Although Agatha Christie might disagree, sometimes mysteries should remain unsolved — at least in the cyber realm. Cyber attribution — finding exactly who perpetrated a given cyberattack — has seemingly become a cybersecurity goal in and of itself. But do organizations really need to know?

Recognizing the “who” behind cyberattacks (not just the “what” and “how”) provides critical insights into the attacker’s objectives, infiltration methods, covert communication channels and more. Effective incident response hinges on uncovering the perpetrator, and so does closing defense gaps, recovering assets and implementing damage control. Attribution empowers organizations to fortify their defenses and enact specific counter offensives against those responsible.

That sounds convincing — for a government, a multinational that serves governments or an enterprise in a sensitive domain like healthcare or critical infrastructure. But how much ROI do SMBs really get from determining post-attack cyber attribution? Let’s take a deep dive into why some organizations might not need cyber attribution after an attack.

Cyber attribution: Challenging and expensive

Cyber attribution is a complex and costly endeavor. Lacking the resources and expertise for cyber attribution, organizations frequently need to hire costly external information security experts. 

Yet even cybersecurity professionals find attribution challenging. Investigations involve extensive forensic analysis, including examining digital evidence, historical data and motives. Hackers often use stolen and compromised devices, spoofed IP addresses and proxy servers — further complicating their identification. 

Attackers also don’t always use their own tools and techniques. With malware-as-a-service (MaaS), in all its infinite permutations readily available on the dark web and elsewhere, it is far from simple to determine which of the many MaaS customers committed which attack. And even if one manages to make an identification, attack groups are constantly in flux — many even purposefully conduct attacks outside their standard modus operandi to mislead intelligence groups. 

Even for law enforcement agencies, jurisdictional limitations in cross-border cybercrime investigations can slow attribution as officers navigate official channels for assistance — or stop it in its tracks if attacks originate from uncooperative or rogue nations.

To conduct a cyber attribution investigation effectively, cyber professionals need to be able to:

• Identify Indicators of Compromise (IOCs). Obtaining IOCs, such as IP addresses and geolocation, is crucial for incident mitigation. However, acquiring relevant IOCs often relies on complex malware analysis, which can be time-consuming.
• Review previous attack reports. Examining reports of past attacks, attributions and mitigations is valuable but presents challenges. The process is time-consuming and complex due to the difficulty of extracting information from non-standardized reports.
• Integrate Human Intelligence. Cyber threat intelligence groups can enhance their capabilities by incorporating Human Intelligence (HUMINT). This approach adds a dynamic layer to cyber threat intelligence efforts.
• Determine attribution reliability. This involves setting a threshold for the type and amount of information required. Some groups mandate a minimum of five indicators for verification, while others use fewer or rely on speculation.

Who needs attribution? Six scenarios

Cyber attribution is crucial in numerous scenarios — most of which are relevant only to the large-scale organizations discussed above. Identifying attackers can prove valuable if security leaders are:

1. Prioritizing cyber investments. Understanding an attacker's modus operandi allows effective prioritization of cybersecurity investments, fortifying defenses where they matter most.
2. Enhancing supply chain protection. Attribution aids in prioritizing supply chain investments, enabling organizations to implement robust cybersecurity measures throughout the chain to reduce vulnerabilities.
3. Bolstering incident response. During a cyber incident, attribution provides insights into the attacker's goals, helping defenders predict their next moves and respond more effectively.
4. Mitigating attacks through infrastructure providers. Knowledge of the attacker and their infrastructure enables organizations to mitigate attacks by, for example, taking relevant infrastructure offline, such as an AWS account.
5. Creating a national strategy and retribution plan. Governments rely on cyber attribution for national strategies, allowing decisions on potential counterattacks.
6. Supporting cyber research groups. Cyber attribution holds value for research groups, contributing to their prestige and advancing general knowledge in the cybersecurity domain.

The bottom line

It’s crucial for the United States Government to know that its cyber infrastructure was strategically targeted by a Russian hacking group. But for an SMB who discovers at great expense that their attacker was a Russian hacking group — so what? It’s highly unlikely they were targeting that SMB specifically. More likely, they just found a way in — a vulnerability to exploit, a response to a random phishing campaign, or similar.

Cyber attribution is a worthy goal when necessary — but sometimes mysteries can remain mysteries, with no one the worse for it. When resources are limited and must be wisely allocated, understanding when cyber attribution is truly essential will help guide security leaders to fortify defenses and mitigate risks more effectively.