What is Ownership?

August 19, 2019

Post by Robert Hansen

Sometimes people in the security industry say “attribution is hard”. What they’re referring to is the tricky attribution of who is attacking whom, because people use botnets. But the same is true even in benign circumstances. When you want to know who owns a thing you have to ask some very tough questions.

Who owns the IP space? This could be you, sure. But it could also be your ISP, or it could be rented to you by some SaaS provider that rents it from an ISP. So while you may think of it as yours, it may be a few layers removed from yours.

Who owns the domain? This should be you, right? Well maybe, if you think of domain ownership as something that cannot be taken away. But in reality, that’s owned by the registrars who rent access to you. For all intents and purposes, this is probably your domain, unless it isn’t. Did you have someone else register it for you, like a marketing team that you long ago fired, or was it done under someone’s personal account? So while you may own it, you don’t necessarily own it in the sense that you control it. Also, the DNS entries can be pointing to all kinds of different things – so while the domain might be “yours” in an obscure legal sense, there are many layers to ownership.

What about the box? Physical stuff is where ownership should be more analogous to the things in your home that you know you own. Well, that is unlikely. Lots of boxes are rented, so while a box may be in your data center, it might not be yours. But more likely than not you’re using cloud-based machines, or even more likely these days, hypervisors on machines that are ephemeral. So what do you own exactly? It is difficult to know that it’s “yours” when the IaaS provider can barely tell you where your data lives on the machines.

How about the code? Well, that’s unlikely. It’s probably stolen from tons of Stack Overflow pages or libraries like jQuery. The actual code that is completely yours is probably the smallest part of the stack when you take into account the libraries, the webserver, the database code, and the APIs you connect to, none of which is yours in the sense that you developed it and that it’s unique to you.

So what exactly is attribution of ownership? It’s not as easy as it looks. Being hyper-focused on a single attribute is probably not going to get you the answer you think it will. It’s a complex, multi-layered answer that has many caveats. Anyone who claims to be able to do it perfectly either doesn’t understand the problem or is lying outright. That’s why giving you, the user, control over what we find rather than auto-adding it for you will be a bigger and bigger feature of BitDiscovery moving forward.