Proof of Attack vs Proof of Attacker

In the aftermath of the November 8th, 2016 US election, hacking and cybersecurity have moved decisively into the conversational mainstream. While the heightened awareness among average consumers and employees is likely to lead to beneficial outcomes in the long run, the short-term effect is large-scale confusion.

While deliberate misinformation and partisan reporting most certainly exist, an even larger problem is the lack of understanding of infosec fundamentals among laymen and reporters. This leads to the wrong experts being interviewed (penetration testing, forensics and abstract cryptography are all parts of information security but have very little overlap), expert quotes being misinterpreted by assigning general meanings to precise technical terminology, and superficially similar topics being lumped together.

One of the most pressing points of confusion at the moment appears to be the difference between proving an attack has taken place and proving the identity of the attacker. In this briefing we hope to shine some light on the crucial difference between the two.

Proof of attack determines whether a given system was attacked and/or compromised. Since almost every attack leaves some trace, it is usually possible to establish that a system was attacked even well after the fact, although a careful attacker can remove or tamper with part of the evidence. Such traces may include backdoors installed on computers, traffic patterns stored in logs (for example regular outbound connections to the same external address, typical of command-and-control check-ins), or leaked information that was only available on one specific system.

Proof of attacker determines who is responsible for a given attack. As we have pointed out in previous briefings, identifying the attacker is a significantly more difficult task. The internet has no built-in identity layer: an address in a log identifies infrastructure, not a person, and attackers can route through compromised hosts, VPNs or proxies, reuse another group's tooling, or plant false flags to further hide their identity.
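To make the distinction concrete, here is an added example (not code from the original briefing) that produces proof-of-attack evidence from logs: it parses a handful of constructed outbound proxy log lines and flags flows whose inter-arrival times are regular enough to indicate an automated beacon. The log format, the threshold values and the addresses (documentation ranges) are all assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound proxy log lines (not real traffic).
# Host 10.0.0.5 contacts the same external address every ~60 s with
# little jitter, the shape of a command-and-control beacon; host
# 10.0.0.9 browses normally. Format: "timestamp src dst:port bytes".
SAMPLE_LOG = """\
2016-11-20T10:00:00 10.0.0.5 203.0.113.7:443 512
2016-11-20T10:00:12 10.0.0.9 198.51.100.20:443 9031
2016-11-20T10:01:01 10.0.0.5 203.0.113.7:443 520
2016-11-20T10:01:45 10.0.0.9 198.51.100.21:443 44120
2016-11-20T10:02:00 10.0.0.5 203.0.113.7:443 511
2016-11-20T10:03:02 10.0.0.5 203.0.113.7:443 518
2016-11-20T10:03:10 10.0.0.9 198.51.100.20:443 2200
2016-11-20T10:04:00 10.0.0.5 203.0.113.7:443 514
2016-11-20T10:05:01 10.0.0.5 203.0.113.7:443 509
2016-11-20T10:07:30 10.0.0.9 198.51.100.22:443 13870
"""

# Assumed log line layout for this example.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Parse log lines into (timestamp, src, dst) tuples.

    Malformed lines are skipped rather than aborting the whole run, since
    real log files routinely contain truncated or rotated entries.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        events.append((ts, m.group(2), m.group(3)))
    return events


def find_beacons(events, min_hits=5, max_jitter=0.15):
    """Return (src, dst, mean_interval_s, hits) for every flow whose
    inter-arrival times are regular enough to look like automated check-ins.

    max_jitter is the allowed coefficient of variation (stdev / mean) of the
    gaps between connections; human browsing has a far higher value.
    Both thresholds are assumptions for the example, not tuned constants.
    """
    by_flow = defaultdict(list)
    for ts, src, dst in events:
        by_flow[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_flow.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_jitter:
            findings.append((src, dst, round(mean, 1), len(stamps)))
    return findings


if __name__ == "__main__":
    for src, dst, interval, hits in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: {hits} connections, every {interval}s")
```

On the sample the detector flags the 10.0.0.5 flow to 203.0.113.7 and nothing else. Note what the finding does and does not contain: it is evidence that the host was talking to a likely controller (proof of attack), but the only identifier it yields is a destination address, that is, a piece of infrastructure that could be rented, proxied through or borrowed from another group. Nothing in this output establishes who operates it.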

Let’s look at an example of why this distinction matters. 

The two main topics of focus regarding cyber attacks on the US election are whether the voting process itself was hacked and whether the DNC was hacked by Russian operatives.

In the first case, proof of attack alone would be fully sufficient to cause major concern and potentially to hold a new election. If the results cannot be trusted, the validity of the election falters. Knowing who exactly is behind the hack would be beneficial but ultimately unnecessary.

No proof of such activity has to date been published.

In the case of the DNC hacks, proof of attack has already been established by a variety of security consultancies and government agencies investigating the breach. We know that someone hacked the DNC and how the attack was performed. What is not proven so far is the identity of the attackers. Since proof of attack alone carries little weight here, and the geopolitical impact would stem from pinning the attack on Russia, proof of attacker identity is what matters.

Distinguishing between these concepts is critical. Unfortunately both Republicans and Democrats have issued highly misleading statements which mix the terms. The result is the Democratic side claiming that there is proof [of attack] while the Republican side claims there is no proof [of attacker identity]. Both statements are true, yet each is misleading on its own.

Lastly, security professionals are used to dealing with “likely attackers”. If an attack uses tools, infrastructure or techniques usually associated with a specific attacker, the attack is often attributed to that attacker. In a corporate security context this is a valid approach: even if the suspicion turns out to be wrong, little is lost by keeping an extra close watch over all traffic coming from a certain region for a while.

This attribution, however, does not rise to the standard of proof required by criminal law or even geopolitics. It is an educated guess and will remain so unless further evidence is discovered, which is highly unlikely if the attackers were competent.

Due to this mixed use of terminology and the differing standards of proof, we predict the general confusion among the news media and the public to continue for the foreseeable future. Political players on all sides are expected to try to extract maximum value from this confusion to advance their own interests.