cyber attribution

Contributor(s): Linda Rosencrance and Matthew Haughn

Cyber attribution is the process of tracking, identifying and assigning responsibility for a cyberattack or other hacking exploit to the actor who carried it out.

Cyberattacks can have serious consequences for businesses in terms of public relations, compliance, reputation and finances. In the wake of an attack, an organization often conducts investigations to attribute the incident to specific threat actors in order to gain a complete picture of the attack, and to help ensure the attackers are brought to justice. These cyber attribution efforts are often conducted in conjunction with official investigations conducted by law enforcement agencies.

Cyber attribution can be very difficult because the underlying architecture of the internet offers numerous ways for attackers to hide their tracks.

Challenges of cyber attribution

Companies often lack the resources or expertise needed to track down cybercriminals, so organizations that need to do cyber attribution usually hire outside information security experts. However, cyber attribution can be challenging, even for cybersecurity experts.

To determine the actor or actors responsible for a cyberattack, experts often conduct extensive forensic investigations, including analyzing digital forensic evidence and historical data, establishing intent or motives, and taking into account the overarching situation.

However, one of the challenges of cyber attribution is that attackers rarely launch attacks directly from their own homes or places of business. Instead, they route their activity through computers or devices that belong to other victims and that the attacker has previously compromised, so the system an attack appears to come from is often itself a victim rather than the source.

Identifying an attacker is also made more difficult because attackers can spoof source IP addresses (practical mainly for connectionless or volumetric traffic, since a spoofed address cannot complete a TCP handshake) or route their connections through chains of proxy servers, VPNs, anonymity networks such as Tor and compromised hosts around the world, so the address an investigator observes is rarely the attacker's own.

Additionally, jurisdictional limitations can hinder attribution in cross-border cybercrime investigations because every time a law enforcement agency has to undertake an investigation that crosses borders, it must go through official channels to request help. This can hamper the process of gathering evidence, which must be collected as soon as possible.

In some cases, cyber attribution efforts are further hampered when attacks originate in nations that refuse to cooperate with U.S. law enforcement investigations. Jurisdictional issues can also affect the integrity of the evidence and the chain of custody.

Cyber attribution techniques

Cybercrime investigators have many different, specialized techniques available for performing cyber attribution, but definitive and accurate cyber attribution is not always possible.

Investigators use analysis tools, scripts and programs to uncover critical information about attacks. From a malware sample, investigators are often able to recover the programming language, the compiler used, the compile time stamp recorded in the binary, the libraries linked and the order in which the events of the attack took place. For example, language settings left in a sample, such as the language ID of its compiled resources or the keyboard layout and locale recorded in a weaponized document, can suggest that it was built on a Chinese, Russian or other language system, which helps narrow the field of suspects. Such artifacts are weak evidence on their own: they can be planted deliberately as a false flag, and compile time stamps can be zeroed or set to an arbitrary value.
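As an added example (not code from the original article), the following Python reads the compile time stamp that a PE linker records in the COFF file header, discards values that look zeroed or forged, and then searches for the UTC offset under which the stamps from a set of related samples cluster into an ordinary working day. The PE stubs and the time stamps are constructed here; the 1990 cut-off and the 09:00 to 18:00 working day are assumptions, not part of the article.

```python
import struct
from datetime import datetime, timezone


def pe_compile_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE file.

    Layout: the DOS header stores e_lfanew at offset 0x3C; at e_lfanew sits the
    "PE" signature (bytes 50 45 00 00), followed by the COFF file header, whose
    TimeDateStamp is the 4-byte field after Machine (2 bytes) and NumberOfSections
    (2 bytes).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return timestamp


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed input: a stub carrying only the headers the parser above reads."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=x86-64, 1 section, TimeDateStamp, no symbols, no optional header, flags
    coff_header = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0x0022)
    return dos_header + b"PE\0\0" + coff_header


def plausible_timestamps(timestamps):
    """Drop stamps a toolchain or attacker has probably zeroed or forged.

    Assumption used here: anything before 1990 is unreliable (0 is the commonest
    forged value; some linkers also write fixed or random stamps).
    """
    floor = int(datetime(1990, 1, 1, tzinfo=timezone.utc).timestamp())
    return [t for t in timestamps if t >= floor]


def candidate_utc_offsets(timestamps, work_start=9, work_end=18):
    """Return the UTC offsets (hours) that place the most compile stamps inside a
    work_start..work_end local working day. Several offsets usually tie, so this
    returns a list rather than a single answer."""
    scores = {}
    for offset in range(-12, 15):
        hits = 0
        for ts in timestamps:
            utc_hour = datetime.fromtimestamp(ts, timezone.utc).hour
            if work_start <= (utc_hour + offset) % 24 < work_end:
                hits += 1
        scores[offset] = hits
    best = max(scores.values())
    return [offset for offset, hits in sorted(scores.items()) if hits == best]


def infer_working_hours_offset(binaries):
    """Full pipeline over a set of related samples: parse, filter, cluster."""
    stamps = plausible_timestamps(pe_compile_timestamp(b) for b in binaries)
    return candidate_utc_offsets(stamps)


# Constructed campaign: nine builds at 01:30..09:30 UTC on working days, plus one
# sample whose stamp was zeroed. The builder's real time zone is unknown to the code.
SAMPLE_COMPILE_TIMES = [
    int(datetime(2017, 10, day, hour, 30, tzinfo=timezone.utc).timestamp())
    for day, hour in [(2, 1), (3, 2), (4, 3), (5, 4), (6, 5),
                      (9, 6), (10, 7), (11, 8), (12, 9)]
]
SAMPLE_BINARIES = [build_minimal_pe(t) for t in SAMPLE_COMPILE_TIMES]
SAMPLE_BINARIES.append(build_minimal_pe(0))

if __name__ == "__main__":
    print("candidate UTC offsets:", infer_working_hours_offset(SAMPLE_BINARIES))
```

With the constructed set the only offset that fits every build into a working day is UTC+8. Real campaigns rarely give so clean a result: a single stamp is trivially set by whoever links the binary, several toolchains write fixed or random values, and an attacker who knows this analysis is run can choose stamps that point elsewhere, so the clustering is only worth something across many samples and alongside other evidence.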

Investigators attempting to do cyber attribution also analyze any metadata connected to the attack. The metadata, including source IP addresses, email data, hosting platforms, domain names, domain name registration information and data from third-party sources can help make the case for attribution because systems used for cyberattacks often communicate with nodes outside the network being targeted. However, these data points can also be easily faked.

Investigators may also analyze metadata collected from multiple attacks targeting different organizations. Even fabricated registration details tend to be reused, so when the same false name, email address, nameserver or hosting account recurs across incidents, investigators can link those incidents to one another and, in some cases, to a known threat actor. For example, an anonymous email address from one attack may be tied to an attacker because the domains it registered were previously identified as infrastructure used by a specific threat actor. The pivot has to stop at infrastructure that many unrelated parties share, such as privacy-protected registrant contacts or a large hosting provider's nameservers, or it will connect incidents that have nothing in common.
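The pivot described above, as an added example that is not part of the original article: registration data for the domains seen in several incidents is turned into a graph, and a breadth-first search walks from an incident through registrant addresses and nameservers until it reaches infrastructure already tied to a known actor, recording the path so each hop can be checked. All domains, addresses, incident IDs and "ACTOR-A" are constructed, and the shared-infrastructure list and fan-out limit are assumptions for the example.

```python
from collections import defaultdict, deque

# Everything below is constructed for illustration: the domains, registrant
# addresses, nameservers, incident IDs and "ACTOR-A" are not real cases.

# Infrastructure previously tied to a known actor by earlier investigations.
KNOWN_ACTOR_INDICATORS = {
    "ACTOR-A": {"update-cdn-mail.example", "ops.billing-notice.example"},
}

# WHOIS-style registration data for every domain seen across the incidents.
WHOIS = {
    "update-cdn-mail.example":       {"registrant": "rt.ops77@mailbox.example",       "ns": "ns1.host-a.example"},
    "ops.billing-notice.example":    {"registrant": "rt.ops77@mailbox.example",       "ns": "ns1.host-a.example"},
    "secure-invoice-portal.example": {"registrant": "rt.ops77@mailbox.example",       "ns": "ns2.bighost.example"},
    "newsletter-sync.example":       {"registrant": "redacted@privacy-proxy.example", "ns": "ns2.bighost.example"},
    "login-verify-hr.example":       {"registrant": "redacted@privacy-proxy.example", "ns": "ns2.bighost.example"},
}

# Domains observed in three incidents at different organizations.
INCIDENTS = {
    "INC-1001": {"secure-invoice-portal.example"},
    "INC-1002": {"newsletter-sync.example"},
    "INC-1003": {"login-verify-hr.example"},
}

# Values shared by too many unrelated parties to support a pivot: a WHOIS privacy
# proxy address and a large hosting provider's nameserver (assumed for the example).
SHARED_INFRASTRUCTURE = {"redacted@privacy-proxy.example", "ns2.bighost.example"}
MAX_FANOUT = 25  # also refuse to pivot through any node linked to more than this many others


def build_graph(whois, incidents):
    """Undirected graph: incident -> domain, domain -> registrant, domain -> nameserver."""
    adj = defaultdict(set)
    for domain, rec in whois.items():
        for value in (rec["registrant"], rec["ns"]):
            adj[domain].add(value)
            adj[value].add(domain)
    for incident, domains in incidents.items():
        for domain in domains:
            adj[incident].add(domain)
            adj[domain].add(incident)
    return adj


def pivotable(node, adj, shared, max_fanout):
    """A node is usable as a pivot unless it is known shared infrastructure or
    connects so many things that it cannot distinguish anyone."""
    return node not in shared and len(adj[node]) <= max_fanout


def attribute(incident, adj, known, shared=SHARED_INFRASTRUCTURE, max_fanout=MAX_FANOUT):
    """Breadth-first pivot from an incident through pivotable indicators.

    Returns {actor: path}, where path lists the nodes that connect the incident
    to that actor's known infrastructure, so an analyst can verify each hop.
    """
    indicator_to_actor = {ind: actor for actor, inds in known.items() for ind in inds}
    parent = {incident: None}
    queue = deque([incident])
    hits = {}
    while queue:
        node = queue.popleft()
        for nxt in sorted(adj[node]):
            if nxt in parent or not pivotable(nxt, adj, shared, max_fanout):
                continue
            parent[nxt] = node
            actor = indicator_to_actor.get(nxt)
            if actor and actor not in hits:
                path, cur = [], nxt
                while cur is not None:
                    path.append(cur)
                    cur = parent[cur]
                hits[actor] = path[::-1]
            queue.append(nxt)
    return hits


GRAPH = build_graph(WHOIS, INCIDENTS)

if __name__ == "__main__":
    for inc in INCIDENTS:
        print(inc, attribute(inc, GRAPH, KNOWN_ACTOR_INDICATORS))
```

INC-1001 reaches ACTOR-A through the reused registrant address. INC-1002 and INC-1003 do not, because their only links to the rest of the graph run through the privacy-proxy address and the shared nameserver; passing an empty `shared` set to `attribute` shows how quickly those two incidents would be wrongly tied to ACTOR-A once that guard is dropped.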

Another approach is to examine the tactics, techniques and procedures (TTPs) used in an attack, because attackers often have distinctive and recognizable styles. Investigators are sometimes able to identify perpetrators from clues in their attack methods, such as characteristic social engineering lures, code reuse between a new sample and malware seen in prior attacks, or the same sequence of tools used once inside a network.
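One way to compare an incident's TTPs against known actor profiles, added here as an example and not taken from the article: each profile is a set of MITRE ATT&CK technique IDs, techniques are weighted by how rare they are across the profiles so that near-universal ones such as spearphishing or PowerShell contribute little, and a weighted Jaccard score ranks the actors. The technique IDs are real ATT&CK identifiers; the actor names, their profiles, the two incidents and the 0.5 decision threshold are constructed assumptions.

```python
import math
from collections import Counter

# Constructed actor profiles keyed by MITRE ATT&CK technique ID. The IDs are real
# ATT&CK identifiers; the actor names and which techniques each uses are invented.
ACTOR_PROFILES = {
    "ACTOR-A": {"T1566.001", "T1059.001", "T1003.001", "T1021.002", "T1486"},
    "ACTOR-B": {"T1566.001", "T1059.001", "T1078", "T1071.001", "T1105"},
    "ACTOR-C": {"T1190", "T1505.003", "T1003.001", "T1021.002", "T1486"},
}
# T1566.001 spearphishing attachment, T1059.001 PowerShell, T1003.001 LSASS memory,
# T1021.002 SMB admin shares, T1486 data encrypted for impact, T1078 valid accounts,
# T1071.001 web protocol C2, T1105 ingress tool transfer, T1190 exploit public-facing
# application, T1505.003 web shell, T1053.005 scheduled task.


def technique_weights(profiles):
    """Inverse-frequency weights: a technique most actors share (spearphishing,
    PowerShell) counts for little, a rare one counts for more, and one that no
    profile contains gets the highest weight."""
    n = len(profiles)
    df = Counter(t for techniques in profiles.values() for t in techniques)

    def weight(technique):
        return math.log((n + 1) / (df.get(technique, 0) + 1)) + 1.0

    return weight


def weighted_jaccard(a, b, weight):
    """Weighted overlap of two technique sets, 0.0 (disjoint) to 1.0 (identical)."""
    intersection = sum(weight(t) for t in a & b)
    union = sum(weight(t) for t in a | b)
    return intersection / union if union else 0.0


def rank_actors(observed, profiles=ACTOR_PROFILES):
    """Score every profile against the observed techniques, best first."""
    weight = technique_weights(profiles)
    scored = [(actor, weighted_jaccard(observed, techniques, weight))
              for actor, techniques in profiles.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def best_match(observed, profiles=ACTOR_PROFILES, min_score=0.5):
    """Name an actor only when the top score clears a threshold (assumed 0.5);
    otherwise return None rather than force an attribution."""
    actor, score = rank_actors(observed, profiles)[0]
    return actor if score >= min_score else None


# Constructed observations from two incidents.
INCIDENT_TTPS = {"T1566.001", "T1059.001", "T1003.001", "T1486", "T1053.005"}
PHISHING_ONLY_TTPS = {"T1566.001", "T1059.001"}

if __name__ == "__main__":
    print(rank_actors(INCIDENT_TTPS))       # ACTOR-A ranked first
    print(best_match(INCIDENT_TTPS))        # ACTOR-A
    print(best_match(PHISHING_ONLY_TTPS))   # None: too generic to attribute
```

The second incident is the important case: phishing plus PowerShell matches two of the three profiles, and the weighting keeps the best score below the threshold, so the function declines to name anyone. TTP overlap also degrades as tooling spreads, since a leaked or commodity toolset puts the same techniques in many unrelated hands, which is why a match here is a lead to corroborate, not a conclusion.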

Knowing what's happening within certain industries or certain companies can also help cybercrime investigators predict attacks. For instance, companies in the natural gas industry spend more money on exploration when gas prices increase and, consequently, are at a higher risk for theft of geospatial data.

Understanding the attacker's motives can also aid in cyber attribution. Security experts work to understand the perpetrators' objectives, because it's not always about money. Investigators aim to figure out if the cybercriminals are just lurking or if they've been spying for a long time. They also try to discover whether the hackers are looking for specific data during their attacks, and how they try to use what they find.

Cyber attribution is not an exact science, and the evidence it produces is circumstantial rather than conclusive. In practice, investigators combine these techniques and state their findings with a confidence level (for example, low, moderate or high confidence) rather than claiming proof beyond a reasonable doubt; meeting a legal standard of proof is a matter for the courts, working from evidence whose integrity and chain of custody have been preserved.

This was last updated in October 2017
