Opinion, advice, and analysis by the TNW community

It doesn’t matter ‘who’ hacked your business

Attribution is noise: It doesn’t matter who’s behind the latest cybersecurity attack

Untitled design(7)
J.J. Thompson
Story by
J.J. Thompson

Senior Director of Managed Threat Response, SophosJ.J. Thompson is among the earliest pioneers in the field of cybersecurity known today as Managed Detection and Response (MDR). An industry veteran with a 20-year entrepreneurial track record of succ… (show all) J.J. Thompson is among the earliest pioneers in the field of cybersecurity known today as Managed Detection and Response (MDR). An industry veteran with a 20-year entrepreneurial track record of success, J.J. joined Sophos to lead strategy for managed service offerings following the acquisition of his company Rook Security in 2019.

j_j_thompson

China. North Korea. Russia. Iran. Why does it matter to your security posture if any of these countries are behind the latest cybersecurity attack? 

In most cases, it doesn’t, and as a business leader, it probably shouldn’t matter to you. 

News attaching specific criminal groups to cyberattacks – and perhaps human nature – are driving a need for attribution and understandably prompting organizational leaders to believe it matters who conducted the attack. Attributing WannaCry ransomware to North Korea or NotPetya to Russia is certainly important to law enforcement, but is best left to intelligence agencies. 

For business leaders, attribution can be an unnecessary distraction – instead, the focus needs to be on protecting against an attack in the first place, neutralizing threats so that organizations can return to business as usual as fast as possible, and taking steps to ensure it doesn’t happen again.

Attribution is a red herring

Attributing attacks by iconifying virtual boogeymen with catchy names like “putrid goshawk 623” may be appealing, but attribution is ridden with mistakes. 

For instance, when we hear that an investigation revealed the “source” of an attack is a particular IP address (or TTPs – Tactics, Techniques and Procedures – for that matter), that doesn’t necessarily mean that the IP owner was responsible for, or carried out, the attack. It simply means that’s where the digital breadcrumbs at the cybercrime scene appear to trace back to.

Unless you can tie the IP address to an actual person who was using the computer or device connected to that IP address at the time the attack happened, all you know is where the criminal launched the attack from, not who did it. 

What does this attribution chase do for businesses? In most cases, absolutely nothing. Targets for attacks lose time by focusing on what is perceived as exciting, not what actually matters: determining the course of action to respond to the attack, and acting decisively. 

A wild goose chase

Even if there is considerably strong evidence that a certain threat actor was indeed the one who carried out an attack – based on fieldwork that ties the actor to an asset and IP address at the time of the attack – this is only the first hoop. 

What follows is coordination with law and federal enforcement (assuming the case meets their guidelines), confirming that they have a legal attaché or diplomatic relations in the country from which the attack allegedly took place, and having their team confirm the evidence points to the foreign IP address in question. 

It can take weeks or even months for federal law enforcement authorities to obtain the results of their evidence request – then, businesses have to hope that results are complete and that they’re useful. This whole process is time-consuming and redirects energy away from solving the problem in search of obtaining information that’s, ultimately, irrelevant.

It’s good to catch cybercriminals. But it doesn’t help businesses recover from an incident. That is a separate path altogether. 

Neutralizing a cyber attack

Figuring out the best course of action after experiencing an attack requires a streamlined approach. First, determine what is true. Ask the following questions:

What is the symptom? When did it start? What caused it? Is it still happening? What was the root cause? What damage did, or could, it do? What options are there? What makes the most business sense? 

Here’s a look at that approach in action. Imagine that a ransomware attack hits your organization. Your IT team has been dealing with the fallout for a few days, but now, with the ransomware deadline approaching, it’s time for the tough decision of whether it makes sense to pay the $100,000 ransom. 

So far, the IT team has been unable to verify what ransomware they are dealing with, nor can they identify how it got there. But they are enamored with the idea that the FBI should be involved and that they are dealing with APT group ‘putrid goshawk 623’ from North Korea. In the meantime, they have tried to restore from backups, but were continually re-infected. 

At this point, worrying about a nation-state attack is wasting time. Businesses need to take steps to get back online and evaluate if the cost of abandoning systems and conducting clean re-installs, including direct and in-direct operational recovery costs, is less than paying the ransom. Push the attribution questions aside and focus on the issues at hand to make decisions that will make immediate positive impact. 

Questions worth asking

When considering the value of attribution, here are a few things to keep in mind:

  • How would knowing the actor help you?
  • What are the costs of being wrong?
  • Are you sure you’re not exhibiting any confirmation bias?
  • Does the benefit of knowing outweigh the potential costs of being wrong?

So other than the fact that we are psychologically wired to desire resolution through attribution, is there any real benefit to attribution? 

Perhaps the best defense for the risky game of attribution is in its potential to aid in prediction or prevention. For example, if a string of banks have been targeted by an identified threat actor, then other banks could prioritize indicators related to that actor. Does that mean that businesses in other sectors, such as retail, should ignore those indicators? 

As an early detection capability, threat intelligence derived from previous attribution efforts can be helpful. Known malicious IP addresses or TTPs, such as the methods that actors use to determine if you are vulnerable to their favorite attack, can be useful to prevent being compromised. Threat intelligence derived from previous attribution cases can be valuable for prevention and detection if you have good intelligence, know how to use it, and are actively monitoring for the actionable alerts. 

Keeping an eye on what truly matters

Business leaders aren’t cybersecurity experts – and they don’t need to be. What’s important is that they know to ask the right questions before, during and after an incident. 

Before an incident, organizations should ask: “Do we know our security prevention and detection capabilities, limitations, and residual risk?”

During an incident, ask: “What do we know? What assumptions are we making? Have we traced the symptom of the threat to identify the root cause or attack vector and have we removed the weaknesses that were exploited? What access did the intruder have? Are we able to see what they accessed, modified and exfiltrated?” 

Afterwards: “What steps should we take prevent this from happening again?”

Set direction and guide security teams toward threat prevention, detection and response. Address active compromises, neutralize threats and determine root causes to prevent future attacks, but don’t let attack attribution influence security strategy. With this approach, organizations are better placed to restore operations and will improve cyber defenses, so that business leaders can prioritize growing their business. 

Published October 22, 2019 — 11:00 UTC