Evidence linking the presumed attacker to the attack
An understanding of the attacker’s actions, supporting that evidence
Evidence collected from other systems that matches the understanding of the attacker’s actions
An understanding of the sequence of events during the attack, matching the evidence
via Attribution is Hard, Part 1 | Tenable Network Security.
[H]e pointed out attribution to malware was not key in combating cybercrime because it did little to improve the state of security and most attribution took a long time and may not be accurate.
via FireEye: Malware attribution not key in cybercrime fight | ZDNet.
No argument. It's probably a bad idea to hack back, unless you are reasonably certain that:
a) you are the toughest kid on the playground; or
b) you have nothing left to lose, because it is a matter of life or death.
Much like in the real world. Which begs the question:
Why are we still stuck in the 90’s mentality that what happens on the Internet is not IRL?
Can we agree that this is a real problem, not an imaginary one, where a cyber bully flicks your cyber ear and you cyber respond with a cyber insult? Instead, a real person did something really bad to you using the dangerous weapon attached to his keyboard, and you have to demonstrate an immediate ability to protect yourself, or the bad guy will do it again. This is real life, and there are real losses. Do you hire armed or unarmed cybersecurity guards to mitigate your risk?
Schneier disagrees with active defense. From the post:
Because espionage unfolds over months or years in realtime, we can triangulate the origin of an exfiltration attack with some certainty. During the fog of a real cyber war attack, which is more likely to happen in milliseconds, the kind of forensic work that Mandiant did would not be possible. (In fact, we might just as well be “Gandalfed” and pin the attack on the wrong enemy.)
“Gandalfed” is a cool word to indicate that you attack the wrong enemy, or attribute the attack to the wrong group. I agree with the post that we have not solved that attribution problem. I continue to argue that during the long millisecond where the attack is active, there is no need to attribute. There is simply a need to make the attack stop. Find out where the attack originates after you halt the attack with an appropriate use of force.
“I’ll give you a prediction,” said John Carlin, the principal deputy assistant Attorney General in Justice’s national security division. “Now that we are having people look at bringing one of these cases, it’s there to be brought, and you’ll see a case brought.”
via DOJ Plans To Indict State-Sponsored Cyber Attackers | Defense News | defensenews.com.