Under false flag: using technical artifacts for cyber attack attribution

• Main Authors: Florian Skopik, Timea Pahi
• Format: Article
• Language: English
• Published: SpringerOpen 2020-03-01
• Series: Cybersecurity
• Subjects: Actor attribution; Advanced persistent threats; Technical indicators; False flag campaigns
• Online Access: http://link.springer.com/article/10.1186/s42400-020-00048-4

Abstract The attribution of cyber attacks is often neglected. The consensus still is that little can be done to prosecute the perpetrators – and unfortunately, this might be right in many cases. What is however only of limited interest for the private industry is in the center of interest for nation states. Investigating if an attack was carried out in the name of a nation state is a crucial task for secret services. Many methods, tools and processes exist for network- and computer forensics that allow the collection of traces and evidences. They are the basis to associate adversarial actions to threat actors. However, a serious problem which has not got the appropriate attention from research yet, are false flag campaigns, cyber attacks which apply covert tactics to deceive or misguide attribution attempts – either to hide traces or to blame others. In this paper we provide an overview of prominent attack techniques along the cyber kill chain. We investigate traces left by attack techniques and which questions in course of the attribution process are answered by investigating these traces. Eventually, we assess how easily traces can be spoofed and rate their relevancy with respect to identifying false flag campaigns.