Why We Should Focus on ‘How,’ not ‘Who,’ of Cyberattacks

Organizations often don’t understand what they need to be protecting themselves from when it comes to costly cyberattacks. The threat landscape is becoming ever more evolved and it’s now rare for a day to go by without a new form of cyberattack hitting the headlines.

Interventions by hacking groups into foreign affairs, such as reports that Russian hackers targeted 21 U.S. states during the election campaign and the recent Olympic Destroyer malware, which targeted the Pyeongchang Winter Olympic Games, highlight how cyberattacks can influence and affect not only individuals and organizations, but also global events, economies and political outcomes.

It has become increasingly challenging to effectively track these attacks, protect against them and identify the perpetrator. Researchers have recently detected a shift in the toolkit used by Hades, the advanced persistent threat (APT) group believed to be behind Olympic Destroyer. The shift seems likely to keep most of the group’s operations under the radar, which surely does not facilitate attribution.

So where exactly should organizations be focusing their efforts?

Attribution: Achieving the Impossible

It’s incredibly rare that we can categorically say whether a specific actor was definitively behind a cyberattack. Anyone using the internet has some form of identifying information associated with their online activity, be it an IP address, user-agent or login credential, so it stands to reason that we can identify malicious actors through patterned usage of those features. However, careful use of certain tools, online tradecraft and encryption services (such as VPNs) can mask a user’s online identity. Online anonymity is a double-edged sword, protecting both legitimate users and malicious ones, and this complexity means it’s very difficult to gather all the facts and accurately identify the actor.

As analysts we are essentially trying to identify an actor’s signature, some uniquely identifiable component of their activities online which gives their identity away. As previously explained, it’s a very complex picture and we have to use structured threat intelligence in a threat intelligence platform to identify the key attributes that might provide clues. This can be anything from the way they write their malware, time-zone analysis or even specific commands they use when accessing networks. Even then, however, attribution rarely is 100 percent accurate.

Skepticism is key to all good analysis and it’s important that companies that are interested in threat actor attribution explore assertions with healthy challenge. Keep challenging, and back up assertions with good evidential chains captured in a structured threat intelligence platform.

The ‘Who’ vs. the ‘How’

There are both good and bad reasons behind attribution and our desire to discover the actors responsible for cyberattacks.

When an attack takes place, it’s human nature to want to have someone to blame. Yet often, attribution is too little, too late when it comes to keeping safe—the damage has already been done. Alongside this, the seeming obsession many people have with identifying threat actors often leads to finger-pointing, which could have a very large impact on the current geopolitical climate if a nation-state is suspected to be involved. An understanding of an actor’s intent or modus operandi is clearly valuable for an investigator responding to an incident, but that value should not be mistaken for an opportunity to gossip.

Instead of focusing on attribution—which could be seen as closing the stable door after the horse has bolted—I believe the most important thing should be a specific focus on tactics, techniques and procedures (TTPs). It shouldn’t be about the ‘who’ but the ‘how.’

By moving the focus away from attribution and more toward TTPs, we will be better prepared to prevent more cyberattacks than at present. By knowing and understanding all the potential TTPs that could be used in an attack, it is possible to close off the back doors to criminals while those concentrating on attribution leave themselves open to cybercriminals and further attacks.

While TTPs are almost the only reliable way to track this sort of threat, analysts should not ignore attribution altogether. It’s important for them to take note of the Diamond Model, ensuring a holistic approach to data collection. It’s important to make sure your pursuit of attribution is to improve your understanding of the motivations behind the attack and to be able to compare/contrast those motivations with the tools used. If the motives don’t fit the crime or the tools used, then allow yourself to explore alternative hypotheses and don’t get caught up with finger-pointing.

And finally, it’s vital to ensure the basics of network defense are covered first and foremost. Instead of getting too obsessed with the ‘who,’ organizations should ensure all systems are up to date, patches are deployed and standards are adhered to. By doing this, businesses and governments can most effectively protect against the most commonly used TTPs and use their resources more effectively.

Caitlin Huey


Caitlin Huey is a Senior Threat Intelligence analyst at EclecticIQ Fusion Center. She has been working as an analyst since 2013.
