Is there any way organizations can determine if seemingly separate attacks are related (e.g., sent from the same...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
attacker or criminal organization)? And if so, are there any benefits to actually linking attacks in such a way, or is it ultimately insignificant as long as the attacks are stopped?
Ask the Expert
SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email . (All questions are anonymous.)
An organization can determine if seemingly separate attacks are related by using attack attribution analysis techniques and comparing the technical details of the attacks.
Many times these tools and techniques leave telltale network or system signatures that can be used to identify an attacker. For example, a system sending IP traffic to another system using an unidentified and encrypted protocol on a specific port signature could be used to check other parts of the network for systems communicating over similar ports. The systems in question could be checked for hashes or fuzzy hashes to identify if similar files are identified as part of the same attack.
Stopping attacks that are underway is important, but it is not sufficient. Organizations must aim to stop attackers and prevent future attacks that rely on complex geo-political issues to evade prosecution and use secure or trusted systems. However, even if all current political issues or technical issues are resolved, there would still be attacks and still be the need for sufficient law enforcement resources for investigations. In the same token, even where one might expect the most secure of systems, the human element will always find a way to compromise it.
While some may say there is limited value in attack attribution, identifying common features or methods between different attacks can help identify other areas under attack and be extremely useful when shared with others in the information security community, as attackers will often reuse familiar attack methods.
Dig Deeper on Malware, Viruses, Trojans and Spyware
Related Q&A from Nick Lewis
IP devices like multifunction printers and faxes may be an attack vector. Expert Nick Lewis explains the vulnerabilities, and how to secure them ...continue reading
AceDeceiver is a Trojan that can install itself on iOS devices without any certificates. Expert Nick Lewis explains how it works, and how enterprises...continue reading
USB Thief, a new type of stealth malware, leaves no trace on air-gapped targets. Expert Nick Lewis explains how the malware works and how enterprises...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.