The IT Pro Podcast: Does threat attribution matter?

There is a vast universe of threats facing modern businesses, from opportunistic lone hackers and organised criminal gangs, to state-backed intelligence units working for nations such as Russia and China. Attempting to divine which of these groups is behind a given cyber attack has almost become an industry in and of itself, with numerous tools being leveraged by analysts and researchers to assign blame.

But is there any actual value for businesses in knowing exactly which individuals are responsible for cyber crimes targeting them? Outside of law enforcement organisations attempting to bring the perpetrators to justice, what do we gain from the process of cyber threat attribution? We’re joined this week by Don Smith, Vice President of SecureWorks' counter-threat intelligence unit, to learn more about the clues that can inform attribution, and whether or not CISOs and security professionals need to worry about it in the first place.

Highlights

“It's very, very important to attribute to a degree; attribute to what, in the old days, we used to call intrusion sets, to these names that security companies come up with. Attributing beyond that clustering, to individuals or organisations or countries, is much, much harder… And the benefit is, bluntly, not as tangible to us in terms of our effort. So what you will find is, there's an awful lot of effort goes into attributing to the clusters, less so to attributing to individuals - with the one notable exception of governments, where it's very important to have attribution for some of these attacks.”

“I think the biggest misconception is that out there is a structured blank jigsaw waiting for people to put the right piece in the right box... And that just doesn't exist. I know how my team attributes different intrusions. I know we use the diamond model, I know we have a high threshold for crossover of tooling in particular because of tool reuse. And we look for real uniqueness before we bucket things into into particular groups.”

“I think it's important on a day to day basis that a CISO knows that the people behind Emotet are a large scale, highly organised criminal organisation that have been going for over a decade and aren't going to give up; that their intent is criminal money making. But it's not, two guys in hoodies, hunched over a laptop somewhere in Russia. So that kind of day to day operational understanding of who the actor is, in a general sense, I think is important for CISOs.”

Read the full transcript here.

Footnotes

• Conti source code leaked by Ukrainian researcher
• What is NotPetya?
• Ryuk ransomware is now targeting web servers
• Ryuk ransomware earnings top $150 million
• What are the different types of ransomware?
• What is double extortion ransomware?
• Microsoft uses sinkhole to thwart Russian state-backed Fancy Bear attacks
• Should your business worry about Chinese cyber attacks?
• Cyber criminals are spending longer inside business' networks after the initial breach
• The keys to catching a cyber crook
• How do hackers choose their targets?
• US pledges to take a 'hands-on' approach to disrupting cyber criminals
• Five Eyes and US governments finally confirm Russia was behind Ukrainian government, Viasat cyber attacks

Subscribe

• Subscribe to The IT Pro Podcast on Apple Podcasts
• Subscribe to The IT Pro Podcast on Google Podcasts
• Subscribe to The IT Pro Podcast on Spotify
• Subscribe to the IT Pro newsletter
• Subscribe to IT Pro 20/20