"Ask the Expert" articles provide information and insights from MSU scientists, researchers and scholars about national and global issues, complex research and general-interest subjects based on their areas of academic expertise and study. They may feature historical information, background, research findings, or offer tips.
Thomas Holt, a cybercrime and cybersecurity expert in the School of Criminal Justice at Michigan State University, discusses how these attacks are discovered, why they take so long to identify and what the U.S. can do to prevent these attacks in the future.
How do experts determine who is guilty of carrying out these types of cyberattacks?
In cyberattacks, identifying a potential source of the attack is done through triangulating multiple pieces of information obtained through forensic analysis of affected computers, as well as other tools like Intrusion Detection Systems and reviews of network traffic usage. Looking at when a computer was affected and retracing the path of unusual or malicious traffic, including when users are logging in, can all help to paint a picture of potential attribution.
Another key tool in identification is reverse engineering, or disassembling the malicious software and code involved in an attack. There are often details in the code that may point to a specific place or actor, such as character sets unique to a specific language, like Cyrillic or Chinese characters. This information can then be compared with tools used in prior identified attacks and help match unknown attacks to potential sources of an attack.
Why did it take so long for government officials to realize there was a cyberattack?
Typically, nation states will use tactics that make it deliberately hard to identify what exactly they are doing for a long period of time – essentially, they are covering their tracks as they go along. The hackers may try to obtain login credentials of existing employees through phishing attempts, malware or social engineering.
With this attack in particular, malware was utilized through patches from a trusted source – SolarWinds Orion. Hackers will move within an organization slowly, from system to system, working non-business hours to try to conceal their activities as they work.
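The timeline reconstruction and off-hours, host-to-host movement described in the two answers above, as an added illustrative example that is not part of the original article or of Holt's remarks: it parses constructed authentication events (hypothetical users and hosts), flags logins outside an assumed 08:00 to 18:00 weekday window, and retraces a credential's path from one system to the next.

```python
from datetime import datetime

# Constructed sample of authentication events (not real data):
# timestamp, user, source host, destination host.
SAMPLE_LOG = """\
2020-12-01T09:14:05 alice ws-alice fileserver01
2020-12-01T10:02:41 bob ws-bob mail01
2020-12-02T02:17:09 alice ws-alice buildserver02
2020-12-02T02:33:54 alice buildserver02 domaincontroller01
2020-12-02T03:05:12 alice domaincontroller01 hr-db01
2020-12-02T11:20:00 carol ws-carol fileserver01
"""

BUSINESS_HOURS = (8, 18)  # assumption: 08:00-18:00 on weekdays is normal activity


def parse_events(text):
    """Turn one log line per event into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "src": src, "dst": dst})
    return events


def off_hours_logins(events, hours=BUSINESS_HOURS):
    """Logins at night or on weekends: the window in which an intruder hopes not to be noticed."""
    start, end = hours
    return [e for e in events if e["ts"].weekday() >= 5 or not (start <= e["ts"].hour < end)]


def hop_chains(events, min_len=3):
    """Retrace a credential's path: a chain grows when a user logs in to host B from host A,
    then to host C from host B, and so on (a workstation should rarely do this)."""
    chains = []
    for user in sorted({e["user"] for e in events}):
        chain = []
        for e in sorted((x for x in events if x["user"] == user), key=lambda x: x["ts"]):
            if chain and e["src"] == chain[-1]["dst"]:
                chain.append(e)
            else:
                if len(chain) >= min_len:
                    chains.append(chain)
                chain = [e]
        if len(chain) >= min_len:
            chains.append(chain)
    return chains


def chain_path(chain):
    """Render a chain as the sequence of hosts the credential touched."""
    return " -> ".join([chain[0]["src"]] + [e["dst"] for e in chain])


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for e in off_hours_logins(evts):
        print("off-hours login:", e["ts"], e["user"], e["src"], "->", e["dst"])
    for c in hop_chains(evts):
        print("credential path for", c[0]["user"] + ":", chain_path(c))
```

On the sample, all three flagged logins belong to one account and together form a single path from a workstation through a build server and a domain controller to a database host, which is the kind of picture an investigator reconstructs from login times.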
What can the U.S., and others, do to prevent these attacks in the future?
This is a challenge, as the U.S. is taking active steps to improve the national posture towards cyberattacks. One of the key aspects of this work is to actively lock down as many points of vulnerability as is possible. This is hard to achieve, because too much security can make it hard for employees to get their tasks completed – and too little makes it easy for targets to be hacked.
As technologies change, security professionals face a constant demand of balancing security with usability. Attackers recognize this dilemma and are always applying creative strategies to gain inroads into targets through the least visible points in an organization. That is what you can see in this current instance – attackers using a supposedly trusted source to gain backdoor access into sensitive systems. If we can’t trust what was otherwise trustworthy, how do we operate? Thus, cybersecurity professionals will now have to find ways to ensure that their trustworthy sources have not been compromised so that they can reduce additional threats to their organizations.