Finding the origins of a hacker
Sarah Freeman works on puzzles. It’s part of her job at Idaho National Laboratory (INL).
But the puzzles Freeman solves aren’t fun and games. They are serious; sometimes deadly serious. What’s more, the need to solve those puzzles is growing daily.
Freeman is a senior industrial control systems cybersecurity analyst. Within that mouthful of a title are clues about the importance of what Freeman and others at INL and elsewhere do. Industrial control systems, for instance, run utilities that provide the electricity to keep the lights on or that deliver the water that people expect to gush out when they turn on a tap.
Today those systems can be attacked with malicious code that an adversary slips in among the normal operating instructions. So, the cybersecurity analyst part of Freeman's job title means that she studies such cyberthreats, with an emphasis on which targets are involved.
“The focus is on critical infrastructure protection,” Freeman said.
Within this category lie power and water utilities, along with pipelines, transportation networks and other infrastructure critical to the everyday functioning of modern society. The list of possible attack points is long.
As part of her work, with seed funding from INL’s Lab Directed Research & Development program, Freeman solves the puzzle of who launched a cyberassault. Determining who is behind an attack is of keen interest to government analysts because of the potential to take some sort of action against perpetrators. Nongovernment analysts, in contrast, focus more on mechanisms, the “how” of an attack. Figuring out the “who” involves putting together a series of clues.
In solving the mystery of who did it, analysts keep in mind some key characteristics of industrial control systems. Such systems are examples of operational technology, or OT. Unlike IT, or information technology, OT controls physical processes, and so can have a physical outcome. Having an industrial control system repeatedly speed up and slow down a water pump, for instance, may damage and eventually destroy the pump or disrupt downstream water delivery.
Assessing just what malware code was meant to do requires carefully considering what infrastructure an industrial control system manages and what that infrastructure or equipment impacts. Such an evaluation can provide answers to some basic questions about the attacker.
“What were they doing? What was their intention?” Freeman said.
She added that intention is important because it can offer hints about what organization is behind a cyberassault. Intention also plays a role in assessing the threat risk, since the motivation behind an attack can help determine how likely the assailant is to try again or to give up.
In addition to information gleaned about the "why," INL analysts also look at the "how." In TV crime shows, the methods used to commit a crime are what lead investigators to the criminal. Something similar happens in cybersecurity, where perpetrators have favorite techniques. In general, avenues of attack are either network-based, human-enabled or supply-chain-based.
Within these broad categories, there may be preferred approaches that provide other clues. An attacker, for instance, may often use a certain type of malware. The delivery may be via third parties, such as contractors. A particular attacker may favor the use of malicious code written onto a maintenance laptop. An unsuspecting contractor then may inject the code into the industrial control system by using the infected laptop for everyday system support.
In such a third-party or supply-chain scenario, the contractor may have undergone an attack with the sole purpose of planting the malware. But that intention and ultimate target may be hidden because the attack on the contractor seems to involve extortion. This makes it seem as though the attack is explained by the desire for a financial payoff.
Freeman noted that working through these possibilities is difficult, in part because analysts must assume that no party involved is necessarily telling the truth or revealing its actual motives. Freeman's research is aimed at making such a forensic analysis of an attack more thorough.
“A lot of it is focused on formalizing the process of analysis so that pieces of information are not left on the table,” she said.
Some attackers, she added, tend to use the same methods over and over. In that case, the tendency may be to leap to a conclusion, such as that it must be army intelligence unit "X" from country "Y" because of the use of the malware code named "Hidden Cobra." However, that can be misleading for several reasons, Freeman cautioned. One is that people and organizations tend to copy what works. Being the first to develop a new technique is difficult. Being the tenth to use it is not nearly as hard. Another issue is that actor "A" may copy methods from actor "B" to hide themselves and deflect blame – or a response.
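As an added illustration of the point above (this is example code written for this page, not Freeman's or INL's method), the following Python scores a set of hypothetical actors against the techniques observed in a hypothetical incident. Every actor name, technique label and the incident itself is a constructed placeholder. The script contrasts a naive match count, which rewards widely copied techniques, with a weighting that discounts each technique by how many known actors already use it, and it also reports observed techniques that match no catalogued actor so they are not left on the table.

```python
"""Added example: TTP-overlap scoring with shared-technique discounting.

Actors, techniques and the incident below are constructed placeholders used
only to show why a widely shared technique is weak attribution evidence.
"""
from collections import Counter

# Hypothetical catalogue: techniques previously observed for each placeholder actor.
KNOWN_ACTORS = {
    "Actor A": {"spearphishing", "malware-family-X", "contractor-laptop", "pump-setpoint-abuse"},
    "Actor B": {"spearphishing", "malware-family-X", "vpn-credential-theft"},
    "Actor C": {"spearphishing", "firmware-implant", "malware-family-Y"},
    "Actor D": {"spearphishing", "malware-family-X", "ransomware-cover"},
}

# Constructed incident: what the forensic analysis turned up.
OBSERVED = {"spearphishing", "malware-family-X", "firmware-implant", "chemical-dosing-override"}


def technique_weights(actors):
    """Weight each technique by 1 / (number of catalogued actors that use it).

    A technique every actor uses scores 1/N; one that only a single actor has
    ever used scores 1.0. "Being the tenth to use it is not nearly as hard."
    """
    counts = Counter(t for techniques in actors.values() for t in techniques)
    return {t: 1.0 / c for t, c in counts.items()}


def naive_scores(observed, actors):
    """Plain count of matching techniques, ignoring how widely each is shared."""
    return {name: len(observed & techniques) for name, techniques in actors.items()}


def weighted_scores(observed, actors):
    """Sum of shared-technique discounts for each actor's matching techniques."""
    weights = technique_weights(actors)
    return {name: sum(weights[t] for t in observed & techniques)
            for name, techniques in actors.items()}


def rank(scores):
    """Actor names ordered by descending score; ties broken alphabetically."""
    return sorted(scores, key=lambda name: (-scores[name], name))


def unmatched(observed, actors):
    """Observed techniques no catalogued actor has used: clues not yet explained."""
    catalogued = set().union(*actors.values())
    return sorted(observed - catalogued)


def analyze(observed=OBSERVED, actors=KNOWN_ACTORS):
    """Bundle the three views an analyst would want side by side."""
    return {
        "naive": naive_scores(observed, actors),
        "weighted": weighted_scores(observed, actors),
        "unmatched": unmatched(observed, actors),
    }


if __name__ == "__main__":
    result = analyze()
    print("naive ranking:   ", rank(result["naive"]), result["naive"])
    print("weighted ranking:", rank(result["weighted"]))
    print("unexplained techniques:", result["unmatched"])
```

With the constructed catalogue, every actor matches exactly two observed techniques, so the naive count is a four-way tie and a "malware-family-X means Actor A" leap is unsupported; the weighting instead singles out the actor behind the one rarely used technique. The discount only tempers over-reliance on copied tooling, though: it cannot detect an actor deliberately imitating another, which is why intent, targeting and the other clues the article describes still have to be weighed alongside it.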
Freeman has presented some of her research on the challenges of cyber attribution at conferences and elsewhere. Her work in this area is ongoing, partly because knowing who perpetrated a cyberattack can help formulate a response that will discourage such action in the future. For that to happen, though, figuring out the “who” behind a cyberattack is critical.
As Freeman said, "Where are your incentives to discourage these kinds of attacks? Your ability as a government to respond to a nation-state cyberattack is limited if you can't prove which nation-state did it."