On March 7, WikiLeaks kicked off a release of documents that it described as the “largest ever publication of confidential documents on the [CIA].” WikiLeaks further claims that this initial release is only a fraction of the available documents in its possession. One particular aspect of the released material, termed #Vault7, concerns UMBRAGE, a sub-group of the CIA’s Remote Development Group that is alleged to have misdirected attention and attribution from the agency’s clandestine efforts in order to make another country or group appear responsible.
UMBRAGE is especially interesting as it relates to the cyber realm of Advanced Persistent Threat (APT) actor groups, which include hackers, intrusion specialists, vulnerability researchers, and other specialists. These actors know how to cover or obfuscate their tracks because they are (usually) very experienced in their craft. They think tactically and operate offensively.
Humans take shortcuts, humans make mistakes, and humans are predisposed to patterns in their behaviors. The tendency to become complacent or make mistakes reflects typical human behavior on the part of cyber criminals. Drawing on these characteristically human traits, forensic evidence has sometimes been able to link certain threat actor groups with “signature clues,” which help in tracking actions back to specific actor groups with more certainty.
And yet — especially in light of what is purported to be disclosed in #Vault7 — what better way to cast doubt or to redirect attention than to leave clues that point forensic investigators to wrong conclusions?
In reading over the raw material associated with this latest release by WikiLeaks and considering what other agencies, companies, governments, and incident response professionals might learn from these documents, I believe it should be clear that attribution in cyber attacks and hacking can rarely be 100 percent certain, and assumptions in attribution must be avoided. Accurately uncovering attribution and protecting against further attacks requires diligent and thoughtful investigation. Digital forensics and cyber security experts must be wary of their own complacency when drawing conclusions, and be sure to play the devil’s advocate when presented with “typical” behavioral patterns and assumptions.
In my prior career as a special agent for the FBI specializing in digital forensics, my colleagues and I would run numerous investigations from a variety of angles — some creative and some traditional. Sometimes years of work would culminate in a final court appearance, where I or another agent involved in the investigation would take the stand as an expert witness for the government. Inevitably, the defense would pose a question along the lines of, “Is it possible that someone else did [the bad thing] behind the keyboard?” Deep down, the trained investigator in each agent would quietly cringe at the question of what is “possible”— a feeling I think might be familiar to practically all expert witnesses.
When we are investigating cyber crimes — which almost always take place out of the eye of witnesses, cameras, or other highly technical processes — then the answer to such a question will likely be, “Yes, it is possible.” We look at and examine evidence from multiple perspectives not simply for yes/no answers, we look for facts; ultimately we look for supportable, substantive answers. The fact of the matter is that if we were not standing there watching the bad guys typing at the keyboard or clicking the mouse, performing whatever steps were taken in the cyber crime, then stating categorically that one user or group had to be responsible is an assertion that must be accompanied with sufficient evidence. The goal of investigators, like forensic examiners, is to provide and present a well-substantiated explanation that is confirmed through observation and testing.
In my current role as a digital forensics and cyber security consultant with Kroll, my team and I approach digital evidence gathering by first identifying and evaluating exactly what forensic evidence is actually available. We then analyze and process that evidence for the forensic clues that can paint the picture or tell the story of what happened. The preponderance of that evidence and the expertise with which we gather and present the evidence may eventually be used to guide a client, or a jury, toward a conclusion.
The potential revelations in #Vault7 are a timely reminder that when it comes to attribution in the cyber realm, achieving absolute certainty is rare, sometimes impossible. Uncovering the truth in an investigation, particularly a cyber investigation, is complicated, but we as investigators and incident responders can and should have expert opinions about what the forensic evidence is telling us. We base these professional opinions on our training, education, and experience. However, now more than ever, when evidence is leading us to a particular conclusion, we must be diligent in examining our own potential assumptions and always remember that forensic science ultimately deals in evidence and actualities.
Devon Ackerman is a senior director with Kroll’s Cyber Security and Investigations practice. Before Kroll, Devon was a Supervisory Special Agent and Senior Digital Sciences Forensics Examiner with the FBI, where he was responsible for oversight and coordination of FBI digital forensics-related field operations across the United States, spanning matters such as domestic terrorism, mass shootings, critical incident response events, and large-scale electronic evidence collections.
The views expressed by contributors are their own and are not the views of The Hill.