Attribution in Cyber Threat Intelligence: Techniques and Challenges

Understanding the importance and methods of cyber attribution from a strategic point of view

Bank Security
6 min read · Jan 18, 2023

Introduction

Working in cyber threat intelligence involves a fair amount of activity aimed at attributing cyber attacks.

Since there is currently no clear list of the different ways to attribute a cyber attack to a specific criminal group or APT, I have decided to describe the various steps below and explain why attribution is so important for the cyber security sector from a strategic point of view.

Why is attribution so important in the cyber field?

  • Intelligence gathering: Attribution can help to gather intelligence about the motivations, capabilities, and tactics of cyber attackers, which can be used to better protect against future attacks.
  • Prioritization: Attribution can help organizations to prioritize their defensive efforts by identifying the most significant threats and allocating resources accordingly.
  • Legal and policy implications: Attribution helps to determine who is responsible for a cyber attack, which can have legal and policy implications for how the attack is handled and responded to.
  • Deterrence: Attribution can help to deter future attacks by holding individuals or organizations accountable for their actions and making it clear that cyber attacks will not be tolerated.
  • Threat hunting: Attribution can help to identify the group or individual behind an attack, and enables threat hunting, which is the process of proactively searching for and identifying potential security threats.
  • International relations: Attribution can have international relations implications, depending on the origin of the attack and the target.

What are the best ways to attribute a cyber attack?

  • Technical indicators: Analyzing technical indicators such as IP addresses, command and control infrastructure, hashes, domains, malware or abused malicious software to identify patterns and connections that may be unique to a particular Threat Actor.
  • Behavioral analysis: Analyzing the tactics, techniques, and procedures (TTPs) used in the attack to identify behavioral patterns that may be associated with a particular group. You can use the MITRE framework to find commonalities in the abused techniques and procedures, or analyze network traffic to identify patterns of communication and infrastructure that are associated with a particular threat actor.
  • Geopolitical context: Analyzing the political and economic context of the cyber attack to identify potential motivations or factors that may be associated with a particular actor.
  • Deception: Identifying the source of an attack by using deception and misdirection to mislead the attacker into revealing their true identity.
  • Legal means: Identifying the source of an attack by using legal means such as a search warrant, subpoena, or other legal process.
  • Forensic analysis: Identifying the source of an attack by investigating the digital evidence left behind.
  • Open-source intelligence (OSINT): Identifying the source of an attack by analyzing publicly available information, such as social media posts, news articles, and other open-source data.

Remember that attribution in cyber intelligence is difficult and often inconclusive because attackers can use various methods to hide their identity, such as proxy servers, VPNs, and other ways of masking their IP addresses and real identities.

For example, APT groups often use sophisticated methods to conceal their identity and evade detection, so attribution can be difficult and may require collaboration between multiple organizations and agencies. Additionally, it’s important to consider the possibility of false flag operations, where an attacker may use techniques and tools that are designed to mislead investigators into attributing the attack to a certain APT or Threat Actor group.

How can correct attribution make a difference during a cyber attack / IR?

  • Tailored response: Attribution can help incident responders to quickly and effectively respond to a cyber attack by providing information about the attackers’ TTPs, tools, and motivations, allowing a tailored response to the specific incident.
  • Enhancing incident reporting and communication: Attribution can help to provide context and background information about the attack, which can be used to improve incident reporting and communication with external stakeholders such as law enforcement, industry partners and other organizations.
  • Intelligence requirements: Correct attribution can help define the priority intelligence requirements. This can help an organization to focus on specific threat actors and prioritize mitigation strategies against their TTPs.
  • Facilitating legal and policy decisions: Attribution can help to determine who is responsible for a cyber attack, which can have legal and policy implications for how the attack is handled and responded to.
  • Supporting international relations: Attribution can have international relations implications, depending on the origin of the attack and the target. Correct attribution can avoid misunderstandings and facilitate cooperation and coordination among countries.
  • False flags: Attribution can help to identify potential false flag operations, where an attacker may use techniques and tools that are designed to mislead investigators into attributing the attack to a certain Threat Actor group.

Even when attribution is possible, it doesn’t always change the course of action that an organization or an agency should take, as the prevention and mitigation of cyber attacks should be the primary focus.

What are the 7 steps to create a new threat actor cluster when the attribution is not clear?

Sometimes during the attribution process you come across attacks that are unknown to the sources and data at your disposal. At that point you can create a new cluster of activities attributed to this new unknown group.

Subsequently, other researchers, private companies or intelligence agencies may publish data related to that cluster; by combining that information with yours, you can associate the cluster with one that is already known and attributed.

The process for creating a new threat actor cluster generally involves several steps, including:

  1. Data collection: Collecting and analyzing data from various sources, such as internal incident response reports, FW/IDS/IPS/DNS logs, honeypots and open-source intelligence, to gather information about potential cyber threats.
  2. TTP analysis: Analyzing the tactics, techniques, and procedures (TTPs) used by the potential threat actors to identify patterns of behavior and commonalities between different incidents.
  3. Cluster identification: Identifying potential threat actors by grouping together incidents that share similar TTPs and characteristics.
  4. Verification: Verifying the threat actor cluster through additional research and analysis, such as reviewing IP addresses, malware samples, and other technical indicators to confirm the linkages between the incidents.
  5. Attribution: Attempting to attribute the cluster to a known or unknown group, individual or nation-state.
  6. Profile creation: Creating a profile of the threat actor cluster, including information such as known TTPs, tools, techniques, and potential motivations.
  7. Sharing: Sharing the information with relevant stakeholders, such as incident responders, security teams, and law enforcement agencies to help them protect against and respond to the threat.
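
As an added illustration of steps 2 to 4 and 6 (not code from the original article), the sketch below groups incidents by the overlap of their TTP sets, checks which links are corroborated by shared technical indicators, and builds a profile for each cluster. The incident data is constructed, and the Jaccard similarity measure, the 0.5 threshold, the function names and the `UNATTRIBUTED-nn` naming are assumptions chosen for the example.

```python
from itertools import combinations

# Constructed incidents: MITRE ATT&CK technique IDs plus technical indicators
# (documentation-range IPs and example domains, not real infrastructure).
INCIDENTS = {
    "IR-001": {"ttps": {"T1566.001", "T1059.001", "T1053.005", "T1071.001"},
               "iocs": {"192.0.2.10", "update.example.com"}},
    "IR-002": {"ttps": {"T1566.001", "T1059.001", "T1071.001", "T1027"},
               "iocs": {"192.0.2.10", "cdn.example.net"}},
    "IR-003": {"ttps": {"T1190", "T1021.001", "T1486", "T1490"},
               "iocs": {"198.51.100.7"}},
    "IR-004": {"ttps": {"T1566.001", "T1059.001", "T1053.005", "T1027"},
               "iocs": {"203.0.113.5"}},
}

def jaccard(a, b):
    """Overlap of two sets: |a & b| / |a | b|."""
    return len(a & b) / len(a | b) if a | b else 0.0

def cluster_incidents(incidents, threshold=0.5):
    """Steps 2-3: group incidents whose TTP sets overlap >= threshold."""
    parent = {name: name for name in incidents}
    def find(x):                      # union-find root lookup
        while parent[x] != x:
            x = parent[x]
        return x
    for a, b in combinations(incidents, 2):
        if jaccard(incidents[a]["ttps"], incidents[b]["ttps"]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for name in incidents:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values())

def verify_links(incidents, cluster):
    """Step 4: member pairs that also share at least one technical indicator."""
    shared = {(a, b): incidents[a]["iocs"] & incidents[b]["iocs"]
              for a, b in combinations(sorted(cluster), 2)}
    return {pair: iocs for pair, iocs in shared.items() if iocs}

def build_profile(incidents, cluster, name):
    """Step 6: profile with core TTPs and members linked by TTPs alone."""
    corroborated = {i for pair in verify_links(incidents, cluster) for i in pair}
    core = set.intersection(*(incidents[i]["ttps"] for i in cluster))
    return {"name": name, "members": sorted(cluster), "core_ttps": sorted(core),
            "ttp_only_members": sorted(set(cluster) - corroborated)}

if __name__ == "__main__":
    for n, c in enumerate(cluster_incidents(INCIDENTS), 1):
        print(build_profile(INCIDENTS, c, f"UNATTRIBUTED-{n:02d}"))
```

In this sample, IR-004 joins the first cluster on TTP overlap only, with no shared indicator; such members deserve lower confidence, since commonly used techniques or a false flag can produce the same overlap.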

Creating a new threat actor cluster can be time-consuming and requires significant expertise in areas such as cyber threat intelligence, incident response, and malware analysis. Additionally, threat actors are constantly evolving and changing their TTPs, so the profile and clustering should be reviewed and updated regularly.

Therefore, organizations should also focus on implementing robust security measures and incident response plans to protect against cyber threats, regardless of their origin.

Conclusion

The process of attributing cyber attacks is crucial for the cyber security sector from a strategic and technical point of view. Attribution helps to gather intelligence about the motivations, capabilities, and tactics of cyber attackers, which can be used to better protect against future attacks. It also helps to determine who is responsible for a cyber attack, which can have legal and policy implications for how the attack is handled and responded to.

Reference:

https://media.kaspersky.com/en/business-security/enterprise/threat-attribution-engine-whitepaper.pdf
