
Why Attribution Is Important for Today's Network Defenders

Josh Ray

It makes me cringe when I hear operators or security practitioners say, "I don't care who the attacker is, I just want them to stop." I would like to believe that we have matured past this idea as a security community, but I still find this line of thinking prevalent across many organizations — regardless of their cyber threat operation's maturity level.

Attribution is important, and we as Cyber Threat Intelligence (CTI) professionals need to do a better job of explaining, across all lines of business and security operations, how the pursuit of attribution, manifesting itself in adversary analysis, can be employed to improve an organization's resource allocation and security posture.

Performing adversary analysis can benefit organizations in the following ways:

  • Prioritize incidents effectively based on adversary impact
  • Identify internal high-value targets and programs based on adversary intent and collection requirements
  • Proactively block threat infrastructure
  • Monitor threat communications to provide advance warning
  • Drive intelligence-driven red teaming based on threat tactics
  • Support internal business cases for IT security resource allocation based on what adversaries are targeting within your business

It is true that definitive attribution is very difficult to achieve, but most threat action leaves behind tangible elements; after all, cyber-attacks ultimately stem from a person or persons. They have motivations, develop code, abide by operational procedures or styles, have egos, attend university, have jobs, receive tasking, maintain blogs, administer forums, leverage social media, conduct security research, register infrastructure, and use tools.

A few basic examples of questions I've found useful in the past in conducting this type of analysis are:

  • Have the actors authored any publications, conducted vulnerability research, or developed tools, exploits, or other code (including development notes)?
  • What email addresses, blogs, URLs, handles, IP addresses or domains are associated with the actor?
  • Do any group affiliations exist (what is the actor's role, the group's name, its stated mission, other individuals in the group, etc.)?
  • What is the educational background of the actor (dates, curriculum, contact information, other classmates, etc.)?
  • What Web 2.0 technologies does the actor leverage (i.e., what is the nature of the communication, and is it discussion focused)?

CTI professionals should work to create internally developed questions (read Six Approaches to Creating an Enterprise Cyber Intelligence Program) to drive research, collection and analysis across all of the aforementioned facets in order to provide a holistic view of the threat at the tactical, operational and strategic levels. The ultimate goal of adversary analysis should be to provide our stakeholders with intelligence that supports a security control, maps threat intent to organizational high-value programs/targets, changes an organization's behavior, creates a course of action and supports the case for proper security resource allocation. These are just a few reasons to care.
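The following is an added example, not code from the original post or from iDefense/Verisign, showing how an adversary profile built from the questions above can feed two of the benefits listed earlier: prioritizing incidents by adversary impact and intent, and proactively blocking an actor's known infrastructure. The actor names, indicators, program names, impact weights and alert lines are all constructed placeholders, and the scoring formula is an illustrative choice rather than a standard.

```python
"""Prioritise alerts and build proactive blocklists from attributed actor profiles.

Added example (not from the original post). Actor names, indicators, internal
program names, impact weights and alert lines are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class ActorProfile:
    name: str
    intent: str                  # collection requirement inferred from analysis
    capability: int              # assessed 1 (low) .. 5 (high)
    targets: frozenset           # internal programs the actor's intent maps to
    infrastructure: frozenset    # domains / IPs the actor registers or uses
    personas: frozenset          # handles, e-mail addresses, forum identities


# Constructed, hypothetical profiles: every value below is a placeholder.
PROFILES = (
    ActorProfile(
        name="ACTOR-A",
        intent="theft of payment card data",
        capability=4,
        targets=frozenset({"payments-platform"}),
        infrastructure=frozenset({"203.0.113.7", "cdn-update.example"}),
        personas=frozenset({"h4ndle_a"}),
    ),
    ActorProfile(
        name="ACTOR-B",
        intent="defacement for notoriety",
        capability=1,
        targets=frozenset({"marketing-site"}),
        infrastructure=frozenset({"198.51.100.22", "free-host.example"}),
        personas=frozenset({"b_def4ce"}),
    ),
)

# Constructed business-impact weights for internal programs (1 low .. 5 critical).
PROGRAM_IMPACT = {"payments-platform": 5, "hr-systems": 3, "marketing-site": 1}

# Pivot index: any indicator (infrastructure or persona) -> the profile it belongs to.
INDEX = {
    ioc: p for p in PROFILES for ioc in (p.infrastructure | p.personas)
}


def attribute(indicator: str) -> Optional[ActorProfile]:
    """Return the profile a single indicator pivots to, or None if unattributed."""
    return INDEX.get(indicator)


def parse_alert(line: str) -> dict:
    """Parse a constructed 'key=value key=value' alert line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def score_alert(alert: dict) -> tuple:
    """Score = program impact * actor capability, plus a fixed escalation when
    the alert hits a program the actor is known to target. Unattributed alerts
    keep the bare impact score so they are ranked lower, not dropped."""
    program = alert.get("program", "")
    impact = PROGRAM_IMPACT.get(program, 1)
    actor = attribute(alert.get("dst", ""))
    if actor is None:
        return impact, "unattributed"
    score = impact * actor.capability
    if program in actor.targets:
        score += 10  # intent matches a high-value program: escalate
    return score, actor.name


def prioritize(lines: Iterable[str]) -> list:
    """Rank alerts highest score first as (score, actor, program, dst) tuples."""
    ranked = []
    for line in lines:
        alert = parse_alert(line)
        score, actor = score_alert(alert)
        ranked.append((score, actor, alert.get("program"), alert.get("dst")))
    return sorted(ranked, key=lambda row: row[0], reverse=True)


def proactive_blocklist(program: str) -> set:
    """Infrastructure of every actor whose intent maps to this program, so it can
    be blocked before any alert fires. Personas are deliberately excluded: they
    are pivots for analysts, not network indicators."""
    return {ioc for p in PROFILES if program in p.targets for ioc in p.infrastructure}


# Constructed sample alerts; the two hitting hr-systems look identical without attribution.
SAMPLE_ALERTS = [
    "ts=2024-01-01T10:00:00Z src=10.0.0.5 dst=free-host.example program=marketing-site",
    "ts=2024-01-01T10:01:00Z src=10.0.0.9 dst=203.0.113.7 program=payments-platform",
    "ts=2024-01-01T10:02:00Z src=10.0.0.12 dst=unknown.example program=hr-systems",
    "ts=2024-01-01T10:03:00Z src=10.0.0.3 dst=cdn-update.example program=hr-systems",
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_ALERTS):
        print(row)
    print(sorted(proactive_blocklist("payments-platform")))
```

The point of the ranking is the two hr-systems alerts: without attribution they are the same event, but once one destination pivots to a high-capability actor whose intent is card-data theft, it outranks the attributed but low-capability defacement actor and the unattributed alert. The blocklist function turns the same profile into a control that can be applied ahead of an incident.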

To learn more about cyber intelligence, visit iDefense Security Intelligence Services.

By Josh Ray, Vice President of Cybersecurity Intelligence at Verisign
