From the Intelligence Analysis - How to Think in Complex Environments, we move into: "Analytic Guidance to Collectors." As stated in the intro to this guide of cyberwarfare, the intentions of my discourse was to create a form of discourse between an attacker and an analyst trying to determine who the attacker is, what he or she is doing in an effort to give analysts an alternative perspective he or she may not have thought about or overlooked. In using Intelligence Analysis as a guideline, my hope is to understand how an intelligence analyst will seek me out, in order for me to tell them: "this is what you really need to look for...", "this is why you fail in going a specific route..."
Getting back to chapter 4 of the book which is titled: "Setting the Stage for Advanced Analysis" I decided to pick out the bullet points which are as follows. Exception being that I added a number to replace the author's bullet points:
- Specific observables—functional, biometric, situational, cultural, technical.
- Locations and times of expected behaviors or other phenomena postulations.
- Reporting guidance and miscellaneous instructions, e.g., expectations of enemy counters to possible U.S. collection.
Counterpoint to 1): Cultural *anything* needs to be thrown out of the door since there is not and there is never going to be, a concrete mechanism to pinpoint any cultural indicators of an individual or a group, where cyberwarfare is concerned. Consider the following; as an attacker targeting America, I know via news outlets that we have many enemies. Take your pick - I can become one of them. In fact, in order to throw deception into the mix, I will usually pick a random entity to mimic. There are quite a few reasons I would want to do so. Perhaps I need to blend in as I attack, perhaps I need to become lost in any kind of logging information occurring. As a precautionary measure, almost everything and anything I would do would be via the use of decoy addresses (deception.)
Further, as an attacker, it would be absurd for me to outright directly attack my target. It is too time consuming and the risks are too high. In fact the likelihood I would target an infrastructure directly are low. It is always easier to have the infrastructure come to me. For this, my avenue of attack will almost always be the preferred "client side" attack. In a client side attack, I will send malicious software to a user who is already in your infrastructure for the sake of trying to have a machine on the inside "phone home" to a location of my choice.
From the deception perspective, the optimal "base of operations" I would choose would be an account on a server outside of the states. This is done because as an attacker, I know that by formulating an attack in this fashion buys me some time. From the moment I begin an attack, an invisible hourglass gets turned over and I have a set baseline of about 2 weeks for attacks before this server I am coming from goes dark forever.
Because of the complexities involved with the legal system here in the United States as well as other countries, I am likely to choose a server in a country where there are known issues involving information sharing and or legal exchanges. There is no lack of choices for finding such country. As an attacker, I know that I am buying myself some time to do what I sought out to do because 1) I need to be discovered as an attacker. 2) An investigation needs to occur in order for an agency to determine what sorts of crimes are committed. 3) That agency needs to take the appropriate steps in obtaining warrants.
From steps one through three, I may have bought myself say a week before the exact same steps need to re-occur. 4) After a warrant is obtained, an agency needs to find the appropriate counterpart in a country. 5) The agency needs to hope that their counterpart is willing to assist. 6) It may occur that the new agency (foreign counterpart) needs to go their judicial system (foreign country) to obtain a local warrant 7) Warrant needs to be executed. Perhaps I have bought myself two weeks tops and this is being extremely generous if I had to guess.
What have you as an intelligence analyst and agency gained so far? Now there is a machine in the custody of someone who needs to perform the forensics analysis to discover what occurred. Let me be more generous and say that the server went to say an embassy who has a forensics expert in house. An analysis occurs, discovery made, everyone cooperated game over right? So what have you gained when you discover that as an attacker, I also compromised a machine in a "not-so-friendly" country, say Iran in order to compromise the machine you analyzed. Dead end.
Now, supposing that an agency was well connected and was able to set up a tap in a foreign country, the fact I am initially coming from a "rogue" nation does little for your intel. You are now chasing a ghost and likely are bleeding money in doing so. As an analyst from numbers 1 through 7, you may have thought you had an upper hand and you must anticipate that the information you are seeing and analyzing is unreliable. Does this mean you could never discover what occurred? Not really, it just means you have to think different, outside of any normal box you are accustomed to.
Moving into the book's #2: "Locations and times of expected behaviors or other phenomena postulations." The locations and times are unreliable if you are trying to pinpoint any tangible information on an attacker. There will rarely be worthwhile timing variables that will yield a clue as to the identity of the attacker. Re-read that statement.
While time stamping will yield a concise time that an event occurred it will not yield any "wow factor'ish" results and there quite a few bits of information an analyst must consider. First and foremost will be the accuracy of the clock logging events. Any time shift (clocking not set to with NTP) can yield inaccurate data that can be argued in any case, provided an incident went as far as a conviction. Even so, if a country did manage to get that far, the variable (time) does not and cannot yield any possible identity of an attacker. Only a timeframe.
Let us look at a simple example here: A server is consistently compromised at 3AM EST. An analyst takes note that it may be say 3PM EST in China and an event is being tracked back to a Chinese IP address. Does this make the attacker Chinese? At no given point in time can an argument be made to label an attacker Chinese given the unreliability of IP as an identifier. Especially when I as an attacker, can sit in the comfort of my own home at 3AM EST (similar to the server) and launch an attack against a local machine at that time. There is no myth or mystery to these statements. Timing is an irrational field to rely on for analytical purposes. From the offensive perspective, it makes a wonderful tool to use against a target.
"Phenomena" from Wikipedia is defined (according to the best fit I found in regards to the book): "In scientific usage, a phenomenon is any event that is observable, however commonplace it might be, even if it requires the use of instrumentation to observe, record, or compile data concerning it." Do you as an analyst look at anything and everything after all, it is now defined for you. If you do, you fail, if you don't you fail. The reality of the counterpoint to this answer is that it would not only be impossible and consume too much time, but t would offer an impossible amount of scenarios yielding little. Remember, as explained, deception is almost always going to be thrown into an attack therefore phenomena is a waste of time. It is too time consuming where attacks are in realtime and in a "war" you need to react now, not after data has been sifted, parsed, correlated, analyzed and so forth.
My belief is that the entire approach to analytics where cyberwarfare is concerned need be reversed: Anomalous: inconsistent with or deviating from what is usual, normal or expected. Even this data analysis need be done from a reverse scope. An analyst should learn to create baselines of normality from the events leaving his infrastructure. This would yield better information at the end of the day as was explained: "you can't stop someone from knocking on your door no matter how hard you try. You can however, stop wasting resources answering that door especially when you know by now that when answered, no one will be there."
Building baselines can be complex however, humans have learned to create patterns of familiarity. (Creatures of habit) For example, John Smith's email client checks his emails every five minutes and he has consistently opened up www.CNN.com every hour on the hour. You know that as an analyst you can deduct these entries and look for patterns of inconsistent connections. The likelihood of you finding his machine making erratic outbound connections offers more accuracy than watching a meteor storm shower a firewall, IPS, IDS and or SIEM log systems. Extrusion Detection works much more effectively than intrusion detection ever will.
Operational context #3: Reporting guidance and miscellaneous instructions, e.g., expectations of enemy counters to possible U.S. collection. ... Erase this notion from your mind. Slowly I am hoping to convince you that there is no definitive enemy. Expect all worst case scenarios always. Create those scenarios on your own and learn to counter your own terror-filled scenarios. An analyst must treat every and all connections as that of the enemy. Unlike conventional analysis where with say via IMINT, an analyst has a picture, in cyberwarfare, enemies can morph into anyone they would like to pretend to be. For the sci-fi fans, hackers are shapeshifters. They can and will likely mimic anything.
Shapeshifting introduced, how can you objectively qualify any expectations of how you perceive an enemy will counter? Any value of doing so, would be so small and would alsp be almost impossible to wargame. This does not mean one should shrug their shoulders, cry "game over" and stop the analysis. On the contrary, the best approach would be for the analyst to become the attacker. Study the attacks, create the same if not even more destructive cyberattacks and learn how to counter those. It is only until one thinks like an attacker, outside of any "rules of engagement," will you be able to beat an attacker at his own game.
To be continued ...