Forget that Forest, Look at These Trees!

The Bureau has a new focus on attribution:

 The FBI has changed its cybersecurity strategy to place greater emphasis on identifying the criminals behind attacks, a shift that some experts say won’t make a dent in hacking operations.

In a recent blog post, the bureau said it would dedicate more resources to “who is conducting the attack or the exploitation and what is their motive.”

Two things:

1. Tying series-of-events-X with series-of-events-Y doesn’t mean anything if you don’t know who, proof-positive, is behind the activity. Until you can do stuff like this to scale, clustering like things together simply identifies things that have certain similarities. Does that help you assess motivation? Well, if the common thread is (for example) stealing banking credentials then congratulations: you’ve built a stack of needles, vice a haystack with a needle in it.

2. What’s the point of identifying the perpetrators if you don’t have an effective enforcement mechanism? I’m sure that strongly worded demarche will do the trick. International cooperation? Sure, as long as the perpetrator isn’t already in bed with the local service/kleptocracy, in which case your “partners” will conveniently be unable to find the evil-doer.

I’m glad they’re trying, and I hope they stop doing stupid s*** like this, but until more actions like this are on the agenda, don’t hold your breath that there is going to be a hacker prison overcrowding problem.
