Knowing Your Enemy: Attack Attribution in Cybersecurity


In The Art of War, Sun Tzu states: "If you know the enemy and know yourself, you need not fear the result of a hundred battles." Two and a half millennia later, this advice still applies to an entirely new kind of battle: the world of cyber-attacks.

Despite the importance of attribution in responding to cyber-attacks, new research from CrowdStrike's Global Security Survey has revealed that only 19 per cent of UK respondents believe it is critical to understand which threat actors are attacking them and what their goals and tactics are.

Even more alarmingly, only 20 per cent placed importance on where the attacker was located, and only 34 per cent felt it was critical to understand threat actors' motives. While attack attribution does not appear to be a priority for many organizations, knowing the location, motive and type of threat actor challenging your organization is a best practice that UK firms cannot afford to overlook. Understanding the adversary is the key to protecting against attacks: you cannot foresee every attack, but intelligence from past intrusions tells you what is likely to come next and helps limit its consequences.

Consuming adversary intelligence matters to enterprises because, in order to protect yourself, you need to know both who will come after you and how they will do it.

This information is indispensable in helping businesses improve their defenses and prepare for future attacks. Whether the adversaries are nation-states or cyber-criminals, the anonymity provided by the internet lets them veil their methods and targets and insulate themselves from legal repercussions.

In other words, the "who, what, where and how" that allows organizations to respond to attacks often remains unknown. In the direct aftermath of an attack, it is precisely this information that allows organizations to recover their assets, limit damage and restore security to the environment.

To implement this best practice, organizations need to review whether their current processes can support it. By linking malicious activity to specific groups, organizations can identify patterns of behavior that reveal which attack vectors are being used, by whom, and what the attackers are pursuing. Even the basic distinction between a targeted attack and commodity malware offers much-needed insight.

In the midst of chaos there is also opportunity
When trying to attribute attacks, the main 'fingerprints' left behind for forensic analysis are indicators of compromise (IOCs) such as malware file hashes, detection signatures, domain names and the IP addresses of command and control (C&C) servers. These IOCs can then be compared against the known tools, code similarities and infrastructure of tracked threat actors.

However, the maturity of current threat actors has created several obstacles to this method. As attackers adopt polymorphic malware, dynamic attack infrastructure and code obfuscation, it becomes increasingly difficult to identify them via IOCs: a hash or domain that changes for every victim never recurs, so there is nothing to match against.

Moreover, with high-profile actors frequently avoiding custom tools and relying instead on off-the-shelf tooling, IOCs become even less useful for attribution: the hash of a public tool points at every group that uses it. Another consideration is that attackers frequently attempt to throw forensic analysts off the trail by planting false flags in their wake.
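The following is an added example, not code from the original article or from CrowdStrike, showing the IOC-matching approach described above and the ambiguity that shared, off-the-shelf tooling introduces. The actor names (ACTOR-A/B/C), the catalogue of indicators and the telemetry lines are all constructed for illustration; the hashes are filler, not real samples. It extracts hashes, IPv4 addresses and URL hosts from log lines (refanging `hxxp` and `[.]` notation first), looks them up against the catalogue, and reports per actor how many matches are exclusive to that actor versus shared with others.

```python
import re
from collections import defaultdict

# Constructed catalogue of IOCs for three hypothetical tracked actors.
# None of these values are real indicators; the 64-char hashes are filler.
TRACKED_IOCS = {
    "sha256": {
        "a" * 64: ["ACTOR-A", "ACTOR-B", "ACTOR-C"],   # off-the-shelf tool, shared
        "b" * 64: ["ACTOR-A"],                         # custom implant
    },
    "domain": {"update-checker.example": ["ACTOR-A"]},
    "ipv4": {"203.0.113.10": ["ACTOR-B"]},
}

HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_HOST_RE = re.compile(r"https?://([^\s/:]+)", re.IGNORECASE)


def refang(text):
    """Undo the defanging that reports and feeds apply (hxxp, [.], (.))."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")


def extract_iocs(line):
    """Pull (type, normalized value) pairs out of one log or report line."""
    line = refang(line)
    found = [("sha256", h.lower()) for h in HASH_RE.findall(line)]
    found += [("ipv4", ip) for ip in IPV4_RE.findall(line)]
    found += [("domain", host.lower()) for host in URL_HOST_RE.findall(line)]
    return found


def attribute(lines):
    """Match extracted IOCs against the catalogue.

    Returns a per-actor summary separating 'exclusive' hits (indicator known
    for that actor only) from 'shared' hits (indicator common to several
    actors, e.g. a public tool), plus the sorted list of shared indicators seen.
    """
    matched = defaultdict(set)
    shared = set()
    for line in lines:
        for ioc_type, value in extract_iocs(line):
            actors = TRACKED_IOCS[ioc_type].get(value, ())
            if len(actors) > 1:
                shared.add((ioc_type, value))
            for actor in actors:
                matched[actor].add((ioc_type, value))
    summary = {}
    for actor, iocs in matched.items():
        exclusive = sum(1 for t, v in iocs if len(TRACKED_IOCS[t][v]) == 1)
        summary[actor] = {"exclusive": exclusive, "shared": len(iocs) - exclusive}
    return summary, sorted(shared)


# Constructed sample telemetry (not real logs).
SAMPLE_LOGS = [
    "2024-03-01T10:02:11Z proxy GET hxxp://update-checker[.]example/pkg.bin src=10.0.0.5",
    "2024-03-01T10:02:14Z edr exec C:\\Users\\x\\pkg.bin sha256=" + "A" * 64,
    "2024-03-01T10:05:40Z fw outbound 10.0.0.5 -> 203.0.113.10:443",
    "2024-03-01T10:06:00Z fw outbound 10.0.0.7 -> 198.51.100.7:443",
]

if __name__ == "__main__":
    summary, shared = attribute(SAMPLE_LOGS)
    for actor, counts in sorted(summary.items()):
        print(actor, counts)
    print("shared (ambiguous) indicators:", shared)
```

On the constructed telemetry, ACTOR-C is implicated only by the shared tool hash, so that hit alone says nothing about who was behind the intrusion; the exclusive domain and C&C address are what separate ACTOR-A and ACTOR-B from the crowd. Weighting exclusive matches above shared ones is the simplest defence against the off-the-shelf-tool problem, though it does nothing against a deliberately planted false flag.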

To navigate these challenges, organizations have turned to behavioral models that use, for instance, language artifacts left in compiled code, the time zones implied by file or compile timestamps, or an operator's accidental access to the C&C infrastructure from an IP address that reveals their real location. This too presents problems, as savvy attackers deliberately misdirect analysts by manipulating exactly this evidence.
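As an added example of the time-zone inference mentioned above (not code from the original article), the block below takes a set of compile timestamps for a hypothetical malware family, shifts them through every candidate UTC offset, and reports which offset makes the most samples land in a Monday-to-Friday, 09:00 to 17:59 working window. The timestamps and first-seen dates are constructed; in practice they would come from a PE header's TimeDateStamp, document metadata or commit times, and the same scoring applies to any of those sources. Because this evidence is trivially forged, the example also applies the two sanity checks an analyst would run first: discard a zeroed (Unix epoch) timestamp and discard a compile time later than the date the sample was first seen in the wild.

```python
from datetime import datetime, timedelta

WORK_START, WORK_END = 9, 18    # local working window: 09:00 to 17:59, Mon-Fri
OFFSETS = range(-12, 15)        # candidate zones UTC-12 to UTC+14


def parse_utc(ts):
    """Parse an ISO-8601 timestamp ending in 'Z' into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def plausible(compile_ts, first_seen_ts):
    """Reject timestamps that cannot be genuine: a zeroed header (Unix epoch)
    or a compile time later than the sample was first observed in the wild.
    Both are common signs of a forged or stripped timestamp."""
    return compile_ts.timestamp() > 0 and compile_ts <= first_seen_ts


def workday_fit(samples, offset_hours):
    """Fraction of samples inside the working window once the UTC
    timestamps are shifted into the candidate time zone."""
    if not samples:
        return 0.0
    hits = 0
    for ts in samples:
        local = ts + timedelta(hours=offset_hours)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(samples)


def infer_utc_offsets(records):
    """records: list of (compile_timestamp, first_seen_timestamp) ISO strings.
    Returns (best_offsets, scores_by_offset, kept_count, dropped_count)."""
    kept, dropped = [], 0
    for compile_s, seen_s in records:
        c, s = parse_utc(compile_s), parse_utc(seen_s)
        if plausible(c, s):
            kept.append(c)
        else:
            dropped += 1
    scores = {off: workday_fit(kept, off) for off in OFFSETS}
    best_score = max(scores.values())
    best = sorted(off for off, sc in scores.items() if sc == best_score)
    return best, scores, len(kept), dropped


# Constructed compile timestamps for a hypothetical malware family (not real
# samples); the second field is when each sample was first observed.
FIRST_SEEN = "2023-04-01T00:00:00Z"
SAMPLES = [
    ("2023-03-06T01:05:00Z", FIRST_SEEN),   # Monday
    ("2023-03-06T03:20:00Z", FIRST_SEEN),
    ("2023-03-07T02:40:00Z", FIRST_SEEN),
    ("2023-03-07T09:50:00Z", FIRST_SEEN),
    ("2023-03-08T06:15:00Z", FIRST_SEEN),
    ("2023-03-08T08:05:00Z", FIRST_SEEN),
    ("2023-03-09T04:30:00Z", FIRST_SEEN),
    ("2023-03-10T01:30:00Z", FIRST_SEEN),
    ("2023-03-10T07:45:00Z", FIRST_SEEN),   # Friday
    ("2023-03-11T03:00:00Z", FIRST_SEEN),   # Saturday: weekend work, fits no zone
    ("1970-01-01T00:00:00Z", FIRST_SEEN),   # zeroed header, dropped
    ("2030-01-01T00:00:00Z", FIRST_SEEN),   # "compiled" after first seen, dropped
]

if __name__ == "__main__":
    best, scores, kept, dropped = infer_utc_offsets(SAMPLES)
    print(f"kept {kept} timestamps, dropped {dropped} implausible ones")
    print("best-fitting UTC offset(s):", best, "fit:", scores[best[0]])
```

The result is a hypothesis, not a finding: a single offset fitting nine of ten samples is consistent with an operator in that zone, but equally with an operator who set the build machine's clock to look like one. The attribution value comes from corroboration, for instance when the inferred zone agrees with language artifacts in the binary and with the hours at which the C&C infrastructure is administered.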

To best position themselves to identify adversaries, organizations should minimize detection latency, which otherwise gives attackers the chance to remove assets, dissolve attack infrastructure and scrub evidence of their intrusion. With the average breakout time (the interval between initial compromise and the first lateral movement) placed at 4 hours 37 minutes, minimizing detection time ensures that more evidence survives for defenders to use in attribution.

The 1-10-60 rule, whereby breaches should be detected within one minute, investigated within ten and remediated within 60, may be ambitious for organizations used to measuring response times in days; however, it stands as a sound benchmark for those looking to achieve a robust security posture. Other areas for organizations to focus on are closing gaps in monitoring coverage and increasing the breadth and retention of logging.

The greatest victory is that which requires no battle
Although it poses a considerable challenge, forward-thinking organizations have a pressing need to prioritize attack attribution. As Sun Tzu goes on to say, "If you know neither the enemy nor yourself, you will succumb in every battle." In other words, understanding your adversaries and their motivations is a key component of developing future cyber strategy.

Knowing why you were targeted, what was targeted and how the attackers attempted to compromise your defenses is invaluable in preparing for the battles of tomorrow. A deep understanding of the adversary allows organizations to plan the defense of their information and systems well into the future.
