Challenges in attribution of all targeted cyber attacks
When discussing the latest targeted attack campaign, the question invariably arises, “Who was behind it?” It’s a simple question, but one which has become increasingly difficult and complex to answer.
Attribution of cyber attacks has never been an exact science. Security researchers typically cluster attack incidents together and try to attribute them to known attack groups based on the similarity of digital fingerprints, such as code similarities, shared tools and shared infrastructure. However, attribution using such methods is becoming increasingly difficult with the trend of attackers “living off the land,” eschewing custom tools in favor of standard operating system features and off-the-shelf tools to compromise their targets. There’s also the classic problem of attackers inserting false flags, including purposeful misdirection, obfuscation, and fake clues designed to mask their identities.
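The clustering problem described above can be made concrete with a small added example (not Symantec’s method or code, and not drawn from any real case). It compares a naive overlap of fingerprints with an IDF-style weighting in which an indicator seen in almost every incident, such as a built-in administration tool, contributes almost nothing, while a custom implant or a dedicated server contributes a lot. The incident ids, indicator strings and addresses are constructed; the thresholds are assumptions chosen for the illustration.

```python
import math
from collections import Counter
from itertools import combinations

# Constructed sample data (not real incidents or indicators): each incident maps
# to the set of fingerprints observed in it. "tool:" entries stand for the
# built-in or off-the-shelf utilities typical of living-off-the-land intrusions;
# "implant:", "infra:" and "code:" entries stand in for custom artefacts.
INCIDENTS = {
    "inc-1": {"implant:backdoor-A", "infra:203.0.113.10", "code:loader-sha256-x",
              "tool:powershell", "tool:psexec"},
    "inc-2": {"implant:backdoor-A", "infra:203.0.113.10",
              "tool:powershell", "tool:psexec", "tool:wmic"},
    "inc-3": {"tool:powershell", "tool:psexec", "tool:wmic"},
    "inc-4": {"tool:powershell", "tool:psexec", "tool:wmic", "infra:198.51.100.7"},
    "inc-5": {"tool:powershell", "tool:psexec", "tool:wmic"},
}


def indicator_weights(incidents):
    """IDF-style weight per indicator: log((N + 1) / (df + 1)).

    An indicator present in every incident (an admin tool everyone uses) gets
    weight 0; a custom implant or dedicated server seen once gets the highest
    weight."""
    n = len(incidents)
    df = Counter(ind for inds in incidents.values() for ind in inds)
    return {ind: math.log((n + 1) / (count + 1)) for ind, count in df.items()}


def jaccard(a, b):
    """Naive overlap: every shared fingerprint counts the same."""
    return len(a & b) / len(a | b) if a | b else 0.0


def shared_evidence(a, b, weights):
    """Sum of the weights of the fingerprints two incidents share."""
    return sum(weights[ind] for ind in a & b)


def cluster(incidents, link, threshold):
    """Single-linkage clustering: two incidents are joined when
    link(a, b) >= threshold. Returns a sorted list of sorted clusters."""
    parent = {k: k for k in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for x, y in combinations(incidents, 2):
        if link(incidents[x], incidents[y]) >= threshold:
            parent[find(x)] = find(y)
    groups = {}
    for k in incidents:
        groups.setdefault(find(k), []).append(k)
    return sorted(sorted(g) for g in groups.values())


def naive_clusters(incidents=INCIDENTS, threshold=0.6):
    """Clusters built from plain Jaccard overlap (assumed threshold)."""
    return cluster(incidents, jaccard, threshold)


def weighted_clusters(incidents=INCIDENTS, threshold=1.0):
    """Clusters built from weighted shared evidence (assumed threshold)."""
    w = indicator_weights(incidents)
    return cluster(incidents, lambda a, b: shared_evidence(a, b, w), threshold)


if __name__ == "__main__":
    for ind, wt in sorted(indicator_weights(INCIDENTS).items(), key=lambda kv: kv[1]):
        print(f"{ind:24s} weight={wt:.2f}")
    print("naive clusters   :", naive_clusters())
    print("weighted clusters:", weighted_clusters())
```

With the naive measure, the three incidents that consist only of PowerShell, PsExec and WMIC look identical to each other and chain every incident into a single cluster; with the weighting, only the two incidents sharing a custom implant and a dedicated server are linked, and the living-off-the-land incidents stay unattributed for lack of evidence. Note that weighting by rarity does nothing against a deliberately planted rare indicator: a false flag is precisely a high-weight fingerprint that is not genuine, which is why the analyst's judgement, not the score, has the last word.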
Despite the challenges, attribution remains an important part of attack analysis. By tying activity to specific groups, we start to see patterns of behaviour that allow us to better understand the attackers’ motivation, their target profile, and the assets they’re pursuing. Generating this intelligence is critical to protecting all customers, as well as assisting law enforcement, an area where Symantec has a significant history.
But there are limits to how far we can go with attribution. Even if we can tie specific incidents to a known attack group, identifying who or what organisation is directing or funding that activity is not in the scope or focus of what Symantec does.
The focus continues to be on researching the methods, tools, and techniques used by targeted attackers so that we can develop entirely new capabilities to protect our customers. Symantec’s Targeted Attack Analytics is just one recent example of an innovation developed to help customers automate the discovery of entirely new and sophisticated attacks.