
Cyber Whodunit: AI's Emerging Role in Establishing Attribution in Cyberattacks.

In over twenty years in the FBI, I spent plenty of time working as an Evidence Response Team member and found each crime scene was unique, as different from the others as the crimes we were investigating. However, at each scene from which I collected evidence - from the location of the abduction of a seven-year-old in rural Ohio, to the crash site of United Flight 93 in western Pennsylvania on 9/11, to a residence rented by the Oklahoma City bombers, to the Wichita, Kansas home and office of the BTK serial killer - the concern was always the same: to determine what the perpetrator(s) left at the scene and what, if anything, was taken away.

Cybersecurity is no different. Intelligence and law enforcement agencies - as well as firms in the private sector, where I now apply my skills - all seek to establish who was responsible for an attack by focusing on what was left at the crime scene. Here we seek not blood, hair, or fingerprints, but unique strings of code, a new vulnerability that was exploited, or an IP address we have seen before. In the FBI, our focus on attribution in cybercrimes was relentless - we wanted to identify those involved and, through an evidentiary chain, "put their hands on the keyboard." Once we did that, we could impose consequences on those involved, as well as on their handlers.

Shifting to what was taken from the scene: in the cases I worked, it may have been a household item that was used as a weapon or a victim's driver's license taken as a trophy. In cyberspace, what is taken away may be client files, directories, or a means of access that can be used to re-enter the system at a later date.

Establishing attribution is not easy. That is why it is encouraging to see the federal government start to use the power of Artificial Intelligence, or AI, to parse the billions of artifacts collected from threat actors at cyberspace crime scenes. AI, as wielded by talented cyber investigators, represents the frontier in the fight against cybercriminals. As noted in the Wall Street Journal, AI will change the game of establishing attribution, which will benefit those battling to defend our networks.

AI could help law enforcement agencies tackle the growing number of cyberattacks. IARPA’s research and use of AI to analyze code could help law enforcement authorities trawl through vast volumes of data and connect dates from past cyberattacks, said Tim Gallagher, managing director and head of the digital investigations practice at Nardello & Co., a legal investigations company. Authorities collect huge amounts of data from cyberattacks around the world and receive evidence about hacks from their partners in other countries, he said. “They don’t have enough bodies to go through this data. That’s where they’d be looking for technical solutions,” he said.