Hide And Seek: How To Avoid The Attribution Trap

The almost endless stream of high-end data breaches affecting some of the world’s biggest organisations in the last 18 months highlights the fact that no business is safe from being hacked. From the massive data breach suffered by Target to the high profile leak of Ashley Madison members’ details, it’s clear that every business has to be aware of the latest threats they face from cybercriminals.

We are seeing a surprising shift to attack activity on commercial targets that exhibit characteristics typically observed in nation-state related attacks that aim to disturb economies, disrupt consumer confidence and drive political agendas. For example, health insurance provider Anthem found its name making headlines for all the wrong reasons after cybercriminals stole information on tens of millions of its customers.

Attackers are increasingly going out of their way to disguise their origins, their methods and their sources to gain access to their desired data, with the most popular methods observed:

• Breaking the chain of traceability through the use of the free software TOR (The Onion Router), which enables users to prevent people from learning their location or understanding their browsing habits on web browsers and instant messaging platforms
• Using compromised websites that have been registered by an unrelated third-party to implicate the registrant in the attack, rather than the attacker
• Using bulletproof hosting providers that refuse to cooperate with abuse notifications or law enforcement requests
• Creating a complex series of redirect chains, which are set to function only for the target organisation and only function for a single use
• Recycling codes, meaning the attacker using it is likely not to be the original author of the code
• Deliberate insertion of misleading strings, website addresses and code paths into malicious binary files
• Obscuring DNS paths by using frequently changing IP addresses

The natural reaction for many businesses in the wake of an attack is to seek out who has gone to the huge effort to attack them on such a scale. However, it is particularly difficult to assign attribution correctly given the ease with which hackers can spoof information, circumvent logging and tracking or otherwise remain anonymous, as outlined above.

A further difficulty is that analysis of the same circumstantial evidence can often lead to widely different conclusions and waste valuable business continuity time, especially when implementing a data breach response plan. With that in mind, the attribution process is best left to law enforcement agencies and expert trained third-party organisations.

Rather than being fixated on chasing down the hacker, companies should instead be focusing their attentions on the tools, techniques and procedures of their adversary (TTP). This gives businesses a better chance of defeating the next attack or attacker that uses a combination of the same TTP – especially as malware authors share TTP. Businesses that suspect they are dealing with a nation-state attack could in fact be dealing with a much more junior attacker that has simply acquired tools previously used by nation-state actors.

The need to improve security defences to learn from previous failures and address possible future attacks has to be a high priority that should be taken up appropriately by the IT team, while working with professional investigators with the necessary skills and resources.

Businesses should focus on a forensic investigation that profiles the attacker, but only to the extent of understanding their intent and techniques. They can then adjust their defences and processes to maintain an adaptive security approach and prepare necessary statements for senior management, investors, customers and the public.

Having the right balance between their priorities will maximise IT’s contribution to the organisation and ensure the business is appropriately prepared for future attacks. Businesses must ensure they do not get distracted by chasing attribution breadcrumbs, but instead focus their limited resources on threat prevention and remediation.

Carl Leonard is principal security analyst at Forcepoint

Are you an Internet security expert? Take our quiz to find out!