Why is the attribution of hacking so difficult?
Law enforcement faces significant challenges when solving crimes in the physical world: witness testimony is subjective and often conflicting, physical evidence may be limited, and constitutional protections can close off certain lines of investigation.
When it comes to determining who is responsible for a hack, the challenge is even greater. For a start, the attacker is never physically present with the victim, so even defining the scene of an Internet crime is a legal, jurisdictional, and philosophical problem.
The evidence left behind after a hack is the primary material in an investigation. It includes log data from firewalls, servers, IDS/IPS systems and endpoint EDR/AV products, full packet capture archives, and anything else that gives insight into the attacker's activity at the network and host level. In some of the most widely publicised breaches, including the recent compromise of the Democratic National Committee's (DNC) mail servers, the investigation has also centred on analysis of the malware used during the attack.
Information made public by CrowdStrike as a result of its incident response work with the DNC concluded that two different Russian intelligence groups were responsible for the attack. Those findings rest on prior research into two Advanced Persistent Threat (APT) groups whose tooling was found within the DNC network: APT28, also known as 'Fancy Bear', and APT29, also known as 'Cozy Bear'.
Mark McArdle, CTO at cyber security firm eSentire, said: “While CrowdStrike’s reported evidence and observations seem like a reasonable conclusion to reach, we cannot dismiss the fact that none of this evidence is 100% reliable.
“If we think about the very high level of design, engineering, and testing required for such a sophisticated attack, is it reasonable to assume that the attacker would leave behind these breadcrumbs? Yes, it’s possible, but it’s also possible that these things can be used to misdirect attention to a different party. Is this evidence the result of sloppiness, or careful misdirection?
“Attribution of attacks is very difficult. Finding irrefutable evidence that links an attacker to an attack is virtually unattainable, so everything boils down to assumptions and judgement. It’s never been more important to have visibility into the unusual activities going on in a company’s network and have the ability to investigate and respond. This is what research firm Gartner calls ‘Managed Detection and Response (MDR)’ – an effective way of keeping small breaches from turning into headline-making hacks."
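The "breadcrumbs" McArdle refers to include build artefacts inside the malware itself, such as the PE header's compile timestamp, from which analysts infer a developer's working hours and hence a plausible time zone. The following is an added example, not code from the article, from eSentire or from CrowdStrike's DNC report. It builds a constructed, minimal PE-shaped byte string (not real malware), reads the COFF `TimeDateStamp` field the way analysis tooling does, and then rewrites it, showing how cheaply this particular indicator can be planted to point at a different time zone. The `e_lfanew` and `TimeDateStamp` field layout follows the PE/COFF specification; the sample compile time and the time-zone offsets are assumptions chosen for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample, not real malware: a 64-byte DOS stub whose e_lfanew field
# (offset 0x3c) points at the "PE\0\0" signature and a 20-byte COFF file header.
# The third COFF field, TimeDateStamp, is the "compile time" analysts read off a
# sample to infer the developer's working hours and hence a plausible time zone.
# Assumed value: 07:00 UTC on 15 June 2016.
SAMPLE_COMPILE_TIME = int(datetime(2016, 6, 15, 7, 0, tzinfo=timezone.utc).timestamp())


def build_sample_pe(timestamp: int) -> bytes:
    """Return a minimal PE-shaped byte string carrying the given TimeDateStamp."""
    dos_stub = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos_stub, 0x3C, len(dos_stub))  # e_lfanew -> 0x40
    coff_header = struct.pack(
        "<HHIIIHH",
        0x8664,      # Machine: AMD64
        1,           # NumberOfSections
        timestamp,   # TimeDateStamp (seconds since the Unix epoch)
        0, 0,        # PointerToSymbolTable, NumberOfSymbols
        0,           # SizeOfOptionalHeader (none in this stub)
        0x0022,      # Characteristics: EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    )
    return bytes(dos_stub) + b"PE\0\0" + coff_header


def _timestamp_offset(pe: bytes) -> int:
    """Locate TimeDateStamp: e_lfanew + 4-byte signature + Machine + NumberOfSections."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew + 8


def read_compile_time(pe: bytes) -> int:
    """What an analyst's tooling reports as the sample's compile time."""
    return struct.unpack_from("<I", pe, _timestamp_offset(pe))[0]


def forge_compile_time(pe: bytes, timestamp: int) -> bytes:
    """Rewrite TimeDateStamp in place; no other byte of the image changes."""
    patched = bytearray(pe)
    struct.pack_into("<I", patched, _timestamp_offset(pe), timestamp)
    return bytes(patched)


def local_hour(timestamp: int, utc_offset_hours: int) -> int:
    """Hour of day the build happened in a candidate time zone (the inference step)."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(timestamp, zone).hour


if __name__ == "__main__":
    genuine = build_sample_pe(SAMPLE_COMPILE_TIME)
    # Read as-is, the build lands at 10:00 in UTC+3, a working-hours time there.
    print("genuine sample, hour of day in UTC+3:", local_hour(read_compile_time(genuine), 3))
    # One four-byte patch later, the same sample "was built" at 10:00 in UTC+8 instead.
    planted = forge_compile_time(genuine, SAMPLE_COMPILE_TIME - 5 * 3600)
    print("forged sample,  hour of day in UTC+8:", local_hour(read_compile_time(planted), 8))
```

The point is not that compile timestamps are useless, but that they are attacker-controlled data: a linker writes whatever value it is given, and a four-byte patch after the build changes it without disturbing anything else in the file. The same holds for embedded language identifiers and strings. Such artefacts only carry weight when they are consistent with evidence the attacker does not control as easily, such as infrastructure reuse observed in the victim's own network and firewall logs.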