Share this
Why TPPs Matter and Attributions Do Not
by Reflare Research Team on Jan 12, 2023 7:13:00 PM
Attribution is hard, and even when done successfully, it's often wrong. Instead, understanding the tactics, techniques, and procedures (TTPs) of threat actors can help you look for indicators of compromise, and help you prepare for future attacks.
First Published 26th October 2021 | Latest Refresh 12th January 2023
I think, therefore I am... possibly... not correct... about who hacked me... maybe?
5 min read | Reflare Research Team
The lessons of history
Several years ago, we published a series of articles discussing the Democratic National Committee (DNC) hack and shared our views regarding nation-state attribution (by attribution, we are referring to the assignment of a preparator's exact name or origin to their designation. Designations such as ‘Cozy Bear’ are normally used to refer to actors that are suspected to be behind multiple breaches that share common characteristics. Some security vendors and practitioners may use the word attribution to simply mean linking multiple breaches to entities in which actual identities may be known or unknown).
Since then, a lot more information has surfaced on the incident, shedding new light on what the US Intelligence community and its allies knew all along, and what was kept from the public eyes - specific knowledge that made them confident that the Kremlin was behind the breach.
We learned from reports and official documents that the Netherlands’ domestic intelligence service, General Intelligence and Security Service of the Netherlands (AIVD) had been secretly watching one of the groups accused of being behind the DNC hack, “Cozy Bear”, since as early as 2014 after successfully hacking into the CCTV network of the office space in which they run their operations. This enabled them to alert their American counterparts when they found that the Russian spy-agency affiliated group had successfully breached the State Department computer network.
So, does this new development change our perspective on attributions?
Off the rails
Not quite. While the infosec community might have got it right with the DNC hack, they don’t have the history of always being spot on.
Sarah Jones, a principal analyst at FireEye, made an excellent presentation at SANS CTI Summit 2019 on the history of attribution mistakes. A seasoned cyber threat intelligence analyst, she highlighted how infosec companies and professionals are often guilty of misinterpreting information, making biased assumptions, and how they often found their conclusions to be completely off base.
Another researcher, Yury Namestnikov from Kaspersky, shows how easy it is for analysts to be misled into going down the wrong rabbit holes. In his talk at Kaspersky Industrial Cybersecurity Conference 2019, he also discussed how by planting false flags, APT (advanced persistent threat) groups were able to mislead analysts and media into blaming the wrong nation.
Being smart ≠ being right
Attributing security breaches requires more than technological know-how. As a matter of fact, organisations that regularly publish reports on nation-state actors tend to recruit analysts whose background is anything but technical. This is because it takes more than digital footprints and technical expertise to be able to link hacking campaigns to those behind them. Very few cybersecurity experts are also intelligence professionals because, while they may have excellent technical abilities, they might not have the necessary tools and critical thinking skills that would be required to navigate the complexity of threat attribution.
This brings us to one important fact - not many organisations in this world have the means, talents, and capabilities to be able to attribute security breaches to the threat actors responsible for them, and those that have the resources and talents to do so, they often get their attribution wrong.
So now that we have explained to you above why attribution is hard, unless you are working for a government agency or small group of organisations in which attributions might be important for reasons such as national security, you should really be asking yourself these questions.
- Does it really matter if it was the US, Russia, India or just some random teenagers?
- Would that make your incident response process significantly different depending on the identity of the threat actors?
A more valuable way to look at things
While attribution can be useful in some cases, the information is unlikely to help most organisations improve their security posture against future attacks. On the other hand, there is always plenty of value in trying to understand threat actors' tactics, techniques, and procedures (TTPs).
TTPs are the patterns of activities or methods associated with threat actors based on the information we have about their past actions and behaviours. They can help provide insight into how threat actors execute and manage their operations. The best part is you don’t need to know the identity of an actor in order to be able to identify their TTPs just as police detectives don’t need to know the exact identity of a serial killer in order to be able to come up with a profile that describes the characteristics of the killer.
Profiling threat actors based on their TTPs work because humans are creatures of habit and changing those habits can be difficult and expensive. These habits may include programming styles, tools of choice, and even repeatedly making the same mistakes when attacking a network. By analyzing these habits, security analysts would be able to help their organisation either look for indicators of compromise (IOCs) within their network, or prepare for potential future attacks.
TTPs of known groups are readily available online, thanks to projects such as MITRE ATT&ACK that aim to provide a knowledge base of adversary tactics and techniques based on real-world observations. These projects are not just helping security professionals and organisations to learn more about threat actors, but also encourage them to become a contributing member of the community by sharing their knowledge and any information regarding threat actor's TTPs that they may know.
Information sharing amongst organisations is extremely important if they want to be ahead of the cyber threat actors. To quote Sun-Tzu, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
Sun-Tzu had an acute understanding of how powerful turning knowledge into wisdom could be. If he were alive today, we are confident that he would, without hesitation, immediately subscribe to the Reflare Research Newsletter and learn more about his digital adversaries by clicking through the related research topic below.
Share this
- December 2024 (1)
- November 2024 (1)
- October 2024 (1)
- September 2024 (1)
- August 2024 (1)
- July 2024 (1)
- June 2024 (1)
- April 2024 (2)
- February 2024 (1)
- January 2024 (1)
- December 2023 (1)
- November 2023 (1)
- October 2023 (1)
- September 2023 (1)
- August 2023 (1)
- July 2023 (1)
- June 2023 (2)
- May 2023 (2)
- April 2023 (3)
- March 2023 (4)
- February 2023 (3)
- January 2023 (5)
- December 2022 (1)
- November 2022 (2)
- October 2022 (1)
- September 2022 (11)
- August 2022 (5)
- July 2022 (1)
- May 2022 (3)
- April 2022 (1)
- February 2022 (4)
- January 2022 (3)
- December 2021 (2)
- November 2021 (3)
- October 2021 (2)
- September 2021 (1)
- August 2021 (1)
- June 2021 (1)
- May 2021 (14)
- February 2021 (1)
- October 2020 (1)
- September 2020 (1)
- July 2020 (1)
- June 2020 (1)
- May 2020 (1)
- April 2020 (2)
- March 2020 (1)
- February 2020 (1)
- January 2020 (3)
- December 2019 (1)
- November 2019 (2)
- October 2019 (3)
- September 2019 (5)
- August 2019 (2)
- July 2019 (3)
- June 2019 (3)
- May 2019 (2)
- April 2019 (3)
- March 2019 (2)
- February 2019 (3)
- January 2019 (1)
- December 2018 (3)
- November 2018 (5)
- October 2018 (4)
- September 2018 (3)
- August 2018 (3)
- July 2018 (4)
- June 2018 (4)
- May 2018 (2)
- April 2018 (4)
- March 2018 (5)
- February 2018 (3)
- January 2018 (3)
- December 2017 (2)
- November 2017 (4)
- October 2017 (3)
- September 2017 (5)
- August 2017 (3)
- July 2017 (3)
- June 2017 (4)
- May 2017 (4)
- April 2017 (2)
- March 2017 (4)
- February 2017 (2)
- January 2017 (1)
- December 2016 (1)
- November 2016 (4)
- October 2016 (2)
- September 2016 (4)
- August 2016 (5)
- July 2016 (3)
- June 2016 (5)
- May 2016 (3)
- April 2016 (4)
- March 2016 (5)
- February 2016 (4)