Cyber Security
Cyber-Attribution does not matter
By Daniel Marsh
Attribution is the action of ascribing an event or task to a subject. *yawn* I prefer to describe attribution as pointing fingers and laying blame when and where it is undue. It is often talked up as a critical aspect of cybersecurity, where identifying the how is as important as identifying the who, which theoretically allows the perpetrator to be identified and justice to be served. I pose a couple of questions which I will explore in my musings below:
• Is attribution worth the time and effort, and can we get it right?
• Is it possible to be certain beyond a reasonable doubt with attribution in the digital world?
TL;DR? Skip to the next page, "Where does attribution fit into the value chain?"
18 | Australian Cyber Security Magazine
So, you got compromised?
Let's set up a hypothetical and completely theoretical scenario. A service is exposed to the Internet, perhaps SSH or HTTP, a web application or a database, and it gets compromised. Malware is loaded, runs successfully and spreads laterally, resulting in the organisation's systems becoming members of a massive botnet. The threat actor uses the botnet as a backdoor to the environment and obtains critical data regarding the victim. The threat actor also damages the core business platform (energy, financial, safety, etc.), which results in catastrophic failure and the inability of the business to deliver reliable and functional resources (and therefore profit). Loot (intellectual property) is taken and sold on the dark web. Some months pass, the organisation has recovered (mostly), the loot is leaked, and the victim company no longer has any private intellectual property... they've lost competitive advantage and probably have not removed the bots from their environment.
Detection and Response
Carrying on from that scenario: in a reasonably secured network the attack was identified, and detection systems alerted key personnel, who would act to contain and then eradicate the threat. Working against them were the automatic propagation of the malware and protection systems that were not configured in a way that would prevent the attack. This included misconfigured anti-malware with incomplete endpoint protection deployments, an IPS that was still in learning mode, and firewalls that were not strategically placed. Now, everything above is just boring guff to get you in the right headspace. We have an active threat actor in the environment, and we work through the phases of incident response to contain, respond, recover, and learn.
1. The threat was successfully identified.
2. Personnel responded in accordance with the incident management procedure.