

it hactivism? Is it an attack against critical infrastructure? Is it a diversion? Was this an

ad hoc attack or part of a larger, more complex operation? Only by understanding both

the actor and the intent, can we get beyond a reactive approach to defending our

information and toward a more holistic, strategic approach.

For purposes of this discussion, the term attribution will refer to the process of

determining the identity of an actor (or actors) originating an action or creating an

2


object. Law enforcement’s objective is to track the origin of an attack to an individual or

organization. This is more easily said than done. The more likely result, as we try to

attribute specific actions to actors is more in line with the definition of attribution used in

art history and antique valuation circles: “to consider as made by the one indicated, esp.

with strong evidence but in the absence of conclusive proof” (Dictionary.com, 2008).

The last phrase is important: “strong evidence absent conclusive proof” describes the

reality of the environment in which we operation and attempt to establish attribution. Our

response and our approach to risk mitigation in general, both defensive and offensive,

must take this into account.

To further bound this discussion to a degree that will allow its treatment of the

subject within a reasonable length, our emphasis will be on cyberspace intrusions,

exploitation (the exfiltration of information), or attack. We will focus on cyberspace

events from the perspective of national security- attacks or attempts to exploit

information for either the development of capabilities, counter-capabilities or preparation

of the environment by a potential adversary. This is not to imply these are the only

threats we face; however, the technical aspects of the attribution problem remain the

same whether we are investigating cybercrime or cyber espionage- it is the latter that

adds complexity in attribution from both a cooperation perspective and the need for an

increased burden of proof required to act decisively in diplomatic circles. Finally, while it

is understood that attribution is sought in situations that involve protocols other than

TCP/IP, for consistency the term packet will be used to denote bundled zeros and ones

transferring information, regardless of the actual protocol in use.

3


Attribution levels

In 2003, Advanced Research and Development Agency released a solicitation,

BAA 03-03-FH, that among other things, parsed the general attribution problem into four

areas. The following is an overview of the levels, mechanisms for achieving them and

potential challenges (Cohen & Narayanaswamy, 2004) (Denning, 2005).

Level 1: Identification of attacking machines

Level 2: Identification of primary controlling machines

Level 3: Identification of humans responsible for attack

Level 4: Identification of sponsor organization

Level 1 Attribution. Level 1 attribution, the identification of attacking machines is

frequently referred to as traceback. Ideally, the objective of traceback is to identify the

actual device from which information was generated (Cohen & Narayanaswamy, 2004).

Traditionally, traceback involves identifying the source IP address. However, modern

network management makes this approach inadequate given the likelihood that DHCP

is assigning addresses to a subnet of machines let alone the very real possibility that

the identified IP address has been spoofed. Even hardware addresses (MAC

addresses) can be altered by a determined attacker as evidenced by the advanced

configuration settings of your home router. Likewise, attribution to the desktop or other

specific machine requires a great deal of cooperation from (or subversion of) nodes 4


between you and the suspect attacker. Such cooperation may not be a viable option.

Therefore, many attempts to get to level 1 attribution result in a range of potential IP

addresses, rather than the identification of a specific device (Cohen & Narayanaswamy,

2004).

The techniques used to achieve level 1 attribution are primarily technical in

nature. To support attribution to a degree necessary by the intelligence community or

law enforcement, Cohen & Narayanaswamy (2004) offer the following guidelines for an

ideal level 1 attribution capability:

The tracking mechanism must be capable of attributing single packets (most

require a stream of information).

It should work with existing commercial network hardware deployed “in the wild.”

(though they note one could build their own router using open source software

and standard hardware for the purpose).

It should be capable of performing high speed processing (currently a challenge)

It should not require special communication paths.

It should be capable of running continuously without seriously degrading network

performance or risk of detection.

Technical approaches to Level 1 attribution include but are not limited to:

5


Link identification methods such as Probabilistic Packet Marking (PBM);

Deterministic Packet Marking (DPM) and Source Path Identification Engine

(SPIE). (Denning, 2005)

Packet filtering methods such as ingress filtering of false IP addresses or route-

based filtering (source IP address inconsistent with routing data). (Denning,

2005)

Young & Reeves (2007) propose the optimized deployment of remote monitors to

triangulate the source of malicious packets.

The problem with these techniques is the adversary can use their own methods

to disrupt our efforts to track them down. ARP spoofing, IP address spoofing, DNS

poisoning, fast-flux networks and BGP man in the middle attacks are but a few example

of technical counter-measures an attacker can use to complicate our targeting problem.

