
I’m trying to put down some thoughts on attribution because I’ve recently been pressed on why, as a defender, I’d care about it at all.

It seems malware analysts have stopped sharing their own opinions on potential attribution. Maybe they share them within their own companies, maybe they have private mailing lists, but it is certainly not a very public disclosure. Moreover, speculating about attribution on social media may have negative consequences for these professionals.

Hence, attribution is a largely hidden and avoided subject, yet one that interests many. Security researcher Frankie Li delivered a presentation at Black Hat this year on APT Attribution and DNS Profiling. Attribution was also nearly achieved in this report on the APT1 group initially reported on by Mandiant.

In this report, malware researchers dig into the Poison Ivy RAT infrastructure and manage to take control of a number of command-and-control (C2) servers, using this access to profile the operators of the infrastructure.

Technically, a number of established techniques exist for attribution, yet we can’t speak about the results because they are rarely “bullet proof” and in some cases not even very reliable.

The forensics experts and reverse engineers who look at malware in depth often form an opinion about the attribution of a given piece of malware, but because of the limitations of attribution in this domain, they can’t voice it.

But isn’t attribution superfluous anyway? Don’t we defenders just need to prevent, detect, remediate and improve? Should we care about attribution at all?

Yet I find myself caring about attribution. This is why I believe attribution is important for enterprise defenders in the cyber domain:

Organizations need to be able to respond in a meaningful manner to all risk/threats, including external threats to their IT environments.

To avoid mismanaging this risk with respect to potential and actual breaches, a Board of Directors (BoD) and CEOs should know to ask for a meaningful and accurate assessment of who was trying to penetrate, or had penetrated, their organization, and why.

For example, a major US bank could scale its incident response to a breach in which credit card information was stolen differently, depending on whether the attack is attributed to an actor who would:

  1. Be likely to abuse credit cards for financial gain
  2. Have little interest in abusing credit card information directly

Another example of why attribution matters in building an accurate, timely and proportionate incident response is a critical national infrastructure (CNI) provider assessing the motives behind an attack more correctly.

I may very well be wrong; if so, please don’t hesitate to tell me. But what I’m saying is that for incident response and risk management purposes, attribution is not only important but in fact critical.

IT, including security, is always on a budget, and so is the business. In the case of stolen credit card information, the cost of replacing the cards (or not) requires at least some certainty about whether these cards can or will be abused by the attacking party.

Although I don’t necessarily like the business decision involved here, failing to make an informed and accurate assessment would probably be construed as bad or unsound management practice.


About the Author: Claus Cramon Houmann is addicted to everything Infosec and is trying to contribute to the community by adding a “defending SMBs in today’s evolving threat environment” point of view. Claus currently runs an IT consulting company and works as Head of IT for a bank in Luxembourg. Claus previously worked in the IT outsourcing industry for many years.

Claus is acutely aware of the need to improve the lingo and understanding of Information Security and all the issues and challenges this involves, and has been working for many years to improve his own lacking communication skills in this regard. Claus actively supports initiatives that aim to improve security for us all, most notably the iamtheCavalry movement and The Analogies Project, which he hopes to help spread to Europe and globally. Claus runs a security Twitter feed of aggregated infosec news and events, which he mostly uses to learn more personally. Claus is an active blogger, blogging for Information Security Buzz and Peerlyst.

Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
