Cyber Attribution Difficulties, Risks, & Benefits

Chad Warner
Mar 7, 2022

Cyber attribution or cyber attack attribution is the process of identifying the entity responsible for a cyberattack. Attribution has benefits, but they don’t come easily; there are many difficulties and risks. Cyber threat intelligence analysts should be familiar with these uses and challenges.


Cyber Attribution Benefits

Attackers can be held responsible for their actions.

The fear of being identified and held responsible, or even simply suffering reputational damage, is a deterrent against attack.

Attribution helps organizations better defend their networks, because they learn who is attacking them and what those attackers are after. It also helps defenders prioritize their efforts against the adversaries most likely to target them.

A government associated with the victim can take actions against the government associated with the attacker, such as imposing sanctions or enforcing regulations.

Attribution fills the need people have to know who to blame for an attack.

After attributing an attack to a country, an accusing government can rally its allies for support against the accused country.

By attributing, a government shows both its citizens and the attacker that it has the ability to track the attacker.

Public attribution can cause attackers to abandon devices and infrastructure to avoid future tracking, which costs them time and money and can slow them down.

When the government publicly attributes, private companies can be motivated to contact and collaborate with the government in their information security efforts.

Attribution can help private companies determine which law enforcement organizations to contact, and what their legal options are.

Private firms gain publicity by publicly attributing attacks, so it serves a marketing purpose.

Cyber Attribution Difficulties & Risks

It’s practically impossible to attribute with 100% certainty, so conclusions are stated with confidence levels and attribution can be contested.

Attackers take steps to hide their activity.

Attackers plant false flags to misdirect analysts and frame others (e.g., using malware created by others, operating from infrastructure owned by others, embedding strings in a language they don’t speak). Many technical indicators, such as compile timestamps, language settings, and source IP addresses, are easily spoofed and should be weighted accordingly.
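As an added illustration of how thin a “technical indicator” can be (this is example code, not from the original article), the Python below builds a minimal, non-executable PE header in memory, reads the compile timestamp that many analysts feed into the “developer working hours” time-zone heuristic, rewrites those four bytes, and shows that the heuristic now points at a different part of the world. It also applies one cross-check that a clumsy spoof fails: a build time later than the moment the sample was first seen in the analyst’s own telemetry. The header offsets follow the PE/COFF format; the sample bytes, timestamps, and first-seen time are constructed for the demo.

```python
"""Added example (not from the article): how easily a PE compile timestamp,
a classic attribution indicator, can be spoofed, and one cross-check that
catches a clumsy spoof. The PE bytes, timestamps and first-seen time below
are constructed for the demo; the header offsets follow the PE/COFF format."""
import struct
from datetime import datetime, timedelta, timezone

PE_SIG_OFFSET = 0x40  # where the constructed sample places "PE\0\0" (our choice)


def build_sample_pe(timestamp: int) -> bytes:
    """Constructed, non-executable sample: DOS header + PE signature + COFF header."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, PE_SIG_OFFSET)  # e_lfanew -> PE signature
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0x0022)
    return bytes(dos) + b"PE\0\0" + coff


def _timestamp_offset(data: bytes) -> int:
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew + 8  # signature (4) + Machine (2) + NumberOfSections (2)


def read_compile_timestamp(data: bytes) -> int:
    """What an analyst (or any PE parser) reports as the build time."""
    return struct.unpack_from("<I", data, _timestamp_offset(data))[0]


def set_compile_timestamp(data: bytes, timestamp: int) -> bytes:
    """The false flag: four unsigned, unauthenticated bytes. Linkers let you
    pick this value, and nothing in the file format checks it."""
    out = bytearray(data)
    struct.pack_into("<I", out, _timestamp_offset(data), timestamp)
    return bytes(out)


def working_hour_offsets(timestamp: int, start: int = 9, end: int = 17) -> list:
    """The 'developer working hours' heuristic: whole-hour UTC offsets for which
    the build time lands on a weekday between start and end o'clock local time."""
    utc = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    hits = []
    for offset in range(-12, 15):
        local = utc + timedelta(hours=offset)
        if local.weekday() < 5 and start <= local.hour < end:
            hits.append(offset)
    return hits


def timestamp_is_plausible(compile_ts: int, first_seen_ts: int,
                           floor_ts: int = 946684800) -> bool:
    """Cross-check against a clock the attacker does not control: a build time
    after the sample was first seen in telemetry, or before 2000-01-01, is
    evidence the field was tampered with. first_seen_ts is assumed to come
    from the analyst's own sandbox or feed."""
    return floor_ts <= compile_ts <= first_seen_ts


def demo() -> dict:
    genuine_ts = 1646100000   # 2022-03-01 02:00 UTC, a Tuesday (constructed)
    spoofed_ts = 1646143200   # 2022-03-01 14:00 UTC (constructed)
    first_seen = 1646110800   # 2022-03-01 05:00 UTC, when "our sandbox" saw it (constructed)
    sample = build_sample_pe(genuine_ts)
    spoofed = set_compile_timestamp(sample, spoofed_ts)
    return {
        "genuine_offsets": working_hour_offsets(read_compile_timestamp(sample)),
        "spoofed_offsets": working_hour_offsets(read_compile_timestamp(spoofed)),
        "genuine_plausible": timestamp_is_plausible(genuine_ts, first_seen),
        "spoofed_plausible": timestamp_is_plausible(spoofed_ts, first_seen),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the genuine timestamp the heuristic admits UTC+7 through UTC+14 (and, because the heuristic is ambiguous, a few far-western offsets on the previous day); after the four-byte edit it admits UTC-5 through UTC+2 instead. The first-seen cross-check flags the edited sample only because this particular spoof moved the build time past the observation time; an attacker who picks an earlier value passes it, which is the point of the paragraph above: no single spoofable indicator should carry an attribution.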

It’s difficult to determine if attackers are officially affiliated with a government, or if they’re acting independently. It’s easy for countries to deny their involvement.

If a government misattributes an attack and takes actions (e.g., imposing sanctions) against the wrong government, innocent civilians suffer, and the wrongly accused government may retaliate against the accusing government, escalating the conflict.

Article 2(4) of the UN Charter binds states, so the conduct of non-state actors (e.g., individuals, organized groups, and terrorist organizations) must be attributable to a state before that state can be held responsible for it. If non-state actors can’t be tied to a state, the government associated with the victim will not be able to hold another government responsible, which gives governments an incentive to outsource their attacks to private contractors.

Attackers can route their traffic through proxies in multiple countries, thereby involving several jurisdictions in a single attack.

If the public isn’t convinced by the case for attribution, they may view any response to the attack as illegitimate.

The data required for attribution is often spread across multiple public and private entities, making it difficult to analyze as a whole. Because organizations have legal and contractual limits on what data they can share, collaboration is difficult.

Attribution requires digital forensic work that takes significant time (weeks or months), making rapid response to an attack nearly impossible. Also, attackers are emboldened by knowing that much time will pass before attribution occurs, if it happens at all. This lessens the deterrent effect of attribution.

Attribution requires digital forensic work that takes significant resources. These may be resources that could have been applied to remediation or defense.

If a government attributes an attack but doesn’t follow it with other actions, it will likely appear weak.

Public attribution can inform an attacker that they’ve been observed, which can interfere with active law enforcement or intelligence investigations.

Public attribution can cause an attacker to change their tactics, techniques, and procedures (TTPs), which can make future tracking and defense more difficult.

Public attribution can put a company and its employees at risk of being targeted by the attacker.

Countries don’t agree about definitions, such as what constitutes a cyberattack and what counts as critical infrastructure.

Public attribution can reveal the intelligence sources and capabilities of a government or organization, and attackers can use that info to avoid future detection.

Once an attribution has been made, analysts can become anchored to it, interpreting new evidence in a way that fits the existing conclusion (confirmation bias). This can mislead analysts and make a wrong attribution hard to correct.

Additional Resources


Cyber Attribution: Challenges and Opportunities for Multi-Disciplinary Analysis (PDF)

Private Sector Attribution of Cyber Incidents: Benefits and Risks to the U.S. Government (PDF)

Strategic aspects of cyberattack, attribution, and blame

Cyber Attribution and State Responsibility (PDF)


Chad Warner

Web Strategist at OptimWise. Cybersecurity & privacy enthusiast. Bookworm. Fan of Tolkien & LEGO.