Attack Attribution: Looking Back to Look Forward
Part 1 of 2
Lest we see only doom and gloom in the cascade of data breach disclosures, it’s worth acknowledging some of the outstanding work being done on the good guys’ side in the cyber wars. We’re going to take a two-part look at this, starting with some discussion of attack attribution and adversary analysis, and continuing by looking at some timely analysis of the actors behind the recent Anthem Healthcare breach.
To begin, let’s consider a debate at play in some circles about the value (or not) of attack attribution–that is, identifying the person(s) or organization(s) behind malicious or suspicious activity. From the standpoint of recourse against the criminal, it’s sometimes tempting to ask “why bother?” since many cybercriminals operate from outside of jurisdictions that have any real authority (or, in some cases, interest) to take action. However, narrowly viewing attribution this way misses some very important concepts. Specifically, attribution really comes into its own as a way of understanding the enemy–its methods, its aims, its habits. And the portrait of the threat actor is invaluable in every phase of security, from planning to defending to monitoring to responding. It’s naive to say “it doesn’t matter who the attacker is, as long as I can stop them,” since we are manifestly not stopping attackers as well as we should be. Knowing more about them can help close the gap.
Adversary analysis as a proxy for risk
Kevin Mandia, founder of leading security firm Mandiant (later acquired by FireEye), put it well when he characterized attack attribution as a proxy for risk: knowing more about threat actors helps us gauge the level of risk that their past, present, and future activities carry. An attack by a script kiddie working alone is a very different matter from a coordinated nation-state or organized crime effort. Attribution of an attack can be expanded into the broader endeavor of adversary analysis.
The debate about attribution’s value—and some very thoughtful responses to it—is nicely summarized here.
In the article, Josh Ray, a senior intelligence director at Verisign iDefense, makes a convincing case for adversary analysis. He sees it as vital for improving an organization’s security posture and for properly allocating the right level of resources to the response. He specifically cites URLs, domain names, IP addresses and email addresses as important inputs to that process, which is precisely what some of DomainTools’ most sophisticated customers are using our data and services for today.
Here are specifics that Ray calls out in the article, with tips on how DomainTools can help:
- Prioritize incidents effectively based on adversary impact: DomainTools “reverse” tools can shed light on adversary intent and find new IOCs (Indicators of Compromise) by surfacing relationships that you might not have known were already in play in your network. If original attack domain A turns out to be connected to domains B…Z, those other domains bear much deeper scrutiny.
- Identify internal high-value targets and programs based on adversary intent and collection requirements: Where the above focuses on the incident, this pivots the emphasis to the target(s). DomainTools helps in the same way, though.
- Proactively block threat infrastructure: Expansion by Reverse Whois et al. exposes the larger threat infrastructure (which you can then feed into firewalls, IPS, etc): Registrant Monitor monitor flags new domains set up by the actor, which can be proactively blocked (firewalls etc. again) before they have done harm.
- Monitor threat communications to provide advance warning: Expanding the original domain to the larger threat network gives you more places to look/listen.
- Drive intelligence-driven red teaming based on threat tactics: The better you understand the adversary, the better you can align your valuable resources with their current and likely activities.
- Support internal business cases for IT security resource allocation based on what adversaries are targeting within your business: Similar to the above, but with a focus specifically on financial resources.
In the next installment, we’ll move from the theoretical to the actual: one of DomainTools’ key partners, ThreatConnect, recently released an excellent blog post walking through their analysis of the recent Anthem breach. It’s an example of cyber threat forensics at its best, and given the magnitude of the breach, the importance of that analysis is hard to overstate.
For now, happy exploring, and stay safe out there.