Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Botnet

Cyberattacks: Do Motives and Attribution Matter? 44

An anonymous reader writes: Whenever people think of APTs and targeted attacks, they ask: who did it? What did they want? While those questions may well be of some interest, a potentially more useful question to ask is: what information about the attacker can help organizations protect themselves better? Let's look at things from the perspective of a network administrator trying to defend an organization. If someone wants to determine who was behind an attack, maybe the first thing they'll do is use IP address locations to try and determine the location of an attacker. However, say an attack was traced to a web server in Korea. What's not to say that whoever was responsible for the attack also compromised that server? What makes you think that site's owner will cooperate with your investigation?
This discussion has been archived. No new comments can be posted.

Cyberattacks: Do Motives and Attribution Matter?

Comments Filter:
  • Why bother? (Score:5, Interesting)

    by SuricouRaven ( 1897204 ) on Sunday October 11, 2015 @04:37AM (#50702979)

    A while ago my employer came under DoS attack. We weren't the actual target - following a recent router replacement** the copying of configuration had been done wrong and left us with an open DNS resolver, we were just being used as an amplifier to attack some Russian websites. All the source IPs came from China, but many different organisations within China - a university, a factory, a local government office, and so on. Obviously a botnet, probably based on a Chinese-language trojan as that would explain the geographic clustering.

    I identified every source address, blocked it at our firewall, looked up whois on the IP, found the abuse email, and informed the responsible party with tcpdump output to show what was going on.

    Almost every email I sent came back as undeliverable. I had to muddle through Chinese customer service pages to find someone to contact on those, and not one of them ever got a reply. The packets kept on coming too until they all ceased together suddenly, probably at the point the responsible party realized I'd fixed the open resolver problem.

    So why bother? You can dance around waving flags and shouting 'you've been hacked!' and a lot of organizations just don't want to know.

    **If you ever upgrade a Smoothwall appliance, watch out for this!

    • by Anonymous Coward

      But this anecdote ties in neatly with "who did it? What did they want?"

      Most of the case the answer will be a botnet that is out fishing for known vulnerabilities.
      For most companies there is no risk of a targeted attack. In the vast majority of the cases the competitors aren't willing to break the law to bring you down.
      The attacks you will see on daily basis are script kiddies that don't know who you are and your security holes will consists of badly written third party libraries or tools that "gets the job

      • I have to say the motives do matter. A DDOS vs. a targeted attack to collect data. Then what is the motivation behind the data, stolen. Is it just to sell off to make money, or will it be used for blackmail, perhaps they are trying to search for abuse in the system. Is the system attacking you just an unwilling system, probably due to the server under the desk, type of setup, where an outside IT guy is called only when there is a noticeable problem. Or is it from a location where there is a large IT Staff

        • by TimSSG ( 1068536 )
          Yes, Motives matter. They matter a lot when it becomes time to sentence the guilty. Tim S.
    • Most of the IT admin in China are poorly run, and many of their machines have been compromised - resulting in China IPs keep showing up in many cyberhacking incidents

      The problem is that most of the IT staffs in China do not prioritize security - to them as long as the things run they are happy

      It boils down to mindset - security / safety isn't something Chinese care too much about

      I know, I am a Chinese

  • The jump from "what" and "wherefrom" - e.g. an ip address, Korea - to the "whom" and "why" seems hardly to be feasible in a purely machine-based way. IMHO, you're pretty soon going to hit the limits of what a sysadmin can do, both technically and professionally. There are corporations and individuals specialized in this kind of work, which has many traits of the criminal investigator's.

    Then again, to the sysadmin or the CTO, does the "why" really matter ?

  • by msobkow ( 48369 ) on Sunday October 11, 2015 @05:02AM (#50703023) Homepage Journal

    If it's some script-kiddie, you have the little bastard locked up.

    If it's a "professional" foreign intelligence agency, you sigh a heavy sigh and realize there is bugger all you can do about it.

  • by tlambert ( 566799 ) on Sunday October 11, 2015 @05:36AM (#50703129)

    "What makes you think that site's owner will cooperate with your investigation?"

    To be very clear: we are talking about an intermediate site that has themselves been hacked, rather than the origin of the attacks.

    In the absolute freaking limit? No holds barred?

    Because, if they are in Korea, they are extraterritorial to everyone but Koreans, and I will just hire Russians or some other third party to take them down more or less permanently if they choose not to cooperate. Or even better: I will pay the third party to cause their site to host illegal-in-Korea content, and then wait several weeks before having them reported to Korean authorities for their content through a side channel, and then the site's owner gets arrested.

    Or did you think "active defense" or "strike-back" doesn't happen?

    • > To be very clear: we are talking about an intermediate site that has themselves been hacked, rather than the origin of the attacks.

      And they _will not_ cooperate. Even if their technical staff wish to, I'm afraid that if any manager or corporate attorney gets involved, the investigation will be sealed off and no more information shared. They may request a subpoena to to turn over information, but those subpoenas are very difficult to obtain, especially in a timely fashion while the attack is ongoing and

  • The deep root cause of all of this is that we trust our code to do what it says on the tin... we need to fork everything to invert this assumption [blogspot.com] and trust nothing (except the OS kernel)... it's a lot of work, but it can be done.

  • Articles. (Score:5, Insightful)

    by Hognoxious ( 631665 ) on Sunday October 11, 2015 @06:40AM (#50703263) Homepage Journal

    Articles: should they have some actual content, or just a load of speculative waffle that two guys sipping beer could come up with?

    • Mod story down. (Score:2, Insightful)

      by Anonymous Coward

      Mod parent up! And mod entire story down. This is so much a Trend researcher making an MBO or cash payout for blogging, with some marketing person checking that the wording is correct, but having no context to know if the content is blog-worthy.

      I still think that moderators, en-masse, ought to be able to mod an entire story down.

    • Mod parent up! And mod entire story down. This is so much a Trend researcher making an MBO or cash payout for blogging, with some marketing person checking that the wording is correct, but having no context to know if the content is blog-worthy. I still think that moderators, en-masse, ought to be able to mod an entire story down.
  • by bytesex ( 112972 ) on Sunday October 11, 2015 @06:43AM (#50703269) Homepage

    When you have the capability to drop bombs.

    • by DarkOx ( 621550 )

      When you have the capability to drop bombs.

      Only if justice matters to you. Dropping bombs, virtual or physical on the most immediate source of the attack will certainly solve the immediate problem.

      Will the attackers find another victim to try and use against you, sure probably and likely sooner rather than later but if you haven't got the ability to locate the real source but have the ability to swat down the intermediaries, unwitting though they may be, what should you do?

      • When you have the capability to drop bombs.

        Only if justice matters to you. Dropping bombs, virtual or physical on the most immediate source of the attack will certainly solve the immediate problem.

        Will the attackers find another victim to try and use against you, sure probably and likely sooner rather than later but if you haven't got the ability to locate the real source but have the ability to swat down the intermediaries, unwitting though they may be, what should you do?

        It would teach the intermediaries the virtue of not going cheap on their IT budgets.

  • Finding out who or why is often driven by vindictive emotional reasons. You should always find out how first, patch, then look to answering who and why.
  • Whenever people think of APTs and targeted attacks, they ask: who did it? What did they want? While those questions may well be of some interest, a potentially more useful question to ask is: what information about the attacker can help organizations protect themselves better?

    Motive and attribution definitely matter if the organization attacked deserves to be attacked.

    Not all "organizations" are blameless.

  • by dweller_below ( 136040 ) on Sunday October 11, 2015 @12:40PM (#50704525)
    I do IT Security for a research university. For the last 10 years, we have attempted to handle all incoming attack. Some gets missed, but we make an attempt. It is good work for the interns/trainees. We document the incident, block the attacking IP for an appropriate amount of time, and notify the remote abuse contact. We have found that handling attack provides significant benefits:
    • * Our security team remains functional. Ignoring incidents creates bad habits in the security team.
    • * It creates memory of how we are attacked. We need to know how we are attacked, so our defenses are anchored in reality.
    • * It greatly reduces the amount of attack. The number of attacks drop off sharply a couple weeks after we begin religiously reporting attacking IPs. We have tested this effect several times. When we stop reporting, it ramps up. When we start, it drops to about 1/10th it's prior levels.
    • * It notifies the owner/ISP of the remote computer that they are attacking. Usually they are also innocent victims.
    • * In the last few years, the percentage of remote resolutions has been climbing. Currently, about 1/2 of the reported non-Chinese incidents appear to result in remote resolution.

    We utilize some automation to handle the load. We have a few honey-pots. We also monitor our dark IPs. We learned to distinguish DoS backscatter, and the various types of frequently spoofed attacks. We thought that an enterprising hacker would attempt to spoof an important Internet resource and cause us to auto-immune ourselves to death. So we whitelisted a bunch of critical external IPs and looked for critical spoofing. In the last 10 years the amount of spoofed attack has dropped drastically. We recently found an incident where an attacker spoofed a critical Google resource and tried to get us to block it. That is the only time we have detected that kind of spoofed attack.

    We have found that most attackers (even governments) don't like to have their attack methods documented and publicized. We have found that some ISPs turn evil and knowingly host attack, but they are quickly and easily blocked until they go broke or come to their senses.

    We have found many institutional scans. The best of these groups provide timely assistance to those who are making mistakes. In our view, the best groups include the ShadowServer Foundation, EFF, and the Chaos Computer Club. The worst of these groups are simply feeding on the mistakes of others. The worst groups provide no assistance to others. The worst groups actually have motivation to preserve or enhance the problems of others.

    More info is available here:

The next person to mention spaghetti stacks to me is going to have his head knocked off. -- Bill Conrad

Working...