Cyber attribution: Vigilance or distraction?
Cyber attribution is a process by which security analysts collect evidence, build timelines and attempt to piece together evidence in the wake of a cyberattack to identify the responsible organization/individuals. Cyber threat attribution stems from the core psychology of a human being. Fritz Heider, who is considered to be the father of attribution theory, explained it as the way humans “reconcile perceptions and observations in their quest for understanding”.
Attribution is not a problem limited to the cyber sphere. Other experts also place build theories based on evidence that might not be real. One of the most recent examples is a rare Gauguin statue titled ‘Head with Horns’, purchased by The Getty museum for $3-5 million, which turned out to be fake.
So, why do we do attribution? Ultimately, as human beings, we need to blame someone for our problems, and organizations are no different – they need to blame someone because it means it’s not their fault. Many cyber professionals state that attribution is vital to their organizations, yet they can’t explain the exact reason. The challenge is that organizations usually go down the path that suits their narrative. It’s much easier to come up with the hypothesis and chase the dream of “who” and “why” instead of the more immediate concerns of “what”, “when”, “where”, and “how”.
Attribution as a distraction and disturbance
As with any forensic process, getting to the root of a cyberattack is time- and resource-consuming, involving a significant amount of educated guesswork. In addition, people are biased, which means results can often be subjective and difficult to back up with hard evidence.
Governments are not good at cyber attribution, either. Governments and agencies can take years to attribute a cyberattack. For example, the US Department of Justice took over four years to blame two Chinese nationals for the health insurance giant Anthem breach, yet the motives behind it are still unknown. This is because attribution can lead to counterattacks and escalate the tension between two governments, so agencies have to be careful when making direct claims. At the same time, governments are usually not held accountable for making attribution claims due to secrecy clauses and security policies.
When a cyberattack happens in an organization, security teams are always seen to be at fault. However, the root of the problem is that most security teams are overworked, with tiny budgets and limited tools. Moreover, there is a global shortage of cybersecurity experts as the IT skills gap climbs to 3.4 million workers worldwide. Therefore, cybersecurity experts should ask themselves, “Are there better things I can be doing than attribution?”
When attribution matters, and why CTI matters more
In some situations, effective attribution can be a valuable source of intelligence for organizations that suffered a cyber breach. Threat actors go to great lengths to cover their tracks, and any evidence and facts gathered through attribution can bring organizations closer to catching the perpetrators. Deploying a good Cyber Threat Intelligence (CTI) program helps organizations understand which current or future threats can impact their business operations.
Some organizations don’t treat threat intelligence seriously because they already have their “go-to” to blame, or they simply believe no one will attack a small organization. During the Wannacry attack, we witnessed a prime example of a poor interpretation of threat intelligence, when organizations and ISPs started blocking access to a sinkhole URL discovered by security researcher Marcus Hutchins. Rather than being a malicious website, devices connecting to the URL prevented the malware’s payload from activating, so blocking it resulted in further infections.
Organizations need to dig deeper, looking at their threat profile, understanding more about their verticals, and educating their senior leaders using layperson’s terms. This would help understand their risks, how easily they can be attacked and what they have of interest that would encourage someone to attack them.
It may sound obvious, but the worst possible time to embark on a CTI program is in the middle of an incident. Organizations should create business-level requirements for the program, such as goals, measurements, feedback loop and reports. Cyber teams must be able to tell stories with threat intelligence, not simply list everything they have. Organizations also need a great root cause analysis (RCA) method to help them analyze known issues and define the causes. Understanding what went wrong and what could have gone wrong are the best places to understand gaps and prioritize solutions.
If security teams can get their CTI programs right and educate senior business leaders, attribution becomes less of an issue. Security teams can get better at telling stories, increasing their security measures, and keeping organizations’ attack surface small. In this scenario, a good CTI program becomes a priority over attribution.
Attribution rarely makes a massive difference unless you are a government, Europol or a cyber insurance company. In fact, there are several anecdotes of organizations attempting not to attribute the breach to anyone due to perceived insurance issues. Cyber insurance companies now claim they won’t pay out if an incident was classed as a nation-state attack, as essentially, these claims are seen as an act of war.
The importance of attribution comes down to the organization involved and whether it can see an investigation through. With investigations taking significant amounts of time and resources, it shouldn’t be an organization’s priority in the event of a breach.
With security teams already stretched thin, it’s better to dedicate their time to understanding the attack, the reason behind it and improving processes so that attacks like these don’t occur. Equally, threat intelligence shouldn’t be just about purchasing a threat intelligence platform (TIP) and throwing feeds at it. Having strategic, tactical and operational CTI programs is critical in helping organizations improve their security posture against emerging cyber threats.