Do you find the public discussions about attribution after a breach useful or a needless distraction?
I know I've been on both sides of the issue. Sometimes the value of a concept -- in this case, attribution -- is lost in the debate. Then I met Levi Gundert (LinkedIn, Twitter), VP of Information Security Strategy, from Recorded Future.
Levi's career as an information security professional includes unique operational and leadership experience in government (U.S. Secret Service), threat intelligence providers (Team Cymru and Recorded Future), and multi-vertical Fortune 500 enterprises (IBM, Cisco Systems, Union Bank, and Fidelity Investments).
Our discussion revealed when and how attribution matters. It starts by getting the definition right.
You pointed out that the definition of attribution matters. What does a security leader need to consider when it comes to attribution?
The definition is critical. Attribution is often mis-understood to mean the identification of an individual or group with associated real name, address, and other personally identifiable information. In contrast, within a business context, attribution is obtaining general intelligence to address the "who" and "why" of nefarious activity.
As a former federal agent, I needed specific and detailed attribution of malicious online activity to establish probable cause and drive a subsequent indictment. Similarly, part of the intelligence community's mandate is to understand online adversarial activity and the specific people instigating it. A business's goals are quite different - one of the primary objectives is to minimize operational risk.
Businesses that are committed to reducing operational risk need to understand the value of general attribution. Simply, motivation informs methodology. If the business doesn't understand the actor(s) behind an attack or unauthorized event, then they are at risk of a stunted remediation effort that may lead to continued resource drain.
Consider a large financial services company that recently became the victim of a website compromise and defacement claimed by a previously unknown threat group. To deliver an incident report full of technical indicators and a dearth of information about the attack group is irresponsible, because the group's motivation and history may lead to additional attack methodologies and victims that are essential to addressing future threats from the same group.
Expand on "motivation informs methodology." How does this help a security leader?
General attribution informs senior business leaders' critical decisions, especially during an incident. Beyond crisis moments, security leaders need to effectively communicate general attribution information to help executives and the board meet the daily challenges of information security program resource allocation.
Effort and resources spent attempting to identify specific attacker names and corresponding details is ill-advised because it doesn't add any value to security control strategy. Rather, understanding a threat actor's basic history and motivations leads to methodology pattern identification that helps narrow potential techniques likely to be used against the business in the future. General attribution becomes valuable business insight through security policy and controls.
Sign up for Computerworld eNewsletters.