With political institutions, governments and companies under attack from nation states and other cyber criminals, it’s becoming more important for investigators and intelligence analysts to track down those responsible, whether a person, a group or a country. This process is called attribution, but it’s not easy and it’s not always definitive. It’s a skill and a process that requires intense digital detective work.
In any attempt to track down the “bad guys” in criminal activity, assumptions usually have to be made. In cyberattacks and the resulting crimes, the process includes analysis of the digital forensic evidence, consideration of the overarching situation, historical data, and an establishment of potential motives or intent.
As in criminal court in the United States, alleged defendants must be proven guilty “beyond a reasonable doubt.” This is difficult, and it’s why there often isn’t any prosecution or retaliation. Unless there is physical forensic evidence showing that an individual or a group of individuals was on a computer at the exact time an organization was compromised, it’s very difficult to definitively attribute cause and effect. This is one of the reasons “hacking back” on a corporate level usually doesn’t happen.
Six ways attacks can be attributed
Analyzing source data: Attack tooling often must communicate with nodes outside the targeted network, either for command and control or for relaying data out of compromised networks or computers. The metadata around that communication can help make the attribution case. This metadata could be things like source IP addresses, domain names, domain name registration information, third-party data from sources like Crowdsource or VirusTotal, email addresses, file hashes and hosting platforms. However, any single one of these data points can easily be faked. By analyzing them across a series of multiple attacks targeting various (and perhaps geopolitically linked) organizations, certain assumptions and assertions can be made based on the recurrence of the same false data. For instance, an anonymous email address recovered from one attack can be linked back to a perpetrator if the domain names it registered match command and control habits previously identified for that specific perpetrator.
Analysis of tools, scripts and programs: This can provide critical information, and the analysis can include the language of the compiler, the programming language, compile time, the libraries that were utilized, patterns/ordering of execution events and more. Hints abound: Did the “perp” misspell a word that’s replicated across various iterations of the attacker’s software? Was the malware written on a Cyrillic keyboard?
Examining tactics, techniques and procedures: Bad guys sometimes have their own style. Identifying these can often provide clues. This could include the method of delivering the attack (social engineering, for example), the types of malware, how they explored a network for vulnerabilities and the methods they use to cover their tracks.
Trying to get into the attacker’s head: What might the end game be? It’s not always about money. Did they just lurk, spying over a long period of time? Were they looking for specific data during their intrusions? How did they try to use what they found out?
Understanding the business drivers: Every industry encounters cyberattacks, though attacks against a given sector tend to run in cycles. When oil prices rise, companies spend more on exploration, so those organizations are at a higher risk of geo-spatial data theft. When technology firms prepare to roll out innovative devices, they might be more likely to be targeted for intellectual property acquisition and theft of data. Thus, knowing what is going on within companies can help predict problems.
Comprehending the geopolitics: Is a certain nation-state going through an energy crisis, making it more likely to infiltrate oil and gas companies to find exploration data? This kind of analysis attempts to determine an actor’s identity by placing their actions under the lens of current events, tying a variety of assumptions over stakeholder motivations to the technical forensics of a cyberattack.
Conclusion: It’s a true “whodunit”
Throughout the attribution process, analysts try to assemble a case by cataloguing who, what, why, when, where and how. On a micro-level, incident response teams collect evidence to answer these questions on an investigation-by-investigation basis. On a macro-level, threat intelligence teams take evidence and analysis from multiple investigations and put it together to identify patterns. If patterns match across multiple investigations, attacks can be categorized and attribution assumptions can be made.
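The source-data analysis above and this macro-level pattern matching both come down to the same operation: correlating observables across several investigations and weighting them by how hard they are for an attacker to change. The following is an added example written for this article, not code from the article's author or from any vendor. The incident records, indicator types and weights are constructed for illustration; real weights would come from an analyst's own judgement and history. It shows why a shared source IP alone should not link two intrusions, while shared build artefacts and tradecraft carry far more weight, and how a threshold set too low lets a single cheap indicator merge unrelated cases.

```python
"""Correlate indicators across incidents to surface recurring attacker patterns.

Added example, not from the article. Incident records and weights are
constructed/hypothetical. Indicator types are weighted by how costly they are
for an attacker to change between operations, so overlap in tooling and
tradecraft counts for more than overlap in easily rotated infrastructure.
"""
from collections import defaultdict
from itertools import combinations

# Assumed weights (illustrative): higher = harder to fake or rotate.
WEIGHTS = {
    "src_ip": 1.0,           # trivially changed, proxied, or shared by strangers
    "c2_domain": 2.0,        # cheap to register, but registration habits recur
    "registrant_email": 3.0, # registrar habit that persists across campaigns
    "sample_sha256": 2.0,    # identical binary reused against several victims
    "pdb_path": 4.0,         # build-environment artefact, rarely rotated
    "compile_lang": 1.5,     # weak on its own and easy to plant deliberately
    "delivery": 2.5,         # tradecraft (TTP), part of the actor's style
    "lateral_tool": 3.0,     # same for the tooling used to move inside a network
}

# Constructed incident records for demonstration only (no real indicators).
INCIDENTS = {
    "INC-001": {
        "src_ip": {"198.51.100.7"},
        "c2_domain": {"update-check.example"},
        "registrant_email": {"ops-registrar@example.net"},
        "sample_sha256": {"sha256-A"},
        "pdb_path": {r"C:\build\loader\Release\loader.pdb"},
        "compile_lang": {"ru"},
        "delivery": {"spearphish_macro_doc"},
        "lateral_tool": {"psexec_clone"},
    },
    "INC-002": {  # fresh infrastructure, but the same tooling and habits
        "src_ip": {"203.0.113.42"},
        "c2_domain": {"cdn-sync.example"},
        "registrant_email": {"ops-registrar@example.net"},
        "sample_sha256": {"sha256-B"},
        "pdb_path": {r"C:\build\loader\Release\loader.pdb"},
        "compile_lang": {"ru"},
        "delivery": {"spearphish_macro_doc"},
        "lateral_tool": {"psexec_clone"},
    },
    "INC-003": {  # shares only a source IP with INC-001 (a shared VPN exit, say)
        "src_ip": {"198.51.100.7"},
        "c2_domain": {"files-portal.example"},
        "registrant_email": {"someone-else@example.org"},
        "sample_sha256": {"sha256-C"},
        "pdb_path": {r"/home/dev/agent/agent.pdb"},
        "compile_lang": {"en"},
        "delivery": {"watering_hole"},
        "lateral_tool": {"rdp_reuse"},
    },
}


def shared_indicators(a, b):
    """Return {indicator_type: set(shared values)} for two incident records."""
    shared = {}
    for kind in WEIGHTS:
        common = a.get(kind, set()) & b.get(kind, set())
        if common:
            shared[kind] = common
    return shared


def overlap_score(a, b):
    """Weighted count of indicator values the two incidents have in common."""
    return sum(WEIGHTS[kind] * len(vals) for kind, vals in shared_indicators(a, b).items())


def cluster_incidents(incidents, threshold):
    """Group incidents whose pairwise weighted overlap reaches the threshold.

    Union-find makes linking transitive: if A~B and B~C, then A, B and C land
    in one cluster even when A and C share nothing directly, which is exactly
    why the threshold matters. Returns a sorted list of sorted incident ids.
    """
    parent = {k: k for k in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for x, y in combinations(incidents, 2):
        if overlap_score(incidents[x], incidents[y]) >= threshold:
            parent[find(x)] = find(y)

    groups = defaultdict(list)
    for k in incidents:
        groups[find(k)].append(k)
    return sorted(sorted(g) for g in groups.values())


def explain_pair(incidents, x, y):
    """List what two incidents share as (type, weight, values), strongest first."""
    shared = shared_indicators(incidents[x], incidents[y])
    rows = sorted(shared.items(), key=lambda kv: -WEIGHTS[kv[0]])
    return [(kind, WEIGHTS[kind], sorted(vals)) for kind, vals in rows]


if __name__ == "__main__":
    print("clusters at threshold 6.0:", cluster_incidents(INCIDENTS, 6.0))
    print("clusters at threshold 1.0:", cluster_incidents(INCIDENTS, 1.0))
    for x, y in combinations(INCIDENTS, 2):
        print(x, y, overlap_score(INCIDENTS[x], INCIDENTS[y]), explain_pair(INCIDENTS, x, y))
```

With the constructed data, INC-001 and INC-002 score 14.0 against each other on build path, registrar habit, delivery and lateral-movement tooling, while INC-001 and INC-003 score 1.0 on the shared IP alone. At a threshold of 6.0 the first two cluster together and INC-003 stays separate; dropping the threshold to 1.0 merges all three through the IP, which is the kind of over-linking that the "these data points can easily be faked" caveat warns about. The `explain_pair` output is what an analyst would put in the case file: the evidence, ranked by how hard it would have been to fabricate.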
While attribution isn’t an exact science, we can come close to attribution “beyond a reasonable doubt”—and we should continue trying.