Jumat, 22 Januari 2010

Attribution Using 20 Characteristics

05.50  , ,  No comments

My post Attribution Is Not Just Malware Analysis raised some questions that I will try to address here. I'd like to cite Mike Cloppert as inspiration for some of this post.

Attribution means identifying the threat, meaning the party perpetrating the attack. Attribution is not just malware analysis. There are multiple factors that can be evaluated to try to attribute an attack.


  1. Timing. What is the timing of the attack, i.e., fast, slow, in groups, isolated, etc.?

  2. Victims or targets. Who is being attacked?

  3. Attack source. What is the technical source of the attack, i.e., source IP addresses, etc.?

  4. Delivery mechanism. How is the attack delivered?

  5. Vulnerability or exposure. What service, application, or other aspect of business is attacked?

  6. Exploit or payload. What exploit is used to attack the vulnerability or exposure?

  7. Weaponization technique. How was the exploit created?

  8. Post-exploitation activity. What does the intruder do next?

  9. Command and control method. How does the intruder establish command and control?

  10. Command and control servers. To what systems does the intruder connect to conduct command and control?

  11. Tools. What tools does the intruder use post-exploitation?

  12. Persistence mechanism. How does the intruder maintain persistence?

  13. Propagation method. How does the intruder expand control?

  14. Data target. What data does the intruder target?

  15. Data packaging. How does the intruder package data for exfiltration?

  16. Exfiltration method. How does the intruder exfiltrate data?

  17. External attribution. Did an external agency share attribution data based on their own capabilities?

  18. Professionalism. How professional is the execution, e.g., does keystroke monitoring show frequent mistakes, is scripting used, etc.?

  19. Variety of techniques. Does the intruder have many ways to accomplish its goals, or are they limited?

  20. Scope. What is the scope of the attack? Does it affect only a few systems, many systems?


As you can see, there are many characteristics than can be assessed in order to determine if an incident is likely caused by a certain party. Mature security shops use profiles like this to make their own intelligence assessments, often confidentially collaborating with others sharing the same problems.

0 komentar:

Posting Komentar

Langganan: Posting Komentar (Atom)