Kaspersky Labs has just published some really interesting threat intelligence called ‘A look into the Russian-speaking ransomware ecosystem’, which provides an insight into ransomware trends across 2016. One of them was that, of the 62 new crypto ransomware families that emerged, 47 can be attributed to Russian-speaking actors.
The big question is, does this really matter?
In the report, Kaspersky Labs researcher Anton Ivanov concludes that one of the reasons for this is that “there are a lot of well-educated and skilled code writers in Russia and its neighbouring countries”, a point on which there can be no doubt.
Ivanov goes on to suggest that the Russian cyber-criminal underground was temporarily knocked back after something of a ransomware epidemic between 2009 and 2011 put pressure on law enforcement and technology companies alike to respond. One of the biggest blocks erected was making the taking of payments through SMS premium services a lot harder. So the criminals just waited until they could monetise their efforts again, and that came with crypto-currencies.
Again, all fascinating stuff for law enforcement, especially when considering the bigger, strategic picture of who the attackers are and what hits their operations hardest; but why should the average enterprise CISO give a damn?
The same can be said about the news earlier this week that the UK has been hit more than 188 times by serious cyber-attacks in the last three months alone. National Cyber Security Centre chief Ciaran Martin told the Sunday Times [http://www.thetimes.co.uk/article/russia-steps-up-cyber-attacks-on-uk-rl262pnlb] that this was part of a “step change in Russian aggression in cyber-space.”
That law enforcement should worry about this stuff is understood, and attacks on critical national infrastructure and government targets obviously go beyond the normal remit of enterprise cyber-security strategies. However, for the most part the enterprise really doesn't need to waste time, money and especially focus worrying about the ‘who’ and ‘when’, as the ‘what’ is all that matters, isn't it?
Stuart Clarke, chief technology officer for cyber-security at Nuix, disagrees. “Attribution is important because maintaining a good security posture requires continuous learning and development of actionable intelligence,” he told SCMediaUK. And Mike Ahmadi, global director for critical security systems at Synopsys, quoted a bit of Sun Tzu at us with, “It is said that if you know your enemies and know yourself, you will not be imperilled in a hundred battles.” Sun Tzu's point, and Ahmadi's, being that ‘knowing who your enemies are empowers you with the knowledge of how well resourced they may be, how motivated they may be, and potentially why they are attacking you in the first place.’
Most others we spoke to agreed that the Kaspersky report, and others, are interesting. “A lot of the C&C infrastructure is based in Russia; this is in part down to the Russians' relaxed attitude to hosting the fast fluxing and dynamic hosting environments needed by hackers,” says Simon Edwards, European cyber-security architect at Trend Micro, who continues, “but in terms of how important attribution is to companies, I would say in most circumstances not at all.”
Gareth Grindal, head of analysis at Context, agrees and told SCMediaUK, “Geographic attribution of cyber-crime activity does not mitigate the risks for an organisation. If I steal money from your bank account, does it really matter to you, the victim, whether I live in Russia, China, or North Korea?”
This theme was repeated by many in the industry. Take Brian Laing, VP at Lastline, who points out that having this type of attribution has little impact on the actual response process. “When we talk to companies about their incident response process,” Laing said, “we will often ask them how they would respond differently if they knew the attack was coming from a specific threat group.” Every non-government company they talked to said they had no idea how, or if, they would respond differently.
And, as Andy Norton, risk officer (EMEA) at SentinelOne, warns, “attribution data should not be used to triage attacks because it can be wrong, fake, planted, forged, and unknown. Attack triage needs to be done on the capability of the threat.” Not least because nobody wants to be caught, and many actors will hire third parties to conduct attacks, giving them plausible deniability.
So, investigating attribution is at best a waste of time. “The fact is that the enterprise has suffered an attack,” says Pascal Geenens, EMEA security evangelist at Radware. “Spending weeks or months finding the attacker will not change that fact.”
And a waste of money. “In our experience, money is always better spent in the defence of a breach rather than in trying to find the culprit,” Ryan O'Leary, VP Threat Research Centre at WhiteHat Security, insists. “Cyber-attacks can appear on a global scale and therefore if one group or individual can launch an attack then so can others. The issue is not the attacker, it's the system that is susceptible to the attack.”
That said, Paul Calatayud, CTO at FireMon, can understand why attribution is such a highly-debated topic amongst CISOs, even if they won't gain much benefit from it. “When there is potential harm or some harm has occurred, people want to know why and who,” he concludes.
We'll leave the last words to independent cyber-security consultant Orlando Scott-Cowley, who told SCMediaUK that “attack attribution in the enterprise, or at least searching for someone to blame, is going to be an intensely time consuming and expensive exercise for most organisations.” Orlando's advice?