In Cyberwar, Attribution Can Be Impossible — and That's OK

Instead of using a substantial proportion of resources to determine attribution, organizations should focus on defenses that will help them remediate an attack.

Justin Fier, Director for Cyber Intelligence & Analytics at Darktrace

October 18, 2021

4 Min Read
Graphic suggesting a major cyberattack
Source: Skorzewiak via Alamy Stock Photo

For most of human history, battle lines have been clearly demarcated. Physical borders, trenches, and satellite imagery have shown us launch sites, front lines, and enemy targets. Technology has allowed opponents to trace every inch of a weapon's path. Historically, we have been able to determine the source of a strike and know who we're up against with clarity.

But the rules of cyberspace are different.

Acts of cyberwar continue to proliferate — defined by espionage, proxy battles, disinformation campaigns, and guerrilla tactics. Every day, it becomes more challenging to establish the source of an attack — and therefore, to establish an effective, proportional response.

An enemy you can neither see nor identify looms large. But it's time to acknowledge a hard truth: In today's world, attack attribution in cyberspace can be impossible for all but the best-resourced governments and organizations. A recent analysis of more than 200 cybersecurity incidents associated with nation-state activity since 2009 found that half of them involved "low budget, straightforward tools that could be easily purchased on the darknet."

The reality is apparent: We may never know who is behind incidents that create chaos and cause damage in most cases.

And that's OK.

Why "Who Did It" Matters Less Than "How to Prevent It"
Leading governments, enterprises, and other organizations on the cutting edge of cyber defense realize they cannot stop determined attackers from getting into systems. There are too many attack vectors, and digital infrastructure across industries is only becoming more complex. Between 2019 and 2020, ransomware attacks alone were up by 62% worldwide and 158% in just North America.

Instead, the entities best positioned to protect themselves are changing their strategy. Sophisticated organizations that are the victims of cyberwar are increasingly focusing on minimizing risk and disruption once attackers inevitably get inside — not on identifying attackers.

By assuming that a breach is inevitable, companies can concentrate on identifying anomalies in their digital infrastructures. Identifying potential threats will help prevent a breach from spreading laterally within their network and transitioning from a manageable attack into a full-blown disaster.

Consider the attack on SolarWinds, which came to light in December 2020. It cost SolarWinds $18 million to sort and $90 million for cyber insurers. Overall damages were estimated to be as high as $100 billion.

Similarly, the attack on Microsoft Exchange affected up to 60,000 organizations and 125,000 unpatched servers worldwide. The most alarming statistic? Attackers aimed 23% of all Microsoft exploit attempts at US government and military targets.

But how do you respond proportionately to the SolarWinds attack when Russia denies any involvement? How do you punish China for the Microsoft Exchange attack when they claim the accusation is nothing more than a "malicious smear"?

Why Self-Learning AI Matters More Than Ever
Instead of using a substantial proportion of resources to answer these questions of attribution, organizations should reprioritize these resources to focus on defenses that will help them remediate an attack. We absolutely should not ignore the geopolitical dynamics of cyberwar. But we should shift energy to concentrate resources on defensive capabilities to make operations significantly safer no matter the threat actor.

Self-learning artificial intelligence (AI) is the most effective weapon we can employ in this fight. Self-learning AI can continuously analyze an organization's behaviors in real time to learn what's normal for that organization. Detecting and disrupting abnormalities in their early stages will prevent malicious activity from escalating and give human security teams valuable airtime to respond and remediate the root cause of any incidents.

As attackers grow more advanced, so must our preparations to defend ourselves. We should not abandon efforts to determine attribution; President Biden's recent ransomware sanctions on virtual cryptocurrency exchange platforms and "red line" warning to Russia are steps in the right direction. That said, there needs to be more transparency around which cyber actions will lead to which consequences.

The sooner security leaders can embrace what is achievable, the better. We cannot stop breaches, but we can minimize disruption by continuing to expand and improve defensive capabilities. In cybersecurity, a good defense is more important than offensive capabilities. Cyber peace will not happen anytime soon, but cyber resilience will prove pivotal in helping nation-states gain the advantage over opponents.

About the Author

Justin Fier

Director for Cyber Intelligence & Analytics at Darktrace

Justin Fier is one of the United States' leading cyber intelligence experts, and holds the position of Director for Cyber Intelligence & Analytics at Darktrace. With over 10 years' experience in cyber defense, Justin has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems, and Abraxas. Justin is also a highly skilled technical specialist, and works with Darktrace's strategic global customers on threat analysis, defensive cyber operations, protecting IoT, and machine learning.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights