Cyber Attribution Difficulties, Risks, & Benefits
Cyber attribution, or cyber attack attribution, is the process of identifying the entity responsible for a cyberattack. Attribution has benefits, but they don’t come easily; there are many difficulties and risks. Cyber threat intelligence analysts should be familiar with both the benefits and the challenges.
Cyber Attribution Benefits
Attackers can be held responsible for their actions.
The fear of being identified and held responsible, or even simply suffering reputational damage, is a deterrent against attack.
Attribution helps organizations better defend their networks, because they learn who their attackers are and what those attackers target. It also helps defenders prioritize their efforts.
A government associated with the victim can take actions against the government associated with the attacker, such as imposing sanctions or enforcing regulations.
Attribution fills the need people have to know who to blame for an attack.
After attributing an attack to a nation, an accusing government can rally its allies for support against the accused nation.
By attributing, a government can show its citizens that it has the ability to track the attacker.
By attributing, a government can show an attacker that it has the ability to track them.
Public attribution can cause attackers to abandon the devices and infrastructure they were using in order to avoid future tracking, which can slow them down.
When the government publicly attributes, private companies can be motivated to contact and collaborate with the government in their information security efforts.
Attribution can help private companies determine which law enforcement organizations to contact, and what their legal options are.
Private firms gain publicity by publicly attributing attacks, so it serves a marketing purpose.
Cyber Attribution Difficulties & Risks
It’s practically impossible to attribute with 100% certainty, so attribution can be contested.
Attackers take steps to hide their activity.
Attackers plant false flags to misdirect analysts and frame others (e.g., using malware created by others, using computers owned by others, embedding strings in a language they don’t speak). Many technical indicators are easily spoofed.
It’s difficult to determine if attackers are officially affiliated with a government, or if they’re acting independently. It’s easy for nations to deny their involvement.
If a government misattributes an attack and takes actions (e.g., imposing sanctions) against the wrong government, innocent civilians suffer.
If a government misattributes an attack and takes actions (e.g., imposing sanctions) against the wrong government, the wrongly accused government could take actions against the accusing government. These actions can escalate the conflict.
Under Article 2(4) of the UN Charter, non-state actors (e.g., individuals, organized groups, and terrorist organizations) must be related to a state to bear responsibility. If non-state actors aren’t related to a state, then the government associated with the victim will not be able to hold another government responsible. Governments can take advantage of this by outsourcing their attacks to private contractors.
Attackers can route their traffic through multiple countries, thereby involving multiple countries in an attack.
If the public isn’t convinced by the case for attribution, they may view any response to the attack as illegitimate.
The data required for attribution is often split up among multiple public and private entities, making it difficult to analyze. Because organizations are limited in what data they can share, collaboration is difficult.
Attribution requires digital forensic work that takes significant time (weeks or months), making rapid response to an attack nearly impossible. Also, attackers are emboldened by knowing that much time will pass before attribution occurs, if it happens at all. This lessens the deterrent effect of attribution.
Attribution requires digital forensic work that takes significant resources. These may be resources that could have been applied to remediation or defense.
If a government attributes an attack but doesn’t follow it with other actions, it will likely appear weak.
Public attribution can inform an attacker that they’ve been observed, which can interfere with active law enforcement or intelligence investigations.
Public attribution can cause an attacker to change their TTPs, which can make future tracking and defense more difficult.
Public attribution can put a company and its employees at risk of being targeted by the attacker.
Nations don’t agree about definitions, such as what constitutes a cyberattack and what counts as critical infrastructure.
Public attribution can reveal the intelligence sources and capabilities of a government or organization, and attackers can use that information to avoid future detection.
Once an attack has been attributed, analysts can become biased toward that attribution and interpret new evidence in a way that fits it, which leads their analysis astray.