Attribution Using 20 Characteristics

My post Attribution Is Not Just Malware Analysis raised some questions that I will try to address here. I'd like to cite Mike Cloppert as inspiration for some of this post.

Attribution means identifying the threat, meaning the party perpetrating the attack. Attribution is not just malware analysis. There are multiple factors that can be evaluated to try to attribute an attack.

  1. Timing. What is the timing of the attack, i.e., fast, slow, in groups, isolated, etc.?

  2. Victims or targets. Who is being attacked?

  3. Attack source. What is the technical source of the attack, i.e., source IP addresses, etc.?

  4. Delivery mechanism. How is the attack delivered?

  5. Vulnerability or exposure. What service, application, or other aspect of business is attacked?

  6. Exploit or payload. What exploit is used to attack the vulnerability or exposure?

  7. Weaponization technique. How was the exploit created?

  8. Post-exploitation activity. What does the intruder do next?

  9. Command and control method. How does the intruder establish command and control?

  10. Command and control servers. To what systems does the intruder connect to conduct command and control?

  11. Tools. What tools does the intruder use post-exploitation?

  12. Persistence mechanism. How does the intruder maintain persistence?

  13. Propagation method. How does the intruder expand control?

  14. Data target. What data does the intruder target?

  15. Data packaging. How does the intruder package data for exfiltration?

  16. Exfiltration method. How does the intruder exfiltrate data?

  17. External attribution. Did an external agency share attribution data based on their own capabilities?

  18. Professionalism. How professional is the execution, e.g., does keystroke monitoring show frequent mistakes, is scripting used, etc.?

  19. Variety of techniques. Does the intruder have many ways to accomplish its goals, or are they limited?

  20. Scope. What is the scope of the attack? Does it affect only a few systems, or many?

As you can see, there are many characteristics that can be assessed in order to determine if an incident is likely caused by a certain party. Mature security shops use profiles like this to make their own intelligence assessments, often confidentially collaborating with others sharing the same problems.
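One way to put the framework to work, as an added example that is not part of the original post: record each of the 20 characteristics for an incident along with whether it was observed in evidence or merely inferred, then compare the incident against candidate actor profiles and report how much of each match rests on inference. The actor names, profile values and incident observations are constructed placeholders.

```python
from dataclasses import dataclass
from enum import Enum

class Basis(Enum):
    OBSERVED = "observed"  # backed by evidence: logs, samples, captures
    INFERRED = "inferred"  # analyst judgment, i.e. speculation

# The 20 characteristics from the post, in the post's order.
CHARACTERISTICS = ("timing", "victims", "attack_source", "delivery", "vulnerability",
    "exploit", "weaponization", "post_exploitation", "c2_method", "c2_servers", "tools",
    "persistence", "propagation", "data_target", "data_packaging", "exfiltration",
    "external_attribution", "professionalism", "variety", "scope")

@dataclass
class Observation:
    value: str
    basis: Basis = Basis.OBSERVED

def score(incident, profile):
    """Compare an incident (characteristic -> Observation) with a profile (characteristic ->
    expected value). Characteristics unknown on either side count neither for nor against."""
    matched, inferred, assessed = [], 0, 0
    for c in CHARACTERISTICS:
        obs, expected = incident.get(c), profile.get(c)
        if obs is None or expected is None:
            continue
        assessed += 1
        if obs.value.lower() == expected.lower():
            matched.append(c)
            inferred += int(obs.basis is Basis.INFERRED)
    return {"matched": matched, "assessed": assessed,
            "match_ratio": len(matched) / assessed if assessed else 0.0,
            # share of the match resting on inference rather than evidence
            "speculative_share": inferred / len(matched) if matched else 0.0}

def rank(incident, profiles):
    """Order candidates by match ratio, breaking ties toward the less speculative match."""
    results = {name: score(incident, p) for name, p in profiles.items()}
    return sorted(results.items(), key=lambda kv: (-kv[1]["match_ratio"], kv[1]["speculative_share"]))

# Constructed sample: one incident and two placeholder actor profiles (not real groups).
INCIDENT = {"delivery": Observation("spearphish attachment"),
            "exploit": Observation("office macro", Basis.INFERRED),  # only the dropped malware was found
            "c2_method": Observation("http beacon"), "persistence": Observation("run key"),
            "data_target": Observation("engineering documents"),
            "professionalism": Observation("high", Basis.INFERRED)}
PROFILES = {"ACTOR_A": {"delivery": "spearphish attachment", "exploit": "office macro",
                        "c2_method": "http beacon", "persistence": "run key",
                        "data_target": "engineering documents", "professionalism": "high"},
            "ACTOR_B": {"delivery": "web drive-by", "c2_method": "http beacon",
                        "persistence": "service", "data_target": "payment card data"}}
```

A high match ratio with a high speculative share is a signal to go back to the evidence before naming a party.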


Nope said…
This is great, thanks. It really provides a framework to better consider 'Advanced Persistent Threats'.
Rocky DeStefano said…
I find when I'm thinking about Incidents - I want to learn about "Why" just as much as "How". Why is much more squishy at times, but can be very valuable in learning alternate detection techniques for the future.

Simple Example:
Why did the intruder use the systems you found evidence on? Was it just an easy target / entry point or is there another reason?

Medium Example:
Why did they take "x" data (assuming they didn't take everything)?

Why didn't they mess with the integrity of the data on your system?

and if you're really devious... Why did they let themselves be caught?

Understanding "how" AND the motivations (beyond financial gain) helps profile their skill, persistence and to a certain extent the overall impact of the incident.
H. Carvey said…
Interesting framework, and I can definitely see the value in having something like this; however, my concern is that in many cases, these attributes are filled in more with speculation and less with hard data.

In instances that I'm familiar with, my concerns have been that attributes such as delivery mechanism and exploit used are "determined" not based on analysis beyond detecting the initial malware, but speculation. The same is true with Professionalism and even Scope.
greylogic said…
Great post, Richard. As you know, I've long advocated the necessity for looking beyond the technical details of an attack to determine attribution. I'm preparing a methodology for that process now and will be referring to yours and Mike Cloppert's innovative work as well.
Anonymous said…
Good, well-thought-through post. Tom Parker noted many of these attributes as sources of data which may be used to provide quantitative means to narrow the source attribute attacks in his adversary characterization book from 2004. Additionally, he further speaks to a means of 'rating' the adversary for comparative purposes.
Greg Hoglund said…
This is a really good framework, good breakdown. It's important for a large Enterprise to know the differences in intent of the attacker. Sorry to say, but most enterprises don't care about ID theft, but they will really care about IP theft.

To be more blunt, our customers have only two buckets - they ask "is it Russian, or is it Chinese". Funny, but more truth in that than humor.

What's up Tom, don't you still owe Jamie for that bottle of Vodka?
Keydet89 makes an excellent point about the potential for speculation in assessing some of the traits.

Also, deception by the attackers could be an issue in some cases. This could especially be a risk if the likely analysts are already swinging towards assumptions of suspects & motivations.

By the way, linguistic traits could be added to the framework. Sometimes, there may be qualities of texts and messages that may point towards the primary language of the attacker. (E.g., a particular worm generated English and German language emails. One of the English-language subject lines said, "I have become your e-mail", which *could* reflect thinking in German while trying to write in English. Bekommen = to receive.) But, again, there is a risk of speculation or deception if relying heavily upon the linguistic traits alone. BTW, language is not the same as nationality or such. So if the linguistic clues, like dropping "the" and other articles in sentences, hint at Russian, do not jump to the conclusion that the writer is a Russian national.
ekse said…
This post is referenced in the "Shadows in the Cloud" report from the Information Warfare Monitor. The report is available here:
