In Cybersecurity, Attribution of Cyber Attacks Is a Red Herring

When your system’s under attack, does it matter who’s attacking?

Written by Quinten Dol
Published on Feb. 20, 2020
In Cybersecurity, Attribution of Cyber Attacks Is a Red Herring

The bad guys in cyberspace are getting smarter — and more numerous. But should the attribution of cyber attacks be what we're focused on?

Many cybersecurity experts report seeing an increase in both the volume and sophistication of attacks. It’s a trend exacerbated by a growing sense of geopolitical instability, which is prompting governments and militaries to test their own virtual weaponry on the computer systems of adversaries.

Attribution of Cyber Attacks

Cyber attack attribution is simply the act of tracing a cyber attack back to its roots and identifying the parties responsible for the breach. Attribution can help identify areas of vulnerability and mitigate loss.

“Everybody in the industry is seeing more and more attacks on a day-over-day basis,” said J.J. Thompson, who manages threat response teams for cybersecurity firm Sophos out of its offices in Indianapolis. “But saying that it’s attributed to one particular group is a harder statement to verify.”

He’s talking about reports of an “uptick of malicious activity by pro-Iranian hackers” in the first several weeks of 2020. As the United States and Iran traded missile attacks in carefully choreographed demonstrations of military force, the Cybersecurity and Infrastructure Security Agency (CISA) warned that further Iranian retaliations might occur in cyberspace

Thompson described an industry spooked by the flurry of headlines and struggling to figure out next steps. For cybersecurity teams battling unprecedented levels of cyber crime, the potential of a foreign government beating down the doors with a DDoS attack or large-scale system infiltration is of real concern. 

“Securing IoT end-to-end is tough on its own, because you’re talking about the engineering and DevOps phase and the data analytics phase, and both of these have completely different security models,” he said. “And now you have a media frenzy with Iran experts emerging from the woodwork to drive public chatter, which in turn drives the types of conversations tech professionals and cybersecurity experts are having.”

With handwringing across the industry, Thompson (who founded, led and sold managed detection and response pioneer Rook Security to Sophos) said there are a number of steps cybersecurity teams should — and shouldn’t — take to reduce exposure. 

5 Steps to Maximize Security

  1. Locate and identify all your endpoints, servers and other assets — and the data they contain
  2. Keep patches up to date
  3. Finalize a budget and buy (or build) technology to protect endpoints
  4. Invest in a team (or robot) who can monitor your network and respond to anomalies
  5. Create and secure your backup systems and ensure a system compromise won’t undermine those backups


sophos cybersecurity

Knowing What You Don’t Know

According to Thompson, reliably attributing an attack to a single actor, group or government is virtually impossible. 

Hackers tend to use IP addresses in the same way that more traditional criminals use burner phones, he said, so finding an Iranian IP in log data doesn’t necessarily mean anything. And open-source intelligence on known Iranian attack groups can lull cybersecurity professionals into a false sense of security. 

“If you search your network for all the indicators described in those resources and say ‘I did not find any, therefore we have not been attacked by Iran,’ that’s a cognitive leap,” Thompson said.  

The question of attribution isn’t isolated to recent tensions between two countries. Across its more than 400,000 customers, Thompson said Sophos — which is based in the U.K., employs more than 1,000 people across the U.S. and operates a stateside headquarters outside of Boston — faces increasing difficulty in attributing attacks based on indicators of compromise. After all, when a hacker writes a piece of ransomware and sets it loose on the internet, anyone can theoretically use that code for their own nefarious purposes. 

“Once the code’s out in the wild, you don’t know if the people using it are the same people who wrote it,” Thompson said.


Simulate Your SystemsWhy Security Teams Are Turning to Cyber Ranges


Attribution is a Red Herring 

For an organization defending itself against cyberattacks, the main value in attribution is that it can help signal an attacker’s motivations. Cyberattackers usually fall into two distinct groups: criminal organizations, often in pursuit of financial windfalls, and rogue businesses or governments, whose motivations can range from propaganda to industrial espionage and financial extortion.

“If their motivation is to retaliate against their enemies and be perceived as doing so successfully, they’re going to do that themselves,” Thompson said. 

The recent defacement of a federal government website with Iranian propaganda offers an example of this kind of overt penetration. But the collection of intelligence or extortion of funds to bypass sanctions are activities a government may prefer to contract out to organized crime, obscuring their involvement. 


“It’s not sexy to talk about, but it’s really important to keep those patches up to date.”


In any case, Thompson advised that cybersecurity professionals resist the urge to dwell on attribution. 

“From the perspective of a tech executive or an independent cybersecurity professional, it really doesn’t matter who was behind the attack after it has occurred,” he said. “It doesn’t matter from an insurance perspective. It doesn’t change the fact that you’ve had an outage and that data has been exposed to people who shouldn’t have it. It’s a red herring that can lead you on a wild goose chase.”


sophos headquarters

Building A Line of Defense

Thompson outlined a number of steps organizations can take to maximize the security of their systems. His first recommendation is to identify the locations of all endpoints, servers and other assets — and denote what data they store. The second step is to patch. 

“It’s not sexy to talk about, but it’s really important to keep those patches up to date,” Thompson said. 

The third recommendation is to find the best possible endpoint protection technology and network detection technology money can buy, with the fourth step focusing on network monitoring and response.

To support those precautions, an array of businesses — Sophos, CrowdStrike, McAfee, Cylance, to name a handful — are vying to position themselves as a provider of choice. Last year, Cybersecurity Ventures’ Cybersecurity Market Report predicted that businesses would spend more than $1 trillion on cybersecurity in the five years from 2017 to 2021.

“We want to be able to detect an attack within two minutes, and be in a position to act shortly thereafter,” Thompson said. “Do you have the team or robot in place that’s able to do that on their own, or on your behalf? And are they able to do that 24/7, 365 days a year?”

These kinds of rapid detection and response capabilities can be costly, and Thompson said organizations who can’t afford them are forced to accept a higher level of risk. Last year, cybersecurity firm Radware released a report claiming that the average cost of a single breach had surpassed $1 million. 

Thompson’s fifth and final recommendation is to make sure to protect all backups — a line of defense he said is increasingly at risk. 

“We’ve found that ransomware attackers are starting to go after those backups now, because it increases the likelihood of payout,” Thompson said. “Most organizations have digitally connected backup technology, and that can be rendered useless prior to the encryption of their endpoints.

“So in the case that somebody compromises your environment, would they be able to compromise your backups as well? Because if so, they’re not going to be useful to you.”


Hiring Now
Machine Learning • Mobile • Other • Social Impact • Software • App development