Rhamnousia: Framework for cyberattack attribution

The science of cyberattack attribution gets a boost, thanks to a U.S. Department of Defense $17.3 million award to a team led by Georgia Institute of Technology researchers.

The team led is working to develop an attribution framework called – a nod to the Greek goddess Rhamnous and the spirit of divine retribution – to reliably track virtual illicit actors engaging in campaigns.

Attribution is critical for deterrence within cyberspace, because deterrence is impossible without the ability to identify the culprits behind cyberattacks.

Just how challenging is attribution? In the wake of Russia’s reported state-sponsored hacking of the Democratic National Committee and others during the 2016 U.S. election, an assessment report issued by the U.S. Office of the Director of National Intelligence describes determining attribution in cyberincidents as “difficult, but not impossible.”

That’s because every cyberoperation – malicious or not – leaves behind a trail that analysts can trace by tapping a constantly growing knowledge base of previous events and known malicious actors and the tools and techniques they favor, as well as any of their consistent errors or unique characteristics.

But attributions tend to go far beyond simply determining who was behind an attack – including judgments about whether it was an isolated incident, the possible motives behind the attack, and whether a foreign government played a role in ordering or leading it. It’s crucial, particularly at the nation-state level, to get the attribution right if sanctions or some other retaliatory response is being considered.

“Attack attribution has been the Holy Grail for the security community for years,” says Manos Antonakakis, an assistant professor in Georgia Tech’s School of Electrical and Computer Engineering and the principal investigator for the Rhamnousia project. “Once you can reliably track an attack operation against your network infrastructure you’re in a better position to defend and reason about necessary policy actions, as an organization or even a state.”

The biggest problems with attribution today? It’s a complex, largely manual process that requires expertise, resources, and time.

In the case of identifying nation states behind cyberattacks, using forensic analysis to identify them is extremely difficult. “Data-driven identification with actual hard evidence of nation-state actors is even harder,” Antonakakis says.

By using public, free, or commercially available data – known as threat intelligence – Rhamnousia will enable users to piece together an attack-attribution analysis that will be easier for investigators to confirm and independently validate.

The team is developing efficient algorithmic methods capable of converting the group’s experience with manual attack attribution to novel, tensor-based learning methods. These algorithms will, in turn, allow expansion of existing efforts to create a science of attribution and traceback and will generate reports to be shared within the attribution community.

Artificial intelligence (AI) and machine learning can help speed up the attribution process, which frequently requires weeks or months to complete. “AI and machine learning are among the very few tools we have to help us analyze different datasets in a timely and rigorous manner,” Antonakakis explains. Much as it does for internet searches, “machine learning should be able to shrink the time required for an attribution report to be generated, making attribution analysis more relevant and impactful.” (Figure 1.)

It’s important to note that “identifying a threat indicator is still a very hard detection problem,” he points out. “Every organization needs to be able to ‘quickly’ identify that something is wrong within their networks, because attack prevention is often an impossible task.”

Given enough resources, highly motivated adversaries like nation-state attackers will have access to similar, if not exactly the same, defenses. “Evading them is just a matter of time,” Antonakakis notes. “In other words: Attacks are inevitable, breaches will happen, and we should prepare for the actions after such events.”

Beyond existing network defenses, by using alternative reasoning and processes, “we want to use the threats and indicators to quickly move from a single attack event to the virtual actor(s) behind an attack,” he continues. “Failure to do so leaves you fighting multiple different seemingly independent threats, which effectively saturates the security personnel within your organization.”

Timely and accurate attack attribution is an important, if not the most important, action for organizations immediately after they detect a security event. “The Rhamnousia framework is a start and, if we’re successful, we should be able to create attribution analysis for a variety of attacks – targeted, nation-state, or otherwise,” Antonakakis says.

The Rhamnousia project – a group effort expected to run about four-and-a-half years – includes other academic institutions and companies. The end goal of the project is to combine intrusion detection with attribution to provide a systematic and scientific way of helping U.S. companies and the government cut off attackers more quickly.

21
Figure 1: Network monitoring facility. Photo by Rob Felt, courtesy of Georgia Tech.

Topics covered in this article