Attack attribution does little to improve enterprise security

Improving a company’s defenses should be the top priority after a hack, not spending time trying determine who conducted the attack

Why attack attribution does little to improve enterprise security
Véronique Debord-Lazaro (CC BY-SA 2.0)

After every major data breach, the security community engages in a game of whodunit and attempts to figure out what entity or nation state carried out the attack. The North Koreans were behind the Sony breach, while China carried out the attack on the Office of Personnel Management (OPM). Meanwhile, hackers linked to the Iranian government hacked a small dam in New York as well as the networks of AT&T, Bank of America and the New York Stock Exchange, among other major U.S. businesses. 

And now Russia is being singled out for supporting hackers who infiltrated the Democratic National Committee’s computers and disclosed sensitive files and emails.

+ Also on Network World: Cybersecurity: Stop the attacker's offense, don’t do defense +

While people want some sort of closure after a crime has been committed and to see the perpetrators brought to justice, it’s time to reconsider the benefits of attributing cyber attacks. Having a corporate security team attempt to figure out who is behind a hack is complicated, is time consuming and does very little to improve an enterprise’s defenses, which should be a company’s priority after an attack. And, perhaps most important, many attributions are just guesses or completely wrong.

When laws are broken in the physical world, there’s irrefutable evidence that links the guilty party to the crime. Maybe it’s fingerprints or a strand of hair or surveillance footage from a security camera. Whatever the evidence, it’s tangible and hard to manipulate. In the cyber world, however, evidence can be easily altered, making the task of figuring out who pulled off an attack much more difficult and sometimes impossible.

To understand why attribution does not work, think like the people who are behind the operation. They have invested significant time and resources masking their identity prior to the operation’s start. They employ basic precautions like making sure their tools never communicate with a server based in the country where the attack originated. Instead, they’ll make the communication appear to originate from another nation and buy domain names in different countries.

The hackers also want to avoid establishing any link between them and the hardware and software used in the operation. This means instead of purchasing equipment with credit cards connected to the hackers, they will use bitcoins or stolen credit cards.

Deception is always a major part of an attack. The attackers want to make sure that if the operation is discovered, any evidence that’s unearthed points toward someone else. Russian hackers, for example, may include Chinese in the malware’s code to make it appear that China played a role in the attack. Or nation state hackers will employ tactics and techniques typically used by cyber-crime groups in an effort to pin the attack on a criminal organization instead of a nation state. In recent years, the sophisticated attack techniques used by nation state attackers have been adopted by cyber criminals, making attack attribution very tricky.

Even if a security team correctly identifies an attacker, the return may not be worth the investment. Figuring out who hacked a company may fill security professionals with pride, but how can they retaliate against the group or nation that executed the attack? While the U.S. government can take action against the country behind a data breach, as it did with North Korea with the Sony hack and imposed sanctions, federal officials don’t and can’t seek retribution after every attack. I suspect the U.S. government lacks the ability to investigate all cyber attacks. Additionally, going after every attacker doesn’t seem like a sound cybersecurity policy.

When an attack has been attributed, prosecution by the U.S. government rarely happens. Extraditing hackers to the U.S. for trial is not an option in many cases, as seen with the Iranian attackers. If the hackers don’t reside in the U.S., federal prosecutors have little legal recourse against them.

My main concern is that the effort spent on attributing an attack distracts organizations from fully remediating a breach. A company’s limited security resources are better spent understanding how the attackers infiltrated the network and their capabilities and using this intelligence to prevent future attacks. Having corporate security teams focus on attack attribution does nothing to protect their company from getting hacked again.

Copyright © 2016 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)