Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

5/2/2017
10:00 AM
Jonathan Couch
Jonathan Couch
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail vvv
100%
0%

What's in a Name? Breaking Down Attribution

Here's what you really need to know about adversaries.

In the past few years, the topic of "attribution" has often come up. As more large-scale breaches occur and issues concerning cybersecurity become more mainstream, people want to know who is responsible. Among cybersecurity practitioners, there are two general camps — some believe that identifying the perpetrators is important, and some see this as fruitless.

Those in the former group like associating a face or a specific organization to the problem because it makes the attacker "known" and makes them feel more empowered to fight back. Those on the opposite side don't care about attribution at all. They believe it's a waste of time and money because unless you're a casualty of a major crime spree, with law enforcement engaged to bring down the perpetrator, there isn't much value in knowing an individual's name.

Is there a middle ground? What value does putting a name to an adversary bring to the table? It really comes down to the level of attribution and the trade-offs you must make as you build your dossier, because generally, organizations don't need to be able to pin a photo of their attackers on the wall to stop them.

Levels of Attribution
Sometimes attribution means identifying the actual group or person. You want to know what they look like, where they live and work, their schedules, and how to reach them — either electronically or physically. Other times, attribution can be obfuscated to protect sources and methods. Those with a need to know have access to the full details, while others only hear about "source B" or "sensitive source 12345." Most frequently, attribution is based on what the adversary is actually doing. A code name is assigned to indicate an individual or group responsible for a certain attack, like APT 1, Comment Panda, or Comment Crew. Sometimes a name is assigned to a specific campaign, like Angler, Locky, and Sundown.

Government organizations typically seek the highest level of attribution. But for businesses, the level of attribution should be predicated on what security professionals need to achieve as their end goal: enabling the enterprise to be as secure as possible, given resource limitations, in order to drive business growth.

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

Living by the 80/20 Rule
Attribution doesn't come easy, and the law of diminishing returns comes into play. There is a cost associated with attribution and you can get 80% of the way there for 20% of the cost. So with minimal time and effort, you can get basic but important information.

What starts with raw threat data becomes groups of campaigns and malware families based on the code base or indicators, how the malware and campaigns are used, and the infrastructure involved. Tying adversaries to campaigns and generically named adversary groups is typically sufficient so that multiple teams across the enterprise can utilize the threat intelligence. As you try to get more detail — the base of operations and individual names — costs increase exponentially, but to what end? An arrest is highly unlikely. If the goal is to protect the business, your employees, and customers, this approach of defining campaigns and adversary groups usually works very well.

Know Your User Groups
When it comes to security operations, consider what level of attribution the different groups involved in protecting your organization need to be successful.

  • The intel team is typically the group assigned to determine attribution and is responsible for pulling all this information together. To make the best use of their resources, this team typically creates a one-size-fits-all solution for attribution. They provide the information about the indicators and codebase involved, the malware and campaigns, the infrastructure used, typical targets by geography or industry, and then tie that information together to identify adversary groups. Other teams then tap into that attribution information for their needs. 
  • The incident response team needs context around campaigns to validate that something bad is really happening, and isn't a false positive so that they can remediate incidents and breaches. Campaigns can be grouped by attribution. When you have these groupings, it allows the incident response team to start with an indicator found on the network and learn more about the attack so they can look for related indicators that those adversaries use. Knowledge of how adversaries and campaigns operate and the infrastructure used can help them accelerate response and make sure it doesn't happen again.
  • The vulnerability management team needs to know which vulnerabilities are being targeted, if there is an exploit that is being deployed, and if any groups have successfully targeted that vulnerability already. This information provides the team with some level of confidence that someone is targeting the organization so that they can prioritize patching accordingly.
  • The security operations center is looking to threat intelligence for validation and verification. For example, with attribution grouped according to a campaign and how that campaign operates down to the command and control server, the exfiltration server, and a specific type of malware, the team knows how the adversary operates. This gives the team a high level of confidence that an attack is occurring and lets them quickly take action.
  • The hunt team takes the attribution information — in particular, the details of campaigns being run — to determine if they've seen that type of activity before. Understanding what an adversary targets, how they execute, their motivation, and any specific industries affected, the hunt team can see if there is some activity the SIEM may have missed.

For each of these functions, knowing if the team is fighting Joe or Jane doesn't matter. What matters is having intelligence grouped in a logical manner so that they can build confidence around knowing what these attackers are doing, how, when, and to whom. Whether it's knowing what to look for or understanding what they're seeing, they can then launch a better fight and apply a better fix. Organizations benefit from attribution, but at the level that makes sense for the business. 

Related Content:

As Senior VP of Strategy of ThreatQuotient, Jonathan Couch utilizes his 20+ years of experience in information security, information warfare, and intelligence collection to focus on the development of people, process, and technology within client organizations to assist in ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Microsoft Tools Focus on Insider Risk, Data Protection at Ignite 2019
Kelly Sheridan, Staff Editor, Dark Reading,  11/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Dueling Free Throws A riff on the song Dueling Banjos
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprise
Assessing Cybersecurity Risk in Today's Enterprise
Security leaders are struggling to understand their organizations risk exposure. While many are confident in their security strategies and processes, theyre also more concerned than ever about getting breached. Download this report today and get insights on how today's enterprises assess and perceive the risks they face in 2019!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18862
PUBLISHED: 2019-11-11
maidag in GNU Mailutils before 3.8 is installed setuid and allows local privilege escalation in the url mode.
CVE-2019-18853
PUBLISHED: 2019-11-11
ImageMagick before 7.0.9-0 allows remote attackers to cause a denial of service because XML_PARSE_HUGE is not properly restricted in coders/svg.c, related to SVG and libxml2.
CVE-2019-18854
PUBLISHED: 2019-11-11
A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to unlimited recursion for a '<use ... xlink:href="#identifier">' substring.
CVE-2019-18855
PUBLISHED: 2019-11-11
A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to potentially unwanted elements or attributes.
CVE-2019-18856
PUBLISHED: 2019-11-11
A Denial Of Service vulnerability exists in the SVG Sanitizer module through 8.x-1.0-alpha1 for Drupal because access to external resources with an SVG use element is mishandled.