Attribution is often regarded as a primary goal within a cybersecurity investigation, but as I’ll explore here, conclusive attribution should at times be a secondary consideration, one abandoned if the ROI doesn’t justify its expense. The answer to when attribution should be pursued to its ultimate end depends, as it often does, on the totality of the circumstances.
Over the course of my career in federal law enforcement and the private sector, my answer to this question has differed. While in the FBI, attribution was central to our work. We were concerned with prosecuting individuals, which entailed establishing culpability, including the requisite criminal intent. In that context, attribution revealing “who” was the indispensable goal. “How” often proved incidental to the more core question of “who.” But my focus on attribution shifted as I entered the private sector where my legal responsibilities and the options to which I had recourse differed significantly. Below I suggest questions to consider when determining whether to apply the time, energy and resources required to determine the “who” in the wake of an attack.
1. Is Attribution Critical to Incident Response?
Across my career, there were times when we absolutely had to know who exfiltrated our information because only by identifying the malicious actor could we establish conclusively whether we’d lost the “source code.” And in situations where an insider was suspected, identifying that employee was critical. But often, attribution becomes an endeavor of diminishing returns. That’s especially the case when identifying the responsible party requires tactics available only to law enforcement and yields no information on which any further meaningful action can be taken.
One of the things I missed most, after moving to the private sector, was the power of “search and subpoena,” i.e. the powers needed to compel an ISP to disgorge information. Engaging law enforcement invokes its own set of complications that demand significant time and energy. Business leaders demanding attribution must understand how quickly the ROI for such an investigation decreases. That time and energy might instead be better spent thoroughly investigating and understanding the “how,” or manner, of a cybersecurity attack, and hardening the environment against future attacks.
2. Is Probable Attribution An Acceptable Outcome?
Conclusively establishing the “fingers on keyboard” is not the only consideration. In the corporate world, it’s often enough to identify the responsible party approximately. When our team executed a counter strike in the middle of “Chinese New Year” and that counter strike went unanswered until the following Monday, we concluded that the initial attack was likely advanced by a Chinese nation-state attacker at the direction of the government with whom we were then negotiating. The fact that they did not respond during the Lunar New Year – when most government employees are home with their families – positioned us advantageously as we resumed those delicate negotiations.
3. What Are the Consequences of Misattribution?
Attribution with an approximate degree of confidence is an option when the consequences of possible misattribution are light. In the China example, a rough approximation was sufficient because it told us that they were likely after our negotiation strategy. In an inter-governmental situation in which responses can go “kinetic,” definitive confirmation is important to avoid a mistaken military strike against a perceived adversary who may have been the victim of a well-executed spoofing operation. This is especially important as the boundary between the cyber and physical worlds grows ever more porous and what is deemed to merit a kinetic military response more expansive.
Closing Thoughts
When I began in cybersecurity, the industry was dominated by the “not if, but when” mentality. But the advent of artificial intelligence and machine learning models means proactive prevention is possible. In this evolving context, attribution discussions may be rendered moot, because the event never happens, or subject to a vastly different set of circumstances. And as we more robustly deploy the strength of AI, it’s possible that continuous authentication, allowing perpetual attribution, becomes the de facto standard in cybersecurity.