Overwhelming circumstantial evidence is nevertheless not proof
In many cases, however, this supposedly simple question cannot be answered so easily. Especially not if one sticks exclusively to the objective facts and leaves out the subjective opinion-forming that comes from the victim's local and temporal perception or from the press.
What happens when there is too much subjectivity is easily illustrated by the recent example of EyePyramid, an "information stealer" that has stolen around 87 GB of data in recent weeks. The data came from private companies, but also from government offices and other public organizations.
EyePyramid targeted more than 100 mail domains with more than 18,000 mail accounts. The victims, some of them high-ranking, came from Italy and other European countries, but also from the USA and Japan.
With this overwhelming evidence, the conclusion was clear to many: this is a state-driven or sponsored attack!
This conclusion was then eagerly taken up by the media and the general public. Unfortunately, there was just one problem: it was not true!
As it turned out in retrospect, the people behind EyePyramid are a brother and sister with purely monetary interests, not a state-sponsored organization preparing to fight the next cyber war.
This incident clearly shows what happens when facts are interpreted only within one's own "convenient" frame of reference, or are oversimplified. Serious security researchers limit themselves to technically verifiable information when it comes to "attribution," i.e., assigning attacks to actors.
Of course, there are also "clues" that point in a certain direction or that reinforce each other in combination. But the metaphorical "smoking gun" in the attacker's hand is rarely found.
To stay with EyePyramid: it is a fact that government-related organizations were (also) among those compromised. That is objective. The simplification that a state actor must therefore be behind it is subjective and far too simplistic.
Unfortunately, the factual reporting is far less spectacular than the (incorrect) simplification...
Even though the unjustified simplification of facts annoys me as a technically interested person, the topic could end here, were it not for some quite different side effects:
When reporting turns every molehill into a mountain and every cybercriminal action into a cyber war by state actors, this also has an impact on the security perception and the security behavior of all of us.
When all anyone talks about is cyber war and state actors, resignation sets in among many companies and private individuals:
"How am I as a person/company supposed to be able to protect myself against a state anyway?"
Alternatively:
"Why would a state target me anyway?"
The "success" of such sensationalist communication is that many do not even perceive the real danger, namely ordinary cybercriminals, and accordingly take no appropriate protective measures.
To put it bluntly: Yes, there are state actors out there who operate with big budgets. But for normal companies and private individuals, these actors are negligible from a risk assessment perspective! The "normal", monetarily driven cybercriminal poses the far greater risk!
Therefore, my request at this point: Do not let yourself be unsettled by sensational reports on cyberattacks by state actors! Conduct a risk assessment of your business processes, verify which actors pose a real risk there, and set up your security strategy accordingly.
Last but not least, I have a request for the press, bloggers, etc.: some things cannot be simplified any further! This also applies to circumstantial evidence in IT attacks, even if omitting or simplifying that evidence may conveniently produce "proof" that can then be sold as a big sensation.
Raimund Genes died unexpectedly at his home on Friday, March 24, as a result of a heart attack.
Trend Micro's longtime Chief Technology Officer was 54 years old. He built up the Japanese IT security provider in Germany and Europe and gave it an important public voice.
Starting in 2014, Genes enriched E-3 Magazine with his timely and astute commentary as part of the monthly IT Security column. Here, too, he provided valuable educational work for the SAP community.
We publish his last comment on this page posthumously. Our sympathy goes to his family and friends.