Malware Attribution

Your NG-Firewall or any other *Fire*-product detects a targeted attack that the anti-virus industry will miss.

Who can tell who does what on the Internet, and why do we care anyway?

Attribution is the practice of taking the forensic artifacts of a cyber attack and matching them to known threats that target organizations with a profile like yours.

If this seems overly complicated, that is intentional. There are degrees of attribution that map to very specific contexts, and painting over that context with a simplistic reading accomplishes very little other than frightening decision makers into unnecessary expenditures. Attribution is nonetheless something every company should care about.

It is a way of checking the assumptions of our threat model against the real world and revising those assumptions accordingly.

  • Attribution is not a smoking gun that will hold up in a court of law.
    Unless you are a security agency, attempting to establish that link is a waste of time and resources ten times out of ten, especially if you are dealing with a common one-off phishing wave rather than a sustained, state-sponsored infiltration.
  • Attribution is not binary.
    There is no defined state at which you are ‘done’, because again, only an intelligence agency can definitively answer questions of motivation, intent, and capabilities with a simple yes or no answer. Some people take this to mean attribution is not a meaningful pursuit.
  • One forensic artifact does not an attribution make.
    Many of us have seen extensive lists of indicators of compromise (IOCs) definitively attributed to various nation-state groups at one point or another, typically by a government agency.
    The idea is to take a snapshot in time, one forensic mug shot, and spread it around so defenders can keep their eyes open for similar TTPs within the same timeframe.

    Some organizations have interpreted these lists to mean that *any* IOC listed is a hard attribution to a particular nation state, and will commence searching their logs for “attacks.”

    This is a waste of time and money, and it presumes an immutability to Tactics, Techniques and Procedures (TTPs) that they do not have: hashes, IP addresses and domains are rotated long before the list goes stale, while the tradecraft behind them changes slowly.

The benchmark should be what a preponderance of evidence would lead a reasonable observer to conclude.
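The three rules above (an IOC list is a snapshot that goes stale, one artifact is not an attribution, and the verdict is a preponderance of evidence rather than a yes/no) can be made mechanical. The following is an added example, not code from the original page: a small scorer that weights matched indicators by how hard they are for an adversary to change, decays each match by the age of the report that published it, and only names a group when its score clears a threshold and clearly leads the runner-up. The weight and half-life tables, the thresholds and the catalogue of indicators are all constructed assumptions for illustration, not published calibration values.

```python
from dataclasses import dataclass
from datetime import date

# Assumed weights, loosely following the "pyramid of pain": hashes and IPs are
# trivially rotated by the adversary, tooling and TTPs are not, so they count
# for more. Assumed half-lives model an IOC list as a snapshot that goes stale.
WEIGHT = {"hash": 1.0, "ip": 1.0, "domain": 2.0, "tool": 3.0, "ttp": 5.0}
HALF_LIFE_DAYS = {"hash": 30, "ip": 30, "domain": 90, "tool": 365, "ttp": 730}


@dataclass(frozen=True)
class Indicator:
    kind: str        # one of the keys in WEIGHT
    value: str       # the artifact as it would appear in your own telemetry
    group: str       # group the publishing report attributed it to
    published: date  # when the report was published


def decayed_weight(ind: Indicator, observed: date) -> float:
    """Weight of a match, halved every HALF_LIFE_DAYS since publication."""
    age_days = max(0, (observed - ind.published).days)
    return WEIGHT[ind.kind] * 0.5 ** (age_days / HALF_LIFE_DAYS[ind.kind])


def score(catalog, observed_artifacts, observed: date) -> dict:
    """Sum decayed weights per group over the artifacts we actually saw.

    observed_artifacts is a set of (kind, value) tuples from the incident.
    An artifact attributed to several groups scores for each of them,
    which is exactly why a lone match proves little.
    """
    scores: dict = {}
    for ind in catalog:
        if (ind.kind, ind.value) in observed_artifacts:
            scores[ind.group] = scores.get(ind.group, 0.0) + decayed_weight(ind, observed)
    return scores


def assess(catalog, observed_artifacts, observed: date,
           threshold: float = 6.0, min_lead: float = 1.5):
    """Return (verdict, scores). Thresholds are assumed values for this example."""
    scores = score(catalog, observed_artifacts, observed)
    if not scores:
        return "no overlap with catalogued groups", scores
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    best, best_score = ranked[0]
    runner_up = ranked[1][1] if len(ranked) > 1 else 0.0
    if best_score < threshold:
        return "insufficient evidence", scores
    if runner_up > 0 and best_score / runner_up < min_lead:
        return "ambiguous: overlapping tradecraft", scores
    return f"consistent with {best}", scores


# Constructed catalogue standing in for a published IOC list. The hash, IP and
# domain are placeholders, not real indicators.
REPORT = date(2020, 1, 15)
HASH = "sha256:constructed-example-hash"
DOMAIN = "update-check.invalid"
LOADER = "custom loader, XOR-encoded config"
RAT = "publicly available RAT"
TTP = "spearphish attachment -> scheduled task persistence"
CATALOG = [
    Indicator("hash", HASH, "GROUP-A", REPORT),
    Indicator("ip", "203.0.113.7", "GROUP-A", REPORT),
    Indicator("domain", DOMAIN, "GROUP-A", REPORT),
    Indicator("tool", LOADER, "GROUP-A", REPORT),
    Indicator("ttp", TTP, "GROUP-A", REPORT),
    # The same tradecraft and the same off-the-shelf tool are reported for a
    # second group, so neither is distinctive on its own.
    Indicator("ttp", TTP, "GROUP-B", REPORT),
    Indicator("tool", RAT, "GROUP-A", REPORT),
    Indicator("tool", RAT, "GROUP-B", REPORT),
]


if __name__ == "__main__":
    # One hash hit five days after the report: real overlap, not attribution.
    print(assess(CATALOG, {("hash", HASH)}, date(2020, 1, 20)))
    # Loader, domain and TTP all line up six weeks later: a preponderance.
    print(assess(CATALOG, {("tool", LOADER), ("domain", DOMAIN), ("ttp", TTP)}, date(2020, 3, 1)))
    # Shared TTP plus a shared tool: plenty of score, no way to pick a group.
    print(assess(CATALOG, {("tool", RAT), ("ttp", TTP)}, date(2020, 3, 1)))
```

The verdict is a string rather than a group name by design: the function refuses to name anyone when the evidence is thin or when two groups share the matched tradecraft, and a year-old hash match contributes almost nothing, which is the behaviour the bullets above ask for.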