Please welcome return guest author Megan Carney today! Megan has ten years of experience in the field of computer security. Her previous short story publications include 'Flighty Youth' in the Raritan, 'Modern Mayhem' in the Wayfarer, 'Swing By Close' in the Wayfarer, and 'Directions' in the Bell Tower. 'Swing By Close' and 'Directions' both won first prize in the fiction sections of their respective issues. The Christian Science Monitor said her self-published photography book, 'Signs of My Cities', has "youthful zest."
Her debut thriller, Sarina, Sweetheart, was a quarterfinalist in the Amazon Breakthrough Novel Award contest. Publishers Weekly describes it as "[a] narrative with a dark humor that complements its fast pace and high stakes." Her next book, Trap and Trace, is due out soon.
Were the DNC’s email servers attacked by Russia? This year, attribution has become a hot topic.
To solve a crime in the physical world, we can use fingerprints, DNA and video footage. When a high profile attack occurs in the digital realm, traditional forms of evidence aren’t available. So how do investigators determine who’s responsible? And which investigators should you believe?
Most evidence in large-scale attacks is circumstantial, but a preponderance of circumstantial evidence can be enough to name a culprit. Not every organization has the depth of knowledge required to reach a reasonable conclusion, though. Government agencies are in a good position to gather the right intelligence, as are some private firms that specialize in incident response.
The body of circumstantial evidence that investigators accumulate about attackers, their infrastructure and their habits is what the industry calls threat intelligence.
Part of threat intelligence is understanding what attackers want. Some groups are focused on gathering data for espionage (corporate or political). Some groups make money by encrypting data and holding it for ransom. Some groups make money by offering denial of service attacks as a service. What an attack accomplishes is just as important as the technical details: who benefited from an attack is an important clue.
In December 2015, a sophisticated attack on Ukraine's power grid left roughly 230,000 people in the dark; Wired published a detailed account of it in March 2016. (https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/) Tensions between Ukraine and Russia are well known, and Ukraine's intelligence community believes the attack was retribution for a physical attack on the power lines feeding Crimea. Ukraine hasn't offered evidence to prove Russia was the culprit, but that's not uncommon. Revealing how you know what you know can burn intelligence sources, and government agencies are often reluctant to do so. Unfortunately, a lack of published evidence means that the general public must decide what to believe based on how much they trust the motives of the accuser.
So what sort of information do government agencies guard so carefully? Nation states and organized criminal groups invest time and money in building infrastructure and habits, and those are what investigators track. The acronym usually used for them is TTP (Tactics, Techniques and Procedures); the tooling an attacker builds and reuses is generally folded in under techniques. Loosely, the breakdown looks like this.
Tools are things like the infected attachments sent out in emails, or the specific exploit embedded in those attachments. Every coder has a style, and there are often clues in the way the code is written or in the language used in the comments. Tools also include the command-and-control servers set up to receive stolen data or issue commands to compromised machines inside the target's network.
Tactics are the game plans used by attackers. Attackers focused on espionage may craft emails with subject lines they know will be interesting to their targets. Some attackers have even used online dating profiles as a way to build relationships with their targets. Some groups have a specific set of commands they run to move within an organization after they’ve gained a foothold.
Procedures are exactly what they sound like. For instance, nation state attack groups made up of government employees often work regular hours in their local time zone. Chain of command also plays a role. Some groups have a strict hierarchy and move less nimbly. Smaller, less hierarchical groups behave differently.
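The working-hours clue above is one of the few TTP signals that can be turned into a calculation. Given a set of UTC timestamps tied to an attacker (command-and-control check-ins, malware compile times, logins to a staging server), you can ask which UTC offset makes the activity look most like a weekday 09:00-18:00 shift. The block below is an added example, not code from the original post: the timestamps are constructed (an imaginary operator working at UTC+8, plus two out-of-hours outliers), and the shift window, the scoring rule and the function names are my assumptions.

```python
"""Infer an attacker's likely working time zone from activity timestamps.

Added example. All timestamps are constructed for illustration; the shift
window and scoring rule are assumptions, not a published standard.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed "office hours" window in local time: 09:00 inclusive to 18:00 exclusive.
WORKDAY_START, WORKDAY_END = 9, 18


def constructed_sample():
    """Constructed timestamps (not real data): ten weekdays of activity by an
    operator on a UTC+8 schedule, converted to UTC, plus two outliers."""
    tz = timezone(timedelta(hours=8))
    events = []
    first_day = datetime(2016, 3, 7, tzinfo=tz)  # a Monday
    for n in range(14):
        day = first_day + timedelta(days=n)
        if day.weekday() < 5:  # weekdays only
            for hour in (9, 11, 14, 17):
                events.append(day.replace(hour=hour).astimezone(timezone.utc))
    # Two out-of-hours events: a Saturday night and a late weeknight.
    events.append(datetime(2016, 3, 12, 22, 30, tzinfo=tz).astimezone(timezone.utc))
    events.append(datetime(2016, 3, 16, 23, 5, tzinfo=tz).astimezone(timezone.utc))
    return events


def local_hour_histogram(events, offset_hours):
    """Count events per local hour-of-day for a candidate UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(ts.astimezone(tz).hour for ts in events)


def infer_utc_offset(events, start=WORKDAY_START, end=WORKDAY_END):
    """Score every whole-hour UTC offset from -12 to +14 by the fraction of
    events that land on a weekday inside the assumed shift window, and return
    (best_offset, scores). Ties are broken toward the offset closest to UTC."""
    if not events:
        raise ValueError("no events to score")
    scores = {}
    for offset in range(-12, 15):
        tz = timezone(timedelta(hours=offset))
        inside = 0
        for ts in events:
            local = ts.astimezone(tz)
            if local.weekday() < 5 and start <= local.hour < end:
                inside += 1
        scores[offset] = inside / len(events)
    best = max(scores, key=lambda o: (scores[o], -abs(o)))
    return best, scores


if __name__ == "__main__":
    sample = constructed_sample()
    best, scores = infer_utc_offset(sample)
    print(f"best-fit offset: UTC{best:+d} ({scores[best]:.0%} of events in shift)")
    for offset in (0, best):
        hist = local_hour_histogram(sample, offset)
        print(f"UTC{offset:+d}:", " ".join(f"{h:02d}:{hist[h]}" for h in sorted(hist)))
```

Two caveats a practitioner would add. First, a score of 95% at one offset and 26% at UTC itself is a strong signal only if the timestamps are ones the attacker did not control; compile times and log entries can be altered deliberately, which is exactly the sort of false flag discussed a few paragraphs on. Second, several countries share any given offset, so this narrows the field rather than naming a country, and it should be weighed together with the other TTP evidence, never alone.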
Even though attackers know that investigators study their TTPs, attackers don’t change TTPs as often as you’d think. Just like any organization, attack groups have to invest resources in order to change. As long as a group can accomplish their goal with what they already have built, they won’t make changes.
Of course, an attacker who wants another group to be blamed can try to copy that group's TTPs to implicate them. But, as in any other domain, it's hard to fool a determined, intelligent investigator who has a lot of information to work with. This is another reason investigators can be reluctant to reveal evidence: explaining how they draw their conclusions makes it easier for the next attacker to stage a convincing false flag.
So, to answer the question we started with: were the DNC's email servers attacked by Russia? Most likely. The Obama administration isn't perfect, but it has been reasonably functional on these matters. The joint assessment of DHS (which contains many different agencies) and the Office of the Director of National Intelligence is that they are "confident that the Russian Government directed the recent compromises of e-mails from . . . US political organizations." (https://www.dhs.gov/news/2016/10/07/joint-statement-department-homeland-security-and-office-director-national) While the more recent DHS/FBI joint analysis report didn't do much to support that claim, it's safe to say that's because the US government didn't want to share its most valuable and compelling evidence.