Threat intelligence: Why Attributing Cyber-Attacks Matters
Info Security Magazine – Kevin Poireault
Cyber attribution is a sensitive subject, not least because of the potential political fallout. Even when cybersecurity experts observed an explosion of wiper malware attacks targeting Ukraine during the current conflict, many did not venture to point the finger directly at the Russian state.
First, many argue that attribution is valuable for the victim's immediate incident response.
Cybersecurity firm Trend Micro explains in a blog that attribution can help determine whether victims were deliberately targeted or were collateral damage, build a better understanding of the tactics, techniques and procedures (TTPs) used during an attack so that detection and response can be improved, and help the board see the value of investing in new security tools.
Cross-Checking Data

To acquire this knowledge, Jamie Collier, an EMEA senior threat intelligence advisor at Mandiant, explained that CTI analysts first need to work hand in hand with incident response teams to identify two types of data: evidence from the "crime scene" (who has been targeted by the attack, which devices have been accessed by third parties, which part of the system has been infected, what the indicators of compromise (IOCs) are, etc.), and intelligence about the perpetrators (what their TTPs are, what tools and infrastructure they are using, how sophisticated the attack is, what their motivations may be, etc.).
Temporary Attributions

While each vendor has its own attribution process, one thing is common to all: it can take months, if not years, to identify a specific threat group behind an attack or a series of cyber incidents.
One workaround for this challenge is to use temporary naming codes. Mandiant, for instance, first assigns an "Uncategorized" (UNC) codename to a cluster of threat activity. Microsoft uses a similar process, assigning a temporary DEV number, which stands for "Development group," to clusters of threat activity it has not yet fully identified.
A Game of Cat and Mouse

Another challenge for CTI analysts is choosing the right time to publish their findings, and how much to share.
Link: https://www.infosecurity-magazine.com/news-features/cti-attributing-cyberattacks/