Garrett O’Hara is the Chief Field Technologist, APAC at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies and is a regular industry commentator on the cyber security landscape, data assurance approaches and business continuity.
If you’ve been targeted by an advanced persistent threat (APT), threat attribution can be a powerful way to investigate the motive behind an attack and discover clues to the attacker’s identity. But cybercriminals are an innovative bunch and are always inventing new ways to avoid getting caught.
As cybersecurity technology matured, hackers have developed their own set of tools and tactics to avoid detection. Nowadays, attackers can just buy low-cost malware tools off the dark web or easily build their own sophisticated software for maximum damage. We’ve seen advanced actors use these tools to camouflage their attacks to look like garden-variety malware infections or plant false flags to lead cybersecurity teams on a wild goose chase while they carry out their evil plans.
Threat attribution and threat intelligence can help, but it’s not for everyone
Threat intelligence watches out for common markers of the tactics that certain attackers use, which means that if similar signs show up in your system, you can get an idea of who is trying to break into your data. This kind of threat attribution can be very useful for a cybersecurity team, as it enables them to quickly come up with an effective counter-strategy. The bigger the scope of your threat intelligence network, the more effective your responses can be.
But it’s not the right answer for every business. The level of security (and attribution) you need depends on the value of the data you hold. It can be a great capability for, say, government agencies, large enterprises or critical infrastructure organisations who have access to shared threat intelligence resources, but may not be feasible to do in-house for mid-sized businesses.
How does threat attribution work?
Identifying cybercriminals is like forensics: it’s slow, methodical, painstaking work. By analysing the attack’s context, and signs and evidence buried deep in the code, researchers can tease out the threat actor’s origins. Analysis can reveal if the attackers are a new group, or if they have carried out similar attacks elsewhere. But while machines can support the analysis, it takes trained human eyes to spot the connections between scattered bits of evidence. With highly sophisticated threats, it can take months or even years of effort to identify a threat actor with any degree of certainty.
To catch the bad guys, look at their behaviour, not their technology
To get better attribution, we need to focus on the actors and their tactics, not just their technical information. Identifying behaviours, rather than IOCs, are what produce more accurate results, and arguably, are more valuable to the cybersecurity team.
But in this cat and mouse game, intelligence and information are the weapons that make all the difference. Leaking our defence plans to the enemy won’t do anyone any good (except maybe the attackers). We need to be more guarded about the specific techniques and tactics we use for attribution and defence.
Attribution and threat intelligence are rapidly evolving fields, and though they have their uses, they also have their limitations. From a business perspective, we need to assess the value of threat intelligence for our specific use case. From a technical perspective, it’s vital to keep our attribution technologies and tactics as confidential as possible. Even a tiny bit of information can give either side an enormous advantage, which is why the art and science of threat attribution is becoming an increasingly important line of defence in the face of unrelenting cyber threats.