Attribution can be a tricky process. In the case of a DDoS attack, threat actors often employ botnets to direct a high volume of traffic to a target, overwhelming that network and disrupting its service.
After outages at X caused allegedly by a DDoS attack, plenty of people asked who was responsible. Elon Musk cast blame on Ukraine, Politico reports. Cybersecurity experts pushed back against that assertion. Meanwhile, Dark Storm, a pro-Palestinian group, claimed responsibility, further muddling attempts at attribution.
“A botnet is generally a network of compromised computers. In essence, they [a victim] are being hit from different IP addresses, different systems. So, you really can’t actually pinpoint that it came from this specific location, which makes it difficult to identify root cause,” explains Vishal Grover, CIO at apexanalytix, a supplier onboarding, risk management, and recovery solutions company.
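The point Grover makes can be shown with a few log lines. This is an added illustration, not code from the article or its interviewees: a one-second window of web-server log lines (constructed here) is summarised per source address, and the rate and share thresholds are assumptions for the example. A burst from one client leaves a single address to act on; the same volume spread across a botnet leaves no dominant source to pin it on.

```python
"""Added illustration: why per-source counting cannot pinpoint the origin of a
botnet-driven DDoS. Log lines and thresholds below are constructed assumptions."""
from collections import Counter

# Constructed Combined-Log-Format lines, all within the same second.
# DISTRIBUTED_BURST: the same request from 40 distinct addresses (botnet-like).
# SINGLE_SOURCE_BURST: 40 requests from one noisy client.
DISTRIBUTED_BURST = [
    f'203.0.113.{i} - - [10/Mar/2025:14:00:01 +0000] "GET / HTTP/1.1" 503 0'
    for i in range(1, 41)
]
SINGLE_SOURCE_BURST = [
    '198.51.100.7 - - [10/Mar/2025:14:00:01 +0000] "GET / HTTP/1.1" 200 1024'
    for _ in range(40)
]

RATE_THRESHOLD = 30   # assumption: requests per second considered abnormal
DOMINANT_SHARE = 0.5  # assumption: one address above this share is actionable


def source_ip(line: str) -> str:
    """The client address is the first whitespace-separated field."""
    return line.split(" ", 1)[0]


def classify_burst(lines: list[str]) -> dict:
    """Summarise a one-second window: total requests, distinct sources and
    the share of traffic held by the single busiest address."""
    counts = Counter(source_ip(line) for line in lines)
    total = sum(counts.values())
    top_ip, top_count = counts.most_common(1)[0] if counts else ("-", 0)
    share = top_count / total if total else 0.0
    if total < RATE_THRESHOLD:
        verdict = "normal"
    elif share >= DOMINANT_SHARE:
        verdict = "single-source flood"  # one address to block or investigate
    else:
        verdict = "distributed flood"    # many sources, no single origin to name
    return {"total": total, "sources": len(counts),
            "top_ip": top_ip, "top_share": share, "verdict": verdict}


if __name__ == "__main__":
    for name, burst in (("botnet", DISTRIBUTED_BURST),
                        ("noisy client", SINGLE_SOURCE_BURST)):
        print(name, classify_burst(burst))
```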
How should CIOs and CISOs be thinking about attribution and their own approach when they are faced with navigating the aftermath of a cyberattack?
The Importance of Attribution
Attribution is important. But it isn’t necessarily the first priority during incident response.
“The … concern that I probably would have as a CISO is addressing the vulnerability that allowed them in the door in the first place,” says Randolph Barr, CISO at Cequence Security, an API and bot management company.
Once an incident response team addresses the vulnerability and ensures threat actors aren’t lingering in any systems, they can dig into attribution. Who executed the attack? What was the motivation? Getting the answers to those questions can help security teams mitigate the risk of future attacks from the same group or other groups that leverage similar tactics.
Of course, the larger the company and the more widespread the disruption, the louder the calls for attribution tend to be. “When you have a large organization like X, there’s going to be a lot of people asking questions. When other folks get involved, then attribution becomes important,” says Barr.
For smaller organizations, attribution may be a lower priority as they leverage more limited resources to work through remediation first.
How to Tackle Attribution
In some cases, attribution may be quite simple. For example, a ransomware gang is likely to be forthright about their identity and their financial motivations.
But threat actors that step into the limelight aren’t always the true culprits. “Sometimes people claim publicly that they did it, but you can’t really necessarily confirm that they actually did it. They just may want the eyes on them,” Barr points out.
Attribution tends to be a complicated process that takes a significant amount of time and resources: both technical tools and threat intelligence. Whether done internally or with the help of outside experts, the attribution process typically culminates in a report that details the attack and names the responsible party, with varying degrees of confidence.
Sometimes you might not get a definitive answer. “There are times when you won’t be able to determine the root cause,” says Grover.
Attribution and Information Sharing
Attribution can help an individual enterprise shore up its security posture and incident response plan, but it also has value to the wider security community.
“That’s one of the primary reasons that you go and attend a security conference or security meeting. You definitely want to share your experiences, learn from their experiences, and understand everybody’s perspective,” says Grover.
Threat intelligence and security teams can collaborate with one another and share information about the groups that target their organizations. Threat intel teams might also pick up information about planned attacks on the dark web. Sharing that information with potential targets is valuable.
“We build those relationships so that we know that we can trust each other to say, ‘Hey, if our name comes up, please let us know,’” says Barr.
Not all companies have a culture that facilitates that kind of information sharing. Cyberattacks come with a lot of baggage. There’s liability to worry about. Brand damage. Lost revenue. And just plain embarrassment. Any one of those factors, or a combination thereof, could push enterprises to err on the side of silence.
“We’re still trying to figure out, as security professionals, what is it that would allow for us to have that conversation with other security professionals and not worry about exposing the business,” says Barr.