What's the value in attack attribution?

The pros and cons of allocating assets to identifying an attacker

Credit: Lachlan Hardy

For those who pursue forensic analysis with the hope of identifying and prosecuting an attacker, they likely will find that the time spent on attack attribution is fruitless.

If, however, they are looking to use what they gain through attack attribution to inform their overall security procedures from prevention to response, the effort yields valuable results.

Many experts in the industry have questioned whether there is any value to attribution. SafeBreach CTO & co-founder Itzik Kotler said, "The only interesting aspect in attribution itself is to classify and put information in a box and use it over and over again."

Kotler offered a hypothetical in which right now CNN gets hacked by the Chinese. "That someone can or cannot attribute it to the Chinese doesn't matter. It does matter if we can say we think this is from China," Kotler said.

In order to create a stronger defense, security teams need to learn better offensive strategies. "Offensive knowledge can turn the table into defensive advantage. They are able to try new things before the attack happens and determine whether the tools are actually working," Kotler said. are

Cyber defenders need to know who their adversaries are in order to understand how to expand beyond just those known vulnerabilities. "If they can be proactive and predictive, they will have better control of the outcome," said Kotler.

Given that attack attribution is so challenging, some, like Robert M. Lee, CEO and founder of Dragos, argue, "True attribution at the tactical threat intelligence level is only harmful to good security practices."

Lee wrote in his blog, "The Problems with Seeking and Avoiding True Attribution to Cyber Attacks," that attribution can lead analysts to make misguided assumptions due to cognitive bias.

"The analysis leans so heavily on the human thought processes that it can lead us to inappropriate conclusions. Now, instead of keeping an open mind and searching for the threat in the network our analyst is falling prey to confirmation bias where the analyst is looking at the data differently based on their original hypothesis," Lee wrote.

In contrast, John Miller, manager of threat intelligence at FireEye, said, "It's valuable when it allows them to take action. When it allows a security team to get an understanding of the attacker's intention in a way that allows them to take countermeasures."

Whether a security team has a relatively open-ended lead on what is going on or a broad lead, "Attributing who is responsible can help folks be better able to understand what they are doing beyond what they have seen," Miller said.

Take, for example, Cobalt Strike, the tool used by pen testers and available for purchase. It's widely known that a number of attackers use that tool. "If a network defender identifies Cobalt Strike, it only tells them here is something malicious but not much more," said Miller.

If, however, the tool is tied to Fin7, a group identified as using that tool, said Miller, "They can look at point of sale malware and other tools that are specific to Fin7 operations, even if they haven't already detected them. That informs them on what else they need to be looking for and what other steps they should be taking."

Attribution is not useful when it doesn't provide any opportunity for action," said Miller, "It doesn't give defenders the ability to follow up in any meaningful way."

Since a lot of organizations have lost that connection back to what makes attribution valuable and what they can do with it, they become skeptical. "People tend to like it when they can put a face on something they are dealing with, particularly for those that aren't knowledgeable from a technical perspective," Miller said.

They see attack attribution as a way to gain an informed narrative about the attacker, or "They pursue attribution through internal capabilities without really knowing what to do with the information," said Miller.

For any given organization, the mass majority of events they have to deal with are not all that significant and not worth a lot of time. "The challenge is figuring out the significance, which they can do with attribution clues," said Miller.

Ryan O'Leary, vice president of threat research center, WhiteHat Security, agreed that attribution matters when it comes to prioritizing the vulnerabilities that they have.

"If you are an enterprise, you want to fix vulnerabilities. If you know who is attacking you, it makes prioritizing a little bit easier," O'Leary said. In the grand scheme of things attribution doesn't really matter because if an enterprise has one vulnerability, then an attacker has an entry point.

Attribution does, however, help in that, "If they know that someone is targeting them for a DDoS, they probably want to go harden their server. It helps them to prioritize what is on their plate," O'Leary said.

Given that some cybercriminals are lazy, they are going to go after known vulnerabilities that are easy. Attribution provides a security team with the information they need to identify the vulnerabilities they have in order to fix them.

"They can spend money on fixing them rather than doing analysis on trends and figuring out who is trying to attack them. It's about reducing the attack surface," O'Leary said.

When attribution is used for defense and prioritization, it has great value. "If the goal is to use it in offense, for going after them, it is not as useful. These people are in places that you can't prosecute them. People want to use data in lots of different ways, but in some cases, it doesn't make sense," said O'Leary.

Despite the challenges and arguments against attack attribution, Patrick Dennis, CEO of Guidance, said there's a lot of value in attribution, particularly for the security industry at large.

"We can learn a lot when we learn where the attack came from, whether it is a tier 1 attacker or a tier 2 attacker using what was once a zero day with modification. There is great benefit to the industry in identifying trends," Dennis said. 

Yes, analysts can get it wrong or not come to a conclusion altogether, which some might see as a waste of time, but attribution is not a one size fits all solution.

"They don't have to attribute every attack, but there is a class of attack worth identifying. In the same way that it would be unacceptable to not attribute a murder, if we don't figure out where a large scale attack came from, that would be unacceptable," Dennis said.

Attribution sorts out the category of attacker. "It can help determine who is executing the attack, how capable they are, and the resources they have so that what you should do is then more informed. It can help make decisions about engaging law enforcement or FBI in a more meaningful way," Dennis said.

Ideally, the industry would be sharing attribution information of what they have seen in an effort to better combat what they have seen in a group, in the same way that law enforcement agencies work together on physical crimes.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
How much is a data breach going to cost you?