Lior Div in Network World: Attack attribution does little to improve enterprise security

After every major data breach, the security community engages in a game of whodunit and attempts to figure out what entity or nation state carried out the attack. The North Koreans were behind the Sony breach, while China carried out the attack on the Office of Personnel Management (OPM). Meanwhile, hackers linked to the Iranian government hacked a small dam in New York as well as the networks of AT&T, Bank of America and the New York Stock Exchange, among other major U.S. businesses. 

And now Russia is being singled out for supporting hackers who nfiltrated the Democratic National Committee’s computers and disclosed sensitive files and emails.

While people want some sort of closure after a crime has been committed and to see the perpetrators brought to justice, it’s time to reconsider the benefits of attributing cyber attacks. Having a corporate security team attempt to figure out who is behind a hack is complicated, is time consuming and does very little to improve an enterprise’s defenses, which should be a company’s priority after an attack. And, perhaps most important, many attributions are just guesses or completely wrong.

When laws are broken in the physical world, there’s irrefutable evidence that links the guilty party to the crime. Maybe it’s fingerprints or a strand of hair or surveillance footage from a security camera. Whatever the evidence, it’s tangible and hard to manipulate. In the cyber world, however, evidence can be easily altered, making the task of figuring out who pulled off an attack much more difficult and sometimes impossible.

To understand why attribution does not work, think like the people who are behind the operation. They have invested significant time and resources masking their identity prior to the operation’s start. They employ basic precautions like making sure their tools never communicate with a server based in the country where the attack originated. Instead, they’ll make the communic appear to originate from another nation and buy domain names in different countries.

The hackers also want to avoid establishing any link between them and the hardware and software used in the operation. This means instead of purchasing equipment with credit cards connected to the hackers, they will use bitcoins or stolen credit cards.

A company’s limited security resources are better spent understanding how the attackers infiltrated the network and their capabilities and using this intelligence to prevent future attacks.

Deception is always a major part of an attack. The attackers want to make sure that if the operation is discovered, any evidence that’s unearthed points toward someone else. Russian hackers, for example, may include Chinese in the malware’s code to make it appear that China played a role in the attack. Or nation state hackers will employ tactics and techniques typically used by cyber-crime groups in an effort to pin the attack on a criminal organization instead of a nation state. In recent years, the sophisticated attack techniques used by nation state attackers have been adopted by cyber criminals, making attack attribution very tricky.

Even if a security team correctly identifies an attacker, the return may not be worth the investment. Figuring out who hacked a company may fill security professionals with pride, but how can they retaliate against the group or nation that executed the attack? While the U.S. government can take action against the country behind a data breach, as it did with North Korea with the Sony hack and imposed sanctions, federal officials don’t and can’t seek retribution after every attack. I suspect the U.S. government lacks the ability to investigate all cyber attacks. Additionally, going after every attacker doesn’t seem like a sound cybersecurity policy.

When an attack has been attributed, prosecution by the U.S. government rarely happens. Extraditing hackers to the U.S. for trial is not an option in many cases, as seen with the Iranian attackers. If the hackers don’t reside in the U.S., federal prosecutors have little legal recourse against them.

My main concern is that the effort spent on attributing an attack distracts organizations from fully remediating a breach. A company’s limited security resources are better spent understanding how the attackers infiltrated the network and their capabilities and using this intelligence to prevent future attacks. Having corporate security teams focus on attack attribution does nothing to protect their company from getting hacked again.

This column previously appeared in Network World. Lior Div is the CEO and co-founder of Cybereason.

Lior Div
About the Author

Lior Div

Lior Div, CEO and co-founder of Cybereason, began his career and later served as a Commander in the famed Unit 8200. His team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He is a renowned expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion. Lior has a very unique perspective on the most advanced attack techniques and how to leverage that knowledge to gain an advantage over the adversary. This perspective was key to developing an operation-centric approach to defending against the most advanced attacks and represents the direction security operations must take to ensure a future-ready defense posture.

All Posts by Lior Div