The Attribution Question: Does It Matter Who Attacked You?

Everyone will ask whodunnit, but how can an organization put that information to practical use during disaster recovery and planning for the future?

In normal life crises, the jump to assess blame is often the emotional reaction, but rarely the appropriate reaction. Assessing blame for who hit you with a cyberattack, however -- if not the individual, at least the general classification -- could be effective, if not essential to your recovery efforts, according to speakers at a
Dark Reading Virtual Event
Tuesday.
We asked speakers flat-out, does attribution matter?
Does it matter?
It depends, said Mark Potter, principal systems security officer for Strategic Health Solutions. It really depends, on the size and budget of your organization, the value and type of the assets, and types and frequency of attacks.
If you dont have the internal skill set to go hunting for an attacker or the funds to hire outside contractors, says Potter, then its more important to get the business back to normal.
If youve got the resources, though, there are areas where accurate attacker attribution can help.
For one: damage assessment. Attribution is key to trying to understand the extent of the damage and where else you should be looking, said Toni Gidwani, director of research operations at ThreatConnect. To make sure youve found all the places the attackers have reached, infected, damaged or stolen from, she said, the forensics team can be helped by the extra context, like knowing what particular exploit kits to hunt for.
Dmitri Alperovitch, CTO and Co-founder of Crowdstrike, added that attribution helps assess the damages from a business perspective. If your data has been stolen, who has it -- is it a competitor or is it a cybercriminal who may resell that data? ... Whos coming after and you and why can be a very important question.
Some businesses have begun to ask, said Alperovitch, to know more about about the character of certain ransomware operators. When deciding whether or not to pay a ransom request, victims want to whether this is an operator with a history of delivering on their promise to restore access to locked data or the type that just takes the money and runs.
Knowing the identity of attackers also impacts the design of security programs going forward. According to Alperovith and Gidwani, the difference between an opportunistic attacker and a targeted attacker or the difference between a destructive attacker and an intellectual property thief will change the sort of decisions you make about your defense. Some attackers move on quickly, while others come back if they didnt finish a job. They may aim for a variety of data, systems, or users.
The better you know, the better you can allocate those funds to protect those assets, said Andrew Wild, chief security officer of Lancope. Knowing this information can also be used to get better buy-in and smarter investment from above, according to Wild.
Why did we get better at attribution?
There is still a lot of progress to be made in attribution -- some are still announced with only low or moderate confidence. However, there has been a great deal of progress made in the past couple years: why?
Attribution is getting better because security got better, says Alperovitch. It used to be that adversaries were inside networks for literally years. Now were catching more and more intrusions, were actually building up an encyclopedia, if you will, of tradecraft on what weve seen for different adversaries, he said, how they operate, what their motivations are. And you start building the profiles and the modus operandi for the adversary so when you see them again, you know who youre dealing with.
Better attribution, however, has had its own impacts. Knowing with high confidence that one nation-state launched a cyberattack on another can create or exacerbate socio-political conflicts, and not all regions have equal attribution capabilities (
according to Richard Bejtlich
in a Dark Reading interview last year).
Alperovitch commented that it was really remarkable to watch cybersecurity become the top issue of a meeting between two world leaders, when President Barack Obama and President Xi Jinping of the Peoples Republic of China met last year.
Gidwani added that better attribution is starting to open up these non-technical responses for our political leaders.
The ability to respond to cyber espionage or destructive attacks with trade sanctions, for example, is, says Gidwani, a step forward.
Related Content:
More Evidence of Link Between Bank Attacks and North Korean Group
Who Took the Cookies from the Cookie Jar?
Attribution and the Nation-State Malware Market

Black Hat’s CISO Summit
Aug 2 offers executive-level insights into technologies and issues security execs need to keep pace with the speed of business.
Click to register.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps