Attribution in Cyber Security

October 22, 2021
3 minute read

This is a text I posted some years ago on LinkedIn. I still think it may be valuable, so I am reposting it here even though the examples may appear a bit dated.

What use is attribution of cyber attacks?

Each new breach makes everyone ask for attribution. I have to admit that I also follow all the blog posts attributing headline-grabbing cyber attacks to various threat actors. A prime example for me is the attack on a German government network.

This is a perfectly normal human reaction. If I came home to find that someone had broken into my house, I would ask the same question. Similarly, if a pickpocket successfully stole my wallet, I would want to know who it was.

However, there are at least two reasons why this alone is insufficient:

Does that mean we should stop doing it, and that following all these blog posts merely means we have fallen prey to security marketing stunts?

Not at all, if we look at it slightly differently. I suggest we focus less on the question "who did it?" and more on "how did they do it?". Consider again my earlier examples of pickpockets and burglars: if I know I will be travelling in an area full of pickpockets, I had better adapt by not carrying much cash and by securing my wallet. Looking at how burglars break into houses may help me decide whether I should first secure my back door or add an alarm.

That is, we need to focus on the "Tactics, Techniques and Procedures" (TTPs) that threat intelligence provides and use them to improve the security posture. That is the real value of investigating cyber threats. Unfortunately it is not as simple as reading a few blog posts or loading indicators of compromise (IoCs) into a SIEM, though you should definitely do both: an indicator such as an IP address or a file hash is cheap for the attacker to change, while the technique behind it tends to stay the same across campaigns.
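To make the difference concrete, the following Python snippet is an added example that is not part of the original post. It runs an indicator-based check and a behaviour-based (TTP) check side by side over three constructed process-creation events: the intrusion described in a hypothetical threat-intelligence report, the same tradecraft after the attacker has rebuilt the payload and moved to new infrastructure, and a benign administrative script. The IoC values, the log events and the rule are all constructed for illustration and are not taken from any real incident or detection product.

```python
"""Added example (not from the original post): indicator-based versus
behaviour-based detection over constructed process-creation events.

All IoC values, hashes, IP addresses and log events below are made up for
illustration (documentation IP ranges, dummy hashes)."""
import re

# Constructed IoC feed as it might be loaded into a SIEM: one C2 address and
# one file hash taken from a (hypothetical) report about a past intrusion.
IOC_IPS = {"203.0.113.7"}
IOC_SHA256 = {"0" * 63 + "1"}  # dummy hash standing in for the known dropper

# Behaviour-based rule: PowerShell launched with a hidden window and an
# encoded command. This captures the technique (a fileless stager) rather
# than a specific payload, so it survives the attacker changing hashes or IPs.
_ENC_FLAG = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+\S+")
_HIDDEN_FLAG = re.compile(r"(?i)(^|\s)-w(indowstyle)?\s+hidden")


def ioc_match(ev):
    """Indicator-based detection: exact match of event fields against the feed."""
    hits = []
    if ev.get("dst_ip") in IOC_IPS:
        hits.append("ioc:ip")
    if ev.get("sha256") in IOC_SHA256:
        hits.append("ioc:hash")
    return hits


def ttp_match(ev):
    """Behaviour-based detection: hidden-window PowerShell with an encoded command."""
    image = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "")
    if image.endswith("powershell.exe") and _ENC_FLAG.search(cmd) and _HIDDEN_FLAG.search(cmd):
        return ["ttp:encoded_hidden_powershell"]
    return []


def detect(events):
    """Return (event id, list of rule names that fired) for every event."""
    return [(ev["id"], ioc_match(ev) + ttp_match(ev)) for ev in events]


# Constructed sample events, loosely shaped like process-creation logs.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # 1: the intrusion the (hypothetical) threat-intel report described
    {"id": 1, "image": PS_IMAGE,
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "sha256": "0" * 63 + "1", "dst_ip": "203.0.113.7"},
    # 2: same technique, but the payload was rebuilt and the C2 moved
    {"id": 2, "image": PS_IMAGE,
     "cmdline": "powershell.exe -NoP -WindowStyle Hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "sha256": "a" * 64, "dst_ip": "198.51.100.23"},
    # 3: benign administrative script, no hidden window, no encoded command
    {"id": 3, "image": PS_IMAGE,
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1",
     "sha256": "b" * 64, "dst_ip": "10.0.0.5"},
]

if __name__ == "__main__":
    for event_id, rules in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {rules or 'no detection'}")
```

Event 1 is caught by both approaches, event 2 only by the TTP rule, and event 3 by neither. That second row is the point of the paragraph: the IoC feed goes stale the moment the actor re-tools, whereas a detection written against the technique keeps working until the actor changes how they operate.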

Really deriving value requires continuously incorporating threat intelligence into your IT risk management and having it drive the decisions you make about the further evolution of your security architecture and processes:

Doing this continuously not only improves the security posture, it also helps you build better business cases for your investments and demonstrates the due diligence expected of your work.
