Why TTPs Matter and Attributions Do Not
by Reflare Research Team on Jan 12, 2023 7:13:00 PM
Attribution is hard, and even when done successfully, it's often wrong. Instead, understanding the tactics, techniques, and procedures (TTPs) of threat actors can help you look for indicators of compromise, and help you prepare for future attacks.
First Published 26th October 2021 | Latest Refresh 12th January 2023
I think, therefore I am... possibly... not correct... about who hacked me... maybe?
5 min read | Reflare Research Team
The lessons of history
Several years ago, we published a series of articles discussing the Democratic National Committee (DNC) hack and shared our views regarding nation-state attribution (by attribution, we are referring to the assignment of a perpetrator's exact name or origin to their designation. Designations such as ‘Cozy Bear’ are normally used to refer to actors that are suspected to be behind multiple breaches that share common characteristics. Some security vendors and practitioners may use the word attribution to simply mean linking multiple breaches to entities whose actual identities may be known or unknown).
Since then, a lot more information has surfaced on the incident, shedding new light on what the US Intelligence community and its allies knew all along, and what was kept from the public eyes - specific knowledge that made them confident that the Kremlin was behind the breach.
We learned from reports and official documents that the Netherlands’ domestic intelligence service, General Intelligence and Security Service of the Netherlands (AIVD) had been secretly watching one of the groups accused of being behind the DNC hack, “Cozy Bear”, since as early as 2014 after successfully hacking into the CCTV network of the office space in which they run their operations. This enabled them to alert their American counterparts when they found that the Russian spy-agency affiliated group had successfully breached the State Department computer network.
So, does this new development change our perspective on attributions?
Off the rails
Not quite. While the infosec community might have got it right with the DNC hack, it does not have a history of always being spot on.
Sarah Jones, a principal analyst at FireEye, made an excellent presentation at SANS CTI Summit 2019 on the history of attribution mistakes. A seasoned cyber threat intelligence analyst, she highlighted how infosec companies and professionals are often guilty of misinterpreting information, making biased assumptions, and how they often found their conclusions to be completely off base.
Another researcher, Yury Namestnikov from Kaspersky, shows how easy it is for analysts to be misled into going down the wrong rabbit holes. In his talk at Kaspersky Industrial Cybersecurity Conference 2019, he also discussed how by planting false flags, APT (advanced persistent threat) groups were able to mislead analysts and media into blaming the wrong nation.
Being smart ≠ being right
Attributing security breaches requires more than technological know-how. As a matter of fact, organisations that regularly publish reports on nation-state actors tend to recruit analysts whose background is anything but technical. This is because it takes more than digital footprints and technical expertise to be able to link hacking campaigns to those behind them. Very few cybersecurity experts are also intelligence professionals because, while they may have excellent technical abilities, they might not have the necessary tools and critical thinking skills that would be required to navigate the complexity of threat attribution.
This brings us to one important fact - not many organisations in this world have the means, talent, and capabilities to attribute security breaches to the threat actors responsible for them, and even those that do often get their attribution wrong.
Now that we have explained why attribution is hard: unless you work for a government agency or one of the small group of organisations for which attribution matters for reasons such as national security, you should really be asking yourself these questions.
- Does it really matter if it was the US, Russia, India or just some random teenagers?
- Would that make your incident response process significantly different depending on the identity of the threat actors?
A more valuable way to look at things
While attribution can be useful in some cases, the information is unlikely to help most organisations improve their security posture against future attacks. On the other hand, there is always plenty of value in trying to understand threat actors' tactics, techniques, and procedures (TTPs).
TTPs are the patterns of activities or methods associated with threat actors based on the information we have about their past actions and behaviours. They can help provide insight into how threat actors execute and manage their operations. The best part is you don’t need to know the identity of an actor in order to be able to identify their TTPs just as police detectives don’t need to know the exact identity of a serial killer in order to be able to come up with a profile that describes the characteristics of the killer.
Profiling threat actors based on their TTPs works because humans are creatures of habit, and changing those habits can be difficult and expensive. These habits may include programming styles, tools of choice, and even repeatedly making the same mistakes when attacking a network. By analysing these habits, security analysts can help their organisation either look for indicators of compromise (IOCs) within their network, or prepare for potential future attacks.
TTPs of known groups are readily available online, thanks to projects such as MITRE ATT&CK that aim to provide a knowledge base of adversary tactics and techniques based on real-world observations. These projects not only help security professionals and organisations learn more about threat actors, but also encourage them to become contributing members of the community by sharing their knowledge and any information regarding threat actors' TTPs that they may have.
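To make the previous two paragraphs concrete, here is an added example (not Reflare's code, and not part of the original article) of profiling an incident purely by behaviour: the techniques observed so far are compared with the TTP profiles of unnamed activity clusters, and the best-matching profiles tell the analyst which habits to hunt for next, without ever naming an actor. The technique IDs are real ATT&CK identifiers, but the cluster names and their profiles are constructed placeholders, not real group data.

```python
# Added example, not Reflare's code: behavioural profiling of an incident by
# ATT&CK technique overlap. Cluster names and their technique sets are
# CONSTRUCTED for illustration; only the T-numbers are real ATT&CK IDs.
from dataclasses import dataclass, field

# Constructed TTP profiles for two unnamed activity clusters.
# T1566 Phishing, T1059 Command and Scripting Interpreter, T1078 Valid Accounts,
# T1021 Remote Services, T1071 Application Layer Protocol, T1003 OS Credential
# Dumping, T1053 Scheduled Task/Job, T1486 Data Encrypted for Impact,
# T1490 Inhibit System Recovery.
PROFILES = {
    "Cluster A": {"T1566", "T1059", "T1078", "T1021", "T1071", "T1003"},
    "Cluster B": {"T1566", "T1059", "T1053", "T1486", "T1490"},
}


@dataclass
class Match:
    cluster: str
    score: float                       # Jaccard overlap, 0.0 .. 1.0
    to_hunt: list = field(default_factory=list)  # profile habits not yet seen


def jaccard(a: set, b: set) -> float:
    """Similarity of two technique sets; 0.0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def rank_clusters(observed, profiles=PROFILES) -> list:
    """Rank TTP profiles by similarity to the techniques seen in an incident.
    Identity is never needed: the output is which habits match and which of
    the matching cluster's habits have not been looked for yet."""
    obs = set(observed)
    results = [Match(name, round(jaccard(obs, ttps), 3), sorted(ttps - obs))
               for name, ttps in profiles.items()]
    return sorted(results, key=lambda m: m.score, reverse=True)


def hunt_list(observed, profiles=PROFILES, min_score=0.3) -> list:
    """Techniques worth hunting for now: the unseen habits of every profile
    whose overlap with the incident clears min_score, sorted and de-duplicated."""
    todo = set()
    for m in rank_clusters(observed, profiles):
        if m.score >= min_score:
            todo.update(m.to_hunt)
    return sorted(todo)


if __name__ == "__main__":
    seen = {"T1566", "T1059", "T1003"}   # constructed: what the IR team found
    for m in rank_clusters(seen):
        print(m.cluster, m.score, m.to_hunt)
    print("hunt next:", hunt_list(seen))
```

Feeding the script a phishing-plus-scripting-plus-credential-dumping incident ranks Cluster A first and yields a hunt list of the remaining habits from both profiles, which is the actionable output the article argues for.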
Information sharing amongst organisations is extremely important if they want to be ahead of the cyber threat actors. To quote Sun-Tzu, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
Sun-Tzu had an acute understanding of how powerful turning knowledge into wisdom could be. If he were alive today, we are confident that he would, without hesitation, immediately subscribe to the Reflare Research Newsletter and learn more about his digital adversaries by clicking through the related research topic below.