I've heard a lot of talk about attackers purposefully planting misleading information in code to make it less likely that they'll be suspected if an attack is discovered. Are there ways to cut through such misattribution techniques, or does attack attribution even matter? Do you think attribution brings any value to the table?
Ask the expert!
SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
For reasons related to law enforcement and politics, attribution does matter in certain attacks, though there is always the danger of misattributing an attack to an innocent party. For enterprises, there is minimal value in attributing the source of most malware or attacks unless they were targeted at an individual or clearly crafted to infiltrate a specific enterprise.
Still, there is some value to be had for attribution. For example, the efforts needed to attribute an attack can lead to a better understanding of an attacker's method, which could be useful in determining how to prevent similar attacks in the future. One way this could play out is by identifying common signatures based on the attack, especially if there are members of the information security community that have researched similar attacks. Some attack techniques are used widely, but depending on the attack, there might be unique techniques that could be shared to help identify particular attackers. If an enterprise is investigating multiple advanced attacks, attribution efforts could be used to identify the scope of the different attacks or identify if any of the attacks are related.
There might also be value in knowing what attackers are targeting a specific industry and the methods they tend to employ. Such knowledge could help identify additional controls that might be effective in blocking or detecting the attacks. If a particular group, such as China's 2nd Bureau of the People's Liberation Army from Mandiant's APT1 report, is targeting an industry, using the Mandiant indicators of compromise (which are based on attribution) might be useful for preventing future attacks from the source.
Though there are benefits to attack attribution, keep in mind that the time a security team spends tracking down the source of an attack is time not spent on mitigating other attacks, fine-tuning systems and so on. Unless your enterprise has significant resources available to devote toward in-depth attack analysis, there might be better uses for finite security resources.
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Island hopping attacks create enterprise risk by threatening their business affiliates. Here's how to create an incident response plan to mitigate ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.