In cybersecurity, attribution refers to identifying an adversary likely responsible for malicious activity.
It is typically derived from collating many types of information, including tactical or finished intelligence, evidence from forensic examinations, and data from technical or human sources.
Attribution and the public disclosure of attribution are not the same thing.
Attribution is the identification of a potential adversary organization, affiliation, and actor.
The decision to disclose that attribution publicly - through indictments, sanctions, embargoes, or other foreign policy actions - is a desired outcome and instrument of national power.
Attribution of those activities was years in the making.
Standards of Proof
When attributing a cyber incident to a threat actor, there are several standards of proof at play.
One element of attribution - and particularly when deciding how to act upon the results of your analysis - is understanding the importance of confidence levels and probability statements.
Intelligence Standards
In the intelligence community, Intelligence Community Directive 203 provides a standard process for assigning confidence levels and incorporating probability statements into judgments.
Judicial Standards
Another factor is that intelligence assessments do not use the same standard of proof as the rules of evidence in judicial process.
The type of court system determines the level of proof you need to support your case.
The FBI, being both an intelligence agency and a law enforcement agency, may have to use intelligence standards, the judicial system, or both.
If a national security case results in an indictment, the DoJ must convert intelligence judgments to judicial standards of proof.
Technical Standards
There are also technical indicators related to attribution.
Indicators must be assessed and constantly evaluated for relevancy as they have a half-life; otherwise, you will spend most of your time hunting down false positives.
Even worse, if they are not implemented properly, indicators can produce false-negative mindsets.
An indicator without context is often useless, as an indicator in one environment may not be found in another.
A good formula is: 1) an investigation produces artifacts, 2) artifacts produce indicators, 3) context is indicators accompanied by reporting, 4) the totality of the indicators can highlight tactics, techniques, and procedures, and 5) multiple TTPs show threat patterning over time.
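The half-life and context points above can be made concrete. The following is an added example, not code from the article or from any vendor it mentions: it models indicators with an assumed exponential decay (the half-life per indicator type is an assumption), treats an indicator as actionable only while it is still fresh and has accompanying reporting, rolls actionable indicators up into TTPs, and flags a TTP as a pattern only when it recurs over time. All indicator values, report names and TTP labels are constructed sample data.

```python
"""Indicator lifecycle: artifacts -> indicators -> context -> TTPs -> patterning.

Added illustration; decay model, thresholds and all sample values are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Indicator:
    value: str                      # the indicator itself (constructed sample)
    kind: str                       # hash, ip, domain, persistence-artifact ...
    first_seen: date                # when the investigation produced it
    half_life_days: float           # assumed: relevance halves every N days
    reporting: Optional[str] = None  # context: the report that explains the indicator
    ttp: Optional[str] = None        # technique the indicator is evidence of


def relevance(ind: Indicator, today: date) -> float:
    """Exponential decay: an indicator's relevance halves every half_life_days."""
    age_days = (today - ind.first_seen).days
    return 0.5 ** (age_days / ind.half_life_days)


def actionable(ind: Indicator, today: date, threshold: float = 0.25) -> bool:
    """Worth hunting on only if still fresh AND accompanied by reporting (context)."""
    return relevance(ind, today) >= threshold and ind.reporting is not None


def stale_or_contextless(indicators: List[Indicator], today: date) -> List[str]:
    """Indicators that would mostly generate false positives if left in a detection feed."""
    return [ind.value for ind in indicators if not actionable(ind, today)]


def ttps_from(indicators: List[Indicator], today: date) -> Dict[str, List[str]]:
    """The totality of actionable indicators, grouped by the TTP they evidence."""
    groups: Dict[str, List[str]] = {}
    for ind in indicators:
        if actionable(ind, today) and ind.ttp:
            groups.setdefault(ind.ttp, []).append(ind.value)
    return groups


def threat_pattern(observations: List[Tuple[date, str]], min_months: int = 2) -> List[str]:
    """A TTP observed in at least min_months distinct months counts as patterning over time."""
    months: Dict[str, set] = {}
    for seen, ttp in observations:
        months.setdefault(ttp, set()).add((seen.year, seen.month))
    return sorted(t for t, m in months.items() if len(m) >= min_months)


# Constructed sample data (not real indicators; 203.0.113.0/24 is documentation space).
TODAY = date(2024, 3, 12)
INDICATORS = [
    Indicator("2b1f4c9e", "hash", date(2024, 2, 26), 30.0,
              reporting="Constructed report R-1", ttp="spearphishing attachment"),
    Indicator("203.0.113.7", "ip", date(2023, 9, 1), 14.0,
              reporting="Constructed report R-0", ttp="command and control"),
    Indicator("lure.example", "domain", date(2024, 3, 1), 60.0,
              reporting=None, ttp="spearphishing link"),
    Indicator("UpdateCheck-task", "persistence-artifact", date(2024, 3, 9), 90.0,
              reporting="Constructed report R-2", ttp="scheduled task persistence"),
]
OBSERVATIONS = [
    (date(2023, 11, 3), "spearphishing attachment"),
    (date(2024, 1, 20), "spearphishing attachment"),
    (date(2024, 3, 5), "spearphishing attachment"),
    (date(2024, 3, 9), "scheduled task persistence"),
]


def demo() -> Dict[str, object]:
    """Run the pipeline over the sample data and return each stage's result."""
    return {
        "dropped": stale_or_contextless(INDICATORS, TODAY),
        "ttps": ttps_from(INDICATORS, TODAY),
        "pattern": threat_pattern(OBSERVATIONS),
    }


if __name__ == "__main__":
    for stage, result in demo().items():
        print(stage, result)
```

The aged IP and the domain with no reporting are dropped before anyone hunts on them; only the fresh, contextualized indicators are rolled up into TTPs, and only the TTP seen across several months is reported as a pattern.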
Why Attribution Is Important
Recently, a friend asked me why attribution matters.
A company can better defend itself from future aggression if it knows 1) why it was attacked, 2) the likelihood of the attacker returning, 3) the goals of the attacker, and 4) the attacker's TTPs. Knowing who perpetrated an attack can also help remove uncertainty and help you come to terms with why it happened.
This Cyber News was published on www.darkreading.com. Publication date: Tue, 12 Mar 2024 14:05:26 +0000