Navigating the Trade-Offs of Cyber Attribution
Attribution matters, but to what extent? The game of cyber whodunit is often perceived as a clean and binary question, where threat activity is either attributed or it is not. Yet, it is typically a more complex process that regularly involves difficult trade-offs.
Different forms of attribution—ranging from simply linking threat clusters together to identifying the names and faces of an adversary—present vastly different challenges and resource requirements. Analysts making attribution judgements must also weigh up several competing priorities, including the deadlines set by stakeholders, the completeness of data, and the confidence level behind their assessments.
This blog post lifts the lid on the messy realities behind attribution. We will outline the different trade-offs involved in the process and provide practical advice for network defenders navigating the topic.
The Three Tiers of Threat Actor and Attribution Analysis
Security researchers rarely attribute threat activity to named individuals or organizations. More commonly, attribution involves clustering discrete indicators such as IP addresses or domains that are in some way related. This is commonly known as tactical attribution.
Once tactical attribution is achieved, researchers can begin extrapolating characteristics from these activity clusters to achieve operational profiling. Examples of operational profiling include statements such as “a loosely-affiliated group of mostly amateur individuals” or “a coordinated group of criminals with access to sophisticated tools”. By extrapolating out these capabilities, behaviors, motivations, and other characteristics, researchers can get ahead of the threat because they can anticipate if, how, and why an actor may act.
Finally, once operational attribution is achieved, researchers may then look to establish strategic attribution. That is, the identity of a threat group or threat actor. This may include an individual’s name or associations, or this identity may only be defined by the sponsor, or ultimate beneficiary, of the threat operations.
No level of attribution can be achieved without first establishing tactical attribution, as this is the evidence base upon which all future analysis rests. Security teams must then ask themselves whether there is value in continuing to invest time and resources in establishing a higher level of attribution.
This decision should rest on one underlying question: what level of attribution is necessary to best protect my network and/or achieve my security goals? In other words, what actions can the security team take based on its capacity, tools, and capabilities, and what level of attribution is necessary to facilitate those actions?
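As an added example (not code from the original post), the tactical clustering step described above: indicators are joined into a cluster when they share an infrastructure attribute, and the analyst's choice of which attributes count as pivots decides how tightly or loosely clusters form. All indicator values, attribute names and the strong/weak pivot split are constructed for this example.

```python
# Added example (not code from the original post): tactical attribution as
# indicator clustering by shared infrastructure attributes. Indicator values,
# attribute names and the strong/weak pivot split are all constructed here.
from collections import defaultdict

# Pivot attributes an analyst might link infrastructure on. Which ones count
# as "strong" is an assumption for this example, not a Mandiant rule.
STRONG_PIVOTS = {"cert", "registrant"}  # attacker-controlled, rarely shared by chance
WEAK_PIVOTS = {"asn"}                   # shared hosting; easy to over-cluster on

# Constructed sample indicators (documentation IP ranges, .example domains).
INDICATORS = {
    "203.0.113.10": {"cert": "sha1:aaa", "asn": "AS64500"},
    "203.0.113.11": {"cert": "sha1:aaa", "asn": "AS64500"},
    "update-check.example": {"cert": "sha1:aaa", "registrant": "r1@mail.example"},
    "cdn-sync.example": {"registrant": "r1@mail.example", "asn": "AS64501"},
    "198.51.100.7": {"cert": "sha1:bbb", "asn": "AS64502"},
    "portal-login.example": {"cert": "sha1:bbb"},
    "shared-host.example": {"asn": "AS64500"},  # overlaps only on hosting ASN
}

def cluster_indicators(indicators, pivots):
    """Union-find over indicators: two indicators join one cluster when they
    share a value for any attribute in `pivots`. Returns a list of frozensets."""
    parent = {ind: ind for ind in indicators}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    by_value = defaultdict(list)
    for ind, attrs in indicators.items():
        for key, value in attrs.items():
            if key in pivots:
                by_value[(key, value)].append(ind)
    for members in by_value.values():
        for other in members[1:]:
            parent[find(other)] = find(members[0])
    groups = defaultdict(set)
    for ind in indicators:
        groups[find(ind)].add(ind)
    return [frozenset(g) for g in groups.values()]

def cluster_of(clusters, indicator):
    """Return the cluster (frozenset) that contains `indicator`."""
    return next(c for c in clusters if indicator in c)
```

Running `cluster_indicators(INDICATORS, STRONG_PIVOTS)` yields three clusters, while adding the weak ASN pivot collapses the lone shared-hosting domain into the main cluster: the same data, a looser rule, and a less precise cluster.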
Trade-offs of Attribution
Making attribution assessments comes with several trade-offs and thorny decisions for security leaders, some of which are outlined below.
The different tiers of attribution require vastly different levels of resources. While many CTI functions can realistically pivot off attacker infrastructure to perform tactical attribution, strategic attribution requires far more, including:
- Additional headcount and analyst time.
- Granular threat visibility and high-quality collection data.
- A greater need for formalized process and workflow patterns to ensure a consistent process.
Smaller organizations focused on detecting and blocking malicious activity may never need to move beyond tactical attribution. Meanwhile, organizations with robust hunt and intelligence teams may want to develop an operational profiling capability so they can proactively identify threat groups of concern and take action to protect against their TTPs. Finally, government actors may be concerned with strategic attribution in order to take political action against the identified threat actors themselves.
In all cases, it is crucial that security teams first understand their own requirements and limitations before deciding on which level of attribution to pursue, as this allows for an agile “just enough” approach to security.
Various entities weigh in on attribution, including CTI vendors, government agencies, and independent researchers. This raises the question of how much we should trust others.
Ignoring all third-party intelligence in the pursuit of complete independence would mean neglecting valuable insight. Conversely, sloppy clustering between threat actors tracked by different entities can quickly lead to confusion and imprecision. For example, the threat actor label “Winnti” became increasingly vacuous due to inconsistent methodologies, dubious clustering, and a lack of collaboration between different security organizations.
Mandiant naturally pays attention to threat research published by a wide variety of entities and our analysts will explore whether we have overlapping visibility within our own collection universe. However, we are also committed to developing attribution judgements that are firmly based on our independent analysis and primary-source collection data.
CTI functions should avoid making rash attribution judgments, yet an overly cautious approach can stymie action. Ultimately, if the bar to merging threat clusters is too high, stakeholders will struggle to tackle key threats in a timely fashion.
Mandiant Intelligence practices a flexible approach through the use of uncategorized threat clusters (referred to as UNC groups). This enables us to reveal useful insight on threats quickly and without having to complete a lengthy attribution process straight away.
For example, shortly after the 2020 SolarWinds supply chain compromise, Mandiant Intelligence released details on the threat actor behind the campaign: UNC2452. This uncategorized group was eventually merged with APT29 many months later, but the use of a UNC group allowed Mandiant to publish actionable intelligence as quickly as possible. This also means that Mandiant Intelligence analysts do not need to rush attribution and merging processes, which can take a long time because of the analytical rigor required to independently verify links against our own data sets.
Mandiant also exposes lower confidence attribution judgements within Mandiant Advantage, where we detail both merged threat clusters and those where there is a suspected link. This allows customers to follow Mandiant’s attribution assessments as they evolve over time.
Threat intelligence teams should also distinguish between confidence levels and specificity. For example, a threat intelligence team might have high confidence that a cyber operation was tied to a Russian state sponsor but have lower confidence on the specific Russian cyber threat actor involved.
While everyone loves a juicy CTI blog post lifting the lid on the latest APT campaign, publicizing threat research involves multiple equities including: source sensitivities, a victim’s reaction, the current geopolitical context, implications for ongoing response engagements, and a threat actor’s potential reaction.
Ultimately, whether you are a government releasing cyber sanctions or a CTI vendor calling out an APT group, a thoughtful and considered approach is crucial.
Structured analytical techniques play an important role in improving the rigor and quality of analytical assessments. However, they can also be costly and time- and resource-intensive.
The role of analytical techniques is therefore best seen as a sliding scale that can be ramped up or down accordingly. For instance, CTI functions may want to ramp up their use of analytical techniques for important attribution judgements with significant implications for their organization or when dealing with poor collection quality.
What Flavor of Attribution is Right for You?
Attribution presents plenty of difficult decisions and complex trade-offs. But attributing cyber activity should always be seen as an enabler rather than a straitjacket.
Attribution trade-offs can pose awkward questions for a security function, yet the answer is usually obvious when we simply ask: what is best for our organization? That is because the attribution process thrives when it is linked to clear organizational requirements, use cases, and outcomes. This might not be quite as glamorous as trying to replicate government intelligence agencies, but it will be a whole lot more effective for your organization and stakeholders.