Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

6/29/2016
06:30 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

The Attribution Question: Does It Matter Who Attacked You?

Everyone will ask whodunnit, but how can an organization put that information to practical use during disaster recovery and planning for the future?

In normal life crises, the jump to assess blame is often the emotional reaction, but rarely the appropriate reaction. Assessing blame for who hit you with a cyberattack, however -- if not the individual, at least the general classification -- could be effective, if not essential to your recovery efforts, according to speakers at a Dark Reading Virtual Event Tuesday.

We asked speakers flat-out, "does attribution matter?"

Does it matter?

"It depends," said Mark Potter, principal systems security officer for Strategic Health Solutions. "It really depends, on the size and budget of your organization, the value and type of the assets, and types and frequency of attacks." 

If you don't have the internal skill set to go hunting for an attacker or the funds to hire outside contractors, says Potter, then it's more important to get the business back to normal. 

If you've got the resources, though, there are areas where accurate attacker attribution can help.

For one: damage assessment. Attribution is "key to trying to understand the extent of the damage and where else you should be looking," said Toni Gidwani, director of research operations at ThreatConnect. To make sure you've found all the places the attackers have reached, infected, damaged or stolen from, she said, the forensics team can be helped by the extra context, like knowing what particular exploit kits to hunt for.  

Dmitri Alperovitch, CTO and Co-founder of Crowdstrike, added that attribution helps assess the damages from a business perspective. "If your data has been stolen, who has it -- is it a competitor or is it a cybercriminal who may resell that data? ... Who's coming after and you and why can be a very important question."

Some businesses have begun to ask, said Alperovitch, to know more about about the character of certain ransomware operators. When deciding whether or not to pay a ransom request, victims want to whether this is an operator with a history of delivering on their promise to restore access to locked data or the type that just takes the money and runs.

Knowing the identity of attackers also impacts the design of security programs going forward. According to Alperovith and Gidwani, the difference between an opportunistic attacker and a targeted attacker or the difference between a destructive attacker and an intellectual property thief will change the sort of decisions you make about your defense. Some attackers move on quickly, while others come back if they didn't finish a job. They may aim for a variety of data, systems, or users.

"The better you know, the better you can allocate those funds to protect those assets," said Andrew Wild, chief security officer of Lancope. Knowing this information can also be used to get better buy-in and smarter investment from above, according to Wild. 

Why did we get better at attribution?

There is still a lot of progress to be made in attribution -- some are still announced with only low or moderate confidence. However, there has been a great deal of progress made in the past couple years: why?

Attribution is getting better because security got better, says Alperovitch. "It used to be that adversaries were inside networks for literally years. Now we're catching more and more intrusions, we're actually building up an encyclopedia, if you will, of tradecraft on what we've seen for different adversaries," he said, "how they operate, what their motivations are. And you start building the profiles and the modus operandi for the adversary so when you see them again, you know who you're dealing with."

Better attribution, however, has had its own impacts. Knowing with high confidence that one nation-state launched a cyberattack on another can create or exacerbate socio-political conflicts, and not all regions have equal attribution capabilities (according to Richard Bejtlich in a Dark Reading interview last year).

Alperovitch commented that it was "really remarkable to watch" cybersecurity become the top issue of a meeting between two world leaders, when President Barack Obama and President Xi Jinping of the People's Republic of China met last year. 

Gidwani added that better attribution is "starting to open up these non-technical responses for our political leaders."

The ability to respond to cyber espionage or destructive attacks with trade sanctions, for example, is, says Gidwani, a "step forward."

Related Content:

 

Black Hat’s CISO Summit Aug 2 offers executive-level insights into technologies and issues security execs need to keep pace with the speed of business. Click to register.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MarionGirault
50%
50%
MarionGirault,
User Rank: Apprentice
7/7/2016 | 8:09:14 AM
Re: The "Who" and the "How"
Ah yes i think to
LegerMuller
50%
50%
LegerMuller,
User Rank: Apprentice
7/6/2016 | 9:18:14 AM
Re: The "Who" and the "How"
Oh interresting
nathanwburke
50%
50%
nathanwburke,
User Rank: Author
6/30/2016 | 2:22:06 PM
The "Who" and the "How"
I really liked this article, as it makes you wonder about the "who" rather than the "how".

First, asking "does it even matter?" really means that we've conceded the battle. We're saying that it doesn't matter who attacked you because they'll never be found, operate in a consequence-free environment, and even if you knew who was beind the attack generally, nothing will come of it. 

Second, it begs the question: are the attackers really interchangeable as long as the methods work? Like 401 scammers, craigslist ripoff artists, and drug dealers, it seems that busting one criminal just means someone else will take their place. 

You're right in that it's an emotional reaction. There's someone out there that has made the decision to attack and hold data for ransom, and that person should be punished. However, the fact that there's money to be made that is virtually risk-free means there will always be someone willing to do it. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...