GUEST COLUMN
Navigating the trade-offs of cyber attribution

It is crucial that security teams first understand their own requirements and limitations before deciding on which level of attribution to pursue, as this allows for an agile “just enough” approach to security.
Attribution matters, but to what extent? The game of cyber whodunit is often perceived as a clean and binary question, where threat activity is either attributed or it is not. Yet, it is typically a more complex process that regularly involves difficult trade-offs. Different forms of attribution—ranging from simply linking threat clusters together to identifying the names and faces of an adversary—present vastly different challenges and resource requirements. Analysts making attribution judgements must also weigh up several competing priorities, including the deadlines set by stakeholders, the completeness of data, and the confidence level behind their assessments.
The Three Tiers of Threat Actor and Attribution Analysis

Security researchers rarely attribute threat activity to named individuals or organizations. More commonly, attribution involves clustering discrete indicators such as IP addresses or domains that are in some way related. This is commonly known as tactical attribution. Once tactical attribution is achieved, researchers can begin extrapolating characteristics from these activity clusters to achieve operational profiling. Examples of operational profiling include statements such as “a loosely-affiliated group of mostly amateur individuals” or “a coordinated group of criminals with access to sophisticated tools”. By extrapolating out these capabilities, behaviors, motivations, and other characteristics, researchers can get ahead of the threat because they can anticipate if, how, and why an actor may act. Finally, once operational attribution is achieved, researchers may then look to establish strategic attribution: that is, the identity of a threat group or threat actor. This may include an individual’s name or associations, or this identity may only be defined by the sponsor, or ultimate beneficiary, of the threat operations.
Analytical Independence

Various entities weigh in on attribution, including CTI vendors, government agencies, and independent researchers. This poses a question of how much we should trust others. Ignoring all third-party intelligence in the pursuit of complete independence would mean neglecting valuable insight. Conversely, sloppy clustering between threat actors tracked by different entities can quickly lead to confusion and imprecision. For example, the threat actor dubbed “Winnti” became increasingly vacuous due to inconsistent methodologies, dubious clustering, and a lack of collaboration between different security organizations. Mandiant naturally pays attention to threat research published by a wide variety of entities, and our analysts will explore whether we have overlapping visibility within our own collection universe. However, we are also committed to developing attribution judgements that are firmly based on our independent analysis and primary-source collection data.
Confidence Levels

CTI functions should avoid making rash attribution judgments, yet an overly cautious approach can stymie action. Ultimately, if the bar to merging threat clusters is too high, stakeholders will struggle to tackle key threats in a timely fashion. Mandiant Intelligence practices a flexible approach through the use of uncategorized threat clusters (referred to as UNC groups). This enables us to reveal useful insight into threats quickly and without having to complete a lengthy attribution process straight away. For example, shortly after the 2020 SolarWinds supply chain compromise, Mandiant Intelligence released details on the threat actor behind the campaign: UNC2452. This
JUNE 2023