When discussing the latest targeted attack campaign, the question invariably arises, “Who was behind it?” It’s a simple question, but one which has become increasingly difficult and complex to answer.
Attribution of cyber attacks has never been an exact science. Security researchers typically cluster attack incidents together and try to attribute them to known attack groups based on similarity of digital fingerprints, such as code similarities, shared tools and shared infrastructure. However, attribution using such methods is becoming increasingly difficult with the trend of attackers “living off the land,” eschewing custom tools in favor of using standard operating system features and off-the-shelf tools to compromise their targets. There’s also the classic problem of attackers inserting false flags including purposeful misdirection, obfuscation, and fake clues designed to mask their identities.
Despite these challenges, attribution remains an important part of attack analysis. By tying activity to specific groups, we start to see patterns of behaviour that allow us to better understand the attackers’ motivation, their target profile, and the assets they’re pursuing. Generating this intelligence is critical to protecting our customers, as well as assisting law enforcement, an area where Symantec has a significant history.
But there are limits to how far we can go with attribution. Even if we can tie specific incidents to a known attack group, identifying who or what organisation is directing or funding that activity is not in the scope or focus of what we do. This level of attribution requires the substantial resources and access to information that is generally available only to law enforcement or government intelligence agencies.
These agencies have demonstrated growing success in this area, such as the US government attributing the 2016 election interference campaigns to the Russian government. More recently, the Department of Justice filed charges against a North Korean hacker for the WannaCry attacks and other campaigns. This outcome was achieved through collaboration with members of the security industry, including Symantec. Symantec regularly supports and collaborates with law enforcement and intelligence agencies by sharing our attack data to support their investigations.
Our focus continues to be on researching the methods, tools, and techniques used by targeted attackers so that we can develop entirely new capabilities to protect our customers. Symantec’s Targeted Attack Analytics is just one recent example of a new innovation that’s developed to help customers to automate the discovery of entirely new and sophisticated attacks.