In hacking, the Blame Game is Purely for Entertainment
Pointing fingers doesn't make your data more secure.


As the holidays approach, I find myself missing the drama and spectacle of the Sony hack.

You know, the kind of drama where a movie studio realizes it's under attack and decides that overacting will save the film. Or that threatening journalists to stop writing about it will put an end to all those "bad reviews" everyone's suddenly writing about Sony security. The holidays were made for this sort of thing. Can you even remember any of last year's Christmas specials? No. That's because watching Sony utterly fail to handle the epic breach with grace or wisdom was way more entertaining than seeing anything on ice last December.

And then the whole twist, where FireEye points the finger at North Korea as a sort-of "red scare" Krampus in act three, well, that must be what people mean when they talk about the magic of Hollywood. Now, that's entertainment.

As accustomed as we are to hearing there's a huge new breach every week, we're getting equally used to some insider laying the blame on China. With every breach-attribution cycle, hackers roll their eyes when headlines and PR firms whip out the same-old terms, methods and culprits. The chorus of "Chinese hackers did it" and lately "Russian hackers did it" has led to a lot of ridicule and no small amount of vocal annoyance from hackers in all quadrants.

The thing is, all that snark and frustration has some very legitimate grounding in reality.

Attribution is seldom fast, neat, easy or reliably accurate. Naming who did it can be near to impossible, even though that seems to be what PR departments and out-of-the-loop executives believe is the answer.

This is especially true because the name of the game for serious attackers is obfuscating one's tracks with "false flags." As in, leaving misleading clues, like hints of a specific country's language or planting markers that implicate another attacker. Either way, it's really easy to get attribution wrong.

Less than a month ago, the U.S. charged three Israeli men for hacking and robbing JPMorgan Chase & Co, in what is the largest-ever theft of customer data from a U.S. financial institution (and one of the biggest breaches to date). A fourth culprit, an American citizen, is still at large and wanted by the FBI. Except when news of the breach hit in August 2014, it was reported that "some members of the bank's security team to tell outside consultants that they believed the hackers had been aided by the hidden hand of the Russian government" -- and attribution was firmly assigned to Russia.



On top of issues with accuracy, attribution is seen by most as a waste of time for defenders because attribution has nothing to do with strategy. Matthew Monte, author of Network Attacks And Exploitation: A Framework, nailed it when he wrote, "What does full attribution change? Nation states maintain their innocence with an ever-weakening shield of plausible deniability as mountains of evidence pile up against them. ... But do not expect blame to slow down espionage."

Despite the follies of attribution, breached organizations seem inclined to use blame as a get-out-of-bad-PR card. The Sony Pictures Entertainment hack was mainstream America's first real taste of the breach-PR cycle, which with SPE practically became a musical production on ice of clinging to attribution for salvation.

The breach-PR cycle begins when a bad breach occurs.

A neat -- or shall we say, Hollywood -- ending is needed. An insider rolls in to announce a villain while headlines are still fresh, a role that goes to either a security company or an "unnamed insider." This misdirects attention from everything that really matters about the crime, and annoys the hell out of those of us in the audience with critical thinking skills.

Sony gave the role to FireEye Inc's Mandiant forensics unit. Its infosec reputation meant everyone expected that it would "blame China." So, the Sony hack was a show with a twist ending for some of us. In FireEye's script, turns out it was North Korea all along.

If this sounds a lot to you like "Colonel Mustard in the Library with the candlestick" then you're starting to understand the sarcasm and exasperation that led to the creation of Attribution Dice.

Like many, I was delighted to see the creation of Attribution Dice early this year -- they're sort of like sex dice, which unimaginatively reduce foreplay into randomized "Mad Libs," but for breach blame. The dice finally meant that anyone with $20 could assign attribution like a high-priced security consultant, and predict breach headlines before PR firms have a chance to feed them to reporters.

They sold out on December 2nd, but I think we can expect a lot of hackers over the holidays rolling the dice to wow friends, family and neighbors with their hacker super-cyber-powers.

But blaming North Korea sure didn't help Sony in court. Sony got an anniversary lump of coal in its stocking last month, in the form of a preliminary settlement in a class action suit against Sony by 435,000 former employees harmed by the hack. On November 25, a year and one day after the hack, a U.S. District Judge batted aside Sony's attempt to avoid blame by claiming that "injuries were the result of a hack attributed to North Korea."

So attribution, as a service, is really only selling the idea of knowing who did it. In our current atmosphere it's more like Three-Card Monte. Which, by the way, is not actually a game.

I think at this point, attribution should always come with a disclaimer -- that it's "for entertainment purposes only."