Proof of Attack vs Proof of Attacker

When a system is said to be under attack, compromised or a breach is suspected and/or detected, given the physical and technical challenges, is it even possible to prove who did it?

First Published 15th December 2016 |  Latest Refresh 13th September 2022

Proof of Attack vs Proof of Attacker

Sufficient due process to separate the attacker from the attack is increasingly lacking.

4 min read  |  Reflare Research Team

Cast your mind back

In the aftermath of the 2016 US election, hacking and cybersecurity moved decisively into the conversational mainstream. While the heightened awareness among average consumers and employees was likely to lead to beneficial outcomes, in the long run, the short-term effect was large-scale confusion.

While the belief of deliberate misinformation and partisan reporting most certainly exists, an even larger problem was the lack of understanding of infosec fundamentals on the side of laymen and reporters. This led to the wrong experts being interviewed (penetration testing, forensics and abstract cryptography are all parts of information security but have very little overlap), expert quotes being misinterpreted by assigning more general meanings to precise technical terminology, and similar topics being grouped together.

The long-standing confusion

One of the most pressing points of confusion at the moment still appears to be the difference between proving an attack has taken place and proving the identity of the attacker. In this briefing, we hope to shine some light on the crucial difference between the two.

Proof of attack determines whether a given system was attacked and/or compromised. Since all attacks leave some traces, it is usually possible to identify if a system was attacked even after the attack has taken place. Such traces may include backdoors installed on computers, traffic patterns stored in logs or information leaked that was only available on one specific system.

Proof of attacker determines who is responsible for a given attack. As we have pointed out in previous briefings, identifying the attacker himself/herself is a significantly more difficult task. The very nature of the internet is anonymous, and attackers can employ a number of techniques to further hide their identity.

Case in point

Let’s look at an example of why this distinction matters.

The two main topics of focus regarding cyber-attacks on the 2016 US election are whether the voting process itself was hacked and whether the DNC was hacked by Russian operatives.

In the first example, finding proof of attack would be fully sufficient for causing major concern and potentially holding a new election. If the results can’t be trusted the validity of the election falters. In this case, knowing who exactly is behind the hack would be beneficial but ultimately unnecessary.

No proof of such activity has to date been published.

In the case of the DNC hacks, proof of attack has already been established by a variety of security consultancies and government agencies investigating the breach. We know that someone hacked the DNC and how the attack was performed. What is not proven so far however is the identity of the attackers. Since in this case proof of attack is rather meaningless and the geopolitical impact would stem from pinpointing the attack on Russia, proof of attacker identity is critical.

Distinguishing between these concepts is critical. Unfortunately, both Republicans and Democrats have issued highly misleading statements which mix the terms. The result is the Democratic side claiming that there is proof [of attack] while the Republican side claims there is no proof [of attacker identity]. Both statements are true yet inaccurate.

Years later

The issue of differentiating between proof of attack and proof of attacker has grown significantly since we first published this advisory. In late 2022, barely a day goes by where one nation-state isn't accusing another of a cyber attack or causing a data breach. And as always, while the attack itself can easily be proven, the identity of the attacker usually can not. During the early days of Russia's invasion of Ukraine, hundreds of targets on both sides were hit by cyber-attacks. In most cases, attribution has been impossible and will likely forever remain impossible. Even when one group claims responsibility for a hack it is not guaranteed that they were actually responsible.

The task of assigning actors to sides is also becoming increasingly difficult. Is an unrelated group that identifies with the war effort on one side of the conflict a part of said group? If Anonymous leaks a Russian database to help Ukraine then is it hacktivism or a state actor attack? What if they received part of the information required for the attack from Ukraine or even from a different nation-state? Does that change the calculation? If hacktivists exploit a vulnerability to hit a Russian target, but that vulnerability was already known and "held back" by US intelligence for a future attack, did the hacktivists help Russia or the US?

The waters that were always muddy have now become almost fully opaque. This does not matter that the truth does not matter. We are and should be striving to identify the actors in every cyber attack. But at this point in time, if someone tells you that they are immediately and fully certain who the attack was, they are almost certainly lying to you.

The legacy of the educated guess

Security professionals are used to dealing with “likely attackers”. If an attack uses tools, locations or techniques usually associated with a specific attacker, the attack is often attributed to that attacker. In the context of corporate IT security, this is a valid approach. Even if the suspicion turns out to be wrong, little is lost by keeping an extra close watch over all traffic coming from a certain region for a while.

This attribution however does not live up to proof in terms of criminal law or even geopolitics. It is merely an educated guess and will remain so unless further proof is discovered. That however is highly unlikely assuming that the attackers were competent.

Due to this mixed use of terminology and different standards of proof, we predict the general confusion among the news media and public to continue for the foreseeable future. Players on all sides of a successful hack are expected to attempt to extract maximum value from this confusion to advance their own interests, and you should be ready to deal with the fallout.

Subscribe by email