So let's talk about the human elements of attribution.

We have a nice quote here from Fiske and Taylor (1991) detailing some aspects of attribution theory. As we can see, this touches on the correlation and causation examples that I gave a little bit earlier in this module. One of the things to think about for attribution is that it's a sort of a two-edged sword. Knowing who took some action, or which group was responsible, which nation state was responsible, for instance, those are pieces of the puzzle that do need to be known, because it helps to inform current activities and future activities. The problem is that, because of a requirement of public disclosure, this could inadvertently reveal some information; sources and methods are frequently mentioned.

There's also the chance that publicly disclosing who is responsible for a particular attack or incident might be what the attacker actually wants. They want some notoriety; they want some publicity. They might try to claim responsibility for something that's happened because it helps to promote their cause, especially hacktivists and cyber terrorists. They have their own reasons for wanting to remain somewhat in the spotlight, at least their organization, maybe not themselves personally, but they might want to promote the organization. The Anonymous group and the Shadow Brokers are a couple of examples of that; they usually try to claim responsibility because they want you to know what their power is, what they can do, what they're capable of, much like regular terrorists might do in the real world. Cyber terrorists are one thing, but if you've got ISIS or Al Qaeda or something like that, and they launch an attack, usually they want to claim responsibility for it so that it helps, again, to promote their cause. It might also help them to get people to join their organization, just like it would for hackers who are trying to claim responsibility. It could be a recruiting tool.
This type of attribution, really any type of attribution, does have some problems, though. There are so many ways to get it wrong that it's risky in many cases to announce anything at all. Maybe there is a certainty factor which could alleviate that: the persons who are making the announcement might say, we're not sure, we have, you know, 70% confidence that this is the correct information. Now, doing this on a campaign basis, as we talked about in earlier sections of this course, a campaign is a collection of events that appear to be related to one another, or appear to be committed by the same threat actors, the same bad guys, if you will. As the types of events or incidents are grouped together, attribution could be a slightly easier task, because you might recognize a similar methodology, a similar technique of achieving some goal, and those things could be combined and looked at under a magnifying glass to see: is this related information? Do these people that are all taking these actions appear to be part of the same organization?
It is difficult work to do, for sure. With more modern machine learning tools, a lot of threat intelligence platforms and other technology that's available will try to do some analysis on disparate pieces of information, trying to look for those patterns, trying to find a way to link things together in a manner that reaches some sort of a conclusion. If you recall, in the last module there was a demonstration of the Maltego tool, and there are certainly other ones like Maltego, but that's just one that's easy for everybody to get their hands on because it's free; there's at least a free version of it. That's not a machine learning tool per se, but it can help to organize information, perhaps in more of a geospatial way, where you're looking at where and when a new attack happened: where did the traffic come from? Concluding, or rather correlating, evidence that shows that certain activities happened along a timeline from certain physical locations could also lend credence to certain conclusions being correct, or incorrect for that matter. So there are a lot of angles to this. The important takeaway here is to think about how difficult attribution is, and how careful the analyst must be in order to get it right within the limits of their subject matter expertise and the tools that they have available.
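As an added example, not part of the lecture or of any tool it mentions, here is a small Python illustration of the campaign-grouping and correlation idea above: events are linked when their tradecraft overlaps and they either share a source network or fall within the same time window, linked events are merged into candidate campaigns, and each campaign gets an average-overlap confidence figure of the kind an analyst might report ("70% confidence"). The event records, technique labels and source labels are all constructed for this example; they are not a real taxonomy or real incident data.

```python
"""Group security events into candidate campaigns by shared tradecraft.

Added illustration (constructed data). Events are linked when their technique
sets overlap enough AND they share infrastructure or occur close in time; the
linked events are merged with union-find, and the average pairwise overlap of
a campaign's members is reported as its confidence.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import combinations


@dataclass(frozen=True)
class Event:
    event_id: str
    seen: datetime
    source: str              # constructed label for the origin network
    techniques: frozenset    # constructed tradecraft labels, not a real taxonomy


def similarity(a: Event, b: Event) -> float:
    """Jaccard overlap of the two events' technique sets, 0.0 .. 1.0."""
    union = a.techniques | b.techniques
    if not union:
        return 0.0
    return len(a.techniques & b.techniques) / len(union)


def linked(a: Event, b: Event, min_similarity: float = 0.5,
           window: timedelta = timedelta(days=30)) -> bool:
    """Link two events only when tradecraft overlaps enough and there is a
    second corroborating signal: same source network or same time window."""
    if similarity(a, b) < min_similarity:
        return False
    same_source = a.source == b.source
    close_in_time = abs(a.seen - b.seen) <= window
    return same_source or close_in_time


def group_campaigns(events, **link_kwargs):
    """Return a list of campaigns, each {"events": [ids...], "confidence": x}.

    Confidence is the mean pairwise similarity among members; a lone event
    has nothing to corroborate it and gets 0.0."""
    parent = {e.event_id: e.event_id for e in events}
    by_id = {e.event_id: e for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for a, b in combinations(events, 2):
        if linked(a, b, **link_kwargs):
            parent[find(a.event_id)] = find(b.event_id)

    clusters = {}
    for e in events:
        clusters.setdefault(find(e.event_id), []).append(e.event_id)

    campaigns = []
    for members in clusters.values():
        members.sort()
        pairs = list(combinations(members, 2))
        if pairs:
            conf = sum(similarity(by_id[x], by_id[y]) for x, y in pairs) / len(pairs)
        else:
            conf = 0.0
        campaigns.append({"events": members, "confidence": round(conf, 2)})
    campaigns.sort(key=lambda c: c["events"])
    return campaigns


# Constructed sample: three phishing-style intrusions that look alike and one
# unrelated web-application incident.
SAMPLE_EVENTS = [
    Event("EV-1", datetime(2024, 1, 5), "net-A",
          frozenset({"spearphish_attachment", "macro_dropper", "dns_c2"})),
    Event("EV-2", datetime(2024, 1, 20), "net-B",
          frozenset({"spearphish_attachment", "macro_dropper", "dns_c2", "cred_dump"})),
    Event("EV-3", datetime(2024, 4, 10), "net-A",
          frozenset({"spearphish_attachment", "macro_dropper"})),
    Event("EV-4", datetime(2024, 1, 12), "net-C",
          frozenset({"sql_injection", "webshell"})),
]

if __name__ == "__main__":
    for campaign in group_campaigns(SAMPLE_EVENTS):
        print(campaign)
```

EV-3 is never linked directly to EV-2 (too far apart in time and from a different network), but it joins the same campaign through EV-1, which is exactly the kind of transitive chain an analyst needs to examine under the magnifying glass rather than accept at face value. A confidence figure like the 0.64 this sample produces says only that the events look alike in the dimensions measured; shared tooling between unrelated actors, copied tradecraft, or a deliberately planted resemblance would produce the same score, so the number bounds how strongly a conclusion should be stated rather than proving who was responsible.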