Attribution in Cyber Threat Intelligence: Techniques and Challenges

Understanding the importance and methods of the cyber attribution from a strategic point of view

Introduction

image source

Why the attribution is so important in the cyber field?

  • Intelligence gathering: Attribution can help to gather intelligence about the motivations, capabilities, and tactics of cyber attackers, which can be used to better protect against future attacks.
  • Prioritization: Attribution can help organizations to prioritize their defensive efforts by identifying the most significant threats and allocating resources accordingly.
  • Legal and policy implications: Attribution helps to determine who is responsible for a cyber attack, which can have legal and policy implications for how the attack is handled and responded to.
  • Deterrence: Attribution can help to deter future attacks by holding individuals or organizations accountable for their actions and making it clear that cyber attacks will not be tolerated.
  • Threat hunting: Attribution can help to identify the group or individual behind an attack, and enables threat hunting, which is the process of proactively searching for and identifying potential security threats.
  • International relations: Attribution can have international relations implications, depending on the origin of the attack and the target.

What are the best ways to attribute a cyber attack?

  • Technical indicators: Analyzing technical indicators such as IP addresses, command and control infrastructure, hashes, domains, malware or abused malicious software to identify patterns and connections that may be unique to a particular Threat Actor.
  • Behavioral analysis: Analyzing the tactics, techniques, and procedures (TTPs) used in the attack to identify behavioral patterns that may be associated with a particular group. You can use the MITRE framework to find the commonalities in the abused techniques and procedures or analyze the network traffic identifying patterns of communication and infrastructure that are associated with a particular threat actor.
  • Geopolitical context: Analyzing the political and economic context of the cyber attack to identify potential motivations or factors that may be associated with a particular actor.
  • Deception: Identifying the source of an attack by using deception and misdirection to mislead the attacker into revealing their true identity.
  • Legal means: Identifying the source of an attack by using legal means such as search warrant, subpoena, or other legal process.
  • Forensic analysis: Identifying the source of an attack by investigating the digital evidences left behind.
  • Open-source intelligence (OSINT): Identifying the source of an attack by analyzing publicly available information, such as social media posts, news articles, and other open-source data.

How a correct attribution can make the difference during a cyber attack / IR?

  • Tailored response: Attribution can help incident responders to quickly and effectively respond to a cyber attack by providing information about the attackers’ TTPs, tools, and motivations, allowing a tailored response to the specific incident.
  • Enhancing incident reporting and communication: Attribution can help to provide context and background information about the attack, which can be used to improve incident reporting and communication with external stakeholders such as law enforcement, industry partners and other organizations.
  • Intelligence requirements: a correct attribution can help into defining the priority intelligence requirements. This can help an organization to focus on specific threat actors and prioritize all the mitigation strategies against their TTPs.
  • Facilitating legal and policy decisions: Attribution can help to determine who is responsible for a cyber attack, which can have legal and policy implications for how the attack is handled and responded to.
  • Supporting international relations: Attribution can have international relations implications, depending on the origin of the attack and the target, correct attribution can avoid misunderstandings, and facilitate cooperation and coordination among countries.
  • False flags: Attribution can help to identify potential false flag operations, where an attacker may use techniques and tools that are designed to mislead investigators into attributing the attack to a certain Threat Actor group.

What are the 7 steps to create a new threat actor cluster when the attribution is not clear?

  1. Data collection: Collecting and analyzing data from various sources, such as the internal incident response reports, FW/IDS/IPS/DNS logs, honeypots and open-source intelligence, to gather information about potential cyber threats.
  2. TTP analysis: Analyzing the tactics, techniques, and procedures (TTPs) used by the potential threat actors to identify patterns of behavior and commonalities between different incidents.
  3. Cluster identification: Identifying potential threat actors by grouping together incidents that share similar TTPs and characteristics.
  4. Verification: Verifying the threat actor cluster through additional research and analysis, such as reviewing IP addresses, malware samples, and other technical indicators to confirm the linkages between the incidents.
  5. Attribution: Attempting to attribute the cluster to a known or unknown group, individual or nation-state.
  6. Profile creation: Creating a profile of the threat actor cluster, including information such as known TTPs, tools, techniques, and potential motivations.
  7. Sharing: Sharing the information with relevant stakeholders, such as incident responders, security teams, and law enforcement agencies to help them protect against and respond to the threat.

Conclusion

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store