Why breach attribution is a red herring

By J.J. Thompson, Senior Director Managed Threat Response at Sophos

Credit: ID 164506987 © Kanawat | Dreamstime.com

When a data breach occurs, the first question often asked is ‘where did it come from?’. It should be ‘how did they get in?’.

Cyberattacks are regularly in the spotlight and headlines that attribute an attack to a certain nation-state or organisation, only add fuel to the fire. Knowing who carried out an attack is important, but it’s not the most critical aspect. Attributing an attack can even be an unnecessary distraction from the real problem.

Instead, business leaders should direct their efforts to patching the vulnerabilities that allowed the attack to occur—this means asking ‘how’, not ‘who’. The focus should be on protecting the business against further attacks and ensuring the right technology and staff with the right skills are in place to neutralise threats.

Neutralising a cyberattack

Imagine a ransomware attack hits an organisation. The IT team will manage the situation as best they can, however as the ransomware deadline approaches, the business begins to question whether it makes sense to pay the ransom.

So far, the IT team has been unable to verify what ransomware they are dealing with, nor can they identify how it got there.

At this point, worrying about a nation-state attack is wasting time. Businesses should be taking steps to get back online, determining the best way forward. This involves pushing the attribution question aside to focus on resolving the problem.

Recovering from a cyberattack in a timely fashion also requires a streamlined and pre-planned approach. First, business leaders must understand the facts by meeting with the IT or security team to discuss key points such as when the issue started, what caused it, what damage did or could it cause and what needs to happen for the business to become operational again.

