Abstract

The attribution of cyber attacks is often neglected. The consensus still is that little can be done to prosecute the perpetrators – and unfortunately, this might be right in many cases. What is of only limited interest to private industry, however, is at the center of interest for nation states: investigating whether an attack was carried out in the name of a nation state is a crucial task for secret services. Many methods, tools and processes exist for network and computer forensics that allow the collection of traces and evidence. They are the basis for associating adversarial actions with threat actors. However, a serious problem that has not yet received appropriate attention from research is false flag campaigns: cyber attacks that apply covert tactics to deceive or misguide attribution attempts – either to hide traces or to blame others. In this paper we provide an overview of prominent attack techniques along the cyber kill chain. We investigate the traces left by these attack techniques and which questions in the course of the attribution process are answered by examining them. Eventually, we assess how easily traces can be spoofed and rate their relevance with respect to identifying false flag campaigns.

Highlights

  • A false flag in the cyber domain is significantly different and much easier to carry out than in the physical world (Goodman 2010)

  • Cyber false flags refer to tactics applied by cunning perpetrators in covert cyber attacks to deceive or misguide attribution attempts including the attacker’s origin, identity, movement, and exploitation

  • It is typically very hard to conclusively attribute cyber attacks to their perpetrators, and misdirection tactics can cause misattribution, permitting response and counterattack that can lead to retaliation against the wrong party (Wheeler and Larsen 2003; Philbin 2013; Harrington 2014)


Summary

Introduction

A false flag in the cyber domain is significantly different and much easier to carry out than in the physical world (Goodman 2010). In a complex technical system this is realistic: the complexity of today’s systems not only makes it hard for investigators to fetch the relevant data needed to gain vital insights, but also makes it hard for cunning attackers to consistently carry out false flag campaigns. The “Artifacts for the attribution process” section discusses the critical questions asked in the course of investigations for the different phases of an APT attack, and highlights information sources and artifacts that may help to attribute an attack correctly. The “Attribution and false flags” section elaborates on the actual attribution process and the potential of spoofed artifacts in the course of false flag campaigns. It further discusses an illustrative attribution scenario and demonstrates the application of the methods presented in this paper.

Related work
Reconnaissance
Actions
Conclusion and future work