Jonathan Couch
What's in a Name? Breaking Down Attribution

Here's what you really need to know about adversaries.

In the past few years, the topic of "attribution" has often come up. As more large-scale breaches occur and issues concerning cybersecurity become more mainstream, people want to know who is responsible. Among cybersecurity practitioners, there are two general camps — some believe that identifying the perpetrators is important, and some see this as fruitless.

Those in the former group like associating a face or a specific organization to the problem because it makes the attacker "known" and makes them feel more empowered to fight back. Those on the opposite side don't care about attribution at all. They believe it's a waste of time and money because unless you're a casualty of a major crime spree, with law enforcement engaged to bring down the perpetrator, there isn't much value in knowing an individual's name.

Is there a middle ground? What value does putting a name to an adversary bring to the table? It really comes down to the level of attribution and the trade-offs you must make as you build your dossier, because generally, organizations don't need to be able to pin a photo of their attackers on the wall to stop them.

Levels of Attribution
Sometimes attribution means identifying the actual group or person. You want to know what they look like, where they live and work, their schedules, and how to reach them — either electronically or physically. Other times, attribution can be obfuscated to protect sources and methods. Those with a need to know have access to the full details, while others only hear about "source B" or "sensitive source 12345." Most frequently, attribution is based on what the adversary is actually doing. A code name is assigned to indicate an individual or group responsible for a certain attack, like APT 1, Comment Panda, or Comment Crew. Sometimes a name is assigned to a specific campaign, like Angler, Locky, and Sundown.

Government organizations typically seek the highest level of attribution. But for businesses, the level of attribution should be predicated on what security professionals need to achieve as their end goal: enabling the enterprise to be as secure as possible, given resource limitations, in order to drive business growth.

Living by the 80/20 Rule
Attribution doesn't come easy, and the law of diminishing returns comes into play. There is a cost associated with attribution and you can get 80% of the way there for 20% of the cost. So with minimal time and effort, you can get basic but important information.

What starts with raw threat data becomes groups of campaigns and malware families based on the code base or indicators, how the malware and campaigns are used, and the infrastructure involved. Tying adversaries to campaigns and generically named adversary groups is typically sufficient so that multiple teams across the enterprise can utilize the threat intelligence. As you try to get more detail — the base of operations and individual names — costs increase exponentially, but to what end? An arrest is highly unlikely. If the goal is to protect the business, your employees, and customers, this approach of defining campaigns and adversary groups usually works very well.

Know Your User Groups
When it comes to security operations, consider what level of attribution the different groups involved in protecting your organization need to be successful.

  • The intel team is typically the group assigned to determine attribution and is responsible for pulling all this information together. To make the best use of their resources, this team typically creates a one-size-fits-all solution for attribution. They provide the information about the indicators and codebase involved, the malware and campaigns, the infrastructure used, typical targets by geography or industry, and then tie that information together to identify adversary groups. Other teams then tap into that attribution information for their needs. 
  • The incident response team needs context around campaigns to validate that something bad is really happening and isn't a false positive, so that they can remediate incidents and breaches. Campaigns can be grouped by attribution. With these groupings, the incident response team can start from a single indicator found on the network, learn more about the attack, and then look for the related indicators those adversaries use. Knowledge of how adversaries and campaigns operate, and of the infrastructure they use, helps them accelerate response and make sure it doesn't happen again.
  • The vulnerability management team needs to know which vulnerabilities are being targeted, if there is an exploit that is being deployed, and if any groups have successfully targeted that vulnerability already. This information provides the team with some level of confidence that someone is targeting the organization so that they can prioritize patching accordingly.
  • The security operations center is looking to threat intelligence for validation and verification. For example, with attribution grouped according to a campaign and how that campaign operates down to the command and control server, the exfiltration server, and a specific type of malware, the team knows how the adversary operates. This gives the team a high level of confidence that an attack is occurring and lets them quickly take action.
  • The hunt team takes the attribution information — in particular, the details of campaigns being run — to determine if they've seen that type of activity before. Understanding what an adversary targets, how they execute, their motivation, and any specific industries affected, the hunt team can see if there is some activity the SIEM may have missed.
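The pivot the list above describes (one confirmed indicator leads to its campaign, the campaign to a generically named adversary group, and the group to every other indicator and piece of infrastructure it is known to use) is easiest to see as a small data model. The Python below is an added illustration written for this page; it is not code from the article, from ThreatQuotient, or from any real intelligence platform, and every campaign name, group name, domain, address, hash and CVE identifier in it is a constructed placeholder. It also shows the vulnerability-management lookup (which campaigns are known to target a given CVE) from the same grouped data.

```python
# Added example: campaign-level attribution as a pivot structure.
# All sample data below is constructed for illustration (reserved example
# domains, RFC 5737 addresses, a dummy hash and placeholder CVE ids).
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Indicator:
    kind: str    # "domain", "ipv4" or "sha256"
    value: str


@dataclass
class Campaign:
    name: str
    adversary: str          # generically named group, e.g. "Group Alpha"
    roles: dict             # Indicator -> its role in the infrastructure ("c2", "exfil", "payload")
    targeted_cves: set = field(default_factory=set)
    target_industries: set = field(default_factory=set)

    @property
    def indicators(self):
        return set(self.roles)


class ThreatIntelStore:
    """Indicators are grouped into campaigns; campaigns are tied to a generically
    named adversary group. No individual names are needed for any lookup here."""

    def __init__(self, campaigns):
        self.campaigns = {c.name: c for c in campaigns}
        self._by_indicator = {}
        for c in campaigns:
            for ind in c.indicators:
                self._by_indicator.setdefault(ind, set()).add(c.name)

    def campaigns_for(self, indicator):
        return sorted(self._by_indicator.get(indicator, set()))

    def adversaries_for(self, indicator):
        return {self.campaigns[n].adversary for n in self.campaigns_for(indicator)}

    def related_indicators(self, indicator):
        """Every other indicator used by the same adversary group(s), across all
        of that group's campaigns, so a responder can search for them next."""
        groups = self.adversaries_for(indicator)
        related = set()
        for c in self.campaigns.values():
            if c.adversary in groups:
                related |= c.indicators
        related.discard(indicator)
        return related

    def campaigns_targeting(self, cve):
        """Vulnerability-management view: which campaigns and groups are known
        to target a CVE, to help prioritise patching."""
        return sorted((c.name, c.adversary)
                      for c in self.campaigns.values() if cve in c.targeted_cves)


def pivot(store, indicator):
    """Summarise what a responder learns from one confirmed indicator."""
    names = store.campaigns_for(indicator)
    return {
        "campaigns": names,
        "adversaries": sorted(store.adversaries_for(indicator)),
        "roles": sorted({store.campaigns[n].roles[indicator] for n in names}),
        "related": sorted(i.value for i in store.related_indicators(indicator)),
    }


# Constructed sample data.
C2 = Indicator("domain", "c2.example.net")
EXFIL = Indicator("ipv4", "203.0.113.10")
PAYLOAD = Indicator("sha256", "0" * 64)
STAGER = Indicator("domain", "update.example.org")
OTHER = Indicator("ipv4", "198.51.100.7")

SAMPLE_CAMPAIGNS = [
    Campaign("campaign-alpha-1", "Group Alpha",
             {C2: "c2", EXFIL: "exfil", PAYLOAD: "payload"},
             targeted_cves={"CVE-0000-0001"}, target_industries={"finance"}),
    Campaign("campaign-alpha-2", "Group Alpha",
             {STAGER: "c2", PAYLOAD: "payload"},
             target_industries={"finance", "energy"}),
    Campaign("campaign-beta-1", "Group Beta",
             {OTHER: "c2"},
             targeted_cves={"CVE-0000-0002"}, target_industries={"healthcare"}),
]
STORE = ThreatIntelStore(SAMPLE_CAMPAIGNS)

if __name__ == "__main__":
    # Starting from the C2 domain, the responder learns the campaign, the group,
    # the role the indicator plays, and the group's other infrastructure.
    print(pivot(STORE, C2))
```

Note that `related_indicators` walks every campaign attributed to the same group, not just the campaign the seed indicator came from: that is the practical payoff of tying campaigns to a named group rather than stopping at per-campaign indicator lists.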

For each of these functions, knowing if the team is fighting Joe or Jane doesn't matter. What matters is having intelligence grouped in a logical manner so that they can build confidence around knowing what these attackers are doing, how, when, and to whom. Whether it's knowing what to look for or understanding what they're seeing, they can then launch a better fight and apply a better fix. Organizations benefit from attribution, but at the level that makes sense for the business. 

As Senior VP of Strategy of ThreatQuotient, Jonathan Couch utilizes his 20+ years of experience in information security, information warfare, and intelligence collection to focus on the development of people, process, and technology within client organizations to assist in ...
