Unlike the movies, hackers typically don’t infiltrate businesses and steal intellectual property while sitting in their mother’s basement. Instead, they launch attacks from devices in organizations they’ve already infiltrated. They use these infiltrated sites to make multiple “hops” before arriving at their objective to obfuscate their location. These hackers use their skills and time to hide their identity prior to the start of the operation. This process makes it difficult for threat analysts to determine who they are and where they are located (aka attribution).
Not only can attribution be difficult, but if the wrong organization (nation-state, etc.) is identified, it can lead to false accusations, which can be risky for the accuser.
Over the past few years, attribution has come up more often as large-scale breaches have become more mainstream. After a major breach occurs, security analysts will typically attempt to determine who was behind the attack. For example, China was believed to have carried out an attack against the Office of Personnel Management; the Iranian government was believed to have hacked a small dam in New York; and North Koreans were believed to be responsible for the Sony breach. In the end, people want to know who is responsible for the incident, and attribution is an attempt to uncover the culprit.
Attribution is not a new concept. It’s been around for a while as officials try to identify who is responsible. Just as there isn’t always a direct answer to who committed a traditional crime, it can also be difficult to find evidence of attribution of a cybercrime.
“Attribution is extremely difficult and requires intelligence sources that are reliable and accurate,” says David Kennedy, CEO of TrustedSec. “The intelligence community typically monitors specific groups and activity in order to have high confidence. It’s not a perfect system, but the US is one of the best.”
Thomas Rid, professor and author of Attributing Cyber Attacks seems to agree. “Obviously there are cases where we cannot come to a clear conclusion in digital forensics. It’s always a question of what evidence did you get,” says Rid. “But there is still this ‘attribution is impossible’ knee jerk reaction that occasionally pops up, which really doesn’t make much sense. The idea that attribution is not possible really doesn’t carry any weight in the technically informed community anymore.”
Are We Focusing On The Wrong Thing?
Having a security team attempt to determine attribution can be a time-consuming process, and sometimes futile if you don’t have the evidence or talent to attribute the event. While having this information may be useful, it doesn’t help your organization improve its defenses so it will be better prepared for the next attack.
Your resources should be focused first on protecting your network to make sure you’ve done everything to stop future infiltrations. This includes following these steps:
- Appoint a person to oversee your security program.
- Update your security software (this includes operating system security patches).
- Schedule security audits to make sure you measure your efforts.
- Create a plan for incident response.
- If you don’t have enough internal talent to handle the load, get help from a managed services provider.
While it may be helpful to know “whodunit,” it’s more important to protect your company before the next attack occurs. Following these five steps will help you reach that goal.