mailing list archives
Re: Late Friday thoughts on the Kevin Mandia RSAC keynote.
From: "Halvar Flake" <HalVar () gmx de>
Date: Tue, 25 Mar 2014 22:52:45 +0100
I will stay out of the quickly escalating discussion about "threshold of proof" required for successful attribution.
Depending on your field - intelligence, legal, mathematics - you will have a very different definition of what you
consider plausible. Legal proof comes nowhere close to mathematical proof, and intelligence "slam dunks" don't
necessarily come close to meeting the standard for legal proof.
All in all, all cyber-attribution work I have seen so far is at *least* as good as the intelligence on WMD that was
available to the only superpower prior to the Iraq invasion. So whatever negative things you wish to say about the
cyber-attribution folks - they are at least up to the professional standard of their field.
Let's be clear - attribution doesn't need legal levels of proof; if the collected data and Occam's Razor hint one
way, and it is sufficient to convince decision makers, it has worked. People have waged wars and lost billions of
on flimsier evidence.
I would like to throw more rocks into this minefield of ours, though:
1) There is a fascinating obsession with C2 domains in our field, and I have been watching this for years with a
mixture of amusement and bewilderment. The only way I can explain this is through the anecdote of Nasreddin's ring:
"Mulla had lost his ring in the living room. He searched for it for a while, but since he could not find it, he went
out into the yard and began to look there. His wife, who saw what he was doing, asked: 'Mulla, you lost your ring in
the room, why are you looking for it in the yard?'
Mulla stroked his beard and said: 'The room is too dark and I can’t see very well. I came out to the courtyard to
look for my ring because there is much more light out here.'"
DNS is easy to monitor, so because everything else is hard, we have *somewhere* to start.
The common obsession with DNS is doubly fascinating in a world full of QUANTUM-like techniques (why not be *any* IP
behind the great firewall of China? This surely can't be hard for them?) and Web 2.0 websites that easily allow the
sharing of large quantities of data via SSL.
So why this obsession, if it is not Nasreddin's ring?
2) What good is attribution if the other side is sufficiently powerful / heavily armed / gung-ho to ignore it? It is
not terribly hard to plausibly attribute the origin of the RPGs the pro-russian militants in Crimea - but what does
one do about it? Ask Russian law enforcement to prevent arms from crossing the border?
Does it help the US to attribute attacks to China? I think the effect on US network security gained by attributing a
cyber campaign to the Chinese Government is similar to the effect on EU communications security of the EU successfully
attributing wholesale fiber intercept to the US -- non-measurable.
Anyhow, time for me to get away from the screen.
Dailydave mailing list
Dailydave () lists immunityinc com
Re: Late Friday thoughts on the Kevin Mandia RSAC keynote. Halvar Flake (Mar 26)