Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

5/2/2017
10:00 AM
Jonathan Couch
Jonathan Couch
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail vvv
100%
0%

What's in a Name? Breaking Down Attribution

Here's what you really need to know about adversaries.

In the past few years, the topic of "attribution" has often come up. As more large-scale breaches occur and issues concerning cybersecurity become more mainstream, people want to know who is responsible. Among cybersecurity practitioners, there are two general camps — some believe that identifying the perpetrators is important, and some see this as fruitless.

Those in the former group like associating a face or a specific organization to the problem because it makes the attacker "known" and makes them feel more empowered to fight back. Those on the opposite side don't care about attribution at all. They believe it's a waste of time and money because unless you're a casualty of a major crime spree, with law enforcement engaged to bring down the perpetrator, there isn't much value in knowing an individual's name.

Is there a middle ground? What value does putting a name to an adversary bring to the table? It really comes down to the level of attribution and the trade-offs you must make as you build your dossier, because generally, organizations don't need to be able to pin a photo of their attackers on the wall to stop them.

Levels of Attribution
Sometimes attribution means identifying the actual group or person. You want to know what they look like, where they live and work, their schedules, and how to reach them — either electronically or physically. Other times, attribution can be obfuscated to protect sources and methods. Those with a need to know have access to the full details, while others only hear about "source B" or "sensitive source 12345." Most frequently, attribution is based on what the adversary is actually doing. A code name is assigned to indicate an individual or group responsible for a certain attack, like APT 1, Comment Panda, or Comment Crew. Sometimes a name is assigned to a specific campaign, like Angler, Locky, and Sundown.

Government organizations typically seek the highest level of attribution. But for businesses, the level of attribution should be predicated on what security professionals need to achieve as their end goal: enabling the enterprise to be as secure as possible, given resource limitations, in order to drive business growth.

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

Living by the 80/20 Rule
Attribution doesn't come easy, and the law of diminishing returns comes into play. There is a cost associated with attribution and you can get 80% of the way there for 20% of the cost. So with minimal time and effort, you can get basic but important information.

What starts with raw threat data becomes groups of campaigns and malware families based on the code base or indicators, how the malware and campaigns are used, and the infrastructure involved. Tying adversaries to campaigns and generically named adversary groups is typically sufficient so that multiple teams across the enterprise can utilize the threat intelligence. As you try to get more detail — the base of operations and individual names — costs increase exponentially, but to what end? An arrest is highly unlikely. If the goal is to protect the business, your employees, and customers, this approach of defining campaigns and adversary groups usually works very well.

Know Your User Groups
When it comes to security operations, consider what level of attribution the different groups involved in protecting your organization need to be successful.

  • The intel team is typically the group assigned to determine attribution and is responsible for pulling all this information together. To make the best use of their resources, this team typically creates a one-size-fits-all solution for attribution. They provide the information about the indicators and codebase involved, the malware and campaigns, the infrastructure used, typical targets by geography or industry, and then tie that information together to identify adversary groups. Other teams then tap into that attribution information for their needs. 
  • The incident response team needs context around campaigns to validate that something bad is really happening, and isn't a false positive so that they can remediate incidents and breaches. Campaigns can be grouped by attribution. When you have these groupings, it allows the incident response team to start with an indicator found on the network and learn more about the attack so they can look for related indicators that those adversaries use. Knowledge of how adversaries and campaigns operate and the infrastructure used can help them accelerate response and make sure it doesn't happen again.
  • The vulnerability management team needs to know which vulnerabilities are being targeted, if there is an exploit that is being deployed, and if any groups have successfully targeted that vulnerability already. This information provides the team with some level of confidence that someone is targeting the organization so that they can prioritize patching accordingly.
  • The security operations center is looking to threat intelligence for validation and verification. For example, with attribution grouped according to a campaign and how that campaign operates down to the command and control server, the exfiltration server, and a specific type of malware, the team knows how the adversary operates. This gives the team a high level of confidence that an attack is occurring and lets them quickly take action.
  • The hunt team takes the attribution information — in particular, the details of campaigns being run — to determine if they've seen that type of activity before. Understanding what an adversary targets, how they execute, their motivation, and any specific industries affected, the hunt team can see if there is some activity the SIEM may have missed.

For each of these functions, knowing if the team is fighting Joe or Jane doesn't matter. What matters is having intelligence grouped in a logical manner so that they can build confidence around knowing what these attackers are doing, how, when, and to whom. Whether it's knowing what to look for or understanding what they're seeing, they can then launch a better fight and apply a better fix. Organizations benefit from attribution, but at the level that makes sense for the business. 

Related Content:

As Senior VP of Strategy of ThreatQuotient, Jonathan Couch utilizes his 20+ years of experience in information security, information warfare, and intelligence collection to focus on the development of people, process, and technology within client organizations to assist in ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3154
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
CVE-2019-17190
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
CVE-2014-8161
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
CVE-2014-9481
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVE-2015-0241
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...