Attribution: Does It Really Matter?

Unlike in the movies, hackers typically don’t infiltrate businesses and steal intellectual property while sitting in their mother’s basement. Instead, they launch attacks from devices in organizations they’ve already compromised. To obscure their true location, they route through these compromised sites, making multiple “hops” before arriving at their objective. These hackers invest skill and time in hiding their identity before the operation even starts. This makes it difficult for threat analysts to determine who they are and where they are located (a process known as attribution).

Not only can attribution be difficult, but if the wrong organization (nation-state, etc.) is identified, it can lead to false accusations, which can be risky for the accuser.

Over the past few years, attribution has come up more often as large-scale breaches have become more mainstream. After a major breach occurs, security analysts will typically attempt to determine who was behind the attack. For example, China was believed to have carried out an attack against the Office of Personnel Management; the Iranian government was believed to have hacked a small dam in New York; and North Koreans were believed to be responsible for the Sony breach. In the end, people want to know who is responsible for the incident, and attribution is an attempt to uncover the culprit.

Attribution is not a new concept. It’s been around for a while as officials try to identify who is responsible. Just as there isn’t always a direct answer to who committed a traditional crime, it can also be difficult to find evidence of attribution of a cybercrime.

“Attribution is extremely difficult and requires intelligence sources that are reliable and accurate,” says David Kennedy, CEO of TrustedSec. “The intelligence community typically monitors specific groups and activity in order to have high confidence. It’s not a perfect system, but the US is one of the best.”

Thomas Rid, professor and author of Attributing Cyber Attacks, seems to agree. “Obviously there are cases where we cannot come to a clear conclusion in digital forensics. It’s always a question of what evidence did you get,” says Rid. “But there is still this ‘attribution is impossible’ knee-jerk reaction that occasionally pops up, which really doesn’t make much sense. The idea that attribution is not possible really doesn’t carry any weight in the technically informed community anymore.”

Are We Focusing On The Wrong Thing?

Having a security team attempt to determine attribution can be a time-consuming process, and sometimes a futile one if you don’t have the evidence or the talent to attribute the event. While this information may be useful, it doesn’t help your organization improve its defenses so that it is better prepared for the next attack.

Your resources should be focused first on protecting your network to make sure you’ve done everything to stop future infiltrations. This includes following these steps:

1. Appoint a person to oversee your security program.
2. Update your security software (this includes operating system security patches).
3. Schedule security audits to make sure you measure your efforts.
4. Create a plan for incident response.
5. If you don’t have enough internal talent to handle the load, get help from a managed services provider.

While it may be helpful to know “whodunit,” it’s more important to protect your company before the next attack occurs. Following these five steps will help you reach that goal.

Network Security vs. Endpoint: Which One Is Right For Your Business?

Every week, 95% of network threat alerts are ignored worldwide, leaving an average of 16,232 threats unchecked. Most of these are unwanted and irrelevant alerts, but what about the vital ones that go unnoticed?

Should you block these threats using network security before they actually hit your endpoints with detection and sandboxing?

What if you don’t have secure endpoints? Will this leave a single layer that hackers can easily penetrate?

Network security

Network security involves protecting the devices and files on your network against unauthorized access. It focuses on protecting the integrity, confidentiality, and availability of your data. Network-based security can provide information about traffic on the network and about threats that have been blocked. The downside is that so many warnings can be generated that it’s easy to become overwhelmed by the data and false alarms and miss the actual attack.

Network security can also be time-consuming. When a viable threat is found, it needs to be investigated, which can be a long process. Networks have also become less predictable, which makes protecting them with network-based security more difficult.

In the past, network security has accounted for the majority of an organization’s security budget. However, things may be changing. As more security functions such as authentication, encryption, and anti-malware move to the endpoint, network security is changing with them.

“It’s certainly not time to rip out the firewall; network security isn’t dead yet. It’s changing,” says Spencer Ferguson of Wasatch Software.

Endpoint security

Endpoint security secures end-user devices like laptops, desktops, and mobile devices. It addresses the risk associated with the devices that connect to your network. Endpoint security differs from traditional antivirus in that, within an endpoint security framework, each individual endpoint is at least partially responsible for maintaining its own security.

“The focus is going away from the network perimeter and to the endpoint because it has to,” says Shane Vinup with Cyber Advisors. “There’s a lot of data and a lot of sensitive data in the wild outside of the firewall. The focus now really is: How do I protect that data? The focus for a security professional has shifted from the perimeter.”

Mike Spanbauer, VP of Research and Strategy at NSS Labs, seems to agree that endpoints are important, but has concerns about determining who is responsible for protecting them. “Organizations have more endpoints today than ever, and securing those endpoints is challenging, because it’s rare that any one organization is responsible for all the endpoints that touch its network and servers,” says Spanbauer. “This is why it’s so critical for businesses to identify who’s responsible for securing which endpoints before a security incident occurs.”

Why Not Use Both?

The advantages of endpoint and network security are not mutually exclusive; there are benefits to using both. Network security can identify and confirm anomalies, and the endpoints can then provide the clarifying detail.

To help secure your network, make sure your endpoints are secure. Then make sure your network security is in place to supplement your endpoint protection.