Attribution is the action of ascribing an event or task to a subject. *yawn* I prefer to describe attribution as pointing fingers and laying blame when and where it is undue. It is often talked up as a critical aspect of cybersecurity, where identifying the how is as important as identifying the who; in theory this lets you name the perpetrator and see justice served.
I pose a couple of questions which I will explore in my musings below:
- Is attribution worth the time and effort and can we get it right?
- Is it possible to be certain beyond a reasonable doubt with attribution in the digital world?
TL;DR? Skip to the next page, ‘Where does attribution fit into the value chain?’
So, you got compromised?
Let’s set up a hypothetical and completely theoretical scenario.
A service is exposed to the Internet, perhaps SSH or HTTP, a web application or a database, and it gets compromised. Malware is loaded, runs successfully and spreads laterally, resulting in the organisation’s systems becoming members of a massive botnet. The threat actor uses the botnet as a backdoor into the environment and obtains critical data about the victim. The threat actor also damages the core business platform (energy, financial, safety, etc…), which results in catastrophic failure and the inability of the business to deliver reliable and functional resources (and therefore profit). Loot (intellectual property) is taken and sold on the dark web. Some months pass, the organisation has recovered (mostly), the loot is leaked, and the victim company no longer has any private intellectual property… they’ve lost their competitive advantage and probably have not removed the bots from their environment…