This is a text I posted some years ago on LinkedIn. I still think this may be valuable, so I’m reposting it here even though the examples may appear a bit outdated.
What use is attribution of cyber attacks?
Each new breach makes everyone ask for attribution. I have to admit that I also follow all these blog posts attributing headline-grabbing cyber attacks to different threat actors. A prime example for me is the attack on a German government network.
This is a perfectly normal human reaction. If I came home to find that someone had broken into my house, I’d ask the same. Similarly, if a pickpocket successfully stole my wallet, I’d ask who that was.
However, there are at least two reasons why this alone is insufficient:
- Attribution is extremely difficult, as described by Cisco’s Talos intelligence group for the example of Olympic Destroyer.
- Unless you have forensically sound evidence that is admissible in a trial, and the attacker happens to be in the same jurisdiction, you can’t use it anyway.
Does that mean we should stop doing that, and that following all these blog posts merely means we fell prey to security marketing stunts?
Not at all, if we look at it slightly differently. I suggest we focus not so much on the question “who has done it?” but rather ask “how did they do it?”. Again, look at my previous examples of pickpockets or burglars: if I know I’ll be travelling in an area full of pickpockets, I had better adapt by not bringing much cash and securing my wallet. Looking at how burglars break into houses may help me decide whether I should first secure my back door better or add an alarm.
That is, we need to focus on the “Tactics, Techniques and Procedures” (TTPs) input from threat intelligence to improve the security posture. That is the real value of investigating cyber threats. Unfortunately it’s not as simple as reading a few blog posts or adding indicators of compromise (IoCs) to a SIEM, though you should definitely do both.
To really derive value, you need to continuously incorporate threat intelligence into your IT risk management and have it drive the decisions you make for the further evolution of your security architecture and processes:
- Ask yourself which threat actors are the most relevant for you and your business right now (hint: most often it’s not nation states you should start with!).
- Investigate which TTPs were employed in recent attacks by these threat actors or across your industry.
- Evaluate whether this information translates into new risks or a different weight for existing risks.
- Check whether your current security architecture properly addresses these risks or needs adaptation.
- Decide whether you need to invest in something new or whether you rather need to improve your existing processes.
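The five steps above can be made repeatable. The following is an added example, not code from the original post: a small threat-intel-driven risk review in Python in which actor relevance, the TTPs observed per actor, and the effectiveness of existing controls are all constructed sample data (the actor and TTP names are placeholders; a real implementation would key TTPs to a shared vocabulary such as MITRE ATT&CK). It weights each TTP by how relevant the actors using it are, discounts that weight by the controls already covering it, and then says whether the gap calls for a new investment or for improving what is already in place.

```python
"""Threat-intel-driven risk review (added example; all data below is constructed)."""


# Step 1 (constructed): how relevant each threat actor is to us right now, 0..1.
ACTOR_RELEVANCE = {"actor-A": 0.9, "actor-B": 0.6, "actor-C": 0.2}

# Step 2 (constructed): TTPs reported for each actor in recent attacks.
OBSERVED_TTPS = {
    "actor-A": {"phishing-attachment", "valid-accounts", "remote-services"},
    "actor-B": {"phishing-attachment", "scripting-interpreter", "data-exfil-web"},
    "actor-C": {"supply-chain-compromise", "valid-accounts"},
}

# Steps 3-4 (constructed): controls we already have per TTP, with an
# estimated effectiveness 0..1. An empty list means nothing covers that TTP.
CONTROLS = {
    "phishing-attachment": [("mail-sandbox", 0.7)],
    "valid-accounts": [("mfa", 0.8), ("login-anomaly-alerting", 0.5)],
    "scripting-interpreter": [("script-logging", 0.4)],
    "remote-services": [],
    "data-exfil-web": [("proxy-dlp", 0.3)],
    "supply-chain-compromise": [],
}


def ttp_pressure(observed, relevance):
    """Sum the relevance of every actor seen using a TTP.

    A TTP used by several relevant actors ends up with more 'pressure' than one
    used only by an actor we have decided is unlikely to target us.
    """
    pressure = {}
    for actor, ttps in observed.items():
        for ttp in ttps:
            pressure[ttp] = pressure.get(ttp, 0.0) + relevance.get(actor, 0.0)
    return pressure


def residual_risk(pressure, controls):
    """Discount each TTP's pressure by the controls that already cover it.

    Controls are treated as independent layers: residual = pressure * prod(1 - eff).
    """
    residual = {}
    for ttp, p in pressure.items():
        remaining = 1.0
        for _name, effectiveness in controls.get(ttp, []):
            remaining *= 1.0 - effectiveness
        residual[ttp] = round(p * remaining, 3)
    return residual


def prioritise(residual, controls):
    """Step 5: rank TTPs by residual risk and say what kind of action each needs.

    Returns a list of (ttp, residual, recommendation), highest residual first.
    """
    rows = []
    for ttp, value in sorted(residual.items(), key=lambda kv: (-kv[1], kv[0])):
        if controls.get(ttp):
            recommendation = "improve existing controls"
        else:
            recommendation = "invest in a new control"
        rows.append((ttp, value, recommendation))
    return rows


def run_review(observed=OBSERVED_TTPS, relevance=ACTOR_RELEVANCE, controls=CONTROLS):
    """Run the whole review; call again whenever new intelligence arrives."""
    return prioritise(residual_risk(ttp_pressure(observed, relevance), controls), controls)


if __name__ == "__main__":
    for ttp, value, recommendation in run_review():
        print(f"{ttp:25s} residual={value:<6} -> {recommendation}")
```

With the constructed data, the uncovered remote-services TTP of the most relevant actor comes out on top as a candidate for new investment, while valid-accounts ends up last because two existing controls already cover it; rerunning the review after each intelligence update is what turns the list into the continuous process the post argues for.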
Doing this continuously not only improves the security posture, it also helps you build better business cases for your investments and demonstrates the required due diligence of your work.