A5 Guide To Cyber Attack Attribution

…or Anthem-inspired Amateur Attack Attribution Aid

Back when the Anthem breach was first being discussed (FUDdified) on Twitter, I spotted an informed, good-humoured and slightly weary-sounding exchange between Brian Honan, Professor Alan Woodward and Rowenna Fielding.
Prof Woodward kicked it off:
[embedded tweet 563453074141118465]
Rowenna (insightful as always)…
[embedded tweet 563604947418509312]
…before the good-natured cynicism kicked in from Brian and the Prof:
[embedded tweets 563629019091197952, 563629878223056896, 563630607499272192, 563631116075413504, 563631419474575360]

So hopefully my amateur artwork at the top now makes sense… weeble – 3VIL? No? Ahh well.

Frustration at the attribution-go-round we see with all high profile breaches

Sometimes it is muddied by corporate notification delay, hesitation about revealing details (understandable to some extent), or governments getting involved. More often it is opaque because attribution IS tough, and many in-house and even consulting forensic investigators struggle with it.
Hardest of all to pin down, even when you’ve dug the digital depths, is motive. Ok, sometimes it’s bleeding obvious, but when it’s not, most folk don’t have an in-house psychic. Closely followed by all the contributions to the kill chain made by accidents and by coerced, poorly educated or just plain daft staff.
No-one in security enjoys reporting to an overexcited client or CXO with only half-baked theories, a new exploit logo and populist pap from the papers in hand.
Don’t get me wrong, please, take your time. But if you’re not someone working to find and verify facts, feel free to keep the high-profile ‘whodunnit’ hoo-ha to yourself. Not just to clear muddy waters, but (depending on your ethics and perspective) to avoid creating pain by irresponsibly flagging exploits and vulnerabilities to hordes of wannabes.
And now (as this is far from my core area of expertise) here is some very much less amateur advice and commentary: