Been hacked? Now to decide if you chase the WHO or the HOW

Marketers want the bad guys named. Security pros aren't sure they're right

Lock 'em up

"Think about attribution this way," a defence official tells El Reg on the condition of anonymity. "If a government can work out who the hackers are, and who they are working for, it helps form a diplomatic response."

Think the mass hacking against the US pinned on Beijing's Comment Crew (APT1), or the hosing of Sony Pictures said to be the work of Pyongyang flacks; identifying those countries, defence and intelligence bods say, helps further political agendas and can help inform discussions around kinetic responses.

"If a hack is really bad, like really bad, a government might need to take out a data centre," one former Australian Government intelligence bod told us. "It is a legitimate consideration." But both men acknowledge the immense difficulty in determining fault with 100 per cent accuracy.

For the enterprise, attribution is obviously critical if they want to ensure hackers are locked up. It can also reveal those hacks that are inside jobs, and present opportunities for investigators to make life harder for attackers.

Actor attribution is not always worth the resources but it pays off in strategic attacks, Asymmetric Security's Kayne Naughton says.

"If you're dealing with a regular crime like cryptolocker or something that is a chance attack, attribution is just marketing. But if you're dealing with something you believe is strategic - say you're buying another company and someone is trying to get up into your Exchange server - if you don't understand their goals then you don't know what they're after and how you should focus your defences," Naughton says. It could be distilled further: "Perhaps even only care about an attacker specifically if they care about you."

Kayne Naughton image.

Kayne Naughton.

The Melbourne, Australia security bod is skilled in identifying operational security shortfalls and in following bread crumbs that can lead to the unmasking of real identities. He has used those skills working for major institutions and now tracks threat groups under his consultancy.

Even giving a group a name can help. The TPPs of a skilled tiered group of Chinese hackers would be difficult to pin down even for well-resourced organisations; smaller companies may not have a chance. But by finding TPP indicators a security bod might be able to join the dots and link their attackers to a previously named group.

"If you realise they use the same hosting provider and company to register their domain; if you realise those things are linked, you may identify a group and see things you would have otherwise missed instead of treating everything in isolation," Naughton says.

Those linkages, and the ensuing ability to predict future attacks is something of a security nirvana.

Alex Holden, of security investigation firm Hold Security, points out that actor attribution can help an organisation reduce the scope of a data breach when it would otherwise declare total pwnage.

"Let's consider a situation where a system administrator finds a backdoor on one of their systems. How do you quantify the loss? Where do you start? Do you declare a total loss? Regulations may suggest so."

"In some cases, when you can attribute a breach to a group, understand how the hackers operated, and determine what they targeted; you can then feasibly identify the stolen data thus, perhaps minimising the scope of the loss." That is no easy feat, however.

Hold says companies that lack the resources to run full-scale attribution investigations with third-party assistance should consider it a risk management exercise. "Sometimes when it is hopeless to minimise the loss or prosecute the offenders, there is no viable benefit to attribute the breach."




Biting the hand that feeds IT © 1998–2018