“Where I come from, we have the nation’s most sophisticated detection capabilities and we have among the best brains at work in cyber security in our country,” he said. “[But] about 40 per cent – there or thereabouts – of what we see we can’t attribute to anyone, whether it’s criminal, whether it’s espionage or whether it’s sabotage.”
On the surface, the reports highlighted the gravity of the attacks and, I suppose, we can also learn about the amount of incident response or forensics work required to recover. However, the question of attribution was in the spotlight in all three incidents. Even if you can identify the (potential) actors and establish the motive, what do you do next?
Those in the security response and investigation space know that attribution or putting names (and faces) to security incidents is not that straight forward. There is a lot of work and resources required. In fact, attribution is one of topics discussed in our Internet Investigation workshop for law enforcement agencies (LEAs) in this region.
It is not achieved simply by doing a Whois or ‘tracing’ an IP address obtained in logs or malware samples. There are plenty of technologies that allow attackers or criminals to ‘hide’ their actual locations or identities. Additionally, the Internet is a wide an open space and bad guys tend to use this to their advantage. This is where collaboration and information sharing is critical when trying to piece together the story. Not always easy though!
Finally if you are interested in this topic (cross-border incident response, forensics, attribution, etc) – I think you will enjoy Kim Zetter’s book, The Countdown to Zero Day
Note: I don’t get commission for promoting the book 🙂
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.