September 15, 2020

The Trouble with Attribution in Cyber Threat Intelligence (Part 1)

Written by: Josh Campbell

Within the field of cyber threat intelligence (CTI), there are few topics more contentious than attribution. The word alone evokes a wide range of reactions from people in cyber security: fascination, mystery, eye-rolling, frustration, anger, right through to a physical twitch. Such a diverse range of responses indicates that attribution does not mean the same thing to everyone, and that the industry, as a whole, struggles with how attribution fits into the overall security cycle.

The first reaction of many, on learning of a breach or attack, is to ask, “who did it?” This reaction is not without merit, as knowing the who begins to fill in the conceptual gaps around the event. What is curious, however, is that the questions often stop there instead of starting there. The questions about what, when, where, why, and how frequently fall by the wayside because the who has been answered. As a result, many have come to equate attribution in threat intelligence with simply attaching a name, one often designed more for marketing than for intelligence analysis, to a set of activities, an attack, or a breach. It is important to state from the outset that, while naming is a part of attribution, it is not the totality of attribution.

Attribution is a component of cyber threat analysis which seeks to answer the question of who, using specific elements of observed activity, including:

  • Employed tradecraft (the how)
  • Infrastructure, tools, and malware (the where, how, and what)
  • Intent (the why)
  • Targeting (the where, when, and why)
  • Indications and warnings (I&W) (additional supporting reporting)

Image generated by the Avalon platform from King & Union


Once that collection is complete, what follows is an intensely manual process of reviewing and analyzing the data to collate and correlate connections, overlaps, and observed behaviors against existing datasets, in order to attribute the activity to a particular country, entity, or persona. One caveat is worth stating here: overlap on tradecraft that many actors share (commodity phishing, living-off-the-land tooling, widely sold crimeware) is weak evidence on its own, whereas overlap on something rare, or across several independent categories at once, carries far more weight.

Attribution, however, is not simply a minimal and definitive statement of fact (e.g. “This activity was carried out by Actor X”), and any report which presents it in this manner should be read with extreme scrutiny. Instead, attribution should be presented as a balance of facts and evidence against opposing evidence, known intelligence gaps, and blind spots. Additionally, that attribution should be presented with a confidence level that conveys clearly to readers the certainty the organization has, preferably using standardized terms such as words of estimative probability (“almost certainly”, “likely”, “roughly even chance”, “unlikely”, “remote”). Note that the likelihood of the judgment and the analyst's confidence in the evidence underlying it are separate things, and a well-formed assessment states both: an actor can be “likely” responsible at low confidence because the evidence is thin, or at high confidence because it is corroborated across several categories.
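The two paragraphs above describe correlating observations against existing actor datasets and then presenting the result as evidence for, evidence against, gaps, and an estimative phrase. The following is an added illustration of that shape, not tooling from the author or the Avalon platform: the actor names (ACTOR-A, ACTOR-B), their profiles, the incident observations, and the numeric cut-offs behind each estimative phrase are all constructed for the example. ATT&CK technique IDs are real identifiers, but their assignment to these hypothetical actors is invented. The one design choice worth noting is that each overlapping item is weighted by how many profiles share it, so matching on a technique every actor uses (T1566, phishing) counts for little, while an unexplained technique counts fully against whichever actor is proposed.

```python
"""Weigh an incident's observations against candidate actor profiles and
phrase the result with words of estimative probability (WEP).

Added illustration, not the author's tooling. Actor names, profiles,
observations and the numeric WEP cut-offs are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Any

# Constructed profiles: ATT&CK technique IDs, infrastructure traits, victim
# sectors and assessed intent that each hypothetical actor "has been reported" using.
ACTOR_PROFILES: dict[str, dict[str, Any]] = {
    "ACTOR-A": {
        "techniques": {"T1566", "T1059.001", "T1003", "T1071.001", "T1021.002"},
        "infrastructure": {"dyndns-c2", "compromised-cms"},
        "sector": {"finance", "legal"},
        "intent": {"espionage"},
    },
    "ACTOR-B": {
        "techniques": {"T1566", "T1047", "T1486", "T1105", "T1078"},
        "infrastructure": {"bulletproof-vps"},
        "sector": {"healthcare", "manufacturing"},
        "intent": {"financial"},
    },
}

# Kent-style estimative language. The cut-offs are this example's assumption.
WEP_SCALE = [
    (0.85, "almost certainly"),
    (0.65, "likely"),
    (0.45, "roughly even chance"),
    (0.25, "unlikely"),
    (0.00, "highly unlikely"),
]


@dataclass
class Assessment:
    actor: str
    score: float
    supporting: list[str] = field(default_factory=list)
    contradicting: list[str] = field(default_factory=list)
    gaps: list[str] = field(default_factory=list)

    def estimate(self) -> str:
        # WEP_SCALE is ordered high to low and ends at 0.0, so this always matches.
        return next(phrase for cutoff, phrase in WEP_SCALE if self.score >= cutoff)

    def summary(self) -> str:
        return (f"{self.actor}: {self.estimate()} ({self.score:.0%}) | "
                f"for: {', '.join(self.supporting) or 'none'} | "
                f"against: {', '.join(self.contradicting) or 'none'} | "
                f"gaps: {', '.join(self.gaps) or 'none'}")


def _weight(category: str, item: str, profiles: dict) -> float:
    """Overlap on an item shared by many actors is weak evidence, so weight each
    item by the inverse of how many profiles contain it. An item found in no
    profile keeps full weight: it counts fully against whoever is proposed."""
    n = sum(1 for p in profiles.values() if item in p[category])
    return 1.0 / n if n else 1.0


def assess(observed: dict[str, set[str]], profiles=ACTOR_PROFILES) -> list[Assessment]:
    """observed maps the same categories as the profiles to what the incident
    actually showed. An empty category is reported as an intelligence gap
    rather than being silently treated as evidence for or against anyone."""
    categories = ("techniques", "infrastructure", "sector", "intent")
    items = [(c, i) for c in categories for i in sorted(observed.get(c, set()))]
    total = sum(_weight(c, i, profiles) for c, i in items)
    results = []
    for actor, profile in profiles.items():
        a = Assessment(actor=actor, score=0.0)
        for c, i in items:
            if i in profile[c]:
                a.supporting.append(f"{c}:{i}")
                a.score += _weight(c, i, profiles)
            else:
                a.contradicting.append(f"{c}:{i}")
        a.gaps = [f"{c}: nothing observed" for c in categories if not observed.get(c)]
        a.score = a.score / total if total else 0.0
        results.append(a)
    return sorted(results, key=lambda r: r.score, reverse=True)


# Constructed incident observations. Intent was never established, so it
# surfaces as a gap in every assessment instead of favouring either actor.
INCIDENT = {
    "techniques": {"T1566", "T1059.001", "T1003", "T1053"},
    "infrastructure": {"dyndns-c2"},
    "sector": {"finance"},
    "intent": set(),
}

if __name__ == "__main__":
    for r in assess(INCIDENT):
        print(r.summary())
```

Run as a script, the constructed incident comes out as ACTOR-A “likely” (roughly 82% of the weighted evidence), with T1053 listed against that actor because it appears in no profile, ACTOR-B “highly unlikely” on the strength of a single shared phishing technique, and “intent: nothing observed” carried as a gap for both. The point of the output format is the paragraph above: the reader sees what argues for, what argues against, and what was never collected, rather than a bare name.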

Initial attribution, however, is not where this process stops. Indeed, attribution for the sake of attribution is a bit of a self-licking lollipop, that is, a rather large waste of time and resources. Instead, that information must be woven into a broader body of knowledge within an organization so that intelligence and security professionals can operationalize the attribution data, a task that is often overlooked in the broader discussion about the usefulness of attribution.

In this author's opinion, the fact that this step is overlooked is one of the key reasons attribution draws derision from security professionals. What operationalizing attribution looks like, however, is not standardized and will depend on the maturity of the organization doing it.

First and foremost, one of the key components of operationalizing attribution data is at the tactical and operational levels. That is, intelligence professionals should be preparing assessments regarding who is conducting activity and whether the organization is at risk of being targeted. Note though that “who” in this case is merely a conceptual placeholder for all of the other data around that actor:

  • Why are they targeting us?
  • What are they after?
  • What tools are they likely to use?
  • Where are they likely to target us?
  • How are they likely to attack us?
  • How can we detect them?

Image generated by the Avalon platform from King & Union


Attribution data can also be critical during incident response engagements. If suspected attribution can be established during an investigation, even if it only narrows the field to several possible actors, it can direct the incident responders to look for specific artifacts or methodologies that might not have been readily apparent, especially in the early stages or during the remediation phase. This can be critical when dealing with more advanced adversaries, whose later-stage tradecraft may leave little trace unless someone knows to look for it.

Another area where attribution data, especially threat profiles, can be leveraged heavily is in what is commonly referred to as cyber threat emulation (CTE). CTE is often described as a set of highly specific red team engagements that mimic the known TTPs and methodologies of actors known to target an organization or vertical. The objective of these engagements is twofold: to ensure that the organization is capable of detecting these types of attacks and, perhaps more critically, that security analysts and existing processes are able to identify, triage, and respond to them effectively.

Attribution data can also inform strategic business decisions, especially when organizations are deciding on improvements to their existing security posture. For instance:

  • Who are the actors that are most likely to target a given organization or vertical?
  • Do existing security controls allow the organization to reliably detect those actors and their specific TTPs?
  • Are there visibility gaps, and could those gaps pose problems for future detection of those actors and their known toolsets or methodologies?
  • Do products, services, and solutions that are currently being evaluated improve these specific gaps?

In that regard, attribution data can not only inform but also drive evaluation during the purchasing process, by enabling decision makers to set a subset of key criteria for evaluation purposes. These are of course only a sample of possible uses for operationalizing attribution data; the key takeaway is that attribution, that is, attaching a name to the activity, does not end when an organization has answered the who question. That is typically where it starts.
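The incident-response use above (pointing responders at artifacts not yet seen) and the strategic questions just listed (which likely actors, which visibility gaps, whether a product under evaluation closes them) share one input: a set of actors the attribution work has put in play, plus the TTPs known for each. The following is an added illustration of turning that input into the three artifacts the article mentions; it is not tooling from the author or the Avalon platform. The actors (ACTOR-A, ACTOR-B, ACTOR-C), their technique sets, the detection coverage map, the incident observations, and the product's claimed coverage are all constructed, though the ATT&CK technique IDs themselves are real.

```python
"""Turn an attribution assessment into things a SOC and a buyer can act on:
hunt leads for responders, visibility gaps for planning, and a gap-based
score for a product under evaluation.

Added illustration, not the author's tooling. Actor names, technique sets,
coverage and product claims are constructed for the example.
"""
from collections import defaultdict

# Constructed: ATT&CK technique IDs attributed to hypothetical actors.
ACTOR_TECHNIQUES = {
    "ACTOR-A": {"T1566", "T1059.001", "T1003", "T1071.001", "T1021.002"},
    "ACTOR-B": {"T1566", "T1047", "T1486", "T1105", "T1078"},
    "ACTOR-C": {"T1078", "T1021.002", "T1053", "T1003", "T1027"},
}
# Actors assessed as likely to target this organization (the output of the
# threat-profiling step described in the article). ACTOR-B is deliberately absent.
LIKELY_ACTORS = {"ACTOR-A", "ACTOR-C"}
# Constructed detection coverage: technique -> detections or data sources in place.
COVERAGE = {
    "T1566": ["mail-sandbox"],
    "T1059.001": ["powershell-script-block-logging"],
    "T1003": ["edr-lsass-access-rule"],
    "T1071.001": ["proxy-logs"],
}


def _by_actor_count(technique_to_actors):
    """Rank techniques by how many of the actors in play share them, then by ID,
    so the item that matters to the most actors comes first."""
    return sorted(((t, sorted(a)) for t, a in technique_to_actors.items()),
                  key=lambda ta: (-len(ta[1]), ta[0]))


def hunt_leads(suspected, observed, profiles=ACTOR_TECHNIQUES):
    """Techniques the suspected actors are known for that the investigation has
    not yet seen: where responders should look next, most widely shared first."""
    leads = defaultdict(set)
    for actor in suspected:
        for technique in profiles[actor] - observed:
            leads[technique].add(actor)
    return _by_actor_count(leads)


def visibility_gaps(likely, coverage=COVERAGE, profiles=ACTOR_TECHNIQUES):
    """Techniques of likely actors with no detection or data source behind them."""
    gaps = defaultdict(set)
    for actor in likely:
        for technique in profiles[actor]:
            if not coverage.get(technique):
                gaps[technique].add(actor)
    return _by_actor_count(gaps)


def evaluate_product(claimed, gaps):
    """Score a product purely on the gaps it would close. Claims outside the
    gap list are reported separately so a long feature list cannot inflate
    the score."""
    gap_ids = [t for t, _ in gaps]
    closed = [t for t in gap_ids if t in claimed]
    return {
        "closed": closed,
        "remaining": [t for t in gap_ids if t not in claimed],
        "irrelevant_claims": sorted(claimed - set(gap_ids)),
        "gap_coverage": len(closed) / len(gap_ids) if gap_ids else 1.0,
    }


if __name__ == "__main__":
    observed = {"T1566", "T1059.001"}  # constructed: what the incident has shown so far
    print("hunt leads:", hunt_leads({"ACTOR-A", "ACTOR-C"}, observed))
    gaps = visibility_gaps(LIKELY_ACTORS)
    print("visibility gaps:", gaps)
    print("product under evaluation:", evaluate_product({"T1021.002", "T1078", "T1486"}, gaps))
```

With the constructed data, the hunt list leads with credential dumping (T1003) and SMB/admin-share lateral movement (T1021.002) because both suspected actors use them; the gap list shows that T1021.002 is the one uncovered technique shared by both likely actors; and the hypothetical product closes two of four gaps (50%), with its T1486 claim flagged as irrelevant to the gaps the likely actors actually present. The ranking is crude by design: weighting by the assessed likelihood of each actor, or by how much damage a technique enables, is where a mature program would take this next.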

The concept of attribution continues to be controversial within the discipline of cyber threat intelligence. As organizations continue to be inundated with reporting, much of which presents attribution as a product- or service-driven marketing element rather than a well-reasoned and supported intelligence component, attribution continues to be regarded with suspicion or even derision. However, as organizations' intelligence capabilities mature, it is vital that their intelligence programs leverage attribution data for what it can provide from a tactical, operational, and strategic perspective, for training, and in support of business-oriented decision makers.

About the Author