Does attribution matter to security leaders?

Do you find the public discussions about attribution after a breach useful or a needless distraction?

I know I’ve been on both sides of the issue. Sometimes the value of a concept — in this case, attribution — is lost in the debate. Then I met Levi Gundert (LinkedIn, Twitter), VP of Information Security Strategy, from Recorded Future.

Levi’s career as an information security professional includes unique operational and leadership experience in government (U.S. Secret Service), threat intelligence providers (Team Cymru and Recorded Future), and multi-vertical Fortune 500 enterprises (IBM, Cisco Systems, Union Bank, and Fidelity Investments).

Our discussion revealed when and how attribution matters. It starts by getting the definition right.

You pointed out that the definition of attribution matters. What does a security leader need to consider when it comes to attribution?

The definition is critical. Attribution is often mis-understood to mean the identification of an individual or group with associated real name, address, and other personally identifiable information. In contrast, within a business context, attribution is obtaining general intelligence to address the “who” and “why” of nefarious activity.

As a former federal agent, I needed specific and detailed attribution of malicious online activity to establish probable cause and drive a subsequent indictment. Similarly, part of the intelligence community’s mandate is to understand online adversarial activity and the specific people instigating it. A business’s goals are quite different — one of the primary objectives is to minimize operational risk.

Businesses that are committed to reducing operational risk need to understand the value of general attribution. Simply, motivation informs methodology. If the business doesn’t understand the actor(s) behind an attack or unauthorized event, then they are at risk of a stunted remediation effort that may lead to continued resource drain.

Consider a large financial services company that recently became the victim of a website compromise and defacement claimed by a previously unknown threat group. To deliver an incident report full of technical indicators and a dearth of information about the attack group is irresponsible, because the group’s motivation and history may lead to additional attack methodologies and victims that are essential to addressing future threats from the same group.

Expand on “motivation informs methodology.” How does this help a security leader?

General attribution informs senior business leaders’ critical decisions, especially during an incident. Beyond crisis moments, security leaders need to effectively communicate general attribution information to help executives and the board meet the daily challenges of information security program resource allocation.

Effort and resources spent attempting to identify specific attacker names and corresponding details is ill-advised because it doesn’t add any value to security control strategy. Rather, understanding a threat actor’s basic history and motivations leads to methodology pattern identification that helps narrow potential techniques likely to be used against the business in the future. General attribution becomes valuable business insight through security policy and controls.

Additionally, general attribution provides opportunities for operational security practitioners to learn and institute new “plays” to improve future malicious activity detection efficacy.

Lastly, general attribution is the glue in a serious incident narrative. A security leader needs to distill events into a story for the executives and the board, and a briefing devoid of general attribution leaves everyone asking “why?”. Simply answering that question with hard data is the quickest way to instill confidence in the remediation effort and long term plan to address program shortcomings. Briefing the Board of Directors on an incident without general attribution and motive is going to cause unnecessary FUD (fear, uncertainty, and doubt).

How important is context?

It’s essential. We’ve been discussing the value of attribution during and after an attack, but it’s also a critical proactive exercise to understand adversaries before they impact the business. This is one facet of threat intelligence, which is the act of formulating an analysis based on the identification, collection, and enrichment of relevant information.

Large streams of threat information (indicators of compromise) with little relevance to a business are marginally useful when automated at the operational level. Mature threat-centric security teams are working to identify threat actor(s) and their associated behaviors (TTPs — tactics, techniques, and procedures) in a tangible and measurable way (such as the number of reports influencing a business decision). The resulting intelligence helps decision makers understand macro and micro threat activity based on strategic asset exposure (employees, vendors, applications, infrastructure, etc.), industry peer exposure, and/or all enterprise exposure.

Let’s talk about officers and directors. Does the board care about attribution? Should they? And what does that mean for security leaders?

I’ve personally witnessed a board that is very engaged and thoughtful when the agenda turns to information security. Boards are quickly increasing their security IQs, and they are asking the right questions. Gone are the days of INFOSEC’s strict cost center perception. Today the board is asking “Are we spending enough? Do we have the correct resources? Do we have the right people?”. Even if strong INFOSEC isn’t quite regarded as a competitive advantage and industry differentiator, it’s less expensive than sustaining a targeted attack, primarily because so many resources are diverted away from achieving the company’s goals, and in some industries, customer confidence is the most valuable currency.

The board does care about attribution. They want the full story which includes “who” and “why.” Lacking attribution leaves stakeholders with doubts. Everyone wants to be able to discuss a difficult subject intelligently, and general attribution allows the officers and directors to articulate the situation clearly. Preparing for a board meeting with only the “what”, “when”, and “how” is a mistake.

The board may also want to involve law enforcement in specific situations. I know from experience that typical policies and procedures resist law enforcement involvement, and there are often good business reasons for doing so, but when necessary, documenting and summarizing general attribution is a worthwhile endeavor to assist law enforcement. Certainly they want all available evidence preserved and unadulterated during and following an attack, but they also need as much proactive assistance as possible to achieve specific attribution.

What does a security leader need to do to get this? What can someone do today to start building the capability — and boost the value of their leadership?

Obviously the first step is defining the goals and objectives for attribution along with repeatable metrics. A basic priority could be generally locating the top ten threat actors or groups that are likely to target the company along with their history and TTPs. This is a lengthy and resource-intensive exercise if performed properly. Again, the goal is understanding methodology and behaviors, not physical name and address. An adversary ranking exercise will help identify threat information source gaps and the INFOSEC team can develop a powerful proprietary capability for attribution reporting deliverables.

It’s the TTP identifications that help peer teams within information security. This type of proactive identification compliments a risk/audit framework approach because threat actors and their temporal behaviors accelerate the learning cycle. Instead of waiting for the next version of ISO 27001 or NIST Cyber Security Framework (CSF) to be released, companies can still map their progress to the framework while also making incremental improvements, especially in the “prevention” and “detection” framework phases, based on near real-time attacker attribution.