Is Mandiant wrong about the Chinese cyberthreat?

The 2013 Global Threat Intelligence Report (GTIR) produced and published this week by Solutionary seeks to analyse the current threatscape so that companies can better organise their defenses. In examining and analysing current threats, from DDoS to malware and vulnerabilities, Solutionary paid close attention to the source of those threats – and found that US IP addresses are the largest source of attacks against US organisations.

“While there has been considerable discussion of foreign-based attacks against U.S. organisations, 83% of all attacks against U.S. organisations, identified by Solutionary in 2012, originate from U.S. IP address space, and the absolute quantity of these attacks vastly outnumbers attacks seen from any other country,” says the report. Solutionary believes that this is largely caused by foreign attackers using compromised machines near attack targets in the US to help evade security controls. It adds, “This attack localisation strategy has also been observed in attacks on targets in other countries.”

This raises the question: if attackers can falsify the origin of their attacks, how can the Mandiant and Dell SecureWorks reports be so certain that attacks traced to IP addresses in China definitely originate from those IP addresses? In conversation with Infosecurity, Dell SecureWorks cited a feature within Htran (code that is often used by attackers to obfuscate their source) that enabled them to track back to the original IP address – the ones hosted in China. Dell pointed out that it takes only one mistake from one member of the ‘gang’ to allow that traceback.

Solutionary, however, avoids pinning blame on specific countries. “The data leads where the data leads,” Don Gray, Solutionary’s chief security strategist told Infosecurity, “and the data is as good as the mechanism used to uncover it and the person analysing it.” He confirmed that Htran can allow traffic to be identified that leads back to China.

But he added, “These kinds of ‘technical indicators’ are relied on all the time to identify attacks and uncover attribution to groups.” But the attribution itself, he added, is not the goal. “The goal is to use this one piece of information to try and learn as much as possible about the attacks themselves.” Information security is never black-and-white, he added. “There is no ‘evil bit’ that we can look for. Therefore when we get a ‘crumb’ like this, we are all over it to try and make a mountain of technical indicators out of a mole hill.”

Infosecurity asked if external attackers could compromise machines in China and launch an attack from those machines that could then be traced back to China but no further, via Htran. “Yes, it’s entirely possible,” said Gray. Machines “can simply be compromised and be controlled using an entirely different mechanism.” Gray stressed that this doesn’t mean that Mandiant and Dell are wrong; only that they might not be wholly right.
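The traceback feature Dell cites and the "traced back to China but no further" caveat Gray raises, as an added example that is not from the article or from either vendor: it follows the backend address that an HTran-style relay leaks in its connection-error message, hop by hop, and reports when visibility runs out. The error-string format (taken from public analyses of the tool) and the observed responses are assumptions constructed for this example.

```python
import re

# Error string an HTran-style relay returns to a client when it cannot reach
# its configured backend. The format is assumed from public write-ups of the
# tool, not something the article itself states.
HTRAN_ERROR = re.compile(
    rb"\[SERVER\]connection to (\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5}) error"
)

# Constructed observations: responses a sensor saw each relay host send back.
# Addresses are documentation ranges, not real infrastructure.
OBSERVED = {
    "192.0.2.10": [
        b"HTTP/1.1 200 OK\r\n",
        b"[SERVER]connection to 198.51.100.7:443 error\r\n",
    ],
    "198.51.100.7": [
        b"[SERVER]connection to 203.0.113.45:443 error\r\n",
    ],
    # No observations for 203.0.113.45: visibility ends there.
}


def leaked_backend(responses):
    """Return the (ip, port) an HTran-style error message reveals, or None."""
    for data in responses:
        m = HTRAN_ERROR.search(data)
        if m:
            return m.group(1).decode(), int(m.group(2))
    return None


def follow_chain(start, observed=OBSERVED, max_hops=10):
    """Follow leaked backend addresses hop by hop.

    Returns (chain, complete). complete is False when the trail stops because
    we have no observations for the last host: the case the article describes,
    where the last visible machine may itself be a compromised relay controlled
    over some entirely different channel.
    """
    chain, seen = [start], {start}
    while len(chain) <= max_hops:
        current = chain[-1]
        if current not in observed:
            return chain, False          # no visibility beyond this host
        hop = leaked_backend(observed[current])
        if hop is None:
            return chain, True           # answered as an endpoint, not a relay
        if hop[0] in seen:
            return chain, False          # relay loop; cannot resolve further
        seen.add(hop[0])
        chain.append(hop[0])
    return chain, False
```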

“This is one of the primary reasons we have focused on the localised attacks in our report,” said Gray. “We do not share technical indicators currently except as part of certain closed membership groups and although we are focused on taking those crumbs and making the most out of them that we can, most of our customers care that potential attacks are identified and prevented if possible. Knowing that it came from China while interesting doesn’t do them much good and... is fraught with potential pitfalls.”
