Picture this: Your company's network is facing a DDoS attack, but you have no idea who is responsible or what their motivation might be. Without this knowledge, you can't tell if they want money in exchange for stopping the attack or if the attack is a diversion to occupy your security team while your network is being penetrated and commercial secrets are stolen.
In the aftermath of a network breach it can also be incredibly useful to know some information about the likely attackers. That's because knowing who they were — or just where they were from — can help you carry out a more accurate damage assessment exercise. This knowledge can guide you where to look for signs of data compromise, and what other specifics (such as exploit kits or Trojans that may have been left behind) to search for.
Knowing who you have been attacked by can also shed some light on why they may have attacked you, what they were after and what the likely consequences for your business may be. For example, a common cybercriminal may be after any data that they think they can resell (such as customer credit card details), while a foreign competitor or so-called "state-sponsored" hackers may be after specific technical information.
"If you can attribute an attack to a particular adversary you can understand their motivations, their capabilities and their infrastructure," says Kyle Ehmke, a threat intelligence analyst at Virginia-based security company ThreatConnect. "If you can understand the 'how' and the 'why' then that can be very valuable information."
Perhaps most importantly, knowing who has attacked you can help you formulate your future security plans and decide how best to allocate your security budget going forward. For example, if you believe that you were the victim of a targeted attack and the hackers did not succeed in exfiltrating everything that they were after, then you may decide to beef up your security specifically to protect those assets that you think they are most likely to come back for.
The ability to attribute an attack to a particular group becomes even more important when it comes to major security breaches. Attacks like the 2014 Sony breach — which the FBI attributed to hackers connected to the North Korean government — can be cause for national security concerns and can also have major political repercussions.
So how do security experts go about identifying hackers and where they are from?
Foraging in forums
The first thing to understand is that attribution is very hard. You can't just look at the apparent source of an attack, because it will almost certainly be passing through at least one proxy, perhaps on a compromised server on the other side of the world from the attackers. Or, in the case of DDoS attacks, the traffic will come from thousands of compromised machines that may be part of a global botnet.