P. G. Metzler The Attribution Problem 15 December 2008
“When you have eliminated the impossible, whatever remains, however improbable, must be the truth.” ~ Sherlock Holmes (The Sign of Four by Sir Arthur Conan Doyle)
Introduction
In December 2008, a Colorado high school's administrative computers were hacked. As a result, as many as 200 students had their grades changed. In the words of one student, “everyone was being accused.” Students had to prove that the grade in the school's system was correct. The attackers have yet to be identified (Nelson and Garcia, 2008).
In 2000, FBI agents in a sting operation lured Russian hackers to the United States and tricked them into providing their user IDs, passwords and server information. The FBI then exploited their machines, downloaded evidence of criminal activity and arrested them. Although the agents were successful in tracking down these criminals, the Russian government charged the FBI agents with illegally hacking into computers, creating an international incident. A US federal court judge ruled the agents had acted in accordance with the Fourth Amendment (Denning, 2005).
Each of these incidents highlights a different aspect of the challenges that are, in information assurance circles, collectively referred to as the “attribution problem.” The first instance is the classic “who stole my data” question. In the second, however, successful attribution resulted in an international incident due to inadequate (read: non-existent) cooperation. This paper is intended to provide the reader an overview of what is meant by attribution, how attribution is categorized, the associated challenges and the techniques for assigning attribution. Finally, it offers a brief discussion of the trade-offs we have yet to collectively decide upon regarding privacy, anonymity, attribution and non-repudiation.
Attribution defined.
If you search the plethora of online IT dictionaries (e.g., SANS.org, ZDNet, etc.), you will not find the term “attribution.” The term, formally defined, is more frequently associated with law enforcement, the intelligence community or other disciplines where it is desirable for a particular action to be traceable to the decisions or actions of a principal, either for purposes of compensation (e.g., investment portfolio performance) or in cases where pedigree significantly contributes to the perceived value of work (e.g., art, antique or document appraisal).
Though lacking a formal, or at least codified, definition, the term “attribution” is used in information assurance circles (our specific area of concern) as a term of art referring to the challenge of determining the identity of an actor in cyberspace: “the attribution problem.” However, to look solely at identifying the actor is to oversimplify the problem. We must also understand the nature of the action. Is it a cybercrime? Is it vandalism? Is it hacktivism? Is it an attack against critical infrastructure? Is it a diversion? Was this an ad hoc attack or part of a larger, more complex operation? Only by understanding both the actor and the intent can we get beyond a reactive approach to defending our information and toward a more holistic, strategic approach.
For purposes of this discussion, the term attribution will refer to the process of determining the identity of an actor (or actors) originating an action or creating an object. Law enforcement’s objective is to track the origin of an attack to an individual or organization. This is more easily said than done. The more likely result, as we try to attribute specific actions to actors, is more in line with the definition of attribution used in art history and antique valuation circles: “to consider as made by the one indicated, esp. with strong evidence but in the absence of conclusive proof” (Dictionary.com, 2008). The last phrase is important: “strong evidence absent conclusive proof” describes the reality of the environment in which we operate and attempt to establish attribution. Our response, and our approach to risk mitigation in general, both defensive and offensive, must take this into account.
To further bound this discussion to a degree that will allow its treatment of the subject within a reasonable length, our emphasis will be on cyberspace intrusions, exploitation (the exfiltration of information) or attack. We will focus on cyberspace events from the perspective of national security: attacks or attempts to exploit information for the development of capabilities or counter-capabilities, or for preparation of the environment by a potential adversary. This is not to imply these are the only threats we face; however, the technical aspects of the attribution problem remain the same whether we are investigating cybercrime or cyber espionage. It is the latter that adds complexity to attribution, both from a cooperation perspective and from the increased burden of proof required to act decisively in diplomatic circles. Finally, while it is understood that attribution is sought in situations that involve protocols other than TCP/IP, for consistency the term packet will be used to denote bundled zeros and ones transferring information, regardless of the actual protocol in use.
Attribution levels
In 2003, the Advanced Research and Development Agency released a solicitation, BAA 03-03-FH, that, among other things, parsed the general attribution problem into four areas. The following is an overview of the levels, the mechanisms for achieving them and the potential challenges (Cohen & Narayanaswamy, 2004; Denning, 2005).
Level 1: Identification of attacking machines
Level 2: Identification of primary controlling machines
Level 3: Identification of humans responsible for attack
Level 4: Identification of sponsor organization
Level 1 Attribution. Level 1 attribution, the identification of attacking machines, is frequently referred to as traceback. Ideally, the objective of traceback is to identify the actual device from which information was generated (Cohen & Narayanaswamy, 2004). Traditionally, traceback involves identifying the source IP address. However, modern network management makes this approach inadequate given the likelihood that DHCP is assigning addresses to a subnet of machines, let alone the very real possibility that the identified IP address has been spoofed. Even hardware addresses (MAC addresses) can be altered by a determined attacker, as evidenced by the advanced configuration settings of your home router. Likewise, attribution to the desktop or other specific machine requires a great deal of cooperation from (or subversion of) nodes between you and the suspect attacker. Such cooperation may not be a viable option. Therefore, many attempts to get to level 1 attribution result in a range of potential IP addresses, rather than the identification of a specific device (Cohen & Narayanaswamy, 2004).
The techniques used to achieve level 1 attribution are primarily technical in nature. To support attribution to the degree required by the intelligence community or law enforcement, Cohen & Narayanaswamy (2004) offer the following guidelines for an ideal level 1 attribution capability:
The tracking mechanism must be capable of attributing single packets (most require a stream of information).
It should work with existing commercial network hardware deployed “in the wild” (though they note one could build one's own router using open source software and standard hardware for the purpose).
It should be capable of performing high speed processing (currently a challenge).
It should not require special communication paths.
It should be capable of running continuously without seriously degrading network performance or risking detection.
Technical approaches to Level 1 attribution include but are not limited to:
Link identification methods such as Probabilistic Packet Marking (PPM), Deterministic Packet Marking (DPM) and the Source Path Identification Engine (SPIE) (Denning, 2005).
Packet filtering methods such as ingress filtering of false IP addresses or route-based filtering (source IP address inconsistent with routing data) (Denning, 2005).
Optimized deployment of remote monitors to triangulate the source of malicious packets, as proposed by Young & Reeves (2007).
The problem with these techniques is that the adversary can use their own methods to disrupt our efforts to track them down. ARP spoofing, IP address spoofing, DNS poisoning, fast-flux networks and BGP man-in-the-middle attacks are but a few examples of the technical counter-measures an attacker can use to complicate our targeting problem. Consequently, in the face of a determined adversary, Level 1 attribution is at best imprecise and at worst potentially deceptive.
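The route-based filtering listed above can be made concrete as a strict reverse-path check: a packet's source address is looked up in the router's own forwarding table, and if the best route for that source does not point back out the interface the packet arrived on, the source is inconsistent with routing data. The following is an added example written for this paper, not code from any of the works cited; the interface names, prefixes and packet records are constructed, and the RFC 5737 documentation ranges stand in for public address space.

```python
"""Route-based (reverse-path) source address filtering, as an added example."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed forwarding table: destination prefix -> outgoing interface.
ROUTES: Dict[str, str] = {
    "10.1.0.0/16":  "eth1",   # customer A's address block
    "10.1.5.0/24":  "eth2",   # a more specific slice of A's block sits behind eth2
    "192.0.2.0/24": "eth3",   # customer B's address block
    "0.0.0.0/0":    "eth0",   # default route: everything else is reached via transit
}

# Address ranges that must never arrive from the Internet-facing interface.
# (The documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are
# deliberately not listed: in this example they stand in for public space.)
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]

# Constructed packet records, as a capture or flow export would present them:
# (source address, interface the packet arrived on).
PACKETS: List[Tuple[str, str]] = [
    ("10.1.2.3",     "eth1"),  # consistent: A's address from A's link
    ("10.1.5.9",     "eth1"),  # inconsistent: 10.1.5.0/24 is routed via eth2
    ("192.0.2.10",   "eth1"),  # inconsistent: B's address arriving from A's link
    ("203.0.113.7",  "eth0"),  # consistent: external address from transit
    ("10.1.2.3",     "eth0"),  # inconsistent: our own customer's address from outside
    ("198.51.100.5", "eth3"),  # inconsistent: external address from B's link
    ("172.16.4.4",   "eth0"),  # bogon: private address arriving from the Internet
]

Table = List[Tuple[ipaddress.IPv4Network, str]]


def build_table(routes: Dict[str, str]) -> Table:
    """Sort routes most-specific first so the first match is the longest prefix."""
    entries = [(ipaddress.ip_network(p), iface) for p, iface in routes.items()]
    return sorted(entries, key=lambda e: e[0].prefixlen, reverse=True)


def best_route(table: Table, addr: str) -> Optional[str]:
    """Longest-prefix match: the interface the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    for net, iface in table:
        if ip in net:
            return iface
    return None


def reverse_path_ok(table: Table, src: str, in_iface: str, transit: str = "eth0") -> bool:
    """Strict reverse-path check plus a bogon check on the transit interface.

    The packet passes only if the router would send replies to src back out
    the interface it arrived on.  Bogon sources are rejected on the transit
    interface regardless of the default route.
    """
    ip = ipaddress.ip_address(src)
    if in_iface == transit and any(ip in net for net in BOGONS):
        return False
    return best_route(table, src) == in_iface


def flag_inconsistent(routes: Dict[str, str],
                      packets: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the records whose source address is inconsistent with routing data."""
    table = build_table(routes)
    return [rec for rec in packets if not reverse_path_ok(table, rec[0], rec[1])]


if __name__ == "__main__":
    for src, iface in flag_inconsistent(ROUTES, PACKETS):
        print(f"flag: src={src} arrived on {iface}")
```

Note that the check only discards packets whose claimed source cannot be right; it never proves where a surviving packet came from, which is exactly why level 1 attribution ends in a range of candidates rather than a device.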
Level 2 Attribution. The objective of level 2 attribution is to identify the first machine in a
causal chain of machines that control a computer that is believed to be involved in
malicious behavior (Cohen & Narayanaswamy, 2004). In truth, the behavior need not
be malicious. The techniques applied to identifying the controlling computer managing a
zombie net could be used to identify the controlling machine for a network of machines
used for other purposes (e.g., command and control systems).
While the objective of Level 2 attribution is to identify the primary (first) controlling machine in a causal chain, there is a fundamental problem. As Cohen & Narayanaswamy (2004) argue, the “primary controlling host” should be the machine connected to the keyboard that is being touched by the human (identified through level 3 attribution). However, short of actually seeing the human’s fingers on the keyboard, it is nearly impossible to be certain the behavior we are observing is not caused by another machine. Our problem may be that we simply lack adequate knowledge of the controlling mechanism. Given this, the best result one can expect is to determine with reasonable certainty that an activity observed on one computer is caused by an identified activity on another identified computer (Cohen & Narayanaswamy, 2004); whether or not that computer is truly the controlling computer will be a judgment call based on evidence and experience.
The primary reason for the difficulty in achieving level 2 attribution is the variety
of techniques available to an adversary to hide their controlling machines. Attackers
employ means of control such as reflectors, stepping stones (compromised intermediate
machines), non-standard software control, zombie control and physical control
(Denning, 2005). Additionally, their controlling channels are frequently encrypted or
employ deliberate deception techniques such as random delay, jitter or anonymizing
networks (Park & Reeves, 2007).
To achieve level 2 attribution, a number of techniques are employed. Many of the
techniques used in identifying machines for level 1 attribution are still valid for identifying
which machines are participating in an attack; however, they are unlikely to yield the
level of detail required to identify controlling machines. Level 2 attribution typically
requires extensive cooperation with other entities given the need to sort out zombies
and reflectors from controlling machines.
Internal monitoring of machine activity, simply through process monitoring, is usually effective in achieving level 2 attribution if one has access to the stepping stone machine. However, in the case of a zombie machine, particularly one under the physical control of an attacker, the attacker can present any view to the investigator they wish, making level 2 attribution by this method unreliable.
Another option is extensive log review. Unfortunately, this requires training, experience, access to logs and some foresight to log the correct events. Such access may not be realistic if we are trying to track an adversary through potentially hostile machines or if we are trying to remain undetected. Another issue with logging is the extent to which it must be done to actually track an adversary. According to Cohen and Narayanaswamy (2004), the amount of logging required is impractical for machines intended for normal use; however, the use of honeypot machines might make extensive logging a feasible approach.
Network traffic analysis has proven fairly successful in achieving level 2 attribution. By analyzing the timing and data size characteristics of stepping stone traffic, it is possible to track a packet's origin across multiple machines. However, the use of anonymizing nodes or encryption can disrupt efforts to achieve level 2 attribution. Emerging research indicates that watermarking (Park & Reeves, 2007), particularly timing-based adaptive watermarking, is able to survive an adversary's use of encryption and anonymizing.
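The timing analysis described above can be illustrated on a single suspected stepping stone: a relayed interactive session echoes each inbound packet on the outbound connection after a nearly constant processing delay, which encryption does not hide because only arrival times are used. The following is an added example written for this paper, not code from Park & Reeves or any other cited work; all timestamps are constructed, and the third candidate flow shows why the deliberate random delay the paper mentions defeats this simple correlation and motivates the watermarking research.

```python
"""Timing correlation of stepping-stone connections, as an added example."""
import statistics
from typing import List, Tuple

Pair = Tuple[float, float]

# Constructed packet arrival times (seconds) observed at a suspected stepping
# stone.  UPSTREAM is the inbound connection (attacker -> stone).  The three
# outbound candidates are: a genuine relay (constant ~60 ms processing delay),
# an unrelated session that happens to overlap in time, and a relay whose
# operator inserts a deliberate random delay of up to 600 ms per packet.
UPSTREAM  = [0.00, 0.40, 0.90, 1.50, 1.70, 2.60, 3.00, 3.80, 4.10, 5.00]
RELAYED   = [0.07, 0.46, 0.98, 1.56, 1.74, 2.68, 3.09, 3.85, 4.17, 5.03]
UNRELATED = [0.20, 0.25, 0.30, 1.10, 2.20, 2.30, 2.35, 4.50, 4.55, 4.90]
JITTERED  = [0.50, 0.55, 1.50, 1.70, 2.15, 2.70, 3.55, 4.10, 4.35, 5.60]


def match_packets(up: List[float], down: List[float], max_delay: float) -> List[Pair]:
    """Pair each upstream packet with the earliest unmatched downstream packet
    that follows it within max_delay seconds (greedy, one-to-one; inputs sorted)."""
    pairs: List[Pair] = []
    j = 0
    for t in up:
        while j < len(down) and down[j] < t:
            j += 1                      # a downstream packet before t cannot be caused by t
        if j < len(down) and down[j] - t <= max_delay:
            pairs.append((t, down[j]))
            j += 1
    return pairs


def timing_profile(up: List[float], down: List[float],
                   max_delay: float = 1.0) -> Tuple[float, float]:
    """Return (coverage, delay_spread) for a candidate upstream/downstream pair.

    coverage      fraction of upstream packets with a downstream successor in the window
    delay_spread  population std-dev of the matched delays; a plain relay adds a
                  near-constant delay, so the spread is small, whereas coincidental
                  matches between unrelated flows give erratic delays
    """
    if not up:
        return 0.0, float("inf")
    pairs = match_packets(up, down, max_delay)
    coverage = len(pairs) / len(up)
    if len(pairs) < 2:
        return coverage, float("inf")
    return coverage, statistics.pstdev([d - u for u, d in pairs])


def is_stepping_stone(up: List[float], down: List[float], max_delay: float = 1.0,
                      min_coverage: float = 0.9, max_spread: float = 0.1) -> bool:
    """Flag the pair as relayed when nearly every upstream packet is echoed
    downstream with a consistent delay."""
    coverage, spread = timing_profile(up, down, max_delay)
    return coverage >= min_coverage and spread <= max_spread


if __name__ == "__main__":
    for name, down in (("relayed", RELAYED), ("unrelated", UNRELATED), ("jittered", JITTERED)):
        cov, spread = timing_profile(UPSTREAM, down)
        verdict = is_stepping_stone(UPSTREAM, down)
        print(f"{name:9s} coverage={cov:.2f} spread={spread:.3f} stepping_stone={verdict}")
```

The jittered relay keeps full coverage but its delay spread lands in the same range as the unrelated flow, so loosening the spread threshold to catch it would also admit coincidental matches; that trade-off is the opening the adaptive watermarking work addresses.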
Level 2 attribution can sometimes be determined by deliberately attempting to
elicit a reaction from someone controlling a machine. By sending unexpected traffic
across an inactive channel in use by an attacker, it is sometimes possible to track the
controlling machine's origin.
Finally, as with level 1 attribution, the deployment of network monitors can be used to isolate the source of malicious network traffic. By using passive sensing techniques it is possible to isolate source transmissions. For example, recent advances in geo-location over the Internet can not only be used to identify attacking machines, but can also be useful in achieving level 2 and level 3 attribution (Muir & Oorschot, 2006).
Level 3 Attribution. The objective of Level 3 attribution is to identify the humans
responsible for an action based on “evidence observed in the state or activity of one or
more computers that are connected to a network” (Cohen & Narayanaswamy, 2004). At
the end of the day, actions in cyberspace are initiated at some level by human beings.
Level 3 attribution relies heavily on more traditional law enforcement and intelligence
community investigative techniques to establish linkages between machines exhibiting a
specific behavior and the actors behind them in order to construct “a logical chain of
explanations” leading to an individual (Cohen & Narayanaswamy, 2004).
The underlying challenge in achieving level 3 attribution is the fact that most computers today are limited in their ability to detect human interaction other than through the I/O devices: keyboard and mouse. The fact that these interactions are rarely stored makes the use of bio-mechanical analysis (e.g., typing characteristics, mouse movements) to establish, or at least narrow down, a list of suspect actors problematic (Cohen & Narayanaswamy, 2004). As with level 2 attribution, it is a matter of confidence building and ultimately judgment; therefore, the emphasis on improving level 3 attribution must be on improving the quality, analysis and visualization of the information available to the humans in the loop who must put the pieces of the puzzle together.
The mechanisms and technologies used to achieve level 3 attribution include document analysis, keystroke timing, authorship analysis, code analysis and modeling. Each of these techniques attempts to elicit information in order to build a profile of the attacker and, where possible, identifying characteristics. A summary of the information these techniques provide and their relative effectiveness is provided in Table 1.
Table 1. Level 3 Attribution Technologies (Source: Denning, 2005)

Measurable & Method | Characteristics Uncovered | Effectiveness
Document Analysis – Natural language methods | Attacker goals, style, education, native language, knowledge; comparison to prior writings | Computationally intractable; but potentially more accurate
Document Analysis – Statistical methods | Attacker goals, style, education, native language, knowledge; comparison to prior writings | Tractable; probabilistic answer provided; attacker might be able to deceive analysis
Keystroke Timing | Comparison to prior profiles; left-handed or right-handed | Tractable, but results unreliable – attacker can mislead
Email Authorship | Similar to natural language; gender | Potentially useful – similar problems as document analysis
Attack Code Analysis | Attacker’s sophistication level; tools used; knowledge; capabilities and resources | Potentially effective; no need for cooperation with anyone else
Attack Models | Enumerate potential paths for attacker to take to perpetuate activity | Starting point for level 3 attribution process
Level 4 Attribution. There is very little treatment in the literature with regard to the identification of the sponsor organization. Level 4 attribution is where computer science meets the soft sciences and detective work. Social network analysis, cultural analysis, and political and economic intelligence all come together to tease out the relationships between actions in the digital world and the relationships between organizations, actors and machines in the physical world.
Using intelligence assets, corporate and academic resources, it is possible to
identify potential relationships between cyberspace actors and their sponsors. That isn't
to say there aren't sometimes obvious linkages. Occasionally, there are (e.g., funds
transfers). However, an organized, determined adversary will not leave obvious trails
and where trails are found, they are likely to be deceptive.
Why attribution matters
Beyond the obvious (because I want to know who stole my information), why is it important that we be able to establish levels of attribution? What levels of attribution should we have in order to respond with legal, diplomatic or military action? At the most basic level, our first objective may be simply to stop an attack. Before the arrival of mega-botnets and the massively distributed denial of service attack, level 1 attribution, even if only to a range of IP addresses, was generally sufficient. Simply update your IP block list and press on. However, the capabilities of our adversaries have changed. The ability of an actor to precisely control thousands of machines enables them to conduct highly synchronized, complex attacks. It is no longer sufficient to block or otherwise isolate the attacking machine. We must achieve level 2, level 3 or even level 4 attribution if we are going to prevent future attacks or roll up increasingly sophisticated actor groups. For legal action, law enforcement requires level 3 attribution at a minimum, and possibly even level 4 if they are dealing with a bot-for-hire or cybercrime organizations (Denning, 2005).
As for a national security response, the degree of attribution required is driven by the tactical, operational and strategic situation. At the tactical level, level 1 or 2 attribution may be sufficient to “fight through” an attack. However, for more complex responses (a military strike, kinetic or otherwise) or the initiation of diplomatic action, level 3 attribution may be required for tactical operations (e.g., rolling up a terror cell) and level 4 will be required to hold state sponsors accountable (Denning, 2005).
To deter future attacks, attribution becomes critical. A deterrent is only credible if
it is effective and timely. If an adversary believes the risk of being identified and brought
to justice (or destroyed) is low, they are more likely to attack.
Attribution is also useful in the identification of emerging threats. An effective,
continuous capability of assigning attribution aids in the identification of emerging
actors, profiling their level of technical sophistication, establishing social network
relationships, potential “supply chains” and ultimately adversary vulnerabilities.
Why is attribution difficult?
The technical challenges of specific attribution levels have been addressed in previous paragraphs; however, when one looks at the attribution problem as a whole, several recurring themes emerge that help explain why achieving a specific level of attribution in a timely manner is difficult. Intruders frequently make use of compromised machines, encryption and other deceptive techniques to cover their tracks. Often, the machines initially identified in an attack are themselves victims. Source information is frequently spoofed. As was highlighted in the FBI article, attacks frequently cross international boundaries, further complicating a technically challenging response to an event. Finally, a means of more accurately gathering attribution-related data (particularly log data), analyzing it and ultimately representing the information in a way that is meaningful to decision makers needs to be developed and deployed.
Attribution, anonymity, privacy and non-repudiation.
One man's attribution is another man's invasion of privacy. The Internet was founded on two fundamental principles: sharing and trust. Consequently, the underlying architecture was not designed to provide anonymity, privacy, attribution and non-repudiation out of the box. As Schneier (2000) points out, most people want privacy on the web but don't want to pay for it. Most governments want the ability to conduct attribution and see attempts at privacy and anonymity as a barrier to maintaining law and order. As citizens of a democracy, we recognize anonymity as crucial to conducting fair elections: the secret ballot. Not all countries (or at least their ruling classes) feel the same way. As consumers, we want to be able to buy anything we want on the Internet without being tracked, yet we want to be able to track down whoever stole our credit card number and went on an Internet shopping spree. Vendors want neither privacy nor anonymity (for you, that is). They want to know who you are, your spending habits and what they can do to get you to buy from them again.
Can we come up with an architecture that supports the competing expectations related to privacy, anonymity, attribution and non-repudiation? In theory it is technically feasible, in terms of enabling an opt-out mode, incorporating end-to-end encryption, labeling, key management, anonymizers, security policies and a process that supports legitimate activities by law enforcement to recover clear text communication, files, etc. In practice, however, the problem is intractable. To do so would be to fundamentally redesign much of the infrastructure the world uses. It would require a level of debate (followed by substantive action) regarding privacy, anonymity and attribution with stakeholders that have too much to lose if we changed from the current insecure, low assurance status quo. We must look to a mix of solutions if we are going to improve our ability to conduct attribution.
Is “attribution on demand” feasible?
First it is important to describe what is meant by attribution on demand. By attribution on demand, we mean that upon presentation of a court order or other appropriate documentation (e.g., subpoena) by authorized officials, information could be provided that would lead to rapid, accurate identification of a machine, controlling machine, actor or sponsor regardless of its/their physical location. Within an organization’s network boundaries, it is certainly technically feasible. The use of biometrics coupled with cryptography and other technical mechanisms (e.g., robust logging, remote sensors, etc.) could provide a degree of traceback and non-repudiation sufficient in most circumstances, up to level 3.
Beyond an organization's internal network boundaries, things become more complicated. A high degree of cooperation is required to conclusively establish level 1 attribution to a specific machine, let alone higher levels. Law enforcement, diplomatic or military responses will require both a higher standard of proof and more complicated interaction given privacy concerns, jurisdiction differences and political agendas. An environment that would support attribution on demand is probably infeasible from a practical standpoint. While a technical solution can be envisioned (gateways that serve as anonymizers to provide privacy for users, with logging that could be retrieved on court order; a public key encryption solution that provides a degree of non-repudiation, again with decryption on court order, at least for specific categories of transactions; watermarking of information in transit), none of these is likely to be adopted across service providers or international boundaries. We will continue to operate within a complex, adaptive system with an adversary that has a vote in the outcome and is as technically capable as (if not more so than) those trying to track them. Attribution will continue to be a matter of probability, not certainty.
Conclusion
Ultimately, attribution, and more importantly what to do with it once we’ve achieved it, boils down to a judgment call: something computers are decidedly not good at. The amount of corroborating evidence, technical and otherwise, needed to reach a particular threshold for action should be a function of the severity of the courses of action under consideration, the strength of the case we have built and the potential outcomes if we are wrong. We must recognize that attribution is a matter of probability, not certainty, and that, short of fundamentally changing the underlying architecture of our networks, we are unlikely to solve the “attribution problem.”
Therefore, the objective should not be to throw money at technical solution vendors hoping to find an attribution silver bullet. Rather, given the complex nature of the problem, we should seek out technologies and processes that attempt to reduce ambiguity, improve data mining and visualization, and reduce the cultural, policy and technical barriers to cooperation, thereby improving the judgment calls made by the human in the loop. Through a holistic approach incorporating traditional investigative techniques, technical intelligence and an understanding of the potential actors involved, we can have greater success in achieving attribution, not only to the actors involved but, perhaps more importantly, to their intent.
References
Advanced Research and Development Agency (ARDA). “BAA 03-03-FH: Information Assurance for the US Intelligence Community (IC), Department of Defense (DoD), National Security Agency (NSA), Advanced Research and Development Agency (ARDA).” 16 March 2003.
Brenner, Susan W. “At Light Speed: Attribution and Response to Cybercrime/Terrorism/Warfare.” Journal of Criminal Law and Criminology (Winter 2007). Retrieved from http://findarticles.com/p/articles/mi_hb6700/is_2_97/ai_n29360738/pg_1?tag=artBody;col1 on 12 January 2008.
Cohen, Don & Narayanaswamy, K. “Survey/Analysis of Level I, II, III, and IV Attack Attribution Techniques.” (27 April 2004). Retrieved from http://74.125.95.132/search?q=cache:ZFJHJuVicwwJ:www.cs3-inc.com/arda-survey.pdf+K.+Narayanaswamy,+Survey/Analysis+of+Levels+I,+II,+and+III+Attack+Attribution+Techniques,+Cs3,+Inc.,+April+27,+2004.&hl=en&ct=clnk&cd=2&gl=us&client=firefox-a on 7 December 2008.
Denning, Dorothy E. “Presentation: Cyber Attack Attribution: Issues and Challenges.” (March 2005). Retrieved from
Dictionary.com. “Attribution.” Retrieved from http://dictionary.reference.com/search?q=attribute&db=luna on 3 December 2008.
Muir, James A. & van Oorschot, P.C. “Internet Geolocation and Evasion.” (8 April 2006). Retrieved from http://66.102.1.104/scholar?hl=en&lr=&client=firefox-a&q=cache:Qp5IjyYGmPUJ:www.ccsl.carleton.ca/paper-archive/2007/TR-06-05.pdf+web+geo-location+ on 22 November 2008.
Park, Young Hee & Reeves, Douglas S. “Adaptive Watermarking against Deliberate Random Delay for Attack Attribution through Stepping Stones.” Retrieved from http://footfall.csc.ncsu.edu/papers.htm on 10 December 2008.
Schneier, Bruce. Secrets and Lies (2000). John Wiley & Sons, New York.
Wolf, Jeffrie & Garcia, Nelson. “Students Hack Into School System, Change Grades.” Retrieved from http://www.9news.com/news/article.aspx?storyid=63092 on 9 December 2008.
Pyun, Yong June & Reeves, Douglas S. “Strategic Deployment of Network Monitors for Attack Attribution.” Retrieved from http://footfall.csc.ncsu.edu/papers.htm on 10 December 2008.