Attribution – One size doesn’t fit allPOSTED BY JONATHAN COUCH
When you’re a victim of a crime it’s human nature to want to know who is responsible. You call and report it. The police come. They conduct an investigation. And hopefully they can track down the guilty party so they can be brought to justice. The same instinct holds true for victims of cybercrime. But how far should you go? How much time and effort should you spend trying to get an individual’s name, and to what end?
When it comes to security operations, you need to consider what level of attribution the different teams involved in protecting your organization need to be successful. Often knowing the group responsible or the campaign used is sufficient.
The intel team is typically the group assigned to determine attribution and is responsible for pulling all this information together. They provide the information about the indicators and codebase involved, the malware and campaigns, the infrastructure used, typical targets by geography or industry if available, and then tie that information together to identify adversary groups. Other teams then tap into that attribution information for their needs.
The incident response team needs context around campaigns to validate that something bad is really happening and not a false positive so that they can scope and remediate incidents and breaches. Campaigns can be grouped by attribution. When you have these groupings, it allows the incident response team to start with an indicator found on the network and learn more about the attack so they can look for related indicators that those adversaries use. Knowledge of how adversaries and campaigns operate and the infrastructure used can help them accelerate response and make sure it doesn’t happen again. For example, if an adversary typically targets the HR department and expands across the organization through the mail server, the team knows where to look and how to scope and prevent future attacks. Information about related campaigns – those executed by the same adversary – can help the team do intel pivoting to see if they have missed any similar attacks in the past and remediate.
The vulnerability management team needs to know which vulnerabilities are being targeted in the wild, if there is an exploit that is being deployed, and if any groups have successfully targeted that vulnerability in the past. This information provides the team with some level of confidence that someone is targeting the organization and raises the risk so that they can prioritize patching accordingly.
The security operations center is looking to threat intelligence for validation and verification. For example, with attribution grouped according to a campaign and how that campaign operates down to the C&C server, the exfiltration server and a specific type of malware, the team knows exactly how the adversary operates. Instead of wasting time trying to determine if an alert is a false positive or not, they have the intelligence and high level of confidence that an attack is occurring and can quickly take action.
The hunt team takes the attribution information, in particular the details of campaigns being run, to determine if they have seen that type of activity before. Understanding what an adversary targets, how they execute, their motivation, and any specific industries affected, they can look to see if there is some activity the SIEM may have missed.
Attribution doesn’t come easy, and the law of diminishing returns comes into play. There is a cost associated with attribution and – as with most endeavors – you can get 80% of the way there for 20% of the cost. So with minimal time and effort you can get some basic but important information that can help the different teams that make up your security operations do their job better and secure your business.
With intelligence grouped in a logical manner they can build confidence around knowing exactly what these attackers are doing, how, when, and to whom. Whether it’s knowing what to look for or understanding what they are seeing, with the right level of attribution they can then launch a better fight and apply a better fix. And isn’t that what’s really important?