For laypeople demanding evidence that Russia is responsible for the #SolarWinds breach (and subsequent operations), be patient, it will come.

As an analogue, prosecutors typically don’t discuss specifics of ongoing investigations. This is because the target may interfere. 1/
This analogy unfortunately breaks down precipitously. First, this is less like a robbery than a set of ongoing hostage situations. The problem is that we don’t know how many hostage situations we have yet. Every piece of evidence we discuss publicly can hurt us. 2/
With the release of every indicator of compromise, we always must balance the value of helping victims with the risk that the attacker will change their tradecraft to prevent future detection.

This adversary has shown that they practice counterintelligence and WILL change. 3/
Now some might say “that’s circular logic, we don’t yet KNOW who the adversary is.” Sure, I hear you. But I’ve been in the malware. The adversary took obvious steps to prevent detection. We can easily conclude that an adversary taking such steps must also be watching the news. 4/
Back to our hostage situation analogue, we still don’t yet know how many hostage situations we have. SolarWinds says at least 18,000, but not all those are created equal. The attacker lacks resources to operate in all of those networks. Resources aside, each increases risk. 5/
Some of these “hostage situations” have casualties (follow-on operations). We do now assess that in most situations where there are no follow-on operations, the attacker has been neutered (defenders have control of the initial callback domain). 6/
So we (mostly) believe we’ve limited the attacker’s ability to create new hostage situations (at least through this vector). But we do still need to understand how many hostage situations (networks with follow-on operations) are yet to be discovered. 7/
Any evidence released to help determine this number is not likely to be easy to attribute to any specific country.

Second, in any hostage situation, you always have to go room by room clearing the entire building once you think it’s over. 8/
The cat is out of the bag on the initial compromise vector, but we have to hold back some amount of evidence to enable continued investigations. Unfortunately THIS is the evidence that is most easily attributed to a particular country. I know this sucks if you want it now. 9/
Any evidence released now will be subject to an intel gain/loss (IGL) analysis. For those not familiar, watch The Imitation Game. There, they struggle with allowing people to die in order to protect the fact we’d broken the Enigma cipher. There are huge parallels here. 10/
As much as I want to see all the evidence, I’m 100% convinced based on what I’ve seen firsthand this was a Russian government group. I’m not sure it matters which specific Russian group it is. In the coming weeks, pundits will argue about GRU vs SVR vs FSB, etc. 11/
The highlight here isn’t “wow, there are lots of questions about attribution! We shouldn’t trust that it’s Russia.” Don’t fall prey to this.

By analogue, think about the Soleimani killing. Do you really care whether NSA or CIA provided the targeting? Does Iran? 12/
Hopefully the analogies here help contextualize what we’re seeing now (and what is sure to come). Note that no analogy is perfect, certainly not these. Attribution is hard.

Be patient, better public evidence will come in due time. /FIN
You can follow @MalwareJake.