Monday, 3 April 2017

CIA's Marble Framework

Another leaked document via Wikileaks this time about the CIA's Marble Framework obfuscation tool.
I am rather puzzled. The aim of the tool is to obscure the authorship of a cyber attack. Let's wind back a little. Large numbers of entities that mount cyber attacks want the attack to succeed but also want to be able to deny authorship. For the analyst and investigator this is "the problem of attribution".
One route for the attacker is to avoid mounting the attack from a computer that can be associated with them via its IP address. This is done by hijacking one of the several million unprotected computers and other devices and launching the attack from there. Or maybe they'll set up a chain of such devices. So investigators move on to code analysis - looking for clues in the use of structures and strings. Are there words in a specific language? Has the code been used before - and by someone already known? The problem with this is that there is no enforceable copyright in attack code and it is relatively easy for a hacker to steal someone else's code and hence point the finger of blame at them. This is known in espionage circles as a "false flag" action.
Marble Framework, if it works, automates the process. The CIA write their attack code and then run it through their Marble software so that any "English" references are either deleted or "foreign language" references are added.
So we move on to two other attribution routes - "resource required" and "motivation". Judgements about the level of resource required to mount the attack - the difficulty of creating the code, the amount of research required into accurately focusing the attack on the target - give clues about the nature of the attacker - lone recreational hacker or large national security agency or somewhere in between. Judgements about motivation take us away from technical matters into politics. Who would want to mount the attack? The attribution of Stuxnet is based on a combination of resource required and motivation.
Where does Marble Framework fit in? Well presumably in defeating code analysis by attempting to remove indications of authorship. Will it actually do so? If future analysts come across code that looks suspiciously anonymous, will they not say to themselves: "This looks as though it has been carefully cleaned - I wonder if this is the result of CIA's Marble tool?"
And of course there will still be the "resource required" and "motivation" tests.
I cover nearly all of these points in my Digital Evidence Handbook Kindle ebook. http://www.digital-evidence.expert.