Don’t Make Haste! The Downside of Rushing Attribution

istock 1144604245

There are any number of bad actors behind cyber attacks these days. From enterprising criminals to nation-states to hacktivists to malicious insiders, there are multiple possibilities of who is behind it when a system is compromised and data is breached.

Compromised organizations sometimes rush to point fingers at who is responsible for attacks and threats because it is gratifying.

“Researchers and vendors sometimes rush to attribution,” said Mat Gangwer, Senior Director of Managed Threat Response at Sophos. “It can often be because they want to be the first to make claims that it was a specific group or nation state. And some organizations may do it as a way to reveal the sophistication of the attack they are facing.”

But when the wrong indicators of compromise (IOCs) are collected, it can lead to false information and an erroneous attribution that actually does more harm than good.

“Pointing fingers and attributing things to organizations, or individuals, or entire countries that ultimately are not responsible, is dangerous for a number of different reasons,” said Gangwer. “Particularly when we talk about politics and the global landscape.”

Rushing attribution means the wrong party may get blamed, political tensions could escalate, and the actual group or individual behind the attack could be missed entirely – allowing them to further do damage elsewhere.

“Misinformation is dangerous from a defender’s standpoint,” he said. “We have a duty to report on these things and make sure that the stuff we identify and convey is accurate information to customers.”

Correct attribution is also essential for future defense, said Gangwer. Ransomware attacks are a good example of where historical and contextual information is key. Defenders can look for specific elements gathered from previous, correctly-attributed attacks to observe and identify them in order to mitigate an attack before it occurs.

“For example, if we know a particular threat group leverages a certain open source tool, like an advanced port scanner, we can monitor for the usage of that in our customer environments and that might be an early indicator that they have been breached by one of these adversaries, but they have just not had the ransomware payload deployed yet.”

Because so many criminals use open source tools, it is easy for them to imitate others, which is another reason not to attribute in haste, said Gangwer.

“Who is to say a threat actor isn’t mimicking another?” he said. “Don’t let attribution sidetrack you. Just because something appears to be similar in terms of attack technique, doesn’t necessarily mean it ties back to the same group or individual.”

If your organization finds itself in the middle of a security incident, take it slow when it comes to gathering IOCs. Ensure you are using the right tools for threat hunting and intelligence so you can make a thoroughly-informed decision if and when you choose to pin the compromise on a group or individual.

Sophos can help with threat intelligence and IOC gathering for proper threat attribution. Learn more at


Copyright © 2021 IDG Communications, Inc.