Attribution – Knowing Your (Cyber) Enemy
Today’s news is constantly streaming headlines of the latest and greatest cyber breaches faced by both the public and private sectors. Whether it is Facebook combating foreign influence operations, the City of Atlanta being hit with ransomware, troves of data being stolen from Equifax, or small and medium-sized businesses targeted by cybercrime, one thing is certain – malicious cyber activity is here to stay.
Victims of cyber breaches often find themselves needing fast answers to questions like:
- How did the incident occur?
- What sort of information was stolen or compromised?
- How will the breach adversely impact the organization?
- What is the affected organization legally required to disclose in its post-breach notification?
- How soon can business operations resume?
- Can business operations resume?
In short, contending with a cyber breach is a taxing scramble. But one aspect of a breach that can at times fall by the wayside is the ‘whodunnit’ factor. In the cyber domain, the process of tracking, identifying, and assigning responsibility to the perpetrator of a cyberattack or other intrusion is commonly referred to as attribution.
Complexities and Setbacks
Attribution can be a daunting task, particularly against a technologically advanced adversary. Adversaries typically include nation states, cybercriminals, hacktivists, script kiddies, and insiders. While the purpose of this article is not to detail the profiles and complexities of such diverse threat actors, it is helpful to know that your business can fall victim to a breach from any of them.
Let’s get back to attribution itself. Attribution is a complex process that can require highly trained forensics experts and cyber threat intelligence analysts to figure out who has breached your systems and how they managed to do so. Compounding an already difficult technical feat is the sophistication of the adversary you are facing. For example, if your business is the victim of a cyber breach executed by a nation state such as Iran, North Korea, or Russia, then finding out who is responsible may be difficult, if not impossible, given the vast resources nation states devote to offensive cyber operations. Highly trained adversaries are also equipped with the expertise to cover their digital footprints or mislead forensic experts, for instance by reusing another group’s tooling or planting false flags. In practice, technical attribution therefore usually stops at clustering activity by shared infrastructure, malware, and techniques, stated with a confidence level, rather than naming an individual or government with certainty.
Another troubling aspect of attribution is the ‘so what’ factor. There is a perception that, ideally, once an adversary is identified, some retribution process can occur. The perception is reasonable, but in practice it rarely matches reality. Take, for (fictitious) example, the Farlandian government hacking U.S.-based company Demetrio's Communication Services (DCS) in the wider context of a United States and Farlandian geopolitical rivalry. The DCS incident will not likely prompt a comprehensive U.S. response against Farlandia. Moreover, any offensive action by DCS against Farlandia would likely be futile, would expose DCS to legal liability (in the United States, unauthorized access to another party’s systems is prohibited under the Computer Fraud and Abuse Act regardless of motive), and could have wider consequences for the U.S. Regardless of the type of threat actor an organization may be facing, successful attribution does not always lead to a satisfying reprisal for the victim organization.
The Silver Lining of Attribution
Although attribution is anything but a clear-cut process, there are still some significant benefits from learning which adversaries are acting against us.
- Tactics, Techniques, and Procedures (TTPs) – Organizations that conduct successful attribution gain insight into the cyber ‘toolbox’ of their adversaries. This information helps an organization close the specific gaps the adversary exploited, harden against the techniques that actor is known to use next, and share that advice with other organizations in the same industry so they can better safeguard their own networks.
- Risk Prioritization and Mitigation – Staying ahead of the game with your cybersecurity strategy means surveying for potential threats. Part of this pre-breach analysis can include learning the methods that have been attributed to specific threat actors and understanding the targets they are most likely to pursue. By understanding who might be trying to compromise your network and how they tend to operate, you can prioritize your defensive efforts against those methods first.
- Post-Breach Efficiency – Knowing who has breached your organization provides insight into what information they are likely to have compromised. In addition to learning what data was compromised or stolen, effective attribution helps your incident response team judge what the data might be used for (financial gain, espionage, extortion, etc.). That judgment lets the team build a ranked list of mitigation and remediation priorities in the post-breach phase.
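The three benefits above share one mechanic: compare the techniques observed in an incident against the known TTPs of candidate actors, then use the best-matching actors to decide what to defend next and what the stolen data is likely for. The following Python example, added here and not part of the original article, shows that mechanic end to end. The actor names, their technique sets, objectives, and the technique-to-control mapping are all constructed for illustration (the Farlandia name is borrowed from the article’s own fictitious scenario); only the technique ID scheme (MITRE ATT&CK numbering) is real.

```python
"""Attribution-driven prioritization (illustrative example).

1. Score candidate threat actors by how well their known techniques match the
   techniques observed in an incident (Jaccard overlap).
2. For the most likely actors, list the techniques they commonly use that have
   NOT yet been observed, and rank the controls that cover them.
3. Report each likely actor's usual objective, to guide post-breach triage.

All actor profiles, objectives and control mappings below are CONSTRUCTED for
this example and are not real threat-intelligence data.
"""
from typing import Dict, List, Set, Tuple

# Constructed profiles: ATT&CK technique IDs each (fictitious) actor is known for.
ACTOR_PROFILES: Dict[str, Set[str]] = {
    "Farlandia-APT": {"T1566", "T1059.001", "T1003", "T1021.001", "T1048", "T1078"},
    "LockCrew (ransomware)": {"T1190", "T1059.001", "T1003", "T1021.001", "T1486", "T1047"},
    "CoinJar (cybercrime)": {"T1566", "T1547.001", "T1041", "T1056.001"},
}

# Constructed: what each actor usually wants, for the 'what is the data used for' question.
ACTOR_OBJECTIVES: Dict[str, str] = {
    "Farlandia-APT": "espionage: intellectual property and long-term access",
    "LockCrew (ransomware)": "extortion: encrypt and threaten to leak",
    "CoinJar (cybercrime)": "financial fraud: credentials and payment data",
}

# Constructed mapping from technique to the control that blunts it.
CONTROLS: Dict[str, str] = {
    "T1566": "mail filtering and phishing-resistant MFA",
    "T1190": "patch internet-facing services; WAF in front of them",
    "T1059.001": "PowerShell constrained language mode and script block logging",
    "T1003": "LSASS protection (Credential Guard / PPL)",
    "T1021.001": "RDP only via jump hosts with MFA",
    "T1078": "disable stale accounts; alert on anomalous logons",
    "T1048": "egress filtering and DNS/ICMP exfiltration detection",
    "T1486": "offline, tested backups and restore drills",
    "T1047": "restrict remote WMI execution",
    "T1547.001": "monitor Run-key autoruns",
    "T1041": "C2 beacon detection at the proxy",
    "T1056.001": "EDR keylogger detection",
}


def score_actors(observed: Set[str],
                 profiles: Dict[str, Set[str]] = ACTOR_PROFILES) -> List[Tuple[str, float]]:
    """Rank actors by Jaccard overlap between observed and profiled techniques."""
    scored = []
    for actor, techniques in profiles.items():
        union = observed | techniques
        jaccard = len(observed & techniques) / len(union) if union else 0.0
        scored.append((actor, round(jaccard, 3)))
    # Highest score first; ties broken by name so the output is deterministic.
    scored.sort(key=lambda item: (-item[1], item[0]))
    return scored


def prioritize_controls(observed: Set[str], top_n: int = 2,
                        profiles: Dict[str, Set[str]] = ACTOR_PROFILES,
                        controls: Dict[str, str] = CONTROLS) -> List[Tuple[str, int, str]]:
    """Return (technique, weight, control) for techniques the top actors are known
    for but that have not been observed yet. Weight = how many top actors use it."""
    likely = [actor for actor, _ in score_actors(observed, profiles)[:top_n]]
    weight: Dict[str, int] = {}
    for actor in likely:
        for technique in profiles[actor] - observed:
            weight[technique] = weight.get(technique, 0) + 1
    ranked = sorted(weight.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(t, w, controls.get(t, "no mapped control")) for t, w in ranked]


def likely_objectives(observed: Set[str], top_n: int = 2) -> List[Tuple[str, str]]:
    """Pair each of the most likely actors with its usual objective."""
    return [(actor, ACTOR_OBJECTIVES.get(actor, "unknown"))
            for actor, _ in score_actors(observed)[:top_n]]


if __name__ == "__main__":
    # Constructed incident: phishing, PowerShell execution, credential dumping.
    incident = {"T1566", "T1059.001", "T1003"}
    for actor, score in score_actors(incident):
        print(f"{score:.3f}  {actor}")
    for technique, weight, control in prioritize_controls(incident):
        print(f"[{weight}] {technique}: {control}")
    for actor, objective in likely_objectives(incident):
        print(f"{actor} -> {objective}")
```

Two design points worth noting. Jaccard rather than raw overlap keeps a sprawling profile from outscoring a tight one just because it lists more techniques, and ranking the not-yet-observed techniques of the top candidates is what turns attribution into a concrete defensive to-do list rather than a name. In a real engagement the profiles would come from a threat-intelligence source with confidence levels attached, and the result should be read as a hypothesis to test against further evidence, not as proof of who the adversary is.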