If an organization suffers an online attack the CSO probably doesn’t care who’s behind it — at least not immediately. The first priority is protecting the enterprise.
But after the dust settles the questions will be asked: Was this done by an amateur or someone after particular assets? Criminals or a foreign country? If domestic can the perpetrators be arrested?
In the digital era attribution for an attack isn’t easy, and some would say almost impossible. But at a time when security analysts are urging organizations to delve into the Dark Web to look for signs of an impending attack and governments are willing to publicly point fingers we want to know if it can be done.
Two articles show the problems involved. CSO Online has a piece on the division in the security industry, with some experts arguing that the weaknesses in any IT system that make it easy to attack also make it easy to trace the source. The piece quotes Stewart Baker, a partner at the U.S. law firm Steptoe & Johnson who has also held high-level security positions in Washington, as saying “in the end, those flaws will compromise the anonymity of cyberspies.”
But there are others who insist finding the culprits behind a cyber attack can’t be done only by analyzing their digital tracks alone: Some human help (a turncoat or a person trapped into giving up information) is needed. “If you’re a nation-state-level attacker and want an adversary to believe that another nation state is doing it, there is nothing that can stop that,” Gary McGraw, CTO of Cigital, is quoted as saying.
This debate ends up fighting over attributing the recent Sony Pictures attack, which Washington insists was done by North Korea. But the speed at which it was willing to point the finger has some analysts suspicious — despite a New York Times article claiming the U.S. knows because it has hacked North Korean servers.
The detective work involved in tracing attacks can be seen in a lengthy piece by security blogger Brian Krebs, who reports that the beginning of the just discovered breach at U.S. health care provider Anthem Inc. could lead back to April, 2014, with some clues point to a China-based group of hackers.
Groups are identified in part by the consistency of tools (or derivatives) they use. Last November a security vendor published a chart of servers and tools used by a group dubbed Deep Panda. One Internet address is similar to the former corporate name of Anthem, which changed last April.
There are other clues which are suspicious, fishy, or, perhaps, coincidence. You be the judge.