What does cyber attribution really mean? Is it just pointing a finger at the bad guy? This article explores the meaning of cyber attribution, the benefits, and how to leverage security tools to help your attribution efforts.
What is cyber attribution?
Cyber attribution is the process of tracking and identifying the perpetrator of a cyberattack or other hacking exploit, which enables organisations to gain a complete picture of an attack and enhance their cybersecurity strategy for the future.
Does cyber attribution really matter?
Attribution is undeniably important, but it certainly comes with challenges. For example, it can be difficult to drill down into “whose fingers were on the keyboard in the first place” or “who directed these people to put their fingers on the keyboard in the first place.” Another challenge is that attribution can take a long time and may not provide immediate value during a cyber incident.
Evidently, there are several barriers to overcome to define attribution, but it is critical for many reasons including taking law enforcement actions, international relationships, and future-proofing your enterprise security strategy.
Benefits of cyber attribution
1. Identify if you are a target or collateral damage
We’ve seen a shift in ransomware actors targeting more lucrative victims instead of hitting as many companies as possible, but that doesn’t mean your organisation was the initial intended target. Knowing whether your enterprise was specifically targeted helps develop an attacker profile—why did they pick your organisation and what are they after?
For example, right before Russia’s invasion of Ukraine, it was reported that at least six distinct actors launched more than 237 malicious attacks, mainly targeting financial, government, energy, and IT organisations.
As previously mentioned, organisations may be unable to identify the “who” during an attack. However, making the attribution afterwards can help in similar situations in the future. For instance, if tensions rise between two countries, security teams should be aware of potential attacks from adversaries and prioritise investigation into their specific tactics, techniques, and procedures.
2. Better understand the TTPs used during an attack to enhance detection and response
During incident response, it’s crucial to quickly understand the “how” of a cyberattack. Furthermore, sussing out the TTPs can help point you toward the “who” down the road. With an understanding of their preferred methods of attack, you can assess and prioritise your vulnerabilities and react more effectively, which limits the scope of an attack.
For example, the aforementioned attacks against Ukraine were usually “wiper attacks” focused on disrupting, infiltrating, or destroying critical infrastructure. These attacks used phishing, infecting upstream IT service providers, and exploiting unpatched vulnerabilities to gain initial access. In some cases, specific destructive malware was identified such as CaddyWiper, WhisperGate, and Industroyer2. This kind of information is invaluable for security teams, as it guides their investigation and response efforts.
3. Help the board see the investment value in new security tools
Sometimes you may successfully attribute a cyberattack but be unable to limit its scope due to ineffective security tooling. But convincing the board that an investment needs to be made can be its own challenge.
Attribution helps to quell any doubts or uncertainty the C-suite may have. By mapping out the attacker profile and the chain of the attack, you can clearly demonstrate to the board where your defences fell short.
Your report should also include any financial losses and how investing in a new unified cybersecurity tool can minimise cyber risk. Potential savings could be allocated toward the organisation’s overarching business goals, which shows the board that security is an enabler of business.
While attribution can be complex, there are tools and frameworks that can help streamline the process. The MITRE ATT&CK Framework is effective at identifying TTPs, methodologies, and threat groups, enabling security teams to visualise adversary behaviour and prioritise their defences against specific threat groups.
According to MITRE, “the first step to creating and using ATT&CK analytics is to understand what data and search capabilities you have.” To put it simply, you can’t analyse what you can’t see. Comprehensive visibility across the attack surface is critical, especially in hybrid-cloud environments, and unfortunately disconnected point products can lead to data gaps.
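To make the two points above concrete, the following added example (not code from the original article or from MITRE) ranks constructed threat-group profiles by how much they overlap with the ATT&CK techniques observed in an incident, and reports which observed techniques the environment cannot actually see because the required data source is not collected. The technique IDs are real ATT&CK identifiers; the incident, the group profiles, the data-source mapping and the collected sources are all constructed sample data.

```python
# Constructed sample data. Technique IDs are real ATT&CK IDs; the
# incident, group profiles and data-source mapping are invented here.
OBSERVED = {"T1566", "T1195", "T1190", "T1485", "T1561"}  # phishing, supply chain,
# exploit public-facing app, data destruction, disk wipe

GROUP_PROFILES = {  # hypothetical groups -> techniques they are known to use
    "GROUP-A (constructed)": {"T1566", "T1195", "T1485", "T1561", "T1078"},
    "GROUP-B (constructed)": {"T1566", "T1486", "T1078", "T1021"},
    "GROUP-C (constructed)": {"T1190", "T1059", "T1105"},
}

# Constructed mapping: technique -> data sources needed to detect it.
TECHNIQUE_SOURCES = {
    "T1566": {"email gateway"},
    "T1195": {"software inventory"},
    "T1190": {"network traffic", "web server logs"},
    "T1485": {"file monitoring"},
    "T1561": {"drive access"},
}

# Data sources the hypothetical environment actually collects.
COLLECTED_SOURCES = {"email gateway", "network traffic", "process monitoring"}


def jaccard(a: set, b: set) -> float:
    """Overlap between two technique sets: |A & B| / |A | B|."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def rank_groups(observed: set, profiles: dict) -> list:
    """Return (group, score, shared_techniques) sorted by descending overlap.

    Overlap is a lead for attribution, not proof: shared techniques are
    common across many actors, so the ranking only prioritises investigation.
    """
    ranked = [(name, jaccard(observed, techs), sorted(observed & techs))
              for name, techs in profiles.items()]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


def visibility_gaps(observed: set, tech_sources: dict, collected: set) -> dict:
    """Map each observed technique to the data sources we lack for it.

    Techniques that are fully covered are omitted; a technique whose
    sources are unknown is reported as needing an unknown source.
    """
    gaps = {}
    for tech in sorted(observed):
        needed = tech_sources.get(tech, {"<unknown data source>"})
        missing = needed - collected
        if missing:
            gaps[tech] = missing
    return gaps
```

Run `rank_groups(OBSERVED, GROUP_PROFILES)` and `visibility_gaps(OBSERVED, TECHNIQUE_SOURCES, COLLECTED_SOURCES)` to see the ranked candidates and the techniques you could not analyse because you cannot see them.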
Trend Micro Vision One™, part of our unified cybersecurity platform Trend Micro One, uses market-leading extended detection and response (XDR) capabilities to collect and correlate deep threat data across endpoints, networks, clouds, workloads, and email. XDR helps security teams connect the dots of the attack surface lifecycle, making attribution more efficient. It also leverages threat knowledge from our global Trend Micro Research team in combination with the Trend Micro™ Smart Protection Network to provide deep insight into evolving cyberattacks.
Trend Micro Vision One features MITRE ATT&CK Mapping to help security teams understand and respond to the tactics, techniques, and procedures used in an attack. It also enables them to drill down into specific nodes of the attack, so they can respond and remediate vulnerabilities faster.
New to Trend Micro Vision One is the Executive Dashboard – built with CISOs for CISOs to help them understand, communicate, and manage cyber risk using a risk scoring framework. This comprehensive score is based on the dynamic and continuous assessment of risk factors, including threat exposure, attack risk, and security configuration risk. The reporting features help security leaders present critical information to the board in a succinct and understandable way.
For more information about the benefits of a unified cybersecurity platform, check out the following resources: