In perhaps the greatest scene of any movie ever, Harrison Ford as Indiana Jones watches an expert swordsman on the streets of Cairo swiftly brandish his weapon in advance of an epic fight. Jones watches the fanciful display, and then just sighs and points his pistol at the guy and shoots. This scene is the canonical example of how you can do things the hard way - or you can do things the easy way. I crack up every time I re-watch it on YouTube.
The reason I bring this up is that the familiar cyber security concept of attribution can be done the hard or easy way - although for most organizations, the choice is pre-made. Specifically, the relatively straightforward way to establish attack origin is to use a snitch, leak, or tap - and if you're NSA, then this is how you would do it. But if you're the rest of us, then you must rely on more complex technical clues to determine accurate attribution.
I was pondering this trade-off while spending time last week with an intriguing start-up called HYAS. Focused on providing cyber attribution for enterprise, HYAS made news recently by attracting a $6.2M investment from Microsoft. The company employs advanced algorithms (no snitches involved) that help organizations locate - sometimes to the doorstep - the purported source of a cyber-attack. Here is what I learned during our discussion:
"Our Comox platform makes use of the best available information, much of it related to DNS infrastructure, to determine the accurate source of a cyber-attack," explained Sasha Angus, Vice President of Intelligence and Services for HYAS. "In many cases, we can help enterprise teams explain the complex network pattern used by malicious adversaries to attack their systems."
I wanted to understand the DNS-related origin of this collected data, and Angus said that HYAS has turned to multiple unconventional sources: "We have access to a constantly growing set of exclusive data that contextualizes attribution related to DNS domain creation and use," he said. "And we integrate this data into a massive database of prior public activity to analyze roughly a billion DNS queries daily. This creates a vantage point for attribution."
The team wanted to show me the Comox user interface, and I must say that it was engaging. They demonstrated how information about a sample exploit could be ingested and analyzed against their data to locate a foreign actor, down to a picture of the building that actor works from. Their presentation reminded me of Kevin Mandia's famous images of the APT1 network of hackers supported by the Chinese military.
I expressed some concern that DNS-related metadata can be annoyingly out-of-date or manipulated, and they agreed that degrees of confidence were required to couch the specificity and accuracy of their attribution. But the team stressed the many years of high-quality data they have access to, including from many proprietary sources, to allow analysts to query a number of different IOC data types.
Time will tell how this novel approach to cyber attribution plays in the commercial space. The large Microsoft investment suggests a natural partnership for HYAS, and while they do include government investigators in their target customer base, I really think the better target is commercial and mid-market. With cyber attribution on television every day, I suspect the appetite for identifying attack sources in corporate environments will be healthy.
The HYAS team is working hard on their platform, and I think it is worth keeping an eye on their evolving solution as it develops more specificity and a larger experience base. Cyber attribution is a tough business, and unless you have spies from the CIA to deploy into your adversary's inner circle, you will need to find a decent platform for assistance. I have high hopes that HYAS will provide that functionality for business customers.