The Cyberattack

Instructions:

There has been a cyberattack on a US government agency.
Initial assessment points towards two potential tools that could have been used in the attack.

Each tool is the modus operandi (MO) of a distinct hacker group. These groups are small, with a tight-knit circle of loyal members, and as such, use of the group’s trademark tool is tightly controlled (and known only to high-level members). There have been no reports from sources within the hacker community of any defections. Additionally, “hacks” of this nature on government agencies are considered a badge of honor within the hacker community, and thus it is counterproductive for one group to impersonate another by using their tools (even if they could). Thus, it can be safely assumed that each tool is used exclusively by that one group.

These two groups are:

The Silver_Phalanx - known for deploying an exploit called “The Centurion”, which is one of the suspected tools used in the attack.
The Rattle-Jacks - known for deploying an exploit called “Jack-knifing”, which is the other suspected tool used in the attack.

Knowing nothing except the historical prevalence of attacks by these two groups and the kinds of weaknesses different exploits attack, it would appear that there is a 50% probability of the Silver_Phalanx having committed the attack and a 50% probability of the Rattle-Jacks having committed it. It is also certain that exactly one of these two hacker groups are responsible for the attack since one of only two possible exploits was used, and only Silver Phalanx has the capacity to use the Centurion exploit and only the Rattle-Jacks are able to employ “Jack-knifing.”.

No other groups should be considered for this scenario.

As an intelligence agent, you have cultivated a number of informants and cyber-intelligence experts from among the global “hacker” community. Over the years, you have been able to ascertain statistical information about each of these information sources which bear on the reliability of their reporting.

In this particular case, you know of three potential sources likely to have information regarding the Silver_Phalanx: One might be able to shed light on the group’s activities, and two are likely to have information regarding the deployment of “The Centurion” attack method.

You also know of three potential sources likely to have information regarding the Rattle-Jacks: One might be able to shed light on the group’s activities, and two are likely to have information regarding the deployment of the “Jack-Knife” attack method.

Some of your sources may be in communication with each other, for within the hacker community it is common practice for experts on the same attack method to share information. Below, based on considerable past experience and careful record keeping are the intelligence community’s best judgment about the trustworthiness of reports from your different possible informants.

Questions:

For your answers, assume the facts to be as stated in the problem.s

Part 1: When the only information you have is from the first round of intelligence (i.e. when second round intelligence is not available to you yet).

Q1. Given the information you have received so far, what do you now believe the probability is that the attack was conducted by the Silver_Phalanx?

Q2. Given the information you have received so far, what do you now believe the probability is that the attack was conducted by the Rattle-Jacks?

Q3.Given your responses to questions 1 and 2, do you now believe the attack to have more likely been carried out by the Silver_Phalanx? The Rattle-Jacks? Or are both still equally likely?

Note: Using information from the second round of intelligence to answer questions 1, 2, and 3 will be considered incorrect. The purpose of the above three questions is for analysts to deal with partial information appropriately.

Part 2: When both rounds of intelligence are now available to you.

Q4. Given all the information you have now received, what do you now believe the probability is that the attack was conducted by the Silver_Phalanx?

Q5. Given all the information you have now received, what do you now believe the probability is that the attack was conducted by the Rattle-Jacks?

Q6. Given your responses to questions 5 and 6, do you now believe the attack to have more likely been carried out by the Silver_Phalanx? The Rattle-Jacks? Or are both still equally likely?

Please provide your reasoning for all responses, referring to the evidence in each case.

Silver Phalanx / Centurion attack method – Expert Statistics

Name: Glymer
Expertise: Centurion attack method
Source Reliability Grade: High (based on the following statistics)
Source Reliability Statistics:

False Positive Rate (incorrectly implicating Silver_Phalanx): 10%
False Negative Rate (incorrectly exonerating Silver_Phalanx): 5%

Name: Almekist
Expertise: Centurion attack method
Source Reliability Grade: Medium (based on the following statistics)
Source Reliability Statistics:

False Positive Rate (incorrectly implicating Silver_Phalanx): 20%
False Negative Rate (incorrectly exonerating Silver_Phalanx): 10%

Name: Mark_of_Kain
Expertise: Silver_Phalanx activity
Source Reliability Grade: Medium (based on the following statistics)
Source Reliability Statistics:

False Positive Rate (incorrectly implicating Silver_Phalanx): 20%
False Negative Rate (incorrectly exonerating Silver_Phalanx): 10%

Rattle-Jacks / Jack-knife attack method – Expert Statistics

Name: The_Crysalis
Expertise: Jack-knife attack method
Source Reliability Grade: Medium (based on the following statistics)
Source Reliability Statistics:

False Positive Rate (incorrectly implicating Silver_Phalanx): 20%
False Negative Rate (incorrectly exonerating Silver_Phalanx): 10%

Name: Hail_Blob
Expertise: Jack-knife attack method
Source Reliability Grade: High (based on the following statistics)
Source Reliability Statistics:

False Positive Rate (incorrectly implicating Silver_Phalanx): 10%
False Negative Rate (incorrectly exonerating Silver_Phalanx): 5%

Name: TeaTimeCowboy
Expertise: Rattle-Jack activity
Source Reliability Grade: Medium (based on the following statistics)
Source Reliability Statistics:

False Positive Rate (incorrectly implicating Silver_Phalanx): 20%
False Negative Rate (incorrectly exonerating Silver_Phalanx): 10%

General Note Regarding Sources:
The source reliability statistics provided above have been gathered for when a given source is only using their own opinion / information.

As such, if one of your sources is referring to a secondary source in their reports (i.e. a source other than themselves), analysts are instructed to treat the supplied error rates for that source as more variable.

Specifically, error rates should either double (for instances where the secondary source has made an error) or halve (for instances where the secondary source has not made an error themselves). For example, if the secondary source falsely implicates a culprit, then the probability that the present source will also falsely implicate the culprit is doubled, while if the secondary source correctly exonerates a culprit, then the probability that the present source will still falsely implicate the culprit is halved.

Part 1: First Round of Intel:

Within 48 hours, you have heard back from 4 of your 6 sources. Based on their reports, you have the following summary information:

Glymer
Summary: The source reports that the attackers used “The Centurion” method (and thus indicates the Silver_Phalanx was the culprit).Glymer also mentions that they passed on their analysis to Alkemist – a source you are waiting to hear back from.

Mark_of_Kain
Summary: The source reports that the Silver_Phalanx was not active at the time of the attack, and thus indicates the Silver_Phalanx was not the culprit.

TeaTimeCowboy
Summary: The source reports that the Rattle-Jacks were not active at the time of the attack, and thus indicates the Rattle-Jacks were not the culprit.

Hail_Blob
Summary: The source reports that the attackers used the “Jack-knife” method (indicating the Rattle-Jacks were the culprit). Among Hail_Blob’s analysis, it should be noted that there appears to be technical references and arguments commonly attributed to The_Crysalis (a source you are yet to hear back from).

Part 2: Second (and final) Round of Intel:

A few hours after the first round of reports, you hear back from the final 2 sources. Based on their reports, you have the following summary information:

Alkemist
Summary: The source reports that the attackers did not use “The Centurion” method (and thus indicates the Silver_Phalanx was not the culprit). Among Alkemist’s analysis, it should be noted that there appears to be technical references and arguments commonly attributed to Glymer (a source you heard back from in the first round).

The_Crysalis
Summary: The source reports that the attackers did not use the “Jack-knife” method (and thus indicates the Rattle-Jacks were not the culprit). The_Crysalis also mentions that they passed on their analysis to Hail_Blob a few hours prior.

Technical Report Evidence

Evidence 5:

Radar Station automated logs

An old radar listening station is located on the island, covering the area of sky above the island’s landmass.