Consequently, Level 1 attribution is, in the face of a determined adversary is at best

imprecise and at worse, potentially deceptive.

Level 2 Attribution. The objective of level 2 attribution is to identify the first machine in a

causal chain of machines that control a computer that is believed to be involved in

malicious behavior (Cohen & Narayanaswamy, 2004). In truth, the behavior need not

be malicious. The techniques applied to identifying the controlling computer managing a

zombie net could be used to identify the controlling machine for a network of machines

used for other purposes (e.g., command and control systems).

6


While the objective of Level 2 attribution is to identify the primary (first) controlling

machine in a causal chain, there is a fundamental problem. As Cohen &

Narayanaswamy (2004) argue, the “primary controlling host” should be the machine

connected to the keyboard that is being touched by the human (identified through level

3 attribution). However, short of actually seeing the human’s fingers on the keyboard, it

is nearly impossible to be certain the behavior we are observing is not caused by

another machine. Our problem may be that we simply lack adequate knowledge of the

controlling mechanism. Given this, the best result one can expect is to determine with

reasonable certainty is that an activity observed on one computer is caused by an

identified activity on another identified computer (Cohen & Narayanaswamy, 2004)-

whether or not that computer is truly the controlling computer will be a judgment call

based on evidence and experience.

The primary reason for the difficulty in achieving level 2 attribution is the variety

of techniques available to an adversary to hide their controlling machines. Attackers

employ means of control such as reflectors, stepping stones (compromised intermediate

machines), non-standard software control, zombie control and physical control

(Denning, 2005). Additionally, their controlling channels are frequently encrypted or

employ deliberate deception techniques such as random delay, jitter or anonymizing

networks (Park & Reeves, 2007).

To achieve level 2 attribution, a number of techniques are employed. Many of the

techniques used in identifying machines for level 1 attribution are still valid for identifying

7


which machines are participating in an attack; however, they are unlikely to yield the

level of detail required to identify controlling machines. Level 2 attribution typically

requires extensive cooperation with other entities given the need to sort out zombies

and reflectors from controlling machines.

Internal monitoring of machine activity is usually effective in achieving level 2

attribution if one has access to the stepping stone machine simply through process

monitoring. However, in the case of a zombie machine, particularly if under the physical

control of an attacker, the attacker can present any view to the attacker they wish-

making level 2 attribution by this method unreliable.

Another option is extensive log review. Unfortunately, this requires training,

experience, access to Logs and some foresight to log the correct events. Such access

may not be realistic if we are trying to track an adversary through potentially hostile

machines or if we are trying to remain undetected. Another issue with logging is the

extent to which it must be done to actually track an adversary. According to Cohen and

Narayanaswamy (2004), the amount of logging required is impractical for machines

intended for normal use; however, the use of honeypot machines might make extensive

logging a feasible approach.

Network traffic analysis has proven fairly successful in achieving level 2

attribution. By analyzing the timing and data size characteristics of stepping stone

traffic, it is possible to track a packet's origin across multiple machines. However, the

use of anonymizing nodes or encryption can disrupt efforts to achieve level 2 attribution.

8


Emerging research indicates that watermarking (Park & Reeves, 2007)- particularly

timing based adaptive watermarking is able to survive the use of encryption and

anonymizing by an adversary.

Level 2 attribution can sometimes be determined by deliberately attempting to

elicit a reaction from someone controlling a machine. By sending unexpected traffic

across an inactive channel in use by an attacker, it is sometimes possible to track the

controlling machine's origin.

Finally, as with level 1 attribution, the deployment of network monitors can be

used to isolate the source of malicious network traffic. By using passive sensing

techniques it is possible to isolate source transmissions. For example, recent advances

in geo-location over the internet can not only be used to identify attacking machines, but

can also be useful in achieving level 2 and level 3 attribution. (Muir & Oorschot, 2006)

Level 3 Attribution. The objective of Level 3 attribution is to identify the humans

responsible for an action based on “evidence observed in the state or activity of one or

more computers that are connected to a network” (Cohen & Narayanaswamy, 2004). At

the end of the day, actions in cyberspace are initiated at some level by human beings.

Level 3 attribution relies heavily on more traditional law enforcement and intelligence

community investigative techniques to establish linkages between machines exhibiting a

specific behavior and the actors behind them in order to construct “a logical chain of

explanations” leading to an individual (Cohen & Narayanaswamy, 2004).

