Attack attribution is always difficult as criminal groups often share code and techniques, and nation-state actors excel at deception. Here, security researchers share their techniques and common pitfalls.
Attributing a cyberattack to a particular threat actor is hard, and hardest for an intricate attack by a nation-state actor, because capable attackers hide or erase their tracks, or plant evidence that deflects blame onto someone else.
The best method for arriving at a solid attribution is to examine the infrastructure and the techniques used in the attack, but even then researchers often get it wrong, as Paul Rascagneres and Vitor Ventura of Cisco Talos illustrated in a talk at the VB2020 conference on September 30.
Researchers typically rely on three sources of intelligence, Rascagneres said: open-source intelligence (OSINT), which is publicly available information on the internet; technical intelligence (TECHINT), which comes from malware analysis; and proprietary data available only to the organizations involved in the incident.
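The infrastructure-and-techniques approach from the previous paragraphs, and the way it can mislead, can be made concrete with a small scoring exercise. The following Python is an added illustration written for this page, not code from the Talos talk or from CSO Online: the incident indicators, the two actor profiles and the list of "shared" infrastructure are all constructed, the IPs are from the RFC 5737 documentation ranges, and the technique IDs are ATT&CK-style labels used only as set members. It scores an incident against each profile twice, once on raw infrastructure overlap and once after discounting infrastructure known to be shared by many unrelated operators, and then combines the discounted infrastructure score with technique (TTP) overlap.

```python
"""Toy attribution scoring over infrastructure and technique indicators.

Added example for this page; not the researchers' method. Every indicator,
profile and the SHARED_INFRA list below is constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """Indicators previously tied to one actor (from OSINT, TECHINT or private data)."""
    name: str
    infra: frozenset[str]   # IPs, domains, certificate hashes
    ttps: frozenset[str]    # technique identifiers


# Constructed: infrastructure that many unrelated operators use (bulletproof
# hosting, CDN edges, public dynamic-DNS). Overlap here proves very little.
SHARED_INFRA = frozenset({"203.0.113.10", "cdn.example.net"})


def jaccard(a: frozenset[str], b: frozenset[str]) -> float:
    """Overlap ratio |a & b| / |a | b|; 0.0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def score(incident: Profile, profile: Profile,
          shared: frozenset[str] = SHARED_INFRA) -> dict:
    """Score one incident against one actor profile.

    infra_raw     overlap on all infrastructure indicators
    infra_unique  overlap after removing shared/commodity infrastructure
    ttp           overlap on techniques
    shared_only   True when the ONLY infrastructure link is shared infrastructure,
                  i.e. the raw score is a false lead
    confidence    equal-weight mix of infra_unique and ttp (weights are a choice
                  made for this example, not a published scheme)
    """
    infra_overlap = incident.infra & profile.infra
    unique_overlap = infra_overlap - shared
    infra_unique = jaccard(incident.infra - shared, profile.infra - shared)
    ttp = jaccard(incident.ttps, profile.ttps)
    return {
        "actor": profile.name,
        "infra_raw": jaccard(incident.infra, profile.infra),
        "infra_unique": infra_unique,
        "ttp": ttp,
        "shared_only": bool(infra_overlap) and not unique_overlap,
        "confidence": 0.5 * infra_unique + 0.5 * ttp,
    }


def rank(incident: Profile, profiles: list[Profile]) -> list[dict]:
    """Candidate actors ordered from most to least likely."""
    return sorted((score(incident, p) for p in profiles),
                  key=lambda s: s["confidence"], reverse=True)


# Constructed incident: a shared host, a C2 domain and a TLS certificate hash.
INCIDENT = Profile(
    name="incident-2020-09",
    infra=frozenset({"203.0.113.10", "c2.example.org", "cert:3f9e1c"}),
    ttps=frozenset({"T1566.001", "T1059.001", "T1071.001"}),
)

# Constructed actor profiles. Actor A only shares the commodity host with the
# incident; Actor B shares the C2 domain and two techniques.
PROFILES = [
    Profile("Actor A", frozenset({"203.0.113.10", "198.51.100.7"}),
            frozenset({"T1190", "T1505.003"})),
    Profile("Actor B", frozenset({"c2.example.org", "198.51.100.22"}),
            frozenset({"T1566.001", "T1059.001", "T1027"})),
]


if __name__ == "__main__":
    for s in rank(INCIDENT, PROFILES):
        flag = "  <- infrastructure link is shared hosting only" if s["shared_only"] else ""
        print(f"{s['actor']}: raw infra {s['infra_raw']:.2f}, "
              f"unique infra {s['infra_unique']:.2f}, ttp {s['ttp']:.2f}, "
              f"confidence {s['confidence']:.2f}{flag}")
```

On the constructed data both actors tie on raw infrastructure overlap (0.25 each), which is exactly the situation in which an analyst pivoting on a single shared IP would pick the wrong actor; once commodity infrastructure is discounted and techniques are weighed in, Actor A drops to zero and is flagged `shared_only`, while Actor B ranks first. The weights and the shared-infrastructure list are the analyst's judgement calls, which is one reason two teams looking at the same indicators can reach different attributions.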
Nation-state intelligence agencies are another source, because they have more information and more resources than the private sector, but they are often secretive about their methods. “In public sectors, they don’t give everything,” Rascagneres said. “They don’t explain how they get all the detail. How does it make the link?”

[This article appeared in CSO Online. To read the rest of the article please visit here.]