The great attribution debate: Why we should focus on HOW not WHO
Organisations often don’t understand what they need to be protecting themselves from when it comes to costly cyber-attacks. The threat landscape is becoming ever-more evolved and it’s now rare for a day to go by without a new form of attack hitting the headlines.
Interventions by hacking groups into foreign affairs, such as reports that Russian hackers targeted twenty-one US states during the election campaign and the recent Olympic Destroyer malware which targeted the Pyeongchang Winter Olympic Games, highlight how cyber-attacks can influence and affect not only individuals and organisations, but also global events, economies and political outcomes.
It has become increasingly challenging to track these attacks effectively, prevent them and identify the perpetrator. But where exactly should organisations be focusing their efforts?
Attribution: achieving the impossible
It’s incredibly rare that we can categorically say whether a specific actor was definitively behind an attack. Anyone using the internet has some form of identifying information associated with their online activity – be it an IP address, user-agent or login credential – so it stands to reason that we can identify malicious actors through patterned usage of those features. However, careful use of certain tools, online tradecraft and encryption services (such as VPNs) can be used to mask a user’s online identity.
As analysts we are essentially trying to identify an actor’s signature: some uniquely identifiable component of their online activity which gives their identity away. As previously explained, it’s a very complex picture and we have to use structured threat intelligence in a threat intelligence platform to identify the key attributes that might provide clues. This can be anything from the way they write their malware, time-zone analysis or even specific commands they use when accessing networks. Even then, however, attribution can rarely be 100 per cent accurate.
Scepticism is key to all good analysis and it’s important that companies who are interested in threat actor attribution explore assertions with healthy challenge. Keep challenging, and back assertions up with good evidential chains captured in a structured threat intelligence platform.
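The time-zone analysis mentioned above, combined with the healthy challenge this paragraph asks for, can be made concrete. The following is an added example written for this page, not the author’s own tooling or any particular threat intelligence platform: it takes a constructed set of UTC timestamps tied to one intrusion set (compile times, infrastructure registration and the like are the usual sources), scores each candidate UTC offset by how much of the activity would fall inside an assumed 09:00–18:00 working day, and then deliberately refuses to give more than "low" or "moderate" confidence, because a small sample or several near-equal offsets should be recorded as caveats in the evidential chain rather than hidden behind a single answer.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of artefacts attributed to one intrusion
# set. Invented for illustration only; they are not real indicators.
SAMPLE_TIMESTAMPS_UTC = [
    "2018-02-05T06:12:00", "2018-02-05T07:45:00", "2018-02-06T05:30:00",
    "2018-02-06T09:10:00", "2018-02-07T04:55:00", "2018-02-07T11:20:00",
    "2018-02-08T06:40:00", "2018-02-08T08:05:00", "2018-02-09T05:15:00",
    "2018-02-09T10:30:00", "2018-02-12T07:00:00", "2018-02-12T03:50:00",
]

# Assumed working day (hypothetical choice; adjust per hypothesis).
WORK_START, WORK_END = 9, 18


def parse_utc(ts):
    """Parse an ISO-8601 timestamp and mark it as UTC."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def working_hour_fraction(timestamps_utc, offset_hours):
    """Fraction of events inside the assumed working day once the
    timestamps are shifted into UTC+offset_hours."""
    tz = timezone(timedelta(hours=offset_hours))
    local_hours = [parse_utc(t).astimezone(tz).hour for t in timestamps_utc]
    inside = sum(1 for h in local_hours if WORK_START <= h < WORK_END)
    return inside / len(local_hours)


def rank_offsets(timestamps_utc, offsets=range(-12, 15)):
    """Return (offset, fraction) pairs, best-fitting offset first."""
    scored = [(o, working_hour_fraction(timestamps_utc, o)) for o in offsets]
    return sorted(scored, key=lambda p: (-p[1], abs(p[0])))


def assess(timestamps_utc, tolerance=0.1, min_events=20, max_band=2):
    """Leading hypothesis plus the caveats an analyst should record.

    Confidence is capped at 'moderate': a working-hours pattern can be
    spoofed and can be misread, so it is one attribute, never proof.
    """
    ranked = rank_offsets(timestamps_utc)
    best_offset, best_frac = ranked[0]
    # Every offset that fits almost as well as the best one is plausible.
    band = sorted(o for o, f in ranked if f >= best_frac - tolerance)
    caveats = []
    if len(timestamps_utc) < min_events:
        caveats.append("fewer than %d events" % min_events)
    if len(band) > max_band:
        caveats.append("%d offsets fit almost as well" % len(band))
    if best_frac < 0.8:
        caveats.append("no offset explains most of the activity")
    return {
        "best_offset": best_offset,
        "fit": best_frac,
        "plausible_offsets": band,
        "confidence": "low" if caveats else "moderate",
        "caveats": caveats,
    }


if __name__ == "__main__":
    result = assess(SAMPLE_TIMESTAMPS_UTC)
    for key, value in result.items():
        print("%-18s %s" % (key, value))
```

On the constructed sample the best fit is UTC+6 with every event inside working hours, but UTC+5 and UTC+7 fit nearly as well and there are only twelve events, so the function reports low confidence with both reasons listed. That output is the kind of challengeable, evidenced assertion the paragraph above argues for, rather than a bare "the actor works in UTC+6".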
The ‘who’ vs. the ‘how’?
There are both good and bad reasons behind attribution and our desire to discover the actors responsible for attacks.
When an attack takes place, it’s human nature to want to have someone to blame. Yet often, attribution is too little, too late when it comes to keeping safe – the damage has already been done.
Alongside this, the seeming obsession many people have with identifying threat actors often leads to finger-pointing, which could have a very large impact on the current geopolitical climate if a nation state is suspected to be involved. An understanding of an actor’s intent or modus operandi is clearly valuable for an investigator responding to an incident, but that value should not be mistaken for an opportunity to gossip.
Instead of focusing on attribution – which could be deemed as closing the stable door after the horse has bolted – I believe the most important thing should be a specific focus on tactics, techniques and procedures (TTPs). It shouldn’t just be about the ‘who’, but the ‘how’.
By moving the focus away from attribution and more towards TTPs, we will be better prepared to prevent more attacks than at present. By knowing and understanding all the potential TTPs which could be used in an attack, it is possible to close off the back doors to criminals while those concentrating on attribution leave themselves open to cyber criminals and further attacks.
While TTPs are almost the only reliable way to track this sort of threat, analysts should not ignore attribution altogether. It’s important to take note of the Diamond Model, ensuring a holistic approach to data collection, and to make sure your pursuit of attribution serves to improve your understanding of the motivations behind the attack and lets you compare and contrast those motivations with the tools used. If the motives don’t fit the crime, or the tools used, then allow yourself to explore alternative hypotheses and don’t get caught up in finger-pointing.
And finally, it’s vital to ensure the basics of network defence are covered first and foremost. Instead of getting too obsessed with the ‘who’, organisations should ensure all systems are up to date, patches are deployed and standards are adhered to. By doing this, businesses and governments can most effectively protect against the most commonly used TTPs and use their resources more effectively.
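The shift from ‘who’ to ‘how’ that the last four paragraphs argue for can be turned into a routine exercise. The following added example is written for this page and is not the author’s method or any vendor’s product: it holds a handful of constructed incident records (each with the TTPs observed and a deliberately uncertain attribution field), a constructed map of deployed controls to the TTPs they address, and a list of candidate controls. It then ranks the TTPs that no control covers by how often they recur across incidents, regardless of attribution, and scores each candidate control by how many uncovered incident-TTP pairs it would close. The TTP and control names are illustrative labels, not identifiers from any framework.

```python
from collections import Counter

# Constructed incident records (invented for illustration).
INCIDENTS = [
    {"id": "inc-1", "attributed_to": "unknown",
     "ttps": ["spearphishing attachment", "macro-enabled document",
              "powershell", "credential dumping",
              "remote services lateral movement"]},
    {"id": "inc-2", "attributed_to": "group A (low confidence)",
     "ttps": ["exploit public-facing application", "web shell",
              "credential dumping", "remote services lateral movement",
              "data encrypted for impact"]},
    {"id": "inc-3", "attributed_to": "group B (low confidence)",
     "ttps": ["spearphishing link", "powershell", "credential dumping",
              "scheduled task persistence"]},
    {"id": "inc-4", "attributed_to": "unknown",
     "ttps": ["valid accounts", "remote services lateral movement",
              "data encrypted for impact"]},
]

# Constructed map of controls already deployed -> TTPs they mitigate or detect.
CONTROLS = {
    "mail attachment sandboxing": ["spearphishing attachment",
                                   "macro-enabled document"],
    "script block logging + alerting": ["powershell"],
    "offline backups, restore tested": ["data encrypted for impact"],
    "patch SLA for internet-facing apps": ["exploit public-facing application"],
}

# Constructed candidate controls under consideration.
CANDIDATE_CONTROLS = {
    "LSASS access protection": ["credential dumping"],
    "admin tiering + MFA for remote services": [
        "remote services lateral movement", "valid accounts"],
    "web shell detection on web servers": ["web shell"],
}


def ttp_frequency(incidents):
    """Count incidents in which each TTP appeared; attribution is ignored."""
    freq = Counter()
    for inc in incidents:
        freq.update(set(inc["ttps"]))
    return freq


def covered_ttps(controls):
    """Set of TTPs addressed by at least one control."""
    return {t for ttps in controls.values() for t in ttps}


def coverage_gaps(incidents, controls):
    """Observed TTPs with no deployed control, most frequent first."""
    covered = covered_ttps(controls)
    gaps = [(t, n) for t, n in ttp_frequency(incidents).items()
            if t not in covered]
    return sorted(gaps, key=lambda p: (-p[1], p[0]))


def incidents_fully_covered(incidents, controls):
    """Incident ids whose every observed TTP is addressed by some control."""
    covered = covered_ttps(controls)
    return [inc["id"] for inc in incidents if set(inc["ttps"]) <= covered]


def prioritise_candidates(incidents, controls, candidates):
    """Score each candidate control by the number of uncovered
    (incident, TTP) pairs it would close; highest first."""
    covered = covered_ttps(controls)
    uncovered_pairs = {(inc["id"], t) for inc in incidents
                       for t in inc["ttps"] if t not in covered}
    scored = []
    for name, ttps in candidates.items():
        closed = sum(1 for _, t in uncovered_pairs if t in ttps)
        scored.append((name, closed))
    return sorted(scored, key=lambda p: (-p[1], p[0]))


if __name__ == "__main__":
    print("Uncovered TTPs by recurrence:")
    for ttp, n in coverage_gaps(INCIDENTS, CONTROLS):
        print("  %d  %s" % (n, ttp))
    print("Incidents fully covered:", incidents_fully_covered(INCIDENTS, CONTROLS))
    print("Candidate controls by pairs closed:")
    for name, closed in prioritise_candidates(INCIDENTS, CONTROLS, CANDIDATE_CONTROLS):
        print("  %d  %s" % (closed, name))
```

On the constructed data, credential dumping and lateral movement over remote services each recur in three of four incidents and are unaddressed, so they top the gap list, and the candidate that closes the most open pairs is the tiering-plus-MFA control rather than anything tied to a named group. Swapping the attribution field to a different actor changes none of the output, which is the point of the article: the back doors get closed on the strength of the ‘how’.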