NTSC Blog

Attribution and its Role in Deterrence

By Michael Farrell, Ph.D.
Institute for Information Security & Privacy
Georgia Tech

When one hears the word deterrence, images of nation states and military war plans may come to mind. In cyberspace, however, this concept of deterrence is now fundamental to organizations of all types. Private industry and government agencies alike require a deterrence strategy that supports the mission objective and defends their data.

But the mainstream status quo of passively playing defense and reacting to breaches after they happen is not effective. We must enable organizations to identify potential attackers before breaches occur and to definitively identify them after adverse events. Interestingly, attribution plays a key role in proactive defense and ultimately in a deterrence paradigm.

Without the ability to attribute attacks, assign identity, and name names, organizations have few legal, economic, or diplomatic response options. Every day, most cybersecurity professionals go to work without any idea about the identity and probable actions of their adversaries. This lack of information hampers both network defense and business strategy development. But with accurate attribution, organizations have a better chance of preventing, correcting, and ensuring operational continuity.

Steps Toward Better Attribution

The first step toward better attribution is an analysis of historic cyber events. It’s informative for affected organizations to perform detailed analyses of historic cyber events that are relevant to a specific attack or adverse incident. Doing so usually illustrates that different types of actors conduct different kinds of operations against different kinds of targets. For example, a nation-state actor that steals personally identifiable information from a health insurance company will use this data much differently than a cybercrime syndicate with the same stolen data. Although cyber events and attacks will vary widely in terms of motivation and desired effect, conducting historic analysis can yield patterns that will assist future defense.

The next step is for the organization to determine whether it wants to publicly name the attacker. The burden of proof currently lies with the victim to establish definitive attribution for an adverse cyber incident. Any business decision by a company (and it should be a business decision, not solely made by legal or IT departments) to publicly attribute an incident must be based on two components:

  • Technical attribution: This includes forensic investigation based on data from victim hosts and networks, as well as broader internet-scale data.
  • Analytic attribution: This is an “all-source” intelligence assessment of potential threat actors, their motivations, economic and market considerations, geopolitical realities, and other contextual factors.

By design, attribution is not a native feature of the internet. The inter-network we know and love is flexible and extensible but not designed to provide end-to-end accountability to the level of an individual user. Usually, this is a good thing. But it also affords nefarious users a modest amount of natural obscurity.

Currently, indicators of compromise (IOCs) are shared by security companies and threat researchers as a tool for network defenders. While these IOCs can be useful for reducing network risk, they alone don’t afford the granularity needed for enhanced attribution. Further, many IOC lists published on the internet tend to lack sufficient signal for persona-level attribution and/or contain significantly noisy data.

All of this naturally leads back to an ability to attribute and whether a victim organization can eventually “name names” to avail itself of meaningful response options. Significant advances by cybersecurity researchers in recent years offer hope for frameworks that may provide high-confidence attribution assessments that are publicly releasable and based on data that can be shared.

The Institute for Information Security & Privacy (IISP) at Georgia Tech has recognized the need to create a science of attribution and trace-back, and we are engaged in a multi-disciplinary research program to this end. The attribution research thrust at Georgia Tech leverages experience in statistical signal processing, novel methods for feature extraction, and the latest in machine learning to work with multiple internet-scale datasets.

We believe that progress can be made when a results-driven approach is taken and proper assumptions are used for the signal (data) characteristics such as dimensionality, sparseness, and loss. In addition to these technical elements, Georgia Tech is able to engage researchers across its campus in areas such as business, public policy, and international affairs to gain other contextual factors and create supporting analytics. This makes our research initiative truly interdisciplinary.

If successful, this method of attribution research will allow both industry and government organizations to flip the cost equation and reassert asymmetric advantage over their adversaries. Organizations can craft a deterrence strategy for their mission or business that considers not only in-depth robust defense and built-in resilience but also an ability to pursue multiple response options and hold malicious actors to account by knowing and sharing their identity. It’s time we become able to “name names.”

Michael Farrell, Ph.D., is an Associate Director of the Institute for Information Security & Privacy (IISP) at Georgia Tech and Chief Scientist for the Cyber Technology & Information Security Lab at the Georgia Tech Research Institute. He leads collaborative faculty and student teams across a wide swath of the Georgia Tech community to assess the technical, societal and geopolitical impact of cybersecurity trends for both government and commercial organizations. He leads a research thrust focused on creating a science of attribution and trace-back for malicious cyber activity.