Monday, February 9, 2015

Is Attribution Important?

First, let me say that I am biased.  As a career Army officer, I have internalized, over 25+ years, the importance of threat intelligence.  It started when I was a young Lieutenant in Germany, facing off across the Fulda Gap against the Red Horde.  After that was the first Gulf War, then on to peacekeeping operations in Bosnia and Kosovo, and finally Operations Iraqi Freedom and Enduring Freedom.  All of these different kinds of military operations (armored warfare, peacekeeping, counterinsurgency, and security force assistance) require a robust but tailored intelligence effort.  Cyber operations, whether in the public or private sector, are no different.  Network defense is by its nature adversarial.  You are defending against someone who wants to do harm to your organization, and to approach such a situation without some sort of intelligence on potential threats is likely doomed to failure.

An intelligence effort can have multiple components.  One important aspect, one that some don't consider to be part of the intelligence effort, is to know yourself.  The more you know, the better.  Having a full accounting of all of the devices on your network and what software is running on them, including versions and patch levels, is extremely helpful when a new vulnerability is announced.  This inventory helps your security team prioritize efforts when taking action to mitigate new threats.  Another potential component of a security intelligence apparatus is a "threat intelligence" capability.  Here you might keep the pulse of real-time threats and exposed vulnerabilities from various CERTs, ISACs, and other sources.  Any way you slice it, some level of intelligence collection and analysis is critical.

Attacker attribution is an intelligence effort that has recently garnered increased attention.  Like many cybersecurity topics, there are lots of opinions regarding its value, and even some diametrically opposed positions on the matter.  On one end of the spectrum is CrowdStrike, a company that has built a large part of its business on threat attribution and has provided these services to both public and private sector entities.  CrowdStrike argues that threat attribution is essential.  Their tagline, "You Don't Have a Malware Problem, You Have an Adversary Problem," reflects their assertion that once you know exactly who is attacking you, you can take defensive measures against that specific individual's or organization's known tactics, techniques, and procedures (TTP).

On the other end of the spectrum are Jack Daniel, Paul Asadoorian, and the crew at Security Weekly, who recently discussed threat attribution during episode 399 of their weekly podcast.  Jack devoted one of his "rants" to an eWeek article entitled "Best Defense Against a Cyber-Attack Is to Know Your Adversary", which describes the philosophy of Tom Chapman, director of cyber operations at EdgeWave Security (the article referenced in their show notes for episode 399 is an excerpt with the same title).  Jack Daniel scoffs at this notion, arguing that knowing your adversary is of little value in network defense.  "You have to know your own sh*t," he says.

During the 2014 National Science Foundation Cybersecurity Summit for Large Facilities and Cyberinfrastructure I moderated a panel on "Threat Profile for NSF Large Facilities and Cyberinfrastructure."  Among the panelists was Matthew Rosenquist, Cybersecurity Strategist for Intel Corporation, who had just given the keynote address.  Matt's talk on "Strategic Leadership for Managing Evolving Cybersecurity Risks" included prediction as a component of defense-in-depth.  He argued that predicting future attacks against your organization can come from an analysis of the most likely attackers, targets, and methods, something that threat attribution would certainly facilitate.  Matthew described a process by which threat actors are divided into "archetypes" with common attributes in terms of resources, skills, targets, tactics, etc.  Understanding who targeted you in the past helps in predicting which archetype is likely to target you in the future, and therefore informs your protective posture and helps you prioritize your approach to defense.  After all, it is difficult, some would say impossible, to completely protect everything in your network.

So, who's right?  I leave it up to you to decide whether threat attribution is relevant or not.  I'll state the obvious here: you must prioritize your intelligence effort according to the resources you can devote to it.  Of critical importance is knowing what hardware and software are on your network so that you know how new threats might impact you.  Next, subscribe to intelligence feeds necessary to know of new threats and vulnerabilities.  Analyze potential threat archetypes and keep track of those that you think would target you.  Finally, once you can do all that, begin to focus on threat attribution to refine your understanding of who is targeting you and why.

And I got through this without a single Sun Tzu quote . . .
