A Survey of Challenges in Attribution--W. Earl Boebert
Pages 41-52



From page 41...
... Given that the "attribution problem" is seen as a major barrier to implementing any national policy to deter cyberattacks, this paper would lay out the technical and nontechnical barriers to attributing cyberintrusions, explore plausible aspirations for how these barriers may be overcome or be addressed in the future, and describe how and to what extent even perfect technical attribution would help to support national policy for deterring serious cyberattacks against the United States (that is, cyberattacks with a disabling or a crippling effect on critical societal functions on a national scale (e.g., military mission readiness, air traffic control, financial services, provision of electric power)
From page 42...
... Malicious packets are those which are either used to communicate with a malicious functionality or used to shut down a target node by flooding it with traffic that it cannot handle. If the malicious packets are part of a flooding attack, then the source IP address can be forged because no return communication is desired and attribution is not available from the packets themselves.
From page 43...
... 2.3 The Attribution Problem
The general problem of attribution can be broken down into two subsidiary problems: technical attribution and human attribution. Technical attribution consists of analyzing malicious functionality and malicious packets, and using the results of the analysis to locate the node which initiated, or is controlling, the attack.
From page 44...
... One technique for achieving technical attribution of a botnet control node is that of so-called "honeypots."5 These are deliberately vulnerable machines that are placed on the Internet in the hope that they will have malicious botnet functionality installed in them. The malicious functionality, and the honeypot's communication with its control node, are then analyzed to determine the IP address of that control node.
From page 45...
... .2 Anonymizing Proxy Servers
Other proxy servers are dedicated solely to anonymizing, and many of these are offered as a free public service. They are used by persons desiring privacy on the Internet, and also to bypass location-based content controls imposed by national regimes who seek to deny their citizens access to certain Internet sites.
From page 46...
... This means that packets originating from a given customer machine may have different source IP addresses, and packets going to it have different destination IP addresses, as time passes. The DNS service described above generally, but not exclusively, maintains a fixed relationship between symbolic hostname and numeric IP address.
From page 47...
... This technique is less attractive as a way to communicate with malicious functionality because of the overhead associated with extracting the information, but has been used for covert human-to-human communication.9
3.8 Future Indicators
The now almost universal use of digital media, with its ease of copying and transmission, has led to a rise in the unauthorized distribution of copyrighted works, most notably music and motion pictures. The copyright owners have responded to this in two broad areas.
From page 48...
... Even if Tor as a service was eliminated, the underlying technology is so well known that the creation of a clandestine successor can be predicted with certainty; a similar argument can be made for the continuation of anonymizing proxy servers. If Registration Privacy were somehow to be outlawed, then malicious registrants would simply revert to the practices they used before it was available, and provide false identity, location and contact information on their registration documents.
From page 49...
... The Internet adds further difficulties in that its transnational reach may mean, and in the criminal domain historically has meant, that investigations encounter severe jurisdictional constraints. One technique that combines technical and human attribution, and that is limited in applicability but can yield valuable information, involves administrators establishing the means to capture and replay the real-time actions of an intruder who is conducting a reconnaissance exercise.
From page 50...
... 7.2 The Deterrent Effect of Perfect Technical Attribution
The discussion to follow postulates an Internet in which there exists perfect technical attribution, that is, every action can be traced back to a specific human and every element of hardware and software can be identified as to source. Whether perfect attribution would serve to deter an attack naturally depends on the nature of the actor considering a large-scale, society-disrupting attack.
From page 51...
... The involvement of non-state actors complicates the problem of assigning ultimate responsibility for the attack, and the existence of perfect technical attribution reduces that problem to one of determining a relationship between an identified non-state actor and some state. In the case of sponsorship, this determination can be made through traditional investigative and intelligence gathering techniques such as tracing financial transactions, interception of communications, and so forth.
From page 52...
... 7. Even if perfect technical attribution were achieved, it would have a significant deterrent effect in but a minority of cases where significant disruptive cyberattacks are contemplated by parties hostile to the United States.