15 The Art of the Fireflies
The art of fireflies should be performed only after you know everything about the enemy in great detail so that you can construct your deception in accordance with the target’s mindset.

Before you carry out surveillance or a covert shinobi activity, you should leave a note for your future reputation.

—Yoshimori Hyakushu #54

The Bansenshūkai describes an open-disguise infiltration technique for shinobi called “the art of fireflies” (hotarubi no jutsu).1 I like to think that this technique was named based on how the flash of light from a firefly lingers in your night vision after the fly has moved, causing you to grasp at empty space. Shōninki describes the same technique as “the art of camouflage” (koto wo magirakasu no narai).2 Using this technique, shinobi plant physical evidence that baits an enemy into taking some desired action, including misattributing whom the shinobi works for, making false assumptions about the shinobi’s motives, and reacting rashly to the attempted attack, exposing themselves to further offensive actions.

A forged letter with incriminating details or misleading evidence about the enemy was the most common hotarubi no jutsu technique, with several variations. The scrolls describe shinobi sewing a letter into their collar so that it would be found quickly if they were caught or searched.3 Or, a shinobi might recruit a willing but inept person to be a “ninja,” give them a letter detailing the exact opposite of the shinobi’s true plans, and send them on a mission into the adversary’s environment, knowing that this “doomed agent” would certainly be captured. Importantly, the recruit themselves would not be aware of this part of the plan. Upon searching the recruit, guards would find the forged letter, which implicated a high-value target—such as the adversary’s most capable commander—in a treasonous plot. The “ninja” would likely break under torture and attest to the authenticity of the message, further damning the target.4 This all served to deceive the enemy into attacking or disposing of their own allies.

In an even more elaborate variation, prior to the mission, the shinobi would carefully plant evidence that supported the letter’s false story and place the forged letter in an incriminating location, such as the quarters of the enemy commander’s trusted adviser. The forged letter then became a safeguard. If the shinobi were caught, they would withstand torture until they could determine the enemy’s objectives, and then reveal their secret knowledge of the letter. The enemy would then find the letter and the connected evidence. Having built credibility, the shinobi would then pledge to become a double agent or share secrets about their employer in exchange for not being executed.5 This technique left the enemy confused about the shinobi’s motives, concerned about potential betrayal, and in doubt about who the real adversary was.

In this chapter, we will review the challenges associated with attributing threats to a specific adversary and/or source. We’ll cover attribution investigations using threat analytics, observable evidence, and behavior-based intelligence assessments. We’ll also discuss the problem of sophisticated adversaries who are aware of these attribution methods and thus take countermeasures. The more emphasis a defender places on attribution, the more difficult and risky cyber threat actors can make pursuing leads, so we’ll also discuss ways to address this increased risk.

Attribution

Attribution, in a cybersecurity context, refers to an assessment of observable evidence that can be used to identify actors in cyberspace. The evidence can take many forms. A threat actor’s behavior, tools, techniques, tactics, procedures, capabilities, motives, opportunities, and intent, among other information, all provide valuable context and drive responses to security events.

For example, suppose your home alarm went off, indicating a window had been broken. Your response would vary drastically based on your level of attribution knowledge: a firefighter entering your home to extinguish a blaze would evoke a different response than a robber breaking in to steal your belongings, or an errant golf ball crashing through the window. Of course, attribution isn’t always simple to attain. A thief can exercise some control over observable evidence by wearing gloves and a mask. They could even wear a firefighter outfit to disguise their identity and deceive homeowners into acquiescing to their entry. A thief could plant, destroy, or avoid creating evidence of the crime during or after the act, impeding the subsequent work of forensic investigators. A truly sophisticated criminal might even frame another criminal using spoofed fingerprint pads; stolen hair, blood, or clothing samples; a realistic 3D-printed mask; or a weapon acquired from the unsuspecting patsy. If the framed individual has no alibi, or the crime is committed against a target consistent with their motivations, then authorities would have every reason to suspect or arrest the patsy.

Cybersecurity professionals face these types of attribution problems and then some. Attribution is particularly difficult due to the inherent anonymity of the cyber environment. Even after executing the difficult task of tracking an attack or event to a source computer and physical address, cybersecurity professionals can find it exceedingly hard to verify the identity of the human attacker. Attempts to trace the threat actor’s origin on the compromised machine often lead to tunnels, VPNs, encryption, and rented infrastructure with no meaningful logs or evidence. Sophisticated threat actors may even compromise and remotely connect to foreign machines, using them as platforms to launch attacks against other systems. Even after detecting the adversary, it may be advisable in certain cases to not immediately block them or remove their access; instead, it may be beneficial to monitor them for a while to determine their goals and identifying characteristics.6

In some cases, threat groups deliberately leave behind tools or other observables to push an attribution narrative. The United States, Russia, and North Korea have reportedly altered or copied code segments, strings, infrastructure, and artifacts in their cybertools to cause misattribution.7 When cybersecurity professionals discover and reverse engineer particularly stealthy malware, they occasionally observe unique, superfluous strings in the malware traces. Perhaps these strings were overlooked—a tradecraft error by the operator or developer. But they could also be “the art of fireflies”—evidence designed to be discovered and used for (mis)attribution.

Note that the same mechanisms that make deception possible also provide powerful means of identification. Memory dumps, disk images, registries, caches, network captures, logs, net flows, file analyses, strings, metadata, and more help identify cyber threat actors. Various intelligence disciplines, such as signal intelligence (SIGINT), cyber intelligence (CYBINT), and open source intelligence (OSINT), also contribute to attribution, while human intelligence (HUMINT) capabilities collect data from specific sources that, once processed and analyzed, helps indicate who may have conducted cyberattacks. These capabilities are typically kept secret, as disclosing their existence would inform targets how to avoid, deny, or deceive these systems, stunting the ability to generate useful intelligence and threat attribution.

Approaches to Handling Attribution

It is reasonable for organizations to want to know the identity and origin of threat actors who compromise their systems and networks. It’s understandable that many want to take action, such as hacking back, to discover who these threat actors are. However, threat actors, like the shinobi, will always find ways to conduct covert malicious actions through denial and deception, making attribution uncertain. Furthermore, to take a lesson from history, the need to conduct shinobi attribution only ceased once Japan was unified under peaceful rule and shinobi were no more. The world is unlikely to experience unity in the foreseeable future, so nation-state cyberattacks are likely to continue. Until world peace happens, the following approaches to attribution can help you identify what, if anything, you can do about ongoing cyber conflict:

  1. Shed your cognitive biases. Reflect on your own cognitive biases and flawed logic. Everybody has holes in their thinking, but we can be mindful of them and work to correct them. Construct your own case studies. Review prior judgments that turned out to be incorrect, identify the mistakes made, and consider how to improve your analytical ability. This important work can be done in small steps (logic puzzles, crosswords, and brainteasers are a great way to improve cognitive function) or big strides. You can study articles and books on psychology that discuss known cognitive biases and logical fallacies and learn structured analytical techniques to overcome your own.8
  2. Build attribution capabilities. Examine what data sources, systems, knowledge, and controls you can use to influence attribution at your organization. Are you running open, unprotected Wi-Fi that allows unregistered, unauthenticated, and unidentified threat actors to anonymously connect to your network and launch attacks? Are you managing routers that allow spoofed IPs, or do they use reverse-path forwarding (RPF) checks to prevent anonymized attacks from within your network? Are you correctly publishing a Sender Policy Framework (SPF) record to prevent threat actors from spoofing email addresses and assuming your organization’s identity?

    While many of these configuration changes incur no direct costs, the time and labor (and opportunity costs) to implement such wide-reaching changes can give management pause. However, consider whether a prior decision to invest in good cameras and lighting helps a storekeeper correctly identify a vandal. Establishing sound logging, documentation, and evidence collection practices improves attribution capabilities, enforces greater technological accountability, and provides end users with better visibility into network threats.

  3. …Or forget about attribution. Work with your organization’s stakeholders to determine the scope of attribution efforts necessary to mitigate risk. For organizations with the ability to arrest threat actors or launch counteroffensive attacks, attribution is a necessity. However, most organizations cannot or should not attempt to catch or attack threat actors, learn their identities, or map their capabilities. In reality, attribution to a specific threat actor is not always necessary. Awareness of the threat can be enough to analyze and defend against it.

    For example, suppose two threat actors target your organization’s intellectual property. One wants to sell the information on the black market to make money, and the other wants the information to help build weapons systems for their country. It actually doesn’t matter. Regardless of the threat actors’ purpose and an organization’s capability to track them down, defenders must ultimately restrict or deny opportunities to exploit their security flaws. The organization does not necessarily need to assess a threat actor’s motivation to avoid the threat.
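The second approach above asks whether your organization correctly publishes a Sender Policy Framework (SPF) record. The following Python is an added example, not code from the book or its author: a small evaluator for the RFC 7208 mechanisms ip4, ip6, include and all, plus an audit that flags records whose "all" qualifier still lets a spoofed sender pass. The DNS data (FAKE_TXT), the domain names and the function names are constructed assumptions so the code runs offline; a deployment would replace lookup_spf with a real TXT query.

```python
"""Added example: SPF evaluation and record audit (RFC 7208 subset).

FAKE_TXT is a constructed stand-in for DNS TXT lookups so the code runs
offline; a real deployment would resolve records with a DNS library.
Only ip4, ip6, include and all are handled; mechanisms that need more
DNS queries (a, mx, ptr, exists) and modifiers return "permerror".
"""
import ipaddress

# Constructed records (assumption); RFC 5737 / RFC 3849 documentation addresses.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example ~all",
    "_spf.mail.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "weak.example": "v=spf1 +all",   # anyone may send as this domain
    "nospf.example": None,           # publishes no record at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying mechanisms per check


def lookup_spf(domain, txt=FAKE_TXT):
    """Return the domain's SPF TXT record, or None if it publishes none."""
    record = txt.get(domain.lower())
    if record and record.lower().startswith("v=spf1"):
        return record
    return None


def _ip_in(cidr, ip):
    """True if ip falls inside cidr; mixed IPv4/IPv6 never matches."""
    try:
        return ip in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False


def check_spf(domain, sender_ip, txt=FAKE_TXT, _lookups=None):
    """Evaluate sender_ip against domain's policy.

    Returns one of pass, fail, softfail, neutral, none, permerror: the
    result a receiving mail server would act on.
    """
    if _lookups is None:
        _lookups = [0]
    record = lookup_spf(domain, txt)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            if _ip_in(arg, ip):
                return QUALIFIERS[qualifier]
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"
            inner = check_spf(arg, sender_ip, txt, _lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"  # an include that resolves to nothing is an error
            # fail/softfail/neutral inside the include: no match, keep going
        else:
            return "permerror"  # unsupported mechanism or modifier in this example
    return "neutral"  # record ended without an "all" term


def audit_record(record):
    """Flag policy settings that let spoofed mail through the SPF check."""
    findings = []
    terms = record.split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' term: unlisted senders are neutral, not rejected")
    for t in all_terms:
        q = t[0] if t[0] in QUALIFIERS else "+"
        if q == "+":
            findings.append("'+all' lets any IP pass: the domain is freely spoofable")
        elif q == "?":
            findings.append("'?all' is neutral: receivers will not reject spoofed mail")
        elif q == "~":
            findings.append("'~all' is softfail: receivers may still accept spoofed mail; prefer '-all'")
    return findings


if __name__ == "__main__":
    for dom, ip in [("example.com", "192.0.2.7"), ("example.com", "203.0.113.5"),
                    ("weak.example", "203.0.113.5"), ("nospf.example", "203.0.113.5")]:
        print(f"{dom:20} {ip:15} -> {check_spf(dom, ip)}")
    for dom, rec in FAKE_TXT.items():
        if rec:
            print(dom, audit_record(rec) or ["ok"])
```

The point for attribution is the last two domains: a record ending in "+all", or no record at all, means a message claiming to come from your organization carries no evidence either way, so a receiver (or your own analysts) cannot distinguish your mail from an impersonation. A "-all" record turns the same message into a hard fail that is logged and can be acted on.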

Recommended Security Controls and Mitigations

Where relevant, recommendations are presented with applicable security controls from the NIST 800-53 standard. Each should be evaluated with the concept of attribution in mind.

  1. Map accounts to user identities. Verify the identity of the individual associated with the user account via biometrics, identification, logical or physical evidence, or access controls. [SA-12: Supply Chain Protection | (14) Identity and Traceability]
  2. Develop a plan that defines how your organization handles attribution assessments of threat agents. [IR-8: Incident Response]
  3. Establish threat awareness programs that collect and share information on the characteristics of threat actors, how to identify them in your environment, evidence of attribution, and other observables. Use specific collection capabilities such as honeypots for attribution purposes. [PM-16: Threat Awareness Program; SC-26: Honeypots]
  4. Apply security and collection controls. Perform threat modeling to identify threat agents. [SA-8: Security and Privacy Engineering Principles]
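Control 1 above (map accounts to user identities) and the earlier points about open Wi-Fi and sound logging come together in one practical question: given an alert naming an internal IP and a time, who was behind it? The Python below is an added example, not code from the book or its author. It joins a constructed 802.1X/RADIUS authentication log with a constructed DHCP lease log; the line formats, field names, MAC addresses and the function attribute_ip are assumptions, not any vendor's format. The third lease models a device on an open guest SSID, which is exactly the attribution gap the chapter warns about.

```python
"""Added example: tie a network event back to an authenticated identity.

The log lines are constructed for this example and mimic an 802.1X/RADIUS
authentication log and a DHCP lease log; the formats are assumptions, not
a particular vendor's. attribute_ip() answers "who held this IP at this
time?" and reports the gap when a device joined without authenticating.
"""
import re
from datetime import datetime, timedelta

AUTH_LOG = [  # constructed
    "2024-03-01T08:00:12 radius auth=OK user=alice mac=aa:bb:cc:dd:ee:01 ssid=corp",
    "2024-03-01T08:05:40 radius auth=FAIL user=bob mac=aa:bb:cc:dd:ee:02 ssid=corp",
    "2024-03-01T08:06:03 radius auth=OK user=bob mac=aa:bb:cc:dd:ee:02 ssid=corp",
]
DHCP_LOG = [  # constructed
    "2024-03-01T08:00:15 dhcp lease ip=10.0.5.23 mac=aa:bb:cc:dd:ee:01 ttl=3600",
    "2024-03-01T08:06:05 dhcp lease ip=10.0.5.24 mac=aa:bb:cc:dd:ee:02 ttl=3600",
    # open guest SSID: no RADIUS record will ever exist for this MAC
    "2024-03-01T08:10:00 dhcp lease ip=10.0.9.40 mac=de:ad:be:ef:00:01 ttl=3600",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Split 'TIMESTAMP source key=value ...' into a dict with a datetime 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def attribute_ip(ip, when, dhcp_log=DHCP_LOG, auth_log=AUTH_LOG):
    """Return who held `ip` at time `when`, or the reason attribution fails."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    # Step 1: which MAC held the lease for this IP at that moment?
    leases = [f for f in map(parse, dhcp_log)
              if f.get("ip") == ip
              and f["ts"] <= when < f["ts"] + timedelta(seconds=int(f["ttl"]))]
    if not leases:
        return {"ip": ip, "identity": None,
                "reason": "no active DHCP lease for this IP at that time"}
    mac = max(leases, key=lambda f: f["ts"])["mac"]
    # Step 2: which authenticated user last bound that MAC to an identity?
    auths = [f for f in map(parse, auth_log)
             if f.get("mac") == mac and f.get("auth") == "OK" and f["ts"] <= when]
    if not auths:
        return {"ip": ip, "mac": mac, "identity": None,
                "reason": "device obtained a lease without authenticating (open network?)"}
    auth = max(auths, key=lambda f: f["ts"])
    return {"ip": ip, "mac": mac, "identity": auth["user"],
            "reason": f"RADIUS success at {auth['ts'].isoformat()}"}


if __name__ == "__main__":
    for ip, when in [("10.0.5.23", "2024-03-01T08:30:00"),
                     ("10.0.9.40", "2024-03-01T08:30:00"),
                     ("10.0.5.23", "2024-03-01T10:00:00")]:
        print(ip, when, "->", attribute_ip(ip, when))
```

The join only works because both logs carry a timestamp and a shared key (the MAC address) and because the lease TTL bounds how long an IP-to-MAC binding is valid; without any one of those, the result is a guess. The guest-SSID case returns no identity on purpose: reporting "unknown" honestly is better evidence handling than inferring a user from the nearest record.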

Debrief

In this chapter, we reviewed the art of the fireflies—a misattribution technique used by the shinobi. Cyber threat groups are continually evolving in sophistication, and they are likely to incorporate this technique into their operations security procedures, if they haven’t already. We noted that several threat groups are believed to be using misattribution techniques already, discussed approaches to handling attribution, and explained why the outlook for attribution is bleak.

In the next chapter, we will discuss shinobi tactics for maintaining plausible deniability when interrogated by defenders. The chapter will also discuss advanced shinobi interrogation techniques and tools used when capturing enemy shinobi.