Manage Learn to apply best practices and optimize your operations.

For enterprises, does attack attribution offer any value?

What matters more: finding the source of an attack, or simply stopping it? Expert Nick Lewis details the potential benefits of attack attribution.

I've heard a lot of talk about attackers purposefully planting misleading information in code to make it less likely that they'll be suspected if an attack is discovered. Are there ways to cut through such misattribution techniques, or does attack attribution even matter? Do you think attribution brings any value to the table?

Ask the expert!

SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)

For reasons related to law enforcement and politics, attribution does matter in certain attacks, though there is always the danger of misattributing an attack to an innocent party. For enterprises, there is minimal value in attributing the source of most malware or attacks unless they were targeted at an individual or clearly crafted to infiltrate a specific enterprise.

Still, there is some value to be had for attribution. For example, the efforts needed to attribute an attack can lead to a better understanding of an attacker's method, which could be useful in determining how to prevent similar attacks in the future. One way this could play out is by identifying common signatures based on the attack, especially if there are members of the information security community that have researched similar attacks. Some attack techniques are used widely, but depending on the attack, there might be unique techniques that could be shared to help identify particular attackers. If an enterprise is investigating multiple advanced attacks, attribution efforts could be used to identify the scope of the different attacks or identify if any of the attacks are related.

There might also be value in knowing what attackers are targeting a specific industry and the methods they tend to employ. Such knowledge could help identify additional controls that might be effective in blocking or detecting the attacks. If a particular group, such as China's 2nd Bureau of the People's Liberation Army from Mandiant's APT1 report, is targeting an industry, using the Mandiant indicators of compromise (which are based on attribution) might be useful for preventing future attacks from the source.

Though there are benefits to attack attribution, keep in mind that the time a security team spends tracking down the source of an attack is time not spent on mitigating other attacks, fine-tuning systems and so on. Unless your enterprise has significant resources available to devote toward in-depth attack analysis, there might be better uses for finite security resources.

This was last published in March 2014

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.