The Mystery of Cybersecurity Attribution

Let’s examine attribution and its relation to information systems and crime. In my ongoing blog series “Hacker Mindset,” I explore an attacker’s assumptions, methods and theories, including how information security professionals can apply this knowledge to increase cybervigilance on the systems and networks they steward.

Methodology Behind Solving the Case.

When you fire a gun, the bullet is tied to the weapon that discharged it using ballistic science. However, an attack on a network is not as straightforward in cyberspace. Security controls exist within your organization to prevent system disruption, unauthorized data disclosure, destruction and alteration.

While cybersecurity professionals rely on administrative and technical instruments to achieve this goal, a complicated scenario plays out when an attack takes place from outside the network of an administrator’s control. Tracking down responsibility to attribute actions to an individual or group is a difficult task without significant resources and visibility into the connecting networks that serve internet traffic to your business.

For this reason, it’s a job that requires research produced by experts looking into the latest threat actors and the resources they are leveraging for their attacks, including known bot networks, command and control IP addresses, malware, and other malicious code.

Image Source: Creative Commons

If I Can Connect to You, and You Can Connect to Me, Then They Can Connect to Us.

Through a series of techniques, including VPNs, botnets and IP source address forgery, an attacker can conceal his or her identity. For this reason, many experts believe hacking the hacker runs afoul with legal and ethical dilemmas, leading to victimizing computer systems not under the actual owner’s control. Approach this strategy with care within your organization.

Our connected society generates data at a rate of 2,500 petabytes each day. This staggering amount of information needs protection mechanisms ensuring the proper containment and recovery of systems should they fall victim to attack.

Incident response teams need a clear policy and set of procedures to handle each network violation to capture and maintain valuable knowledge regarding system intrusions while restoring production processing as quickly as possible. The technical data needed for placing the suspect behind the keyboard includes IP address, logs, memory acquisition, data examination, and a host of other artifacts that provide an incident responder or forensic investigator clues and information regarding the attack.

Even then, it’s not easy to obtain that information. That’s because the modus operandi adopted by hackers commonly includes the use of intermediary networks of bot hosts that are controlled by an intruder to mask the origin of the human orchestrator.

Not all is lost, however. Reverse engineering malware can reveal clues about the attackers that help complete the puzzle of what’s going on, and valuable information is learned when incident response teams perform reverse-malware analysis on infected network systems. It helps the team understand how the attack vector worked, what is needed to stop and remediate it, and what indicators can be used to detect future intrusions.

Cyberspace in the Real World.

Just as the cost for shoplifting increases the price of retail items, cybersecurity lapses affect consumers and taxpayers alike. It’s detrimental to our technological society to permit cybercrime to run rampant. With that in mind, attribution is critical to solving cybercrime. Without it, no cyberjustice exists.

Finding the responsible party allows law enforcement to bring justice to the perpetrators. With threat information tied to a particular hacker, an organization’s security team can respond more efficiently by knowing what methods are best to counter the network intrusion. Knowing how determined and sophisticated the attacker is allows business leaders to invest in the proper security controls to reduce organizational risk exposure.

Successful cybercrime attribution requires access to the information at or near the attack origin. Many times, this plays out in the form of international treaties and law enforcement cooperation. Attacks that originate in countries that lack warm ties with the United States are notoriously difficult to solve. That’s why critical industry cooperation is essential in the war to take back the Internet from cybercriminals.

Each organization needs an information sharing policy that specifies how a security team should communicate with outside agencies during and after network attacks. The Department of Justice has information on resources for reporting computer crime and intellectual property theft. Involvement and partnering with law enforcement agencies are often an option depending on your locality.

After crafting smart policies coupled with functional processes and procedures, you can arm your organization to respond and mitigate emerging threats. Sensible risk management and cybersecurity acumen are vital in a world filled with billions of devices waiting to connect — directly to you.

What do you think? Have anything to add? I welcome your feedback and ideas of how you handle your organization’s security and combat the hacker mindset.

Originally published at www.tripwire.com on November 23, 2016.