In today’s cybersecurity arena, threat actor intelligence is crucial. It’s no longer enough to know about the types of attacks a threat actor might launch. Security teams also need to know who they are dealing with. Increasingly, they are getting to know their adversaries through threat actor attribution.
What Is Threat Actor Attribution?
Darknet intelligence firm DarkOwl describes threat actor attribution as an investigative strategy for identifying the individuals or groups behind a cyberattack. An attacker could be a lone wolf looking for a score. He could be part of a hacker group or even an analyst working for a rogue nation-state. Threat actor attribution seeks to identify the adversary in order to better defend against him.
It is based on a few key principles:
- An attacker’s technical abilities
- An attacker’s behavior before, during, and after an attack
- Contextual indicators related to individual attacks
The data gleaned through threat actor attribution is aggregated and correlated with data from various sources. All of it is mapped to existing threat profiles to establish a level of confidence in the attribution. As confidence grows, decision making becomes more effective.
A Basic Outline of Threat Actor Attribution
DarkOwl explains that threat actor attribution is a multi-layered strategy with a lot of moving parts. Doing it properly requires a combination of knowledge, skill, and real-world practice. Here is an outline of its basic concepts:
1. Identifying Key Characteristics
Threat actor profiling rarely produces individual or group names early on. Rather, investigators are looking to determine the behaviors and characteristics of those responsible for attacks. Such data should eventually lead to an actual identification. Early on, investigators look at:
- IP addresses
- Attack artifacts
- Behavioral traits
- Contextual intelligence
The more data gathered and analyzed, the closer an investigator gets to identification. Sometimes identification comes quickly; other times it takes a while.
2. Relative Attribution
Investigators should always be prepared for some level of ambiguity. Rather than being absolute, attribution often turns out to be relative. Investigations can lead to linking an attack to a broader set of data points, or they could lead directly to an individual or group sponsoring a campaign. The point is that there are never any guarantees.
3. Choosing the Right Tools
Investigators should also be intentional about the tools they use. Security teams can rely on established frameworks such as MITRE ATT&CK, the Admiralty System, and the Diamond Model. Each framework takes a slightly different approach to classifying data, weighing evidence, and establishing attributes.
What the Actual Process Looks Like
The actual process of threat actor attribution is fairly simple to follow once you know what is going on. It begins with investigators collecting data from a variety of sources, including threat intelligence feeds, incident reports, network logs, and attack analyses. All the data is enriched and normalized to create a comprehensive view.
Next, profiling creates links between observed tactics, techniques, and procedures (TTPs) and known threat actors or groups. Meanwhile, monitoring of ongoing activity creates additional links between known attacks and observed TTPs.
An investigator’s chosen framework creates links between adversaries, capabilities, infrastructures, and victims. Relationships that often escape a purely technical analysis tend to emerge.
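As an added illustration of the profiling step described above (not DarkOwl's method or any vendor's tooling), the script below weights each observation with an Admiralty System rating, scores hypothetical actor profiles by weighted overlap of MITRE ATT&CK technique IDs, and reports a relative rather than absolute result when the evidence does not separate the candidates. The actor names, profiles, and observations are constructed for the example.

```python
"""Relative attribution from Admiralty-weighted TTP overlap (constructed data)."""
from dataclasses import dataclass

# Admiralty System: source reliability A-F and information credibility 1-6.
# The numeric weights are an assumption chosen for this example, not a standard.
RELIABILITY = {"A": 1.0, "B": 0.8, "C": 0.6, "D": 0.4, "E": 0.2, "F": 0.5}
CREDIBILITY = {"1": 1.0, "2": 0.8, "3": 0.6, "4": 0.4, "5": 0.2, "6": 0.5}


@dataclass(frozen=True)
class Observation:
    technique: str  # MITRE ATT&CK technique ID seen in the incident, e.g. "T1566"
    rating: str     # Admiralty rating of the reporting source, e.g. "B2"


def weight(obs: Observation) -> float:
    """Evidence weight: reliability of the source times credibility of the claim."""
    return RELIABILITY[obs.rating[0]] * CREDIBILITY[obs.rating[1]]


# Constructed, hypothetical actor profiles (not real threat groups).
PROFILES = {
    "ACTOR-ALPHA": {"T1566", "T1059", "T1003", "T1071", "T1486"},
    "ACTOR-BRAVO": {"T1566", "T1078", "T1021", "T1105"},
    "ACTOR-CHARLIE": {"T1190", "T1505", "T1047"},
}


def score_actors(observations, profiles=PROFILES):
    """Rank profiles by the share of evidence weight their known TTPs explain."""
    total = sum(weight(o) for o in observations)
    scores = {}
    for actor, ttps in profiles.items():
        matched = sum(weight(o) for o in observations if o.technique in ttps)
        scores[actor] = round(matched / total, 3) if total else 0.0
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def attribute(observations, profiles=PROFILES):
    """Relative attribution: name a candidate only when the evidence separates it."""
    ranked = score_actors(observations, profiles)
    (top, top_score), (_, runner_up) = ranked[0], ranked[1]
    margin = top_score - runner_up
    if top_score >= 0.7 and margin >= 0.2:
        level = "high"
    elif top_score >= 0.4 and margin >= 0.1:
        level = "moderate"
    else:
        level = "inconclusive"  # report the links, not a name
    candidate = top if level != "inconclusive" else None
    return {"candidate": candidate, "confidence": level, "ranked": ranked}
```

A single shared technique such as phishing (T1566) ties two profiles at the same score, so the function returns no candidate; that is the ambiguity the article warns to expect.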
A More In-Depth Understanding
Although threat actor attribution typically begins with technical indicators, it moves beyond those indicators to create a more in-depth understanding of threat actors and their behaviors. Security teams can get to know adversaries by getting inside their heads.
It is worth investigating threat actor attribution if only for the ability to truly know who you are up against. Understanding one’s adversary makes it easier to defend against him.
