[Dailydave] "When you shoot at the king, you best not miss." (Allen)

the grugq thegrugq at gmail.com
Sat Jun 18 01:41:56 EDT 2016

I love the scepticism, this is an excellent attitude to have with cyber claims of attribution! So let's apply some analytic processes to the problem, I’m sure they can help illuminate the situation.

What I’d love to see, from anyone, is an actual ACH matrix with some options and the available data we have mapped out. Let's see what hypothetical threat actors match against the available data. What are the alternatives here? I’ve heard:

TA-1. a kid, or kids, in it for the lulz
TA-2. a false flag op by another FIS
TA-3. a FIS badly attributed by CrowdStrike
TA-4. the Russian intelligence services
TA-5. a Russian intelligence subcontractor for cyber ops gone rogue

Any others I’ve missed? There are a lot of variants of TA-1, so I’m including all non-FIS autonomous threat actors (but please, if there is a variant that merits special consideration, let's add them as a separate possibility.)

There are three distinct operations that need to be covered by the actor. Let's map those out:

Op-1. the DNC breach and exfil
    a. at least two threat actors on the network
    b. used tools, techniques and procedures associated with Russian APTs
    c. focused on political data exfil, not monetisation
       - no ransomware, exploitation of PII, banking/CC fraud, etc.
          * I’d bet the DNC would pay a _lot_ to a ransomware operator

Op-2. the "covert action" against the Democratic campaign
    a. analysis of “thousands” of documents 
       - requires access to the take from Op-1
    b. requires some political savvy wrt document selection
       - political savvy requirement goes up if the documents were altered
    c. at least minimal planning wrt the release channel and the timing
       - wikileaks? the intercept? MSM? the pirate bay? dedicated website?
       - after Trump nomination, but before the election (obviously)
           * on the network for months, yet no docs leaked before WaPo article

Op-3. the guccifer2 claim of responsibility
    a. the supporting evidence 
       - requires access to the take from Op-1
       - requires analytic and political skills from Op-2.a & Op-2.b
    b. subtle notes of Russian (too subtle for media to notice, but not for pros)
       - maybe deliberately inserted (threat actor is proficient in Russian)
       - or, “mistakes were made” (threat actor happens to be Russian speaking)
    c. deployed w/in < 24hrs of the WaPo story
       - complete absence of evidence of g2 before the WaPo article
    d. why guccifer2? another eastern european hacker’s name
       - other threat actors have used unique names for claims of responsibility (e.g. the Sony hack, hackers seeking fame, etc)

With the data that we have available to us, what are some potential actors, or series of events w/ different actors, who would have the capability, the intent and the opportunity to execute the above three operations? 

Can someone show that Op-2 didn’t actually exist? Maybe no documents were passed to wikileaks, and the selection of evidence for Op-3.a was basically random? Would there be another way of providing evidence other than stolen documents? 

I am very honestly interested in hearing what suggestions people have.

As Mara pointed out, Op-2 would be an extremely risky move by Russia, particularly at a politically sensitive time. That might be a motivation for some entity who wants to damage (a subset of) Russian interests by implicating them (see: TA-2, TA-5). Conversely, aiding Trump is in line with (a subset of) Russian interests (see: TA-4, TA-5), although it is also in line with other possible threat actors, e.g. 4chan’s alt-right community (see: TA-1). There are a lot of possibilities here!

Let's apply some analytic rigour to our speculation and see what we can come up with.

* Can we use the available data to eliminate any of the threat actors?
* What additional data would help eliminate any, and can we get it?

Intelligence analysts frequently have to work with a patchwork of data of various levels of reliability. Which is precisely why these analytic processes were developed. Now is the perfect time to use them to help sift through what we know.

This is very exciting! Intelligence and cyber, making history, right before our eyes! 


ps. Maybe someone wants to start a Google Docs spreadsheet we can build an ACH matrix on? Probably columns for threat actors, and rows for operations and evidence would be most manageable. 

> On 17 Jun 2016, at 23:39, Jeffrey Carr <greylogic.carr at gmail.com> wrote:
> I agree entirely, Allen. The market incentives are huge for a company to discover and report an attack attributed to a nation state, the bar for evidence is negligible, and there's really no way to disprove a claim. Even when someone involved in the attack pops up and says I did it, here's proof, and you're an idiot, that becomes a "disinformation operation" and again, there's no way to disprove that.
> Jeff
> ----------------------------------------------------------------------
> Message: 1
> Date: Thu, 16 Jun 2016 21:28:42 -0400
> From: Allen <multimode1876 at gmail.com>
> To: Adam Shostack <adam at shostack.org>
> Cc: "dailydave at lists.immunityinc.com"
>         <dailydave at lists.immunityinc.com>
> Subject: Re: [Dailydave] "When you shoot at the king, you best not
>         miss."
> Message-ID:
>         <CADwYKiY5RYJ5s61QXLf+Hc7ZrgD1LCNbCcXt5qUsN8hv6c8kRA at mail.gmail.com>
> | It's entirely possible that this is a disinformation campaign, or that
> attribution is hard, and Crowdstrike made a mistake
> |
> I'm inclined to believe that while attribution may be hard there are
> entirely too many market incentives to brand any given attack with one of
> the nation state animal totems.
> The fact that attribution is frequently derived from prior intelligence
> blended with the fact that all of the source data is confidential only
> lends itself to confirmation bias. A small attribution mistake by one
> vendor can really snowball.
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
> End of Dailydave Digest, Vol 55, Issue 12
> *****************************************
> -- 
> Jeffrey Carr (jeffreycarr.com)
> CEO, Taia Global, Inc. (taiaglobal.com)
> Founder, Suits and Spooks (suitsandspooks.com)
> Author, "Inside Cyber Warfare: Mapping the Cyber Underworld" (O'Reilly Media, 2009, 2011)
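An added worked example of the ACH bookkeeping the post asks for, written by the editor and not taken from any participant in the thread. It implements the spreadsheet layout proposed in the PS (hypotheses as columns, evidence items as rows) and the three questions the post poses: which hypotheses the evidence can eliminate (Heuer's rule of scoring by inconsistent evidence, not by supporting evidence), which evidence items are actually diagnostic, and which unknown cells are worth collecting on. The hypotheses H1..H4, the evidence items E1..E5, the consistency ratings and the weights are constructed placeholders; they are not an assessment of the DNC case or of TA-1..TA-5.

```python
"""Toy Analysis of Competing Hypotheses (ACH) scorer.

Each cell of the matrix holds a consistency rating:
  'C' consistent, 'I' inconsistent, 'N' neutral / no bearing, '?' unknown.
Following Heuer's method, a hypothesis is ranked by how much evidence is
INCONSISTENT with it; piling up consistent evidence proves nothing, because
a good false flag is consistent with the story it is telling.
"""

RATINGS = ("C", "I", "N", "?")

# Constructed placeholder data (assumption: NOT an assessment of any real case).
# Rows are evidence items, columns are competing hypotheses.
HYPOTHESES = ["H1", "H2", "H3", "H4"]
MATRIX = {
    "E1": {"H1": "C", "H2": "C", "H3": "C", "H4": "C"},  # fits every story
    "E2": {"H1": "I", "H2": "C", "H3": "N", "H4": "C"},
    "E3": {"H1": "C", "H2": "I", "H3": "C", "H4": "I"},
    "E4": {"H1": "I", "H2": "?", "H3": "C", "H4": "I"},
    "E5": {"H1": "N", "H2": "C", "H3": "I", "H4": "?"},
}
# Weight = credibility x relevance of the evidence item (placeholder values).
WEIGHTS = {"E1": 1.0, "E2": 1.0, "E3": 2.0, "E4": 1.0, "E5": 0.5}


def validate_matrix(matrix, hypotheses):
    """Reject a matrix with a missing column or an unknown rating."""
    for ev, cells in matrix.items():
        if set(cells) != set(hypotheses):
            raise ValueError(f"{ev}: columns {sorted(cells)} != {sorted(hypotheses)}")
        for h, rating in cells.items():
            if rating not in RATINGS:
                raise ValueError(f"{ev}/{h}: bad rating {rating!r}")


def inconsistency_scores(matrix, hypotheses, weights=None):
    """Weighted count of evidence rated 'I' against each hypothesis (lower is better)."""
    validate_matrix(matrix, hypotheses)
    weights = weights or {}
    scores = {h: 0.0 for h in hypotheses}
    for ev, cells in matrix.items():
        w = weights.get(ev, 1.0)
        for h in hypotheses:
            if cells[h] == "I":
                scores[h] += w
    return scores


def rank_hypotheses(matrix, hypotheses, weights=None):
    """Hypotheses ordered from least to most inconsistent evidence (ties by name)."""
    scores = inconsistency_scores(matrix, hypotheses, weights)
    return sorted(hypotheses, key=lambda h: (scores[h], h))


def non_diagnostic(matrix, hypotheses):
    """Evidence rows that carry the same rating for every hypothesis.

    Such a row cannot eliminate anything, however dramatic it sounds, and is
    the first thing to drop from the argument."""
    validate_matrix(matrix, hypotheses)
    out = []
    for ev, cells in matrix.items():
        known = {cells[h] for h in hypotheses if cells[h] != "?"}
        if len(known) <= 1:
            out.append(ev)
    return out


def unknown_cells(matrix, hypotheses):
    """(evidence, hypothesis) pairs rated '?': the collection requirements."""
    validate_matrix(matrix, hypotheses)
    return sorted((ev, h) for ev, cells in matrix.items()
                  for h in hypotheses if cells[h] == "?")


def sensitive_evidence(matrix, hypotheses, weights=None):
    """Evidence items whose discrediting (weight -> 0) changes the leading hypothesis.

    If the answer rests on one item, that item deserves the hardest scrutiny."""
    leader = rank_hypotheses(matrix, hypotheses, weights)[0]
    base = dict(weights or {})
    fragile = []
    for ev in matrix:
        trial = dict(base)
        trial[ev] = 0.0
        if rank_hypotheses(matrix, hypotheses, trial)[0] != leader:
            fragile.append(ev)
    return fragile


if __name__ == "__main__":
    print("scores       :", inconsistency_scores(MATRIX, HYPOTHESES, WEIGHTS))
    print("ranking      :", rank_hypotheses(MATRIX, HYPOTHESES, WEIGHTS))
    print("non-diagnostic:", non_diagnostic(MATRIX, HYPOTHESES))
    print("to collect   :", unknown_cells(MATRIX, HYPOTHESES))
    print("hinges on    :", sensitive_evidence(MATRIX, HYPOTHESES, WEIGHTS))
```

With the placeholder data the ranking is driven by a single heavily weighted row (E3), which is exactly the kind of dependence the sensitivity check is meant to surface before anyone publishes an attribution; E1, consistent with every hypothesis, contributes nothing and would be deleted from a real matrix.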
