This report on mitigating risks arising from false-flag and no-flag cyber attacks handles issues related to establishing proper attribution following cyber attacks, in which the entity responsible for launching the attack is unknown (no-flag) or considered falsified (false-flag) for any other reasons. “Mitigating Risks arising from False-Flag and No-Flag Cyber Attacks” discusses the most prevalent protocols aimed at standardising information about malicious cyber activity, compares a number of programmes for cyber information-sharing partnerships, and finally lays out the issues surrounding collaborative data exchange.
Whilst legislation and other legal tools play catch-up with an ever-changing digital landscape, one thing is certain: without sufficient attribution, it is impossible to enforce regulations, laws or treaties. Technical means exist, but many are easily duped, and competing priorities of non-repudiation versus privacy and freedom of speech create a division in the requirements of internet users. Additionally, as the internet is globally interconnected with traffic crossing multiple national boundaries, malicious actors are often well beyond the jurisdiction of the victim.The issue is further complicated when attribution is defined. It is not enough to just locate a source IP address (unless looking solely at active defence): the identity of the attackers must be determined, as well as the parties they were acting on behalf of must also be unmasked.
In order to supplement the solely technical means of attribution, collaborative data exchange must ensure that when large amounts of data are brought together, data mining techniques and statistical analysis can afford us additional clues as to the author of such tools with a higher degree of certainty than technical means or independent data alone. By correlating the shared information, a more effective method for a community to detect potential risks and prevent cyber attacks at an early stage can be developed.
The first chapter, about cyber information exchange, describes various programmes, collaboration initiatives and protocols for attribution of malicious cyber activity. It also discusses what the barriers to effective collaborative data exchange are, as well as what some of the common issues with attribution through data exchange can be. Then, a chapter describes the information-sharing between security practitioners that takes place in Operational Security Communities. Following that, a third section describes the process and the discussions that took place during a workshop that was specifically designed to test procedures in situations where attribution is lacking. The participants were asked to take part in the scenarios while discussing procedures that should be followed and offering their recommendations on potential courses of action. Finally, a summary of the project and some conclusions are given.