Attribution is tough. We all know that. We all question it. Some of our jobs might depend on it. Yet, through it all, we have a lot to learn about it.
I bring this up because I feel it is an elephant in the room. We as infosec professionals and even amateurs have a desire to know the who, what, where, when, why and how security events/incidents occur. It helps us plan out our defenses. It allows us to show worth to those outside our field. Attribution needs to be done carefully. this article from SC Magazine has an interesting statement in it, and this will be our example to work with at the moment. About halfway through the article the following statement is made:
Malwarebytes took this a step further and reported BadRabbit was produced by the team behind Petya/NotPetya, although the security firm did not offer any evidence to back this theory.
Malwarebytes is a well known and respected company. Their software has been used by millions. They are also putting credibility on the line with this sort of statement. Everything that I have seen so far on BadRabbit is that it uses some methods similar to NotPetya (which I have not seen evidence or attribution to the original Petya author(s) before). It is not using much if any code from NotPetya. In fact, the biggest issue I have with this statement, as just a statement, is that they are offering no evidence for a very certain attribution. Now, imagine you are a news company like CNN, FOXNews, or any other of the well known ones that are not dedicated to infosec. You have people keeping track of cybersecurity feeds, looking for news to pick out of there. You see news about BadRabbit, and go to Malwarebytes for their take on it, knowing this is a trusted company. They give you the above statement, you run with it, and the general public now thinks it is all the same. Weeks/months down the line, the attribution is shown as false, a retraction is issued and now trust is broken. The other side effect is the general person asking why should they listen to the world of information security when we get attribution wrong? How many quickly attributed things wind up changing or are questioned as time goes on.
Think about it. Look at what is going on with Kaspersky and what sort of attribution is pointed at them by the U.S. Government, and yet no evidence has been shown publicly. Look at how our own community has reacted. Heck look at the Sony hack a few years ago and what went on over attributing it to North Korea? Look at the inside joke we have about everything being North Korea, China or Russia who is responsible for X malware/breach.
The human psyche is a strange creature, but a couple things are certain from what I have seen. First, we are an impatient species. We want everything now, immediate, otherwise it is no good. This is an evolution that has occurred because of how society has changed over the last few hundred years. Second, like computer systems, our world is built on trust. Who we trust, what information we trust. Once that trust is broken, it takes a long while to get it back, if it comes back at all. Basically the boy who cried wolf syndrome. This is true inside the infosec community and outside it. The more initial trust you have in someone/something the more likely you are to forgive blunders. After all nothing and no one is perfect. You go outside your community though and that trust level becomes thinner and thinner.
So how do we fix this? The simplest and easiest way is to not give into having to be first in claiming something. Take the race out of it. Allow time to gather all the facts and properly analyze them. Second, well, that is learn lesson one, and make sure that those above you understand that. Remember an ounce of prevention is worth a pound of cure.
Leave a Reply