Attribution Using 20 Characteristics
My post Attribution Is Not Just Malware Analysis raised some questions that I will try to address here. I'd like to cite Mike Cloppert as inspiration for some of this post.
Attribution means identifying the threat, meaning the party perpetrating the attack. Attribution is not just malware analysis. There are multiple factors that can be evaluated to try to attribute an attack.
- Timing. What is the timing of the attack, i.e., fast, slow, in groups, isolated, etc.?
- Victims or targets. Who is being attacked?
- Attack source. What is the technical source of the attack, i.e., source IP addresses, etc.?
- Delivery mechanism. How is the attack delivered?
- Vulnerability or exposure. What service, application, or other aspect of business is attacked?
- Exploit or payload. What exploit is used to attack the vulnerability or exposure?
- Weaponization technique. How was the exploit created?
- Post-exploitation activity. What does the intruder do next?
- Command and control method. How does the intruder establish command and control?
- Command and control servers. To what systems does the intruder connect to conduct command and control?
- Tools. What tools does the intruder use post-exploitation?
- Persistence mechanism. How does the intruder maintain persistence?
- Propagation method. How does the intruder expand control?
- Data target. What data does the intruder target?
- Data packaging. How does the intruder package data for exfiltration?
- Exfiltration method. How does the intruder exfiltrate data?
- External attribution. Did an external agency share attribution data based on their own capabilities?
- Professionalism. How professional is the execution, e.g., does keystroke monitoring show frequent mistakes, is scripting used, etc.?
- Variety of techniques. Does the intruder have many ways to accomplish their goals, or only a few?
- Scope. What is the scope of the attack? Does it affect only a few systems, or many?
As you can see, there are many characteristics that can be assessed in order to determine if an incident is likely caused by a certain party. Mature security shops use profiles like this to make their own intelligence assessments, often confidentially collaborating with others sharing the same problems.
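One way to turn the list above into the kind of profile comparison mature shops perform, as an added example that is not part of the original post: each of the 20 characteristics becomes a field, an incident records what was actually observed for each field together with the analyst's confidence that it was observed rather than speculated, and candidate actor profiles record the values previously seen for that actor. The score is the confidence-weighted fraction of compared characteristics that match; a characteristic unknown on either side is skipped rather than counted as a mismatch, and low-confidence observations are flagged so that a "match" built on guesses is visible. The profile names, field values and the incident itself are constructed for illustration and describe no real actor.

```python
"""Compare an incident's observed characteristics against candidate threat profiles.

Added example, not from the original post. Profile contents and the sample
incident below are constructed; they describe no real intrusion set.
"""
from __future__ import annotations

from dataclasses import dataclass

# The 20 characteristics from the post, as field names.
CHARACTERISTICS = (
    "timing", "victims", "attack_source", "delivery_mechanism", "vulnerability",
    "exploit", "weaponization", "post_exploitation", "c2_method", "c2_servers",
    "tools", "persistence", "propagation", "data_target", "data_packaging",
    "exfiltration", "external_attribution", "professionalism", "variety", "scope",
)


@dataclass(frozen=True)
class Observation:
    value: str
    confidence: float  # 0.0-1.0: how sure the analyst is this was observed, not assumed


def score_profile(incident: dict[str, Observation],
                  profile: dict[str, set[str]]) -> tuple[float, list[str]]:
    """Return (score, matched_characteristics).

    Only characteristics present in both the incident and the profile are
    compared; each contributes its observation confidence as weight, so a
    speculated value moves the score less than a firmly observed one.
    """
    total_weight = 0.0
    matched_weight = 0.0
    matched: list[str] = []
    for name in CHARACTERISTICS:
        obs = incident.get(name)
        known_values = profile.get(name)
        if obs is None or not known_values:
            continue  # unknown on one side: neither a match nor a mismatch
        total_weight += obs.confidence
        if obs.value in known_values:
            matched_weight += obs.confidence
            matched.append(name)
    if total_weight == 0.0:
        return 0.0, []
    return matched_weight / total_weight, matched


def rank_profiles(incident: dict[str, Observation],
                  profiles: dict[str, dict[str, set[str]]]) -> list[tuple[float, str]]:
    """Rank all candidate profiles by score, highest first."""
    return sorted(((score_profile(incident, p)[0], name) for name, p in profiles.items()),
                  reverse=True)


def low_confidence(incident: dict[str, Observation], threshold: float = 0.5) -> list[str]:
    """Characteristics whose value rests more on speculation than observation."""
    return [name for name in CHARACTERISTICS
            if name in incident and incident[name].confidence < threshold]


# Constructed profiles (hypothetical actors, hypothetical values).
PROFILES: dict[str, dict[str, set[str]]] = {
    "profile_alpha": {
        "timing": {"business_hours_utc8"},
        "delivery_mechanism": {"spearphish_attachment"},
        "exploit": {"office_macro"},
        "c2_method": {"https_beacon"},
        "persistence": {"scheduled_task", "run_key"},
        "data_target": {"design_documents"},
        "exfiltration": {"https_post"},
    },
    "profile_beta": {
        "delivery_mechanism": {"watering_hole"},
        "exploit": {"browser_exploit"},
        "c2_method": {"dns_tunnel"},
        "persistence": {"run_key"},
        "data_target": {"credentials"},
        "exfiltration": {"dns_tunnel"},
    },
}

# Constructed incident: what was actually seen, and how confidently.
INCIDENT: dict[str, Observation] = {
    "timing": Observation("business_hours_utc8", 0.3),   # inferred from few timestamps
    "delivery_mechanism": Observation("spearphish_attachment", 0.9),
    "exploit": Observation("pdf_reader_exploit", 0.8),  # differs from alpha's known exploit
    "c2_method": Observation("https_beacon", 0.9),
    "persistence": Observation("run_key", 1.0),
    "data_target": Observation("design_documents", 0.7),
    "scope": Observation("few_systems", 0.9),           # no profile records scope: skipped
}

if __name__ == "__main__":
    for score, name in rank_profiles(INCIDENT, PROFILES):
        print(f"{name}: {score:.2f} matched={score_profile(INCIDENT, PROFILES[name])[1]}")
    print("speculated characteristics:", low_confidence(INCIDENT))
```

The weighting is deliberately simple; the point is that the assessment is driven by which characteristics were compared and how well they were observed, and that the output states that explicitly instead of collapsing to a single actor name.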
Comments
Simple Example:
Why did the intruder use the systems you found evidence on? Was it just an easy target / entry point or is there another reason?
Medium Example:
Why did they take "x" data (assuming they didn't take everything)?
Harder:
Why didn't they mess with the integrity of the data on your system?
Paranoid:
And if you're really devious... Why did they let themselves be caught?
Understanding "how" AND the motivations (beyond financial gain) helps profile their skill, persistence and to a certain extent the overall impact of the incident.
In instances that I'm familiar with, my concerns have been that attributes such as delivery mechanism and exploit used are "determined" not based on analysis beyond detecting the initial malware, but speculation. The same is true with Professionalism and even Scope.
To be more blunt, our customers have only two buckets - they ask "is it Russian, or is it Chinese". Funny, but more truth in that than humor.
What's up Tom, don't you still owe Jamie for that bottle of Vodka?
Also, deception by the attackers could be an issue in some cases. This could especially be a risk if the likely analysts are already swinging towards assumptions of suspects & motivations.
By the way, linguistic traits could be added to the framework. Sometimes, there may be qualities of texts and messages that may point towards the primary language of the attacker. (E.g., a particular worm generated English- and German-language emails. One of the English-language subject lines said, "I have become your e-mail", which *could* reflect thinking in German while trying to write in English. Bekommen = to receive.) But, again, there is a risk of speculation or deception if relying heavily upon the linguistic traits alone. BTW, language is not the same as nationality or such. So if the linguistic clues, like dropping "the" and other articles in sentences, hint at Russian, do not jump to the conclusion that the writer is a Russian national.