In “Thinking Fast And Slow”, Daniel Kahneman describes a spectrum of human irrationalities, most of which appear to have significant implications for the world of information security. Of particular note, and the focus of this post, is the discussion on uncertainty.
Kahenman describes that people will generally seek out others who claim certainty, even when there is no real basis for expecting someone to be certain. Take the example of a person who is chronically ill. A doctor who says she does not know the cause of the ailment will generally be replaced by a doctor who exhibits certainty about the cause. Other studies have shown that the doctor who is uncertain is often correct, and the certain doctor is often incorrect, leading to unnecessary treatments, worry, and so on. Another example Kahneman cites is the CFO of companies. CFO’s are revered for their financial insight, however they are, on average, far too certain about things like the near term performance of the stock market. Kahneman also points out that, just as with doctors, CFOs are expected to be certain and decisive, and not being certain will likely cause both doctors and CFOs to be replaced. All the while the topic each is certain about is really a random process, or such a complicated process containing so many unknown and unseen influencing variables as to be indistinguishable from randomness.
Most of us would be rightly skeptical about someone who claims to have insight into the winning numbers of an upcoming lottery drawing, and would have little sympathy when that person turns out to be wrong. However, doctors and CFOs have myriad opportunity to highlight important influencing variables that weren’t known when their prediction was made. These variables are what make the outcome of the process random in the first place.
The same dichotomy regarding irrational uncertainty of random processes appears to be at work in information security as well. Two examples are the CIO who claims that an organization is secure, or at least would be secure if she had an additional $2M to spend, and the forensic company that attributes an attack on a particular actor – often a country.
The CIO, or CISO, is in a particularly tough spot. Organizations spend a lot of money on security and want to know whether or not the company remains at risk. A prudent CIO/CISO will, of course, claim that such assurances are hard to give, and yet that is the mission assigned to them by most boards or management teams. They will eventually be expected to provide that assurance, or else a new CIO/CISO will do it instead.
The topic of attribution, though, seems particularly interesting. Game theory seems to have a strong influence here. The management of the breached entity wants to know who is responsible, and indeed the more sophisticated the adversary appears to be, the better the story is. No hacked company would prefer to report that their systems were compromised by a bored 17 year old teaching himself to use Metasploit over the adversary being a sophisticated, state-sponsored hacking team the likes of which are hard, neigh impossible for an ordinary company to defend against.
The actors themselves are an intelligent adversary, generally wanting to shroud their activities with some level of uncertainty. We shouldn’t expect that an adversary will not mimic other adversaries, reuse code, fake timezones, change character sets, incorporate cultural references, and so on, of other adversaries in an attempt to deceive. These kinds of things add only marginal additional time investment to a competent adversary. As well, other attributes of an attack, like common IP address ranges, common domain registrars and so on, may be common between adversaries for reasons other than the same actor is responsible, such as that of convenience or, again, an intentional attempt to deceive. Game theory is at play here too.
But, we are certain that the attack was perpetrated by China. Or Russia. Or Iran. Or North Korea. Or Israel. We discount the possibility that the adversary intended for the attack to appear as it did. And we will seek out organizations that can give us that certainty. A forensic company that claims the indicators found in an attack are untrustworthy and can’t be relied upon for attribution will most likely not have many return customers or referrals.
Many of us in the security industry mock the attribution issue with dice, an magic 8-ball and so on, but the reality is that it’s pervasive for a reason: it’s expected, even if it’s wrong.