6.1 Introduction to Attribution

00:01

Hello and welcome to the new module about attribution.

00:05

The first lesson will be an introduction to this module as introduction. We need to understand what is attribution,

00:12

The Different Types of Retribution and Approaches to attribution

00:16

and you will see important requirements that are needed for attribution.

00:22

When discussing the latest targeted attacks, the question invariably arises. Who was behind it?

00:28

It's a simple question,

00:30

but it became difficult and complex to answer

00:34

attribution off. Cyber attacks has never bean an exact science

00:39

at the same time, attribution is done based on similarity off digital fingerprints such as coat similarity, share tools and sharing infrastructure, however, attribution, used in such methods is becoming increasingly difficult, especially with a trend off Attackers using fire less threats

00:58

such as

00:59

you'll use tools, for example. Yes, exactly.

01:02

There is also the classic problem off Attackers inserting false flags, including purposeful misdirection, obfuscation and fake calls. Design it to mask their identities.

01:15

Despite these challenges, attribution remains an important part off attack on the license. So by tying activity to specific groups, we start to see patterns off behavior that follows us to better understand the Attackers motivation

01:32

their target profile and sets the are pursuing,

01:36

but there are limits to how far we can go with retribution. For instance, even if we concise specific incidents Toe Unknown Attack Group

01:46

identifying who or what organization is directing or funding that activity is not in the scope or focus off what we are doing.

01:56

This level off attribution requires the substantial resources on access to information that is generally available on Lee to law enforcement or government intelligence agencies.

02:07

Attribution to cyber attacks means different things to different audiences. In some cases, analysts only care about group in multiple intrusions together toe, identify an adversary group

02:22

or their campaigns toe others attribution means determining the person, organization or nation state responsible off the successful intrusion or attack.

02:32

Rob Emily, the CEO and founder off Cyber security company. Drag US defines two types off attribution.

02:40

The 1st 1 is true attribution, which means that we are a tribute and an intrusion tow an individual threat actor or a group of actors who are executing the intrusion. It can also be attribution to nation state, which means that the actors are operating for interests off the government.

03:00

The second type is campaign attribution,

03:01

which means that we are linking a set of intrusions using them. In key indicators, the second attribution is much more useful than true distribution for network defense. It helps defenders identify group and investigate activity faster. Probably the fines. Also

03:22

four roads to true attribution.

03:24

The first approach is adversary admission. Here the adversary admits that they did, and Children.

03:32

The second drawer under approach is through leaks.

03:37

Here, the adversary releases the information or someone else releases this information about that. The third road is through direct access, and here it's records and direction with adversary and or their systems to collect information. In other words,

03:55

spying on the anniversary.

03:58

The first approach is through campaign attribution and here we are talking about intrusion and a license that we've explained in the previous light.

04:08

Why does distribution matters

04:12

now? Let's see that attribution.

04:15

Now let's see if attribution matters

04:19

the security blob. Our security has a great post about the value off attribution. Here are five reasons why attribution Matters based on five levels off strategy thought starting from the bottom

04:33

are the tools level attribution matters because identifying adversary my tell defenders what software they can expect to encounter during an intrusion or a campy.

04:45

It is helpful to know if the adversary uses simple tools that traditional defenses can counter or if they can write custom code and exploits to evade most any programmatic countermeasures. The benefits off attribution are similar. A Tactics Level

05:02

Tactics describes how adversary acts within an engagement or a battle.

05:09

The level off operations or campaigns describes activity over long periods of time from days to months and perhaps years over wider theater off operations. So from a department or network segment to an entire organizations environment

05:26

defenders who can perform attributions will better row their opponents long term patterns off behavior.

05:32

Basically, does the adversary prefer to conduct operations around holidays or certain hours of the day or days of the week?

05:42

Attribution House defenders answer these and related questions

05:47

at the level Off Strategy attribution matters to an organization's management and leadership as well as policy makers.

05:56

These individuals must decide if they should adjust how they conduct business based on who is attacking and damaging,

06:03

while cannot think strategically without recognizing and understanding their adversaries. Finally, the level off policy or program goals in the diagram. It's the super um goal off the government officials on top organizational management, such as sea use on their corporate boards.

06:24

Policymakers

06:25

can apply many government tools to problems such as law enforcement legislation,

06:30

diplomacy, sanctions and for once so force. Policymakers may truth to fund programs to reduce vulnerabilities, which is, in some sense, an attribution free approach. However, addressing the threat in a comprehensive manner, the man's knowing the threat. Attribution is the key toe.

06:49

Any policy decision

06:50

where one expects other parties to act or react to one's own moves When it comes to requirements for attribution, it is essential for any analysts to defeat their biases and logical errors. We will have two lessons dedicated to focus on these two concepts, but

07:11

you need to keep in mind

07:12

that biases are especially dangerous when performing any analyzes, because analyzes leaves so heavily on the human thought processes that it can lead us to inappropriate conclusions.

07:28

This is all for this video in this ness, and we introduce it attribution. We've seen the different types off attribution. We've seen that there is one type called a true attribution and their roads to true attributions.

07:43

We also discovered why attribution matters

07:46

and we define it. Some requirements for attribution

07:49

The next video will be focused on cognitive biases