Incident Response & Forensics

Every government organization has been the victim of a cybersecurity incident. These can range from mundane incidents such as a user leaving their desk without locking their screen, up to a major breach such as the OPM hack in which hackers stole comprehensive and confidential information on millions of government employees and contractors.

Security personnel, then, must be able to respond to incidents and to determine how to prevent a recurrence. Identifying the perpetrators and their methods of attack – or forensics (the term has been co-opted from its original, stricter meaning) – is a key part of the process.

Cybersecurity forensics is an art as much as a science. Criminals are adept at covering their tracks, so attribution is a matter of probability, not certainty. For example, most systems and software generate log files that track all activity, so they are a natural first stop for forensic investigation. If the criminal is unsophisticated, log files might very well tell a complete story of the exploit. Yet it is possible, even easy, to delete incriminating log entries, or to create false entries to mislead the cyber sleuths.

Log entries showing the IP address of attackers can be helpful – provided they are valid – but, even then, complications arise. Adversaries of even moderate skill will not carry out attacks from their own machines but instead will use someone else's machine for their illicit activity. (That machine could even be yours.)

Investigators also search systems for files containing malware. Discovering such files obviously aids the search, but it is by no means conclusive evidence of the source or nature of a breach. Hackers will deposit misleading files to cloud the investigation, inject malware into files already resident on a system, or replace legitimate files with illegitimate versions of the same name.

Investigators will also look at the time and date of creation of malicious files, to see whether they are consistent with working hours in countries known to be hostile to the United States. Even a novice hacker, however, can manipulate such indicators, so their value is limited. Moreover, fileless attacks are growing significantly: attacks that run directly from memory, leaving no evidence behind on disk, a method that can make attribution particularly difficult.

The most reliable approach, then, is to aggregate numerous pieces of evidence and to analyze the attack holistically. Even so, it can be very difficult to determine exactly who perpetrated an attack, and the methods they used. Security analysts can rest assured that their jobs are safe, at least for now.