I've heard a lot of talk about attackers purposefully planting misleading information in code to make it less likely...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
that they'll be suspected if an attack is discovered. Are there ways to cut through such misattribution techniques, or does attack attribution even matter? Do you think attribution brings any value to the table?
Ask the expert!
SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
For reasons related to law enforcement and politics, attribution does matter in certain attacks, though there is always the danger of misattributing an attack to an innocent party. For enterprises, there is minimal value in attributing the source of most malware or attacks unless they were targeted at an individual or clearly crafted to infiltrate a specific enterprise.
Still, there is some value to be had for attribution. For example, the efforts needed to attribute an attack can lead to a better understanding of an attacker's method, which could be useful in determining how to prevent similar attacks in the future. One way this could play out is by identifying common signatures based on the attack, especially if there are members of the information security community that have researched similar attacks. Some attack techniques are used widely, but depending on the attack, there might be unique techniques that could be shared to help identify particular attackers. If an enterprise is investigating multiple advanced attacks, attribution efforts could be used to identify the scope of the different attacks or identify if any of the attacks are related.
There might also be value in knowing what attackers are targeting a specific industry and the methods they tend to employ. Such knowledge could help identify additional controls that might be effective in blocking or detecting the attacks. If a particular group, such as China's 2nd Bureau of the People's Liberation Army from Mandiant's APT1 report, is targeting an industry, using the Mandiant indicators of compromise (which are based on attribution) might be useful for preventing future attacks from the source.
Though there are benefits to attack attribution, keep in mind that the time a security team spends tracking down the source of an attack is time not spent on mitigating other attacks, fine-tuning systems and so on. Unless your enterprise has significant resources available to devote toward in-depth attack analysis, there might be better uses for finite security resources.
Dig Deeper on Malware, Viruses, Trojans and Spyware
Related Q&A from Nick Lewis
Locky ransomware has borrowed features from Dridex malware, which focused on attacking banks. Expert Nick Lewis explains Locky's techniques and how ...continue reading
The Mazar malware can wipe an entire Android device once it has been installed. Expert Nick Lewis explains how this malware works, and how attacks ...continue reading
MouseJack, a wireless mouse and keyboard security flaw, allows attackers to type malicious commands. Expert Nick Lewis explains how enterprises can ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.