Another leaked document via Wikileaks, this time about the CIA's Marble Framework obfuscation tool.
I am rather puzzled. The aim of the tool is to obscure the
authorship of a cyber attack. Let's wind back a little. Large numbers of
entities that mount cyber attacks want the attack to succeed but to be
able to deny authorship. For the analyst and investigator this is "the
problem of attribution".
One route for the attacker is to avoid mounting the attack from a
computer that can be associated with them via its IP address. This is
done by hijacking one of the several million unprotected computers and
other devices and launching the attack from there. Or maybe they'll set
up a chain of such devices. So investigators move on to code analysis -
looking for clues in the use of structures and strings. Are there words
in a specific language? Has the code been used before - and by someone
already known? The problem with this is that there is no enforceable
copyright in attack code and it is relatively easy for a hacker to steal
someone else's code and hence point the finger of blame at them. This
is known in espionage circles as a "false flag" action.
Marble Framework, if it works, automates the process. The CIA write their attack code and then run it through their Marble software so that any "English" references either are deleted or "foreign language" references added.
So we move on to two other attribution routes - "resource required"
and "motivation". Judgements about the level of resource required to
mount the attack - the difficulty of creating the code, the amount of
research required into accurately focusing the attack on the target -
give clues about the nature of the attacker - lone recreational hacker
or large national security agency or somewhere in between. Judgements
about motivation take us away from technical matters into politics. Who
would want to mount the attack? The attribution of Stuxnet is based on a
combination of resource required and motivation.
Where does Marble Framework fit in? Well, presumably in defeating code
analysis by attempting to remove indications of authorship. Will it
actually do so? If future analysts come across code that looks
suspiciously anonymous, will they not say to themselves: "This looks as
though it has been carefully cleaned - I wonder if this is the result of
CIA's Marble tool?"
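To make the two analyst heuristics above concrete (the string and language clues used in code analysis, and the observation that a sample scrubbed of all such clues is itself a signal), here is an added example in the spirit of the `strings` tool. It is not code from the post, from the leaked documents, or from any real analysis tool. All three sample blobs, the "previously seen" string index and the encoding assumptions are constructed for the example: it assumes that wide strings in the artefact are UTF-16LE (the usual Windows convention) and that the Unicode block name of a letter is an adequate proxy for the script it belongs to.

```python
import re
import unicodedata
from collections import Counter

# Constructed samples standing in for bytes pulled from compiled artefacts.
# ENGLISH_SAMPLE: an English error message plus a build-path string, padded
# with NOP-like filler bytes; CYRILLIC_SAMPLE: one Russian message stored as
# UTF-16LE; STRIPPED_SAMPLE: filler only, i.e. nothing human-readable at all.
ENGLISH_SAMPLE = (
    b"\x90" * 8
    + b"Error: unable to open config file\x00"
    + b"C:\\build\\release\\agent.pdb\x00"
    + b"\x90" * 8
)
CYRILLIC_SAMPLE = (
    b"\x90" * 2 + "Ошибка открытия файла".encode("utf-16-le") + b"\x00\x00" + b"\x90" * 16
)
STRIPPED_SAMPLE = b"\x90" * 64 + b"\xcc" * 32

# Constructed index of strings seen in earlier samples (hypothetical case names).
# Reused build paths and messages are a classic "has this code been used before"
# clue; remember that reuse can also be a deliberate false flag.
KNOWN_STRINGS = {
    "C:\\build\\release\\agent.pdb": "constructed-sample-A",
}


def extract_strings(blob, min_len=4):
    """Return (encoding, text) pairs for printable ASCII runs and UTF-16LE runs
    of at least min_len characters found in blob."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        found.append(("ascii", m.group().decode("ascii")))
    # UTF-16LE: pairs of (low byte, high byte). A high byte of 0x00-0x04 covers
    # Basic Latin through Cyrillic; the lookahead stops a run at a 0x0000 terminator.
    wide = rb"(?:(?!\x00\x00)[\x00-\xff][\x00-\x04]){%d,}" % min_len
    for m in re.finditer(wide, blob):
        text = m.group().decode("utf-16-le")
        if text and all(ch.isprintable() for ch in text):
            found.append(("utf-16le", text))
    return found


def script_profile(strings):
    """Count letters per script, using the first word of the Unicode character
    name (LATIN, CYRILLIC, ...) as a crude script label."""
    counts = Counter()
    for _, text in strings:
        for ch in text:
            if ch.isalpha():
                name = unicodedata.name(ch, "")
                counts[name.split()[0] if name else "UNKNOWN"] += 1
    return counts


def assess(blob):
    """Summarise the attribution clues a string-level pass can offer for blob.
    The verdict strings are deliberately hedged: none of these clues is proof."""
    strings = extract_strings(blob)
    profile = script_profile(strings)
    reuse = sorted({KNOWN_STRINGS[t] for _, t in strings if t in KNOWN_STRINGS})
    if not strings:
        verdict = "no readable strings: stripped or obfuscated, which is itself a data point"
    elif reuse:
        verdict = "string reuse with earlier samples: " + ", ".join(reuse)
    else:
        dominant = profile.most_common(1)[0][0] if profile else "NONE"
        verdict = f"dominant script {dominant}; weak evidence on its own (false flag possible)"
    return {
        "strings": len(strings),
        "scripts": dict(profile),
        "reuse": reuse,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, sample in [("english", ENGLISH_SAMPLE), ("cyrillic", CYRILLIC_SAMPLE),
                          ("stripped", STRIPPED_SAMPLE)]:
        print(label, assess(sample))
```

The point of the third sample is the one the post makes: a blob that yields no strings at all gets its own verdict rather than being treated as "no evidence", because careful cleaning narrows the field of plausible authors just as a stray language string would. The "resource required" and "motivation" tests are outside what any such script can judge.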
And of course there will still be the "resource required" and "motivation" tests.
I cover nearly all of these points in my Digital Evidence Handbook Kindle ebook. http://www.digital-evidence.expert.