Why Attribution Doesn’t Matter

In keeping up with the Anthem Healthcare breach, I began to cringe when I saw comments stating things such as, “our children will be impacted for years to come”, or, “these criminals will be perpetuating identity theft, so buy XYZ product immediately!” I also raised an eyebrow when a class action lawsuit was filed against the company because consumers were concerned about identity theft.

ProTip: Don’t wait for a company you’re doing business with, or entrusting your information to, to announce that it has been breached before you protect yourself. If you’re truly concerned, buy an identity monitoring service and/or place a freeze on your credit reports now. Do you really want to rely on a company first identifying a breach and then notifying you in a timely manner?

I’m a huge proponent of attribution, and in the case of Anthem I believe attribution is the key to understanding the actual fallout and repercussions. I also know for a fact that attribution matters from a technical perspective: much of that work is tying indicators and TTPs back to specific actors so you can track and understand their behavior and better detect and respond to adversaries. For this blog post, however, I want to focus on the reasons why attribution doesn’t matter.

If a nation state truly did pull off this breach and theft of personal information, and all signs point to that having happened, do you really think its government agencies are going to use the data to commit identity fraud?

Generally speaking:

  • You’re not going to “put cuffs on” (aka arrest) a nation state attacker
  • In my experience, law enforcement isn’t overly concerned with criminals who commit cyber related fraud under ~$50k
  • Large cyber criminal organizations are generally working out of countries that we don’t have reach into (aka no arrests)
  • Once your data is gone, don’t expect to retrieve it

Is Sony going to do business differently knowing that North Korea attacked them? Did Google stop doing business in China after the Aurora attack? Will the perpetrators of the attacks on Target and other retailers ever be brought to justice? I believe the answer is “No” in all of these cases and more. Finally, in the case of Anthem, should consumers truly be concerned about identity theft from the breach of their data? Probably not.

As an anecdote, there was an incident I once worked where user accounts on a company’s online travel site had been compromised and were being used to purchase tickets on company credit cards. We quickly discovered the accounts and the ticket origins and destinations. Some of the fraudsters were actually “mid-vacation”, and we knew who, when, and where they would be based on the return tickets. We gathered evidence and immediately contacted law enforcement so they could nab them! Unfortunately, we were told that it didn’t reach the monetary threshold they were concerned about and that they would be doing nothing. Even though we knew the who, when, and where to nab them, law enforcement has its own priorities and thresholds that determine when it acts.

If you’re an information security professional reading this, let alone an incident responder, you may raise an eyebrow when I say this, but it really opens your eyes when you begin to understand the business more. Once you get past IT/InfoSec and understand concepts such as business sales cycles, mergers & acquisitions, product life cycles, go-to-market strategies, and capitalizing R&D costs, you begin to better understand how a business functions and why decisions are made. For example, I commonly hear, “XYZ country continues to attack us and steal our intellectual property. I can’t believe we continue to do business in that country!”

However, as one business executive once told me, “Why wouldn’t we keep selling to that country and generate revenue now? Perhaps down the road we are only making 50 cents on the dollar, but a lot will change between now and then, and it’s just part of a larger business risk equation.” Furthermore, much of this line of thinking stems from a US-centric perspective and ignores facts such as China being the world’s second largest economy by size and among the fastest growing. The US, by contrast, doesn’t even show up on a top-10 list for growth, so where does the future of most companies lie when it comes to revenue generation?

In the end, attribution is about enriching your understanding of who is attacking your environment and educating your business executives about the threats they are truly facing. Generally it isn’t about putting cuffs on someone at the other end of the keyboard, pulling the business out of a joint venture, or ending the sale of goods to another country. Attribution done well, though, can have influence in the boardroom and make the executive team savvy enough to bake these issues into their business development plans and risk equations, solidifying the value that the Intel & Incident Response teams bring to the table.

Feel free to reach out via Twitter @SeanAMason to share your thoughts. Thank you for reading.

One thought on “Why Attribution Doesn’t Matter”

1. Attribution is a distraction. As you said, you’re likely not going to be putting cuffs on someone who’s been roaming around your infrastructure undetected for two years.

   Most folks who do this work understand that “groups” really refers to clusters of tactics, at whatever level of visibility/granularity you have (open source only, analysis of actual compromised boxes, etc.). They also understand that group A was found in big pharma yesterday, the DIB today, and tomorrow it will be manufacturing. Or a law firm. It seems pretty rare that a particular cluster of tactics is only found in one vertical.

   Focusing on attribution moves the discussion away from who is truly responsible for the breach and the fact that it has gone undetected for so long. Instead, the conversation should be about the smart business decisions required to ensure that it’s detected as early as possible next time.