9


The underlying challenge in achieving level 3 attribution is the fact that most

computers today are limited in their ability to detect human interaction other than

through the I/O devices; keyboard and mouse. (The fact that these interactions are

rarely stored makes the use of bio-mechanical analysis (e.g., typing characteristics,

mouse movements) to establish or at least narrow down a list of suspect actors

problematic (Cohen & Narayanaswamy, 2004). As with level 2 attribution, it is a matter

of confidence building and ultimately judgement; therefore, the emphasis on improving

level 3 attribution must be on improving the quality, analysis and visualization of the

information available to the humans in the loop that must put the pieces of the puzzle

together.

The mechanisms and technologies used to achieve level 3 attribution include

document analysis, keystroke timing, authorship analysis, code analysis and modeling.

Each of these techniques attempts to illicit information in order to build a profile of the

attacker and where possible, identifying characteristics. A summary of what information

these techniques provide and their relative effectiveness is provided in Table 1.

Table 1. Level 3 Attribution Technologies (Source: Denning, 2005)

Measurable & Method Characteristics Uncovered Effectiveness

Document Analysis –

Natural language methods

Attacker goals, style, education, native language, knowledge; comparison to prior writings

Computationally intractable; but potentially more accurate

Document Analysis –

Statistical methods

Attacker goals, style, education, native language, knowledge; comparison to prior writings

Tractable; probabilistic answer provided; attacker might be able to deceive analysis

10


Keystroke Timing Comparison to prior profiles; left-handed or right-handed

Tractable, but results unreliable – attacker can mislead

Email Authorship Similar to natural language; gender Potentially useful – similar problems as document analysis

Attack Code Analysis Attacker’s sophistication level; tools used; knowledge; capabilities and resources

Potentially effective; no need for cooperation with anyone else

Attack Models Enumerate potential paths for attacker to take to perpetuate activity

Starting point for level 3 attribution process

Level 4 Attribution. There is very little treatment in the literature with regard to the

identification of sponsor organization. Level 4 attribution is where computer science

meets the soft sciences and detective work. Social network analysis, cultural analysis,

political and economic intelligence all come together to tease out the relationships

between actions in the digital world with the relationships between organizations, actors

and machines in the physical world.

Using intelligence assets, corporate and academic resources, it is possible to

identify potential relationships between cyberspace actors and their sponsors. That isn't

to say there aren't sometimes obvious linkages. Occasionally, there are (e.g., funds

transfers). However, an organized, determined adversary will not leave obvious trails

and where trails are found, they are likely to be deceptive.

11


Why attribution matters

Beyond the obvious (because I want to know who stole my information), why is it

important that we be able to establish levels of attribution? What levels of attribution

should we have in order to respond with legal, diplomatic or military action? At the most

basic level, our first objective may be simply to stop an attack. Before the arrival of

mega-bot nets and the massively distributed denial of service attack, level 1 attribution,

even if only to a range of ip addresses was generally sufficient . Simply update your IP

block list and press on. However, the capabilities of our adversaries have changed. The

ability of an actor to precisely control thousands of machines enables them to conduct

highly synchronized, complex attacks. It is no longer sufficient to block or otherwise

isolate the attacking machine. We must achieve level 2, level 3 or even level 4

attribution if we are going to prevent future attacks or roll-up increasingly sophisticated

actor groups. For legal action, law enforcement requires level 3 attribution minimum

and possibly even level 4 if they are dealing with a bot-for-hire or cybercrime

organizations. (Denning, 2005)

As for a national security response, the degree of attribution required is driven by

the tactical, operational and strategic situation. At the tactical level, level 1 or 2

attribution may be sufficient to “fight through” an attack. However, for more complex

responses (military strike- kinetic or otherwise) or the initiation of diplomatic action, level

3 attribution may be required for tactical operations (e.g., rolling up a terror cell) and

level 4 will be required to hold state sponsors accountable. (Denning, 2005)

12


To deter future attacks, attribution becomes critical. A deterrent is only credible if

it is effective and timely. If an adversary believes the risk of being identified and brought

to justice (or destroyed) is low, they are more likely to attack.

Attribution is also useful in the identification of emerging threats. An effective,

continuous capability of assigning attribution aids in the identification of emerging

actors, profiling their level of technical sophistication, establishing social network

relationships, potential “supply chains” and ultimately adversary vulnerabilities.

Why is attribution difficult?

The technical challenges of specific attribution levels have been addressed in

previous paragraphs; however, when one looks at the attribution problem, several

recurring themes emerge that help explain why achieving a specific level of attribution in

a timely manner is difficult. Intruders frequently make use of compromised machines,

encryption and other deceptive techniques to cover their tracks. Often, the machines

initially identified in an attack are, themselves victims. Source information is frequently

spoofed. As was highlighted in the FBI article, attacks frequently cross international

boundaries, further complicating a technically challenging response to an event. Finally,

a means of more accurately gathering attribution related data (particularly log data),

analyzing it and ultimately representing the information in a way that is meaningful to

decision makers needs to be developed and deployed.

13


Attribution, anonymity, privacy and non-repudiation.

One man's attribution is another man's invasion of privacy. The Internet was

founded on two fundamental principles; sharing and trust. Consequently, the underlying

architecture was not designed to provide anonymity, privacy, attribution and non-

repudiation out of the box. As Schneier (2000) points out, most people want privacy on

the web but don't want to pay for it. Most governments want the ability to conduct

attribution and see attempts at privacy and anonymity as a barrier to maintaining law

and order. As citizens of a democracy, we recognize anonymity as crucial to conducting

fair elections- the secret ballot. Not all countries (at least their ruling class) feel the same

way. As consumers, we want to be able to buy anything they want on the Internet

without being tracked yet want to be able to track down whoever stole their credit card

number then went on an Internet shopping spree. Vendors want neither privacy nor

anonymity (for you, that is). They want to know who you are, your spending habits and

what they can do to get you to buy from them again.

Can we come up with an architecture that supports the competing expectations

related to privacy, anonymity, attribution and non-repudiation? In theory it is technically

feasible; in terms of enabling an opt-out mode, incorporating end to end encryption,

labeling, key management, anonymizers, security policies and a process that supports

legitimate activities by law enforcement to recover clear text communication, files, etc.

In practice; however, the problem is intractable. To do so would be to fundamentally

redesign much of the infrastructure the world uses. It would require a level of debate

14


(followed by substantive action) regarding privacy, anonymity and attribution with

stakeholders that have too much to lose if we changed from the current insecure, low

assurance status quo. We must look to a mix of solutions if we are going to improve our

ability to conduct attribution.

Is “attribution on demand” feasible?

First it is important to describe what is meant by attribution on demand. By

attribution on demand, we mean that upon presentation of a court order or other

appropriate documentation (e.g., subpoena) by authorized officials, information could

be provided that would lead to rapid, accurate identification of a machine, controlling

machine, actor or sponsor regardless of its/their physical location. Within an

organization’s network boundaries, it is certainly technically feasible. The use of

biometrics coupled with cryptography and other technical mechanisms (e.g., robust

logging, remote sensors, etc.) could provide a degree of traceback and non-repudiation

sufficient in most circumstances- up to level 3.

Beyond an organization's internal network boundaries, things become more

complicated. A high degree of cooperation is required to conclusively establish level 1

attribution to a specific machine, let alone higher levels. Law enforcement, diplomatic or

military responses will require both a higher standard of proof and more complicated

interaction given privacy concerns, jurisdiction differences and political agendas. An

environment that would support attribution on demand is probably infeasible from a

practical standpoint. While a technical solution can be envisioned (gateways that serve

15


as anonymizers to provide privacy for users (with logging that could be retrieved on

court order); a public key encryption solution that provides a degree of non-repudiation

(again, decrypt on court order), at least for specific categories of transactions;

watermarking of information in transit; none of these is likely to be adopted across

service providers or international boundaries. We will continue to operate within a

complex, adaptive system with an adversary that has a vote in the outcome and is as

technically capable (if not more so) than those trying to track them. Attribution will

continue to be a matter of probability, not certainty.

Conclusion

Ultimately attribution and more importantly what to do with it once we’ve achieved

it boils down to a judgment call: something computers are decidedly not good at. The

amount of corroborating evidence technical and otherwise needed to reach a particular

threshold for action should be a function of the severity of the courses of action under

consideration, the strength of the case we have built and the potential outcomes if we

are wrong. We must recognize that attribution is a matter of probability not certainty and

short of fundamentally changing the underlying architecture of our networks; we are

unlikely to solve the “attribution problem.”

Therefore, the objective should not be to throw money at technical solution

vendors hoping to find an attribution silver bullet. Rather, given the complex nature of

the problem, we should seek out technologies and processes that attempt to reduce

ambiguity, improve data mining and visualization and reduce cultural, policy and

16


technical barriers to cooperation- thereby improving the judgment calls made by the

human in the loop. Through a holistic approach incorporating traditional investigative

techniques, technical intelligence, and an understanding of the potential actors involved

we can have a greater success of achieving attribution- not only to the actors involved,

but perhaps more importantly, their intent.

17


References

Advance Research and Development Agency (ARDA). “BAA 03-03-FH: Information Assurance for the US Intelligence Community (IC), Department of Defense (DoD), National Security Agency (NSA), Advanced Research and Development Agency (ARDA).” 16 March 2003

Brenner, Susan W. “At light Speed: attribution and response to cybercrime/terrorism/warfare.” Journal of Criminal Law and Criminology (Winter 2007) retrieved from http://findarticles.com/p/articles/mi_hb6700/is_2_97/ai_n29360738/pg_1?tag=artBody;col1 on 12 January 2008.

Cohen, Don & Narayanaswamy, K. Surrvey/Anallysiis off Level I, II, III, and IV Attack Attribution Techniques. (27 April 2004). Retrieved from http://74.125.95.132/search?q=cache:ZFJHJuVicwwJ:www.cs3-inc.com/arda-survey.pdf+K.+Narayanaswamy,+Survey/Analysis+of+Levels+I,+II,+and+III+Attack+Attribution+Techniques,+Cs3,+Inc.,+April+27,+2004.&hl=en&ct=clnk&cd=2&gl=us&client=firefox-a on 7 December 2008.

Denning, Dorothy E. “Presentation: Cyber Attack Attribution: Issues and Challenges.” (March 2005) retrieved from

Dictionary.com “Attribution” retrieved from http://dictionary.reference.com/search?q=attribute&db=luna on 3 December 2008.

Muir, James A. & van Oorschot, P.C. “Internet Geolocation and Evasion.” (8 April 2006) retrieved from http://66.102.1.104/scholar?hl=en&lr=&client=firefox-a&q=cache:Qp5IjyYGmPUJ:www.ccsl.carleton.ca/paper-archive/2007/TR-06-05.pdf+web+geo-location+ on 22 November 2008.

18

http://66.102.1.104/scholar?hl=en&lr=&client=firefox-a&q=cache:Qp5IjyYGmPUJ:www.ccsl.carleton.ca/paper-archive/2007/TR-06-05.pdf+web+geo-location



http://dictionary.reference.com/search?q=attribute&db=luna

http://dictionary.reference.com/search?q=attribute&db=luna

http://74.125.95.132/search?q=cache:ZFJHJuVicwwJ:www.cs3-inc.com/arda-survey.pdf+K.+Narayanaswamy,+Survey/Analysis+of+Levels+I,+II,+and+III+Attack+Attribution+Techniques,+Cs3,+Inc.,+April+27,+2004.&hl=en&ct=clnk&cd=2&gl=us&client=firefox-a



http://findarticles.com/p/articles/mi_hb6700/is_2_97/ai_n29360738/pg_1?tag=artBody;col1

http://findarticles.com/p/articles/mi_hb6700/is_2_97/ai_n29360738/pg_1?tag=artBody;col1


Park, Young Hee & Reeves, Douglas S. “Adaptive Watermarking against Deliberate Random Delay for Attack Attribution through Stepping Stones” retrieved from http://footfall.csc.ncsu.edu/papers.htm on 10 December 2008.

Schneier, Bruce. “Secrets and Lies” (2000). John Wiley & Sons. New York.

Wolf, Jeffrie and Garcia, Nelson. “Students Hack in Into School System, Change Grades.” Retrieved from http://www.9news.com/news/article.aspx?storyid=63092 on 9 December 2008.

Yong June Pyun & Reeves, Douglas S. “Strategic Deployment of Network Monitors for Attack Attribution.” retrieved from http://footfall.csc.ncsu.edu/papers.htm on 10 December 2008.

19

http://footfall.csc.ncsu.edu/papers.htm

http://www.9news.com/news/article.aspx?storyid=63092

http://www.9news.com/news/article.aspx?storyid=63092

http://footfall.csc.ncsu.edu/papers.htm

Documents

The Attribution Problem