I've heard a lot of talk about attackers purposefully planting misleading information in code to make it less likely that they'll be suspected if an attack is discovered. Are there ways to cut through such misattribution techniques, or does attack attribution even matter? Do you think attribution brings any value to the table?
Ask the expert!
SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
For reasons related to law enforcement and politics, attribution does matter in certain attacks, though there is always the danger of misattributing an attack to an innocent party. For enterprises, there is minimal value in attributing the source of most malware or attacks unless they were targeted at an individual or clearly crafted to infiltrate a specific enterprise.
Still, there is some value to be had for attribution. For example, the efforts needed to attribute an attack can lead to a better understanding of an attacker's method, which could be useful in determining how to prevent similar attacks in the future. One way this could play out is by identifying common signatures based on the attack, especially if there are members of the information security community that have researched similar attacks. Some attack techniques are used widely, but depending on the attack, there might be unique techniques that could be shared to help identify particular attackers. If an enterprise is investigating multiple advanced attacks, attribution efforts could be used to identify the scope of the different attacks or identify if any of the attacks are related.
There might also be value in knowing what attackers are targeting a specific industry and the methods they tend to employ. Such knowledge could help identify additional controls that might be effective in blocking or detecting the attacks. If a particular group, such as China's 2nd Bureau of the People's Liberation Army from Mandiant's APT1 report, is targeting an industry, using the Mandiant indicators of compromise (which are based on attribution) might be useful for preventing future attacks from the source.
Though there are benefits to attack attribution, keep in mind that the time a security team spends tracking down the source of an attack is time not spent on mitigating other attacks, fine-tuning systems and so on. Unless your enterprise has significant resources available to devote toward in-depth attack analysis, there might be better uses for finite security resources.
Dig Deeper on Malware, Viruses, Trojans and Spyware
Related Q&A from Nick Lewis, Enterprise Threats
Chameleon malware targets insecure wireless access points. Enterprise threats expert Nick Lewis explains how to defend against the malware.continue reading
The Zeus malware is threatening RTF security by embedding itself in the file, which is commonly seen as safer than other file formats such as PDFs. ...continue reading
Enterprise threats expert Nick Lewis explains how to detect and avoid one of the most advanced malware threats: The Mask.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.