These stations were automated, and were designed to look for particular radar signatures, providing a simple daily report log that indicated positive if anything meeting its target signature characteristics had been detected in the last 24 hours(and negative if nothing had).

Automated Report Log Reliability:
Even now, the automated report logs are considered highly reliable, in that they have very low chances of false positives (0.5%) if no such signatures were present. There is however, an issue with the report logs: Although the radar station was originally designed to look for signatures corresponding to the typical size and altitudes of Rinian spy planes, in more modern times, two types of plane are known to fit these criteria: Rinian spy planes and Ul’Sandan drones. As such, the engineers who maintain the station provide you with the statistics they have regarding typical detection probabilities for each of these two cases:

Ul-Sandan drones have typically triggered positive reports 95% of the time they have been known to fly within the range of the radar, while modern Rinian spy planes have typically triggered positive reports 90% of the time that they are known to be within the area covered by the radar.

Automated Report Log:
The report comes back as positive for the 24-hour period when the Black Site was present.

Population

1000

hit + miss + false alarm + correct reject

500

500

base rate hit + miss 1 - base rate false alarm(FA) + correct reject(CR)

250

250

250

250

hit rate hit

miss rate miss

FA rate FA

CR rate CR

p(H/D) =

250 250 +250

=

0.5

Frequency	True positive	True negative	Total
	hit	false alarm	All positive
Positive test	250	250	500
	miss	correct reject	All negative
Negative test	250	250	500
Total	500	500	1000

Population

1000

hit + miss + false alarm + correct reject

500

500

base rate hit + miss 1 - base rate false alarm(FA) + correct reject(CR)

250

250

250

250

hit rate hit

miss rate miss

FA rate FA

CR rate CR

p(H/D) =

250 250 +250

=

0.5

Frequency	True positive	True negative	Total
	hit	false alarm	All positive
Positive test	250	250	500
	miss	correct reject	All negative
Negative test	250	250	500
Total	500	500	1000

Population

1000

hit + miss + false alarm + correct reject

500

500

base rate hit + miss 1 - base rate false alarm(FA) + correct reject(CR)

250

250

250

250

hit rate hit

miss rate miss

FA rate FA

CR rate CR

p(H/D) =

250 250 +250

=

0.5

Frequency	True positive	True negative	Total
	hit	false alarm	All positive
Positive test	250	250	500
	miss	correct reject	All negative
Negative test	250	250	500
Total	500	500	1000

Population

1000

hit + miss + false alarm + correct reject

500

500

base rate hit + miss 1 - base rate false alarm(FA) + correct reject(CR)

250

250

250

250

hit rate hit

miss rate miss

FA rate FA

CR rate CR

p(H/D) =

250 250 +250

=

0.5

Frequency	True positive	True negative	Total
	hit	false alarm	All positive
Positive test	250	250	500
	miss	correct reject	All negative
Negative test	250	250	500
Total	500	500	1000

Population

1000

hit + miss + false alarm + correct reject

500

500

base rate hit + miss 1 - base rate false alarm(FA) + correct reject(CR)

250

250

250

250

hit rate hit

miss rate miss

FA rate FA

CR rate CR

p(H/D) =

250 250 +250

=

0.5

Frequency	True positive	True negative	Total
	hit	false alarm	All positive
Positive test	250	250	500
	miss	correct reject	All negative
Negative test	250	250	500
Total	500	500	1000

Population

1000

hit + miss + false alarm + correct reject

500

500

base rate hit + miss 1 - base rate false alarm(FA) + correct reject(CR)

250

250

250

250

hit rate hit

miss rate miss

FA rate FA

CR rate CR

p(H/D) =

250 250 +250

=

0.5

Frequency	True positive	True negative	Total
	hit	false alarm	All positive
Positive test	250	250	500
	miss	correct reject	All negative
Negative test	250	250	500
Total	500	500	1000