Putting aside some of the technical challenges of accurately attributing a cyber threat, does knowing who attacked (or is currently attacking) your organization matter?
I've heard others in the security community, including some CISOs, indicate that attribution is not a priority. The rationale is that the research cost of knowing "who" outweighs any advantages gained. Additionally, most organizations simply don't have the investigative capability, and even if they do, what would they do with the identity of their attacker other than turn it over to the appropriate law enforcement authorities? For most APT and cybercrime, threat actors reside beyond the reach of any law enforcement with an interest in prosecuting them.
Ergo, they argue that it is more important to focus on the "how" of an attack, not the "who."
I understand this position, but I believe it overlooks much of the value of attribution. Think of the number of potential "hows" there are for a typical organization to cover. There is always a vulnerability that can be exploited, whether it's in your people or your IT systems. You can do much to reduce exposure by hardening, patching and deploying both signature-based and signature-less security tools, but you can't remove every single "how" an attacker could use.
Having a sense of "who" helps you focus on the most critical "hows." Knowing an attacker's full identity isn't always necessary, but having a specific threat actor profile gives you a better understanding of your adversary's tradecraft, behaviors and motives. It can help you narrow your focus from thousands of potential threat indicators to a subset that you can prioritize. That subset can then be used to tune instrumentation, information security monitoring and targeted threat hunting processes so that the threat is detected earlier in the kill chain.
A good threat actor profile also improves your ability to disrupt the attack and eradicate the adversary's presence in your environment. If you can link observed indicators to a known threat actor profile, you can respond to the threat with better awareness of the adversary's objectives and TTP (tactics, techniques and procedures). This puts you in a much stronger position to counter the threat and protect targeted assets. Once you have disrupted the threat actor's progress, your adversary knows they've been discovered and will act. Knowing the attacker's TTP allows you to anticipate and limit their next steps, minimizing the window of engagement between disrupting the attack and removing the threat actor from your environment.
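The two preceding paragraphs describe a workflow: match observed indicators against threat actor profiles, pick the best-matching profile, and use that actor's known TTP to prioritize what to hunt for next. The script below is an added example of that workflow in Python; it is not code from the original post. The actor profiles, technique labels, kill-chain stages and alert lines are all constructed for illustration and do not come from any real threat intelligence catalogue.

```python
"""Profile-driven prioritization of observed indicators (added example).

Constructed data: the actor profiles, technique labels and alert lines below
are illustrative and do not describe any real threat actor.
"""

# Kill-chain order, used to rank an actor's not-yet-observed techniques so
# hunting concentrates on the adversary's most likely next steps.
KILL_CHAIN = [
    "recon",
    "delivery",
    "exploitation",
    "installation",
    "command-and-control",
    "actions-on-objectives",
]

# Constructed threat actor profiles: technique label -> kill-chain stage.
ACTOR_PROFILES = {
    "ACTOR-A (constructed)": {
        "spearphishing-attachment": "delivery",
        "macro-enabled-document": "exploitation",
        "scheduled-task-persistence": "installation",
        "dns-tunneling-c2": "command-and-control",
        "staged-archive-exfil": "actions-on-objectives",
    },
    "ACTOR-B (constructed)": {
        "exposed-rdp-bruteforce": "delivery",
        "credential-dumping": "exploitation",
        "service-persistence": "installation",
        "https-beacon-c2": "command-and-control",
        "ransomware-deployment": "actions-on-objectives",
    },
}

# Constructed alert lines in a simple key=value format, as a detection
# pipeline might emit them after classifying an event.
SAMPLE_ALERTS = [
    "2024-01-10T08:02:11Z sensor=mail technique=spearphishing-attachment host=ws-117",
    "2024-01-10T08:05:40Z sensor=edr technique=macro-enabled-document host=ws-117",
    "2024-01-10T09:15:02Z sensor=edr technique=unclassified-noise host=ws-042",
]


def parse_alerts(lines):
    """Extract the set of technique labels seen across alert lines."""
    observed = set()
    for line in lines:
        for field in line.split():
            key, sep, value = field.partition("=")
            if sep and key == "technique":
                observed.add(value)
    return observed


def score_actors(observed, profiles=ACTOR_PROFILES):
    """Count how many observed techniques each actor profile explains."""
    return {actor: len(observed & set(techs)) for actor, techs in profiles.items()}


def best_match(observed, profiles=ACTOR_PROFILES):
    """Return the highest-scoring actor, or None if no profile matches at all."""
    scores = score_actors(observed, profiles)
    actor, score = max(scores.items(), key=lambda kv: kv[1])
    return actor if score > 0 else None


def prioritize_hunts(observed, profiles=ACTOR_PROFILES):
    """Pick the best-matching actor and list its techniques not yet observed,
    ordered by kill-chain stage: these are the places to tune monitoring and
    hunt first, instead of spreading effort over every possible 'how'."""
    actor = best_match(observed, profiles)
    if actor is None:
        return None, []
    techs = profiles[actor]
    remaining = [t for t in techs if t not in observed]
    remaining.sort(key=lambda t: KILL_CHAIN.index(techs[t]))
    return actor, remaining


if __name__ == "__main__":
    seen = parse_alerts(SAMPLE_ALERTS)
    print("observed techniques:", sorted(seen))
    print("profile scores:", score_actors(seen))
    actor, hunts = prioritize_hunts(seen)
    print("best-matching profile:", actor)
    print("hunt next (kill-chain order):", hunts)
```

The scoring here is deliberately simple (a count of profile techniques explained by the observations); in practice you would weight techniques by how distinctive they are for an actor, since a technique shared by many actors says little about "who". The point the example makes is structural: once a profile is selected, the hunting list shrinks to that actor's remaining stages, which is the narrowing the text describes.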
When you take into account the value of knowing the methods and motivation of your attacker, attribution matters. Security leaders, especially those concerned about APT and targeted threats, should pay attention to "who" if they want to be more effective at countering the "how."