For the past few years there has been a big focus on attributing attacks. The government has always been in the game (but obviously keeping it close to the vest) and recently vendors have been getting into the action for marketing, PR, and threat intel sales purposes (thanks to Mandiant for starting that one). This trend has led to a lot of other organizations trying to attribute attacks against them as well. If I have one word of advice for most out there, it would be “STOP.”
For all but the very elite, trying to figure out the “who” is a waste of time. Even if you do pull together some semblance of a picture of the attacker, there is not much most organizations can do besides reporting it to the authorities. And depending on the level of the adversary, you may never hear anything back due to sensitivity or classification concerns.
The resources exhausted on trying to figure out the “who” are much better spent on understanding the “how” of each attack. Cross-referencing that understanding with other researched attacks surfaces trends, and those trends solidify into adversary TTPs that organizations can use for the one thing they should be focusing on: detecting and preventing future attacks.
Many in the threat intel community have been saying exactly this for a while, but for the purposes of this article I am going to use @krypt3ia’s well-known line from his discussion of the Ashley Madison compromise. Enjoy!
“It’s not about the who… It’s about the how. Learn from the how and attempt to prevent it in the future” – @krypt3ia
Today’s post pic is from Twitter.com. See ya!