What's in a Name? Breaking Down Attribution

Here's what you really need to know about adversaries.

Jonathan Couch, Senior VP of Strategy, ThreatQuotient

May 2, 2017


In the past few years, the topic of "attribution" has often come up. As more large-scale breaches occur and issues concerning cybersecurity become more mainstream, people want to know who is responsible. Among cybersecurity practitioners, there are two general camps — some believe that identifying the perpetrators is important, and some see this as fruitless.

Those in the former group like associating a face or a specific organization with the problem because it makes the attacker "known" and makes them feel more empowered to fight back. Those on the opposite side don't care about attribution at all. They believe it's a waste of time and money because unless you're a casualty of a major crime spree, with law enforcement engaged to bring down the perpetrator, there isn't much value in knowing an individual's name.

Is there a middle ground? What value does putting a name to an adversary bring to the table? It really comes down to the level of attribution and the trade-offs you must make as you build your dossier, because generally, organizations don't need to be able to pin a photo of their attackers on the wall to stop them.

Levels of Attribution
Sometimes attribution means identifying the actual group or person. You want to know what they look like, where they live and work, their schedules, and how to reach them — either electronically or physically. Other times, attribution can be obfuscated to protect sources and methods. Those with a need to know have access to the full details, while others only hear about "source B" or "sensitive source 12345." Most frequently, attribution is based on what the adversary is actually doing. A code name is assigned to indicate an individual or group responsible for a certain attack, like APT 1, Comment Panda, or Comment Crew. Sometimes a name is assigned to a specific campaign, like Angler, Locky, and Sundown.

Government organizations typically seek the highest level of attribution. But for businesses, the level of attribution should be predicated on what security professionals need to achieve as their end goal: enabling the enterprise to be as secure as possible, given resource limitations, in order to drive business growth.


Living by the 80/20 Rule
Attribution doesn't come easy, and the law of diminishing returns comes into play. There is a cost associated with attribution, and you can get 80% of the way there for 20% of the cost. So with minimal time and effort, you can get basic but important information.

What starts with raw threat data becomes groups of campaigns and malware families based on the code base or indicators, how the malware and campaigns are used, and the infrastructure involved. Tying adversaries to campaigns and generically named adversary groups is typically sufficient so that multiple teams across the enterprise can utilize the threat intelligence. As you try to get more detail — the base of operations and individual names — costs increase exponentially, but to what end? An arrest is highly unlikely. If the goal is to protect the business, your employees, and customers, this approach of defining campaigns and adversary groups usually works very well.

Know Your User Groups
When it comes to security operations, consider what level of attribution the different groups involved in protecting your organization need to be successful.

  • The intel team is typically the group assigned to determine attribution and is responsible for pulling all this information together. To make the best use of their resources, this team typically creates a one-size-fits-all solution for attribution. They provide the information about the indicators and codebase involved, the malware and campaigns, the infrastructure used, typical targets by geography or industry, and then tie that information together to identify adversary groups. Other teams then tap into that attribution information for their needs. 

  • The incident response team needs context around campaigns to validate that something bad is really happening and isn't a false positive, so that they can remediate incidents and breaches. Campaigns can be grouped by attribution. These groupings allow the incident response team to start with an indicator found on the network and learn more about the attack, so they can look for related indicators that those adversaries use. Knowledge of how adversaries and campaigns operate and the infrastructure used can help them accelerate response and make sure it doesn't happen again.

  • The vulnerability management team needs to know which vulnerabilities are being targeted, if there is an exploit that is being deployed, and if any groups have successfully targeted that vulnerability already. This information provides the team with some level of confidence that someone is targeting the organization so that they can prioritize patching accordingly.

  • The security operations center is looking to threat intelligence for validation and verification. For example, with attribution grouped according to a campaign and how that campaign operates down to the command and control server, the exfiltration server, and a specific type of malware, the team knows how the adversary operates. This gives the team a high level of confidence that an attack is occurring and lets them quickly take action.

  • The hunt team takes the attribution information, in particular the details of campaigns being run, to determine if they've seen that type of activity before. By understanding what an adversary targets, how they execute, their motivation, and any specific industries affected, the hunt team can see if there is some activity the SIEM may have missed.

For each of these functions, knowing if the team is fighting Joe or Jane doesn't matter. What matters is having intelligence grouped in a logical manner so that they can build confidence around knowing what these attackers are doing, how, when, and to whom. Whether it's knowing what to look for or understanding what they're seeing, they can then launch a better fight and apply a better fix. Organizations benefit from attribution, but at the level that makes sense for the business. 


About the Author

Jonathan Couch

Senior VP of Strategy, ThreatQuotient

As Senior VP of Strategy of ThreatQuotient, Jonathan Couch utilizes his 20+ years of experience in information security, information warfare, and intelligence collection to focus on the development of people, process, and technology within client organizations to assist in the consumption, use, and communication of cyberthreat intelligence. Jonathan's expertise is in leading advanced cyber warfare, cybersecurity, information operations, and intelligence technologies research. Prior to ThreatQuotient, Jonathan was a Co-Founder and VP of Threat Intelligence Services for iSIGHT Partners. There he created and managed a threat fusion center to help clients transition to intelligence-led security programs. Jonathan also has previously served in the Air Force at the NSA, Air Force Information Warfare Center, and in Saudi Arabia as the regional network engineer for the Joint Task Force (Southwest Asia). After leaving the military, Jonathan led a 25-member research and development team at Sytex Inc., later acquired by Lockheed Martin's Advanced Technology Labs in 2005.
