The IT Pro Podcast: Does threat attribution matter?

The IT Pro Podcast: Does threat attribution matter?

There is a vast universe of threats facing modern businesses, from opportunistic lone hackers and organised criminal gangs, to state-backed intelligence units working for nations such as Russia and China. Attempting to divine which of these groups is behind a given cyber attack has almost become an industry in and of itself, with numerous tools being leveraged by analysts and researchers to assign blame.

But is there any actual value for businesses in knowing exactly which individuals are responsible for cyber crimes targeting them? Outside of law enforcement organisations attempting to bring the perpetrators to justice, what do we gain from the process of cyber threat attribution? We’re joined this week by Don Smith, Vice President of SecureWorks' counter-threat intelligence unit, to learn more about the clues that can inform attribution, and whether or not CISOs and security professionals need to worry about it in the first place.


“It's very, very important to attribute to a degree; attribute to what, in the old days, we used to call intrusion sets, to these names that security companies come up with. Attributing beyond that clustering, to individuals or organisations or countries, is much, much harder… And the benefit is, bluntly, not as tangible to us in terms of our effort. So what you will find is, there's an awful lot of effort goes into attributing to the clusters, less so to attributing to individuals - with the one notable exception of governments, where it's very important to have attribution for some of these attacks.”

“I think the biggest misconception is that out there is a structured blank jigsaw waiting for people to put the right piece in the right box... And that just doesn't exist. I know how my team attributes different intrusions. I know we use the diamond model, I know we have a high threshold for crossover of tooling in particular because of tool reuse. And we look for real uniqueness before we bucket things into into particular groups.”

“I think it's important on a day to day basis that a CISO knows that the people behind Emotet are a large scale, highly organised criminal organisation that have been going for over a decade and aren't going to give up; that their intent is criminal money making. But it's not, two guys in hoodies, hunched over a laptop somewhere in Russia. So that kind of day to day operational understanding of who the actor is, in a general sense, I think is important for CISOs.”

Read the full transcript here.




ITPro is a global business technology website providing the latest news, analysis, and business insight for IT decision-makers. Whether it's cyber security, cloud computing, IT infrastructure, or business strategy, we aim to equip leaders with the data they need to make informed IT investments.

For regular updates delivered to your inbox and social feeds, be sure to sign up to our daily newsletter and follow on us LinkedIn and Twitter.