Tom Wang - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

Experts unsure if cyber attribution research will yield results

Georgia Tech received a contract to research the science of cyber attribution, but experts disagree on whether it is possible to succeed in this endeavor.

The Georgia Institute of Technology has received a research contract to study cyber attribution, with the intent of providing better proof of involvement by threat groups.

The U.S. Department of Defense sponsored the $17.3 million contract that will fund a project led by Georgia Tech researchers in collaboration with other academic institutions. However, the researchers admit the study of cyber attribution is unlikely to result in individual attribution.

"While the tools and techniques to be developed during the four-and-a-half-year effort won't point directly to the individuals responsible, the initiative will provide proof of involvement by specific groups, identifiable by their methods of attack, consistent errors and other unique characteristics," wrote John Toon, director of research news at Georgia Tech, in a press release. "Such attribution could support potential sanctions and policy decisions -- and discourage attacks by providing transparency for activities that are normally hidden."

Hank Thomas, COO at Strategic Cyber Ventures, a venture capital firm specializing in cybersecurity based in Washington, D.C., said identifying threat groups is already possible.

"Attacks and attackers' activities leave traces in the digital data exhaust. By utilizing distributed computer infrastructure, it is now possible to sift through massive amounts of data to identify patterns that can lead to discovering indicators, links and properties of attackers eventually leading to more precise attribution," Thomas told SearchSecurity. "Good technical intelligence teams working with all-source cyber intelligence analysts can do this."

Igor Baikalov, chief scientist at Securonix Inc., a security analytics company based in Los Angeles, said even attribution of a specific group may not be possible.

"We are getting pretty good at recognizing the vehicle: botnet or some random computer used in the attack, or even command-and-control server behind them; we can also recognize familiar tactics, techniques and procedures, or even unseen-before malicious behavior based on anomalies. But what we cannot be sure about is an ultimate driver behind it all," Baikalov told SearchSecurity via email. "Too many degrees of separation to untangle the chain of command before the attacker disappears, erasing all traces of his actions, or even reshuffling them to point to a completely different direction."

Manos Antonakakis, an assistant professor in Georgia Tech's School of Electrical and Computer Engineering and the project's principal investigator, said one goal of the project is to automate the cyber attribution process.

"We have a limited number of people working in cybersecurity and attacks occur every day, so we need to be able to optimize the forensic analysis that would lead to attribution," Antonakakis said. "In this project, we will use machine learning and algorithms to scale up the attribution process to help companies and the government protect against those bad actors. We will provide a systematic and scientific way to deal with the attacks."

Thomas said machine learning can help uncover hidden patterns in data and link various indicators and properties of attacks to a common entity, but other experts said the value of machine learning in cyber attribution wasn't as clear.

Tim Prendergast, CEO of, a cloud security company based in Dublin, Calif., said machine learning is more useful in other aspects of cybersecurity.

"Information is good for honing in on who might be creating problems, but unless the machine learning system is hacking back, you're not going to find anyone that way," Prendergast told SearchSecurity. "The better use for machine leaning would be to use it to automate other parts of cyber security, so that the skilled professionals can use their time for old-fashioned detective work."

Baikalov said we need more than machine learning to succeed at cyber attribution.

We need some capabilities of a full-blown artificial intelligence, such as inference and reasoning, an ability to make decisions based on a limited amount of imperfect data, and -- most important -- act on them in near-real time," Baikalov said. "I believe in AI substantially augmenting human researchers' abilities to track down the perpetrator, but I'm not holding my breath on AI being able to make a 'gut call' anytime soon. Well-founded human intuition is going to be behind most of the attribution attempts and, unless direct forensic evidence is available, the attribution will remain a gray area."

Michael Farrell, associate director of attribution for the Institute for Information Security & Privacy at Georgia Tech, said better cyber attribution could be instrumental in deterring threat actors.

"Deterrence is virtually impossible if you're unable to identify the adversary," Farrell said. "Attribution is the linchpin for deterrence in cyberspace, and the U.S. government is in need of a repeatable and releasable way forward."

But experts noted deterrence is only possible with individual cyber attribution.

John Bambenek, threat systems manager at Fidelis Cybersecurity in Bethesda, Md., told SearchSecurity: "Deterrence, by definition, requires you to dissuade individuals from making the wrong choice. If there are no consequences because you cannot identify them, there is no deterrence, and that is the core of the growing cybercrime problem. Crime, in this case, does pay."

Cris Thomas, strategist at Tenable Network Security in Columbia, Md., said an adversary won't be subject to repercussions if they cannot be identified, "meaning deterrence is nearly impossible in these cases."

"However, law enforcement has had a pretty good record of finding cybercriminals when they want to find them," Thomas told SearchSecurity. "Criminals, cyber or otherwise, eventually make mistakes. These mistakes usually enable law enforcement to identify them. The hard part for law enforcement is the global nature of cybercrime, making cooperation among different agencies critical in bringing cybercriminals to justice."

Next Steps

Learn more about the cyber attribution system being built by DARPA.

Find out why cyber attribution relies more on human intelligence than technical info.

Get info on the pros and cons of cyber identity and attribution.

Dig Deeper on Information Security Incident Response-Information