As the cyber security landscape evolves and attacks become more sophisticated and damaging, the question of who is responsible has grown more important. Accusations fly in the wake of every high-profile cyber attack, yet pinning an attack on a specific party is much harder than most people think.
Over the course of my career, I’ve had a number of customers ask me to help collect attack data for the purposes of prosecuting those responsible. Unfortunately, savvy attackers have many tools at their disposal to avoid being held accountable for their actions. Below are the three most common tactics that make assessing blame following a cyber attack a difficult task.
IP Spoofing
The Internet Protocol (IP) carries practically everything. It was designed for interoperability and for survivability when parts of the network drop offline abruptly; security was not a design goal. Each IP packet carries a header that tells routers and other devices where the packet came from and where it is going, among other things. The receiving host uses the source address to decide where its replies should go. Nothing in the header authenticates that address, and changing it is trivial.
When an attacker falsifies the source IP address in a packet header, it is called source IP spoofing. It is easy and very common. In DDoS attacks in particular, the attacker often crafts requests whose source address belongs to the victim and sends them to third-party servers; every one of those servers answers the victim instead of the attacker, and the intended result is a storm of responses from all over the Internet that slows or stops the victim's legitimate traffic. At other times packets are sent straight to one of the victim's addresses with source addresses belonging to innocent third parties, so that any response, and any blame, lands on them. The limitation of source IP spoofing is that the replies go to the forged address: unless the attacker sits on the path, a TCP handshake cannot complete and no two-way session is possible, so it is unworkable for attacks that need an interactive connection. The counter-measure is also well known: a provider that filters packets leaving a customer network with source addresses the customer does not own (BCP38 ingress filtering) stops the spoofed traffic before it reaches anyone.
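The following is an added example, not code from the original article. It packs an IPv4 header with a forged source address, parses it back to show that the receiver has nothing to check the source against (a reflector simply answers to whatever address is claimed), and applies a BCP38 / RFC 2827 style ingress filter of the kind that would drop such a packet at the attacker's upstream edge. All addresses are from the RFC 5737 documentation ranges and are hypothetical; the filter logic is a minimal stand-in for a router's uRPF or ACL, not any vendor's implementation.

```python
"""Added example, not code from the original article: forge an IPv4 source
address, parse the header the way a receiver sees it, and apply a BCP38
(RFC 2827) style ingress filter. Addresses are RFC 5737 documentation
ranges and hypothetical."""
import ipaddress
import struct
from typing import Iterable

# ver/ihl, tos, total len, id, flags/frag, ttl, proto, checksum, src, dst
IPV4_FMT = "!BBHHHBBH4s4s"


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the header. Over a header that already
    carries its own checksum the result is 0 when the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int,
                      proto: int = 17, ttl: int = 64) -> bytes:
    """Pack a minimal 20-byte IPv4 header. `src` is whatever the caller supplies;
    a raw socket would put these bytes on the wire without verifying it."""
    no_csum = struct.pack(IPV4_FMT, (4 << 4) | 5, 0, 20 + payload_len, 0x1234, 0,
                          ttl, proto, 0,
                          ipaddress.IPv4Address(src).packed,
                          ipaddress.IPv4Address(dst).packed)
    csum = ip_checksum(no_csum)
    return no_csum[:10] + struct.pack("!H", csum) + no_csum[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """What a receiver actually sees: header fields, not the sender's identity."""
    f = struct.unpack(IPV4_FMT, packet[:20])
    return {
        "src": str(ipaddress.IPv4Address(f[8])),
        "dst": str(ipaddress.IPv4Address(f[9])),
        "proto": f[6],
        "ttl": f[5],
        "checksum_ok": ip_checksum(packet[:20]) == 0,
    }


def reply_destination(packet: bytes) -> str:
    """A reflector answers to the claimed source, which is how a spoofed request
    becomes a response aimed at the victim."""
    return parse_ipv4_header(packet)["src"]


def bcp38_ingress_filter(packet: bytes, customer_prefixes: Iterable[str]) -> str:
    """Ingress filter on a provider's customer-facing port: forward only packets
    whose source lies in a prefix that customer legitimately originates."""
    src = ipaddress.IPv4Address(parse_ipv4_header(packet)["src"])
    if any(src in ipaddress.ip_network(p) for p in customer_prefixes):
        return "forward"
    return "drop"


if __name__ == "__main__":
    VICTIM, REFLECTOR, ATTACKER_PREFIX = "198.51.100.10", "192.0.2.53", "203.0.113.0/24"
    spoofed = build_ipv4_header(src=VICTIM, dst=REFLECTOR, payload_len=40)
    print(parse_ipv4_header(spoofed))                      # src shows the victim
    print("reflector replies to", reply_destination(spoofed))   # the victim
    print("at attacker's edge:", bcp38_ingress_filter(spoofed, [ATTACKER_PREFIX]))  # drop
    legit = build_ipv4_header(src="203.0.113.7", dst=REFLECTOR, payload_len=40)
    print("legitimate packet:", bcp38_ingress_filter(legit, [ATTACKER_PREFIX]))     # forward
```

The checksum only protects against corruption in transit; it is recomputed by the forger, so a valid checksum says nothing about who sent the packet. The filter works only where the provider knows which prefixes its customer owns, which is why it has to run at the attacker's edge rather than at the victim's.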
Compromised Servers
Before botnets, it was more common for an attacker to remotely compromise a server, through an operating system vulnerability or by other means, and install a rootkit: software designed to hide the evidence of the attacker's activity and make it easy to regain access if it was lost.
Once that was done, attacks could be launched from the compromised server, with the attacker deleting logs to cover their tracks. Clever attackers compromised many servers and hopped from one to the next, leaving a long chain of hosts with their logs wiped so that investigators could never walk it back to the attacker's origin. A log that exists only on the compromised host can be erased; a log forwarded in real time to a separate collector cannot, which is why off-host logging matters for attribution. System administrators had to become security gurus, installing patches and making configuration changes to protect their systems from attack.
With high-speed Internet access no longer limited to servers, workstations became the better targets. They are rarely monitored closely by information security departments and are often not fully patched, and it is rare for administrators to be willing to spend significant time investigating anomalies on them.
Botnets
Creating, managing, renting, and using large groups of infected computers is big business. Botnets are used for many purposes, including DDoS attacks, network intrusions, malware distribution, and other cybercrime. The traffic between botnet members and victim networks is often easy to trace back to the infected computer, but all that gets you is the victim of the infection. Intercepting the command and control (C2) traffic then becomes the goal, but smart botnet operators do not send commands directly from their own computers to the nodes they control.
C2 traffic is usually tunnelled through a channel that blends in with ordinary traffic, such as IRC, Twitter, instant messaging, or peer-to-peer networking. C2 servers are often decentralized and commonly use fast-flux DNS: the domain's A records point at a constantly changing set of compromised hosts that act as proxies, each record published with a very short TTL so the set rotates faster than anyone can take it down.
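The following is an added example and not code from the original article. It runs a fast-flux heuristic over a constructed series of DNS lookups, scoring each domain on the signals a fast-flux network exposes: very short TTLs, many distinct A records across repeated lookups, answers that keep changing from one lookup to the next, and addresses spread across unrelated networks. The domains, addresses, and thresholds are hypothetical; grouping by /16 is an offline stand-in for the per-AS lookup a real detector would use.

```python
"""Added example, not the article's own code: a fast-flux DNS heuristic over
constructed lookups. Domains, addresses and thresholds are hypothetical; the
/16 grouping stands in for an ASN lookup that needs external data."""
from collections import defaultdict
import ipaddress

# Constructed sample: (seconds since start, domain, TTL, A records returned).
# cdn.example.net is a stable benign host; upd.example.org flips its whole
# answer set every lookup with a 120 s TTL, the fast-flux pattern.
SAMPLE_LOOKUPS = [
    (0,    "cdn.example.net", 3600, ["192.0.2.10", "192.0.2.11"]),
    (1800, "cdn.example.net", 3600, ["192.0.2.11", "192.0.2.10"]),
    (3600, "cdn.example.net", 3600, ["192.0.2.10", "192.0.2.11"]),
    (0,    "upd.example.org",  120, ["198.51.100.4", "203.0.113.77", "192.0.2.130"]),
    (300,  "upd.example.org",  120, ["198.51.100.250", "203.0.113.201", "192.0.2.45"]),
    (600,  "upd.example.org",  120, ["198.51.100.19", "203.0.113.8", "192.0.2.77"]),
]


def flux_features(lookups):
    """Aggregate per-domain signals from (ts, domain, ttl, ips) lookup records."""
    seen = defaultdict(list)
    for ts, domain, ttl, ips in sorted(lookups, key=lambda r: (r[1], r[0])):
        seen[domain].append((ttl, set(ips)))
    features = {}
    for domain, answers in seen.items():
        all_ips = set().union(*(ips for _, ips in answers))
        # /16 diversity: proxies recruited from unrelated networks (hypothetical
        # stand-in for counting distinct autonomous systems)
        nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in all_ips}
        # churn: share of each answer set that was absent from the previous answer
        churns = [len(cur - prev) / len(cur)
                  for (_, prev), (_, cur) in zip(answers, answers[1:]) if cur]
        features[domain] = {
            "lookups": len(answers),
            "min_ttl": min(ttl for ttl, _ in answers),
            "unique_ips": len(all_ips),
            "unique_networks": len(nets),
            "churn": round(sum(churns) / len(churns), 2) if churns else 0.0,
        }
    return features


def is_fast_flux(f, max_ttl=300, min_ips=5, min_networks=3, min_churn=0.5):
    """Illustrative thresholds. Tune against known-good CDN traffic, which also
    uses short TTLs and many addresses but draws them from a few networks."""
    return (f["min_ttl"] <= max_ttl and f["unique_ips"] >= min_ips
            and f["unique_networks"] >= min_networks and f["churn"] >= min_churn)


def classify(lookups):
    """Map each domain in the lookups to True (fast-flux) or False."""
    return {d: is_fast_flux(f) for d, f in flux_features(lookups).items()}


if __name__ == "__main__":
    for domain, f in flux_features(SAMPLE_LOOKUPS).items():
        print(domain, f, "FAST-FLUX" if is_fast_flux(f) else "ok")
```

The caveat a practitioner will hit immediately is false positives: content delivery networks and large web properties also answer with short TTLs and rotating addresses. What separates them from fast-flux is the churn combined with address diversity across unrelated networks, which is why the check requires all of the signals together rather than any one of them, and why a real deployment replaces the /16 grouping with ASN data.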
Protecting Your Enterprise
The unfortunate truth is that network providers and law enforcement often cannot catch smart cybercriminals, and attribution after the fact rarely undoes the damage. It falls to individual enterprises to use appropriate policies, procedures, and technology to protect themselves. Strong perimeter defense, including network behavioral analysis, DoS mitigation, and IP reputation services, can work in conjunction with application-aware security to provide comprehensive protection.