
Navigating the trade-offs of cyber attribution

It is crucial that security teams first understand their own requirements and limitations before deciding on which level of attribution to pursue, as this allows for an agile “just enough” approach to security.

Attribution matters, but to what extent? The game of cyber whodunit is often perceived as a clean and binary question, where threat activity is either attributed or it is not. Yet, it is typically a more complex process that regularly involves difficult trade-offs.

Different forms of attribution—ranging from simply linking threat clusters together to identifying the names and faces of an adversary—present vastly different challenges and resource requirements. Analysts making attribution judgements must also weigh up several competing priorities, including the deadlines set by stakeholders, the completeness of data, and the confidence level behind their assessments.

The Three Tiers of Threat Actor and Attribution Analysis

Security researchers rarely attribute threat activity to named individuals or organizations. More commonly, attribution involves clustering discrete indicators such as IP addresses or domains that are in some way related. This is commonly known as tactical attribution.

Once tactical attribution is achieved, researchers can begin extrapolating characteristics from these activity clusters to achieve operational profiling. Examples of operational profiling include statements such as “a loosely-affiliated group of mostly amateur individuals” or “a coordinated group of criminals with access to sophisticated tools”. By extrapolating out these capabilities, behaviors, motivations, and other characteristics, researchers can get ahead of the threat because they can anticipate if, how, and why an actor may act.

Finally, once operational attribution is achieved, researchers may then look to establish strategic attribution, that is, the identity of a threat group or threat actor. This may include an individual’s name or associations, or the identity may only be defined by the sponsor, or ultimate beneficiary, of the threat operations.

Analytical Independence

Various entities weigh in on attribution, including CTI vendors, government agencies, and independent researchers. This raises the question of how much we should trust others.

Ignoring all third-party intelligence in the pursuit of complete independence would mean neglecting valuable insight. Conversely, sloppy clustering between threat actors tracked by different entities can quickly lead to confusion and imprecision. For example, the threat actor dubbed “Winnti” became increasingly vacuous due to inconsistent methodologies, dubious clustering, and a lack of collaboration between different security organizations.

Mandiant naturally pays attention to threat research published by a wide variety of entities and our analysts will explore whether we have overlapping visibility within our own collection universe. However, we are also committed to developing attribution judgements that are firmly based on our independent analysis and primary-source collection data.

Confidence Levels

CTI functions should avoid making rash attribution judgments, yet an overly cautious approach can stymie action. Ultimately, if the bar to merging threat clusters is too high, stakeholders will struggle to tackle key threats in a timely fashion.

Mandiant Intelligence practices a flexible approach through the use of uncategorized threat clusters (referred to as UNC groups). This enables us to reveal useful insight into threats quickly and without having to complete a lengthy attribution process straight away.

For example, shortly after the 2020 SolarWinds supply chain compromise, Mandiant Intelligence released details on the threat actor behind the campaign: UNC2452. This uncategorized group was eventually merged with APT29 many months later but the use of a UNC group allowed Mandiant to publish actionable intelligence as quickly as possible. This also means that Mandiant Intelligence analysts do not need to rush attribution and merging processes.
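As an added illustration of the workflow described above (example code, not Mandiant's tooling): intrusion cases are linked into tactical clusters through shared indicators, each cluster gets a placeholder UNC name, and a later merge into a named group only goes through when the assessed confidence clears a threshold, with the retired name kept resolvable. The case names, indicator values and the 0.8 threshold are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample intrusions (not real indicators); shared indicators link cases.
INTRUSIONS = {
    "case-01": {"ip:203.0.113.10", "domain:update-svc.example", "hash:aaaa"},
    "case-02": {"ip:203.0.113.10", "domain:cdn-sync.example"},
    "case-03": {"domain:cdn-sync.example", "hash:bbbb"},
    "case-04": {"ip:198.51.100.7", "hash:cccc"},  # shares nothing with the rest
}

def tactical_clusters(intrusions, prefix="UNC", start=1000):
    """Tactical attribution: connected components of cases over shared indicators."""
    parent = {case: case for case in intrusions}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    seen = {}  # indicator -> first case that observed it
    for case, indicators in intrusions.items():
        for ind in indicators:
            if ind in seen:
                parent[find(case)] = find(seen[ind])
            else:
                seen[ind] = case
    groups = defaultdict(set)
    for case in intrusions:
        groups[find(case)].add(case)
    # Name components deterministically (by their earliest case) as UNC groups
    return {f"{prefix}{start + i}": cases
            for i, cases in enumerate(sorted(groups.values(), key=min))}

@dataclass
class ClusterRegistry:
    clusters: dict
    aliases: dict = field(default_factory=dict)  # retired name -> surviving name
    def resolve(self, name):
        while name in self.aliases:
            name = self.aliases[name]
        return name
    def merge(self, src, dst, confidence, threshold=0.8):
        """Merge src into dst only if assessed confidence clears the bar."""
        src, dst = self.resolve(src), self.resolve(dst)
        if src == dst or confidence < threshold:
            return False
        self.clusters.setdefault(dst, set()).update(self.clusters.pop(src))
        self.aliases[src] = dst
        return True
```

Because the old name stays resolvable, intelligence already published under the UNC label remains usable after the merge.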

Going Public

While everyone loves a juicy CTI blog post lifting the lid on the latest APT campaign, publicizing threat research involves multiple equities including source sensitivities, a victim’s reaction, the current geopolitical context, implications for ongoing response engagements, and a threat actor’s potential reaction. Ultimately, whether you are a government releasing cyber sanctions or a CTI vendor calling out an APT group, a thoughtful and considered approach is crucial.

Analytic Techniques

Structured techniques play an important role in improving the rigor and quality of analytical assessments. However, they can also be costly, time-consuming, and resource-intensive.

The role of analytical techniques is therefore best seen as a sliding scale that can be ramped up or down accordingly. For instance, CTI functions may want to ramp up their use of analytical techniques for important attribution judgements with significant implications for their organization or when dealing with poor collection quality.

Attribution presents plenty of difficult decisions and complex trade-offs. But attributing cyber activity should always be seen as an enabler rather than a straitjacket.

Attribution trade-offs can pose awkward questions for a security function, yet the answer is usually obvious when we simply ask: what is best for our organization? That is because the attribution process thrives when it is linked to clear organizational requirements, use cases, and outcomes. This might not be quite as glamorous as trying to replicate government intelligence agencies, but it will be a whole lot more effective for your organization and stakeholders.
