6Attribution
Attribution is the art and science of linking a cyber incident to a specific threat actor. At the scene of every crime, perpetrators leave behind evidence that can be used to prove their association with the crime. In this respect, cyber security is no different from physical crime.
Instead of searching for DNA evidence or fingerprints at the scene of the crime, we must search for the similarities between attacks, especially the repeated use of specific tools or infrastructure, to link known threat actors with their crimes. Used effectively, attribution can be a powerful deterrent to threat actors, and help uncover patterns that can be used to detect and predict subsequent attacks.
Chapter 6 presents why attribution is important, and the points to consider when attributing an attack.
6.1 Holding Perpetrators to Account
Norms of behaviour are maintained within our societies via systems of rewards and punishments. Rewards range from informal words of praise, through recognition of esteem and status, to formal awards of honours or medals. Punishments range from words of admonishment, restitution to victims, through to prolonged loss of liberty or even forfeiture of life.
The cyber domain is no different. National and international laws apply to actions conducted in cyberspace, in addition to recognised norms of behaviour, that regulate and control the actions of participants. Anyone transgressing these rules should expect appropriate sanctions.
In practice, the ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access