Attribution Delivers Questionable Security Value

  /     /     /  
Publicated : 22/11/2024   Category : security


Attribution Delivers Questionable Security Value


Sure, politicians have some fodder for their diplomatic cannons, but do companies gain much from identifying their attackers? Experts debate the merits of attribution



The argument for gathering intelligence on attackers goes something like this: If companies can distinguish between opportunistic probes and the early signs of an attack by a nation-state or industrial spy, then they can marshal limited resources to focus on the greater threat.
Internet content and security provider Akamai, for example, has created a security intelligence platform and is currently gathering and analyzing data to help the company get to that ideal, says John Summers, vice president of security products for Akamai Technologies. The companys plans are still more on the drawing board than delivered, but it hopes to start rolling out some capabilities later this year.
This is something that we have built; its in place, and we are collecting all the security events that we see across the platform, Summers says. We will turn it into better security analytics to get closer to that [attribution] Nirvana.
On Tuesday, incident-response firm Mandiant
outed the Chinese military
as the shadowy puppeteer behind a large campaign of espionage attacks stretching back to 2006. The company identified the Peoples Liberation Army group, Unit 61398, operating out of a building near Shanghai, as the source of more than 140 attacks aimed at a broad swath of industries, from information technology and aerospace to government and energy. The company even described what is thought to be three individuals or personas behind different facets of the attacks.
We wanted to move the conversation away from theoretical Chinese hackers who could be anybody to one of reality -- this specific group with this mission and this location -- and we felt like we could do that with this group, says Richard Bejtlich, chief security officer for Mandiant. This group is so prolific and so active that they leave so much evidence behind, and it all points in the same direction.
[Identifying the groups behind attacks is still a dicey proposition, but security firms are collecting more information on attackers techniques and their infrastructure. See
More Data On Attackers, But Attribution Still Dodgy
.]
Mandiants analysis does make a compelling case for the U.S. government to increase pressure on China, rather than focus -- as it has been doing -- on information sharing, says Steven Chabinsky, senior vice president for legal affairs at incident response firm CrowdStrike.
This report to the President and the U.S. Congress; this is the private sector saying, Now what? Chabinsky says. The private sector will be a little bit at a loss if the governments response to this is to ask for more information.
Yet, for enterprises looking to protect their business, the benefits of attribution are less certain. Companies that are the target of nation-states and other persistent adversaries can benefit from discerning which attackers will stop at the perimeter and which ones will seek other ways to compromise their networks, Chabinsky says.
It is helpful because then you get to play better defense in two realms: You know what to defend because you know what they are after, and you can develop patterns on the attackers so you can anticipate them, he says.
To that end, Mandiant has provided
a large appendix
to its report covering thousands of indicators of compromise that could tip off companies that they have been targeted or already infiltrated. Security teams can block requests from certain domains, blacklist certain MD5 hashes or signed code, and look for signs of infections.
Yet attribution can also get in the way of good defense, says John Prisco, CEO of attack-detection firm Triumfant. When a nation-state has been identified as the source of an attack, it almost seems to become a badge of honor, he says. Companies are increasingly reporting that they have been compromised, finding little shame in their security shortfall because they are part of a crowd of other companies. Earlier this month, The New York Times, The Wall Street Journal, and The Washington Post acknowledged that
their networks had been breached
. This week, Facebook and Apple both
detailed attacks
on their own systems that infected employee laptops.
Instead, the companies should be striving for clean networks and hardened systems, Prisco says.
At the end of the day, so what? The Chinese did it, he says. Someone has exfiltrated data for four months, and you know who it is. How does that help you? Its only academically interesting that you can attribute the attacks to China.
Companies should instead look to catch the breach right away. Triumfant focuses on integrity and change detection, especially in volatile memory, to detect malicious and unwanted code.
Yet attribution does not have to just be about technology, says Mandiants Bejtlich. A business that partners with, competes against, or buys from China can expect to be attacked. Knowing for certain that the government is targeting its business could allow company management to make hard choices, he says.
Companies may have to ask, Is this really worth it? Can I protect my information, if I go into this business deal? Bejtlich says. If you combine it with other problems in China, such as labor rights abuses, it may not necessarily be the best place for your business.
In the end, attribution and better security intelligence could lead to more appropriate defenses, but the technology to help the average enterprise is not yet there.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ Car Sector Speeds Up In Security. ◂
Discovered: 23/12/2024
Category: security

▸ Making use of a homemade Android army ◂
Discovered: 23/12/2024
Category: security

▸ CryptoWall is more widespread but less lucrative than CryptoLocker. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Attribution Delivers Questionable Security Value