Hi everybody. Ed Amoroso here, and I want to talk to you about a topic that has been very much in the news the last couple of years. It's a concept called cyber attribution. And here's what it means. When a cyber attack is carried out, successfully or unsuccessfully, there's usually a great demand, certainly by the victim, and also by law enforcement, and maybe by all of us, the society, to figure out who did it. Who did this cyber attack?

Now, if you've studied the TCP/IP protocol, you know that because of spoofing and the ability to essentially set your source IP address to whatever you want, you can't just do cyber attribution by looking at a packet, figuring out the source IP, mapping that somewhere, and going, "they did the attack." You certainly can stop traffic from a region or place by doing that. For example, in China you could decide you don't want to allow traffic from America. How would you do that? It wouldn't be easy; you'd have to go in and look at the numeric mappings from the authorities that do IP mappings and maybe put some filters in. I don't know why you would want to do that. But if you did, you could certainly do that. Does that mean you are stopping cyber attacks? No. Does that mean you're able to effectively attribute attacks somewhere? No. It's just a way of blocking based on geography. So, that's not the way to do attribution.

But it turns out that law enforcement groups and intelligence agencies all around the world, it doesn't matter what country you're talking about for the most part, but in most developed countries, have pretty good techniques for doing attribution. So, as you, as a citizen, are just thinking through how an intelligence agency or a law enforcement group would figure out who did a cyber attack, it turns out they have some techniques that are pretty useful. I want to go through them. There are seven ways that cyber attribution can be carried out. The first is, in fact, by doing some cyber forensics.
So, no question that you do want to look at the attack. You want to look at the malware, you want to look at how it worked, decode it, and somehow do some forensic analysis, deep analysis, on whatever you can get your hands on. If you get your hands on the malware, you should look at it. Now, there might be a language embedded in the comments and, you know, this is written in Russian, it must have come from Russia. That seems like a very weak attribution to me, and I think to most people, but it may provide hints. You never know. I might tie the code, the malware, to some similar types of things that analysts may have seen. There might be hints. Who knows what. But certainly cyber forensics is one technique, one factor that's used in determining where some sort of an attack may have originated.

Second is what's called network monitoring. So, this is where, in addition to looking at the malware, the entire globe, for the most part, is involved in lots of metadata collection from public networks and from private networks. Those things generally are done under a legal authority. It's usually perfectly good legal, policy, and business acceptability for doing that. Sometimes it's under contract, sometimes it's just legal. Yes, I guess some of it may be illegal. That's up to you to decide when and where that sort of thing may occur and when it needs to stop. But where it is legal, there's a lot of data that's out there, and certainly law enforcement will have access to a lot of that, and they can use it to go rewind the tape and see what may have traveled where. An enterprise may have, for example, lost a bunch of data. Maybe it was all encrypted, but you can see a big monster file flew out at some time, from their gateway, from here to there. You can go back and you could look at that, say, did anything greater than a gig leave our gateway in the last week, and you see, and you get some hints. So, network monitoring is two. Third is kind of controversial.
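The "did anything greater than a gig leave our gateway in the last week" check can be made concrete. The following is an added example, not code from the lecture or from Ed Amoroso: it scans a handful of constructed gateway flow records, keeps only outbound flows inside a look-back window, aggregates bytes per (source, destination) pair, and reports any pair that moved more than a threshold. The record layout (timestamp, direction, source, destination, bytes), the field names, and the sample values are all assumptions made for this example.

```python
"""
Added example (not part of the original lecture): a small egress-volume
check of the kind described under "network monitoring".  The flow record
format and sample data below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed sample flow records: timestamp, direction, src, dst, bytes.
# Note that the first two records are each under 1 GiB but add up to more.
SAMPLE_FLOWS = """\
2024-05-01T02:10:00Z out 10.0.5.23 203.0.113.9 734003200
2024-05-01T02:25:00Z out 10.0.5.23 203.0.113.9 524288000
2024-05-02T09:00:00Z out 10.0.7.8 198.51.100.4 40960
2024-05-03T11:30:00Z in 10.0.5.23 203.0.113.9 2147483648
2024-04-10T01:00:00Z out 10.0.9.1 192.0.2.77 5368709120
2024-05-06T23:59:00Z out 10.0.7.8 198.51.100.4 1073741825
"""

GIB = 1024 ** 3

# Assumed "current time" for the review, so the example is reproducible offline.
NOW = datetime(2024, 5, 7, 0, 0, tzinfo=timezone.utc)


def parse_flow(line):
    """Parse one whitespace-separated flow record into a dict, validating the addresses."""
    ts, direction, src, dst, nbytes = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "direction": direction,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "bytes": int(nbytes),
    }


def large_egress(flow_text, now, window=timedelta(days=7), threshold=GIB):
    """Return {(src, dst): total_bytes} for outbound pairs whose summed bytes
    within [now - window, now] exceed the threshold."""
    since = now - window
    totals = defaultdict(int)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        # Only outbound flows inside the look-back window count toward egress.
        if f["direction"] != "out" or f["ts"] < since or f["ts"] > now:
            continue
        totals[(str(f["src"]), str(f["dst"]))] += f["bytes"]
    return {pair: total for pair, total in totals.items() if total > threshold}


if __name__ == "__main__":
    for (src, dst), total in sorted(large_egress(SAMPLE_FLOWS, NOW).items()):
        print(f"{src} -> {dst}: {total / GIB:.2f} GiB in the last 7 days")
```

Summing per pair rather than checking each record on its own is the point of the aggregation: a transfer split into several sub-threshold chunks is still caught, while the 5 GiB flow from April falls outside the window and the large inbound flow is ignored. As the lecture says, the result is a hint for the investigator, not an attribution by itself.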
This is called offensive attacks. Certainly not acceptable if it's illegal. But we do know that nation states break into each other's stuff. That's sort of attributed. Most people know that. So, for example, if you break into somebody's apple cart and you see one of your apples there, pretty good idea that maybe they aren't stealing your apples. Now, again, that's kind of controversial, because you could argue for the most part that that may not be acceptable. But it is a technique that's used, it is something that a lot of militaries will use, and it's kind of a third technique for cyber attribution.

The fourth involves spies, insiders. People who are there just watching what's going on. You can't deny the fact that in the business of law enforcement and cyber intelligence and so on and so forth, certainly at the nation-state level, there are going to be cases where an insider may be planted there specifically to hack in, back to, you know, the home office, exactly what's going on and provide some attribution that an attack may be going on. These could be extremely illegal kinds of things, but again, I'm just going through the functional techniques that can be used. Each society, each group, has to decide what's considered acceptable.

Another one, sort of a fifth, is leaks, and we see that all the time. It may be documents describing some aspect of the attack, or someone bragging on social media, and it gets leaked out. You can read the transcripts of this. Again, very, very, very common in catching hackers: young people who are hacking, in many cases, will brag, and their bragging is done online and then it leaks out. This is a time when I think maybe 9 out of 10 cyber attributions were done with respect to hackers based on them having bragged and that information leaking out. You can see how that clearly would be a useful means for determining who does what.
A sixth is basic law enforcement investigation: going and tracking leads and determining motives and trying to understand who might be doing what, for what reason, to whom, why, how. Very traditional techniques. Extremely mature. Law enforcement has been doing that forever. That's a sixth. And then the seventh is that if you have partners or allies, other countries, other groups who are doing this sort of thing, you share, and they may be doing the same thing.

So, you put all of these things together. If you're asking an authorized nation-state, military, government, or law enforcement group, "are you able to determine who did a particular cyber attack," it's not one of these, "well, because you can spoof a source IP, we can't possibly figure it out." The answer is they have a lot of techniques. Now, if you are a business and you want to do cyber attribution, a lot of these things are not available to you. You'd better not be doing offensive attacks. I hope you're not planting spies out there somewhere. I hope you're not intentionally grabbing leaks. But the other ones are probably okay: forensics and monitoring in some sense, working with law enforcement, and having partners, sharing threat information with others. Those are all still pretty powerful.

So, the bottom line here is that cyber attribution is a pretty well-developed field, certainly in law enforcement, a little less so for business, and certainly the least well-developed for individuals trying to determine attribution. But we've built this into your understanding as a cybersecurity fledgling or developing expert, because it's something that will make you a more informed citizen. Hope this has been helpful. I'll see you in a subsequent video.