Attribution in Cyber Security

People like to argue in cyber security. If you’ve been around it for a while, you’ve almost certainly seen (too) many examples of this. Performing attribution to a group or persons for specific intrusions is one of those areas of consistent, and sometimes considerable, disagreement and friction. I’ve noticed that attribution attracts a very binary point of view. It either matters a lot or it doesn’t matter at all.

Two weeks ago I ran into this post on LinkedIn by Richard Bejtlich.

Where Attribution Matters Far Less

I don’t know that attribution does much when you are in the midst of a fire. If you are doing incident response, you are focused on containing the threat actor and getting them out of the compromised assets. If you are threat hunting, you are looking for anything malicious. It doesn’t matter who did it. Discovering it is the prime mission. The same goes for folks working in a SOC. They are watching for signs of malicious activity, no matter who did it.

Can attribution help here? Sure, there’s information that threat intel provides about different actors that could help respond in an incident. If the victim is able to quickly pin it down to an actor, they might be able to watch for different tactics, techniques, procedures, and tools. But more than likely, responders are heads down trying to put the fire out.

The victim organization may take some satisfaction in knowing that APT123456 or DIPSTICK DUCK did it, but there’s not much they can do against the party to blame. Maybe they can sue someone? But I don’t see suing the GRU leading to any useful response or relief.

Where Attribution Matters

Attribution can become very useful after the intrusion is over, depending on who is making use of the data. Law enforcement absolutely uses this information and tries to arrest the perpetrators of the intrusion. There have been a number of stories over the last few years where law enforcement was able to make some of these arrests. I was stunned when Colonial Pipeline paid the ransom and then the FBI was able to recover most of the Bitcoin tokens from the attacker’s wallet! Their work on attribution meant the FBI had infiltrated the group enough that they had access to the private key for their wallet, which is an amazing coup.

Policy makers and legislators can also make use of attribution to determine how their countries will respond to attacks. We usually see this in diplomatic denouncements and sanctions.

Finally, organizations and security teams can use the information being published about these attributed intrusions to evaluate their risk and make preparations. For example, if there had been no public attribution of intrusions executed by the People’s Republic of China, then organizations would be blissfully unaware and completely unprepared for the risks that business operations within the country could incur. I’m not saying that organizations shouldn’t do business with China, but they should be aware of the landscape they are operating in, and take steps to protect themselves as much as possible.

Final Thoughts

Overall, I’m in favor of efforts to perform attribution. Without it, it’s too easy to walk blindly into risky situations. We end up completely unprepared for the reality of the world of online espionage. I recall people loudly saying that if your threat model included nation states, then you were doing it wrong. I disagree. It should be considered, because I’ve seen the number and types of organizations that get targeted by countries. We may not be able to stop everything they do, but we don’t have to make it easy for them.

On the criminal side of things, I’m a MAJOR fan of attribution. The people engaging in extortion, ransomware, and social engineering scams are extracting a high price from us. They put businesses out of business and people out of work. They take money from the elderly by convincing them to buy gift cards and send them the numbers, expiration dates, and CVVs on them. I really, really don’t like these folks at all. So yes, we (as a society) should find out who these folks are and arrest them if possible.

Jason Wood