Over the past year, perhaps more, there has been an increasing amount of discussion about whether or not organizations need to “know” their adversary. The topic roared up upon the publication of Mandiant’s Intel Report and the subsequent publications by other vendors. Naturally, much of the discussion focuses on espionage-type attacks, but depending on the organization, other kinds of attackers are equally important. Of course, there are experts and organizations on both sides of the spectrum. Some believe that any effort put toward identifying an attacker or likely attacker is wasted. After all, organizations have a hard enough time just keeping defenses up, let alone pulling analysts off to work on something that has no immediate impact. On the other side, some think that direct attribution is critical because without it, no direct action can be taken. As with many things, I think the true answer lies somewhere in between.
I’ll take a stab at the second position first, as I think it’s quicker to run through. The question: do you or your organization need to know the PERSON sitting behind the keyboard at the other end of the attack? I still believe that the answer, in most situations, is no. The exceptions I see are localized, physical crimes (device tampering, skimming, etc.), or organizations that are serious about prosecuting the perpetrator (which usually means there is a financial motivation). With a large enough financial loss and the right resources, attribution is often (not always) possible. It’s going to take time, effort, and, most of the time, the ability to convince law enforcement that it’s worth pursuing. In all other cases, I don’t think it’s beneficial for the average organization to put effort into identifying the specific person responsible for an attack, or to pay someone else to tell them. Getting that information is not going to improve defenses. You can’t magically block all of that person’s attacks in the future, many attackers aren’t going to be shamed into stopping their malicious activity, and don’t count on your organization pulling out of a country that’s found to be targeting it.
On the other end of the spectrum, claiming that organizations don’t need to pay any attention to the who behind their attacks is completely ridiculous. The idea is nothing new. One of the first InfoSec books I read was Know Your Enemy, published in 2004. The idea is that knowing the tactics the adversary is likely to use can be immensely valuable in prioritizing defenses and focusing employees. While understanding tactics is part of knowing your adversary, it also helps to understand the motivations behind your attackers. Why are you a target? What data are they going after (or trying to keep others from reaching)? How will they attempt to reach their goal? This is really no different from any other business intelligence function. Organizations spend immense amounts of money studying their customers, competitors, etc. It’s important to know what a customer wants and why they buy your product, right? Why not dedicate resources to understanding your adversaries as well? This allows targeted implementation of a defensive strategy. Now, this doesn’t mean that every organization should jump out and charge full steam ahead. There are many orgs that will say “What, me? I don’t have anything anyone wants.” Those orgs likely have some digging to do, some data classification to do, and probably more. If you really don’t have anything of value to others, how are you still in business? Additionally, lots of orgs will have to evaluate their security program. Once you understand who your adversaries are and what they’re targeting, it doesn’t do any good if you can’t monitor for, detect, and respond to the incidents that follow.
tl;dr – In most cases, specific attribution to a person sitting at a computer isn’t going to matter. Organizations are much better off focusing on what types of adversaries they have, understanding how those adversaries operate, identifying why they’re a target and what data of interest they hold, and using that knowledge to make informed defensive decisions. If the organization can’t act on those decisions, focus on maturity before you give any thought to attribution.