Attribution of an attack - don’t waste time on empty calories

Empty calories are those derived from food containing no nutrients. When consumed in excess, they contribute to weight gain, especially if you're not burning them off in your daily activities. Why make more work for yourself?
 
When we are attacked, we feel a sense of outrage and the natural tendency is to want to somehow punish the attacker. To do this, you must first identify the attacker, preferably accurately, or else. This is easier said than done, especially online.
 
Threat researchers have built an industry on identifying and profiling hacking groups in order to understand their methods, anticipate future moves, and develop methods for battling them. They often attribute attacks by “clustering” malicious files, IP addresses, and servers that get reused across hacking operations, knowing that threat actors use the same code and infrastructure repeatedly to save time and effort. So, when researchers see the same encryption algorithms and digital certificates reused in various attacks, for example, they tend to assume the attacks were perpetrated by the same group. 
 
The attacks last year on the Democratic National Committee, for example, were attributed to hacking groups associated with Russian intelligence based in part on analysis done by the private security firm CrowdStrike, which found that tools and techniques used in the DNC network matched those used in previous attacks attributed to Russian intelligence groups.
 
This is, of course, is much harder for the average business that cannot (and should not) spend scarce IT security budget on attribution of an attacker. It's a lot harder than it would seem. This Virus Bulletin reviews cases in which they’ve seen hackers acting on behalf of nation-states stealing tools and hijacking infrastructure previously used by hackers of other nation-states. Investigators need to watch out for signs of this or risk tracing attacks to the wrong perpetrators. Which means that attribution of an attack is hard even for those agencies with limitless funds at their disposal.
 
The WannaCry ransomware outbreak is an obvious example of malware theft and reuse. Last year, a mysterious group known as the Shadow Brokers stole a cache of hacking tools that belonged to the National Security Agency and posted them online months later. One of the tools — a so-called zero-day exploit, targeting a previously unknown vulnerability — was repurposed by the hackers behind WannaCry to spread their attack. 
 
Even assuming you were somehow able to absolutely identify the attacker as "Peilin Gu" located at "He Nan Sheng Zheng Zhou Shi Nong Ke Lu 38hao Jin Cheng Guo Ji Guang Chang Wu Hao Lou Xi Dan Yuan 2206", then what? How would you inflict retribution on this attacker? Likely as a private company, without a presence in China.
 
The rational course of action is instead to study the attack method and the target within your infrastructure and use this information to shore up defenses. You can bet that if this attacker uncovered a vulnerability in your defenses and exploited it then others of his “ilk” would follow course imminently.
 
Are you finding it hard to keep up with all the threats? Co-managed SIEM services can help. Give us a chance to show you how you can avoid empty calories and in the process, breathe a little easier.