Cyber attribution is the process of tracking, identifying and laying blame on the perpetrator of a cyberattack or other hacking exploit.
Cyberattacks can have serious consequences for businesses in terms of public relations, compliance, reputation and finances. In the wake of an attack, an organization often conducts investigations to attribute the incident to specific threat actors in order to gain a complete picture of the attack, and to help ensure the attackers are brought to justice. These cyber attribution efforts are often conducted in conjunction with official investigations conducted by law enforcement agencies.
Cyber attribution can be very difficult because the underlying architecture of the internet offers numerous ways for attackers to hide their tracks.
Challenges of cyber attribution
Companies often lack the resources or expertise needed to track down cybercriminals, so organizations that need to do cyber attribution usually hire outside information security experts. However, cyber attribution can be challenging, even for cybersecurity experts.
To determine the actor or actors responsible for a cyberattack, experts often conduct extensive forensic investigations, including analyzing digital forensic evidence and historical data, establishing intent or motives, and taking into account the overarching situation.
However, one of the challenges of cyber attribution is that hackers typically do not launch attacks from their own homes or places of business; instead, they launch cyberattacks from computers or devices belonging to other victims that the attacker has previously compromised.
Identifying an attacker is also made more difficult because attackers can spoof their own IP addresses or use other techniques, such as proxy servers, to route their traffic through intermediaries around the world and confuse attempts at cyber attribution.
Additionally, jurisdictional limitations can hinder attribution in cross-border cybercrime investigations because every time a law enforcement agency has to undertake an investigation that crosses borders, it must go through official channels to request help. This can hamper the process of gathering evidence, which must be collected as soon as possible.
In some cases, cyber attribution efforts are further hampered when attacks originate in nations that refuse to cooperate with U.S. law enforcement investigations. Jurisdictional issues can also affect the integrity of the evidence and the chain of custody.
Cyber attribution techniques
Cybercrime investigators have many different, specialized techniques available for performing cyber attribution, but definitive and accurate cyber attribution is not always possible.
Investigators use analysis tools, scripts and programs to uncover critical information about attacks. Cybercrime investigators are often able to determine the programming language in which malware was written, along with related details such as the compiler used, the compile time, the libraries linked and the order in which events related to a cyberattack were executed. For example, if investigators can determine a piece of malware was written using a Chinese, Russian or some other language keyboard layout, that information can help narrow down suspects for cyber attribution.
Investigators attempting to do cyber attribution also analyze any metadata connected to the attack. The metadata, including source IP addresses, email data, hosting platforms, domain names, domain name registration information and data from third-party sources can help make the case for attribution because systems used for cyberattacks often communicate with nodes outside the network being targeted. However, these data points can also be easily faked.
Investigators may also analyze metadata collected from multiple attacks targeting different organizations. Doing so enables experts to make some assumptions and assertions based on the recurrence of falsified data they identify. For example, security professionals may be able to trace an anonymous email address from an attack and link it back to the attacker based on domain names used in the attack that were previously identified as being used by a specific threat actor.
Another approach for investigators is to examine the tactics, techniques and procedures (TTPs) used in an attack, because cyberattackers often have their own distinctive and recognizable styles. Investigators are sometimes able to identify perpetrators based on clues related to attack methods, such as social engineering tactics or reuse of malware seen in prior attacks.
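To make the metadata and TTP overlap described in the three paragraphs above concrete, here is an added example (written for this page, not from the article): it scores a new incident against previously attributed activity clusters and lists indicators that recur across incidents. The cluster names, domains, addresses and the per-indicator weights are constructed placeholders and assumptions, chosen so that an easily faked source IP counts for far less than a reused registrant identity or a repeated technique.

```python
from collections import Counter

# Assumed weights: how much a shared indicator should count, lower for data that is
# trivial to forge (source IPs behind proxies) and higher for harder-to-fake reuse.
WEIGHTS = {"ip": 0.5, "domain": 2.0, "registrant": 3.0, "ttp": 1.5}

# Constructed sample data with placeholder values (reserved .example names and
# documentation IP ranges), standing in for earlier, already-attributed incidents.
KNOWN_ACTORS = {
    "CLUSTER-A": {("domain", "update-checker.example"), ("registrant", "ops@mail.example"),
                  ("ttp", "spearphish-attachment"), ("ip", "203.0.113.7")},
    "CLUSTER-B": {("domain", "cdn-static.example"), ("registrant", "web@mail.example"),
                  ("ttp", "web-shell"), ("ip", "198.51.100.9")},
}

# The incident under investigation: shares infrastructure and TTPs with CLUSTER-A
# but only an IP address with CLUSTER-B.
NEW_INCIDENT = {("domain", "update-checker.example"), ("registrant", "ops@mail.example"),
                ("ttp", "spearphish-attachment"), ("ip", "198.51.100.9")}

def score_actors(incident, actors, weights=WEIGHTS):
    """Return {cluster: (weighted overlap score, shared indicators)}, best match first."""
    results = {}
    for name, profile in actors.items():
        shared = incident & profile
        score = sum(weights[kind] for kind, _ in shared)
        results[name] = (round(score, 2), sorted(shared))
    return dict(sorted(results.items(), key=lambda kv: kv[1][0], reverse=True))

def recurring_indicators(incidents, min_count=2):
    """Indicators that appear in at least min_count separate incidents."""
    counts = Counter(ind for inc in incidents for ind in inc)
    return {ind: n for ind, n in counts.items() if n >= min_count}

def verdict(score, threshold=4.0):
    """Assumed threshold: low-weight overlaps alone call for corroboration, not attribution."""
    return "strong overlap" if score >= threshold else "weak overlap, corroborate"

if __name__ == "__main__":
    for name, (score, shared) in score_actors(NEW_INCIDENT, KNOWN_ACTORS).items():
        print(f"{name}: {score} ({verdict(score)}) shared={shared}")
    print(recurring_indicators(list(KNOWN_ACTORS.values()) + [NEW_INCIDENT]))
```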
Knowing what's happening within certain industries or certain companies can also help cybercrime investigators predict attacks. For instance, companies in the natural gas industry spend more money on exploration when gas prices increase and, consequently, are at a higher risk for theft of geospatial data.
Understanding the attacker's motives can also aid in cyber attribution. Security experts work to understand the perpetrators' objectives, because it's not always about money. Investigators aim to figure out if the cybercriminals are just lurking or if they've been spying for a long time. They also try to discover whether the hackers are looking for specific data during their attacks, and how they try to use what they find.
Although cyber attribution isn't an exact science, these attribution techniques can help cybercrime investigators identify the attackers beyond a reasonable doubt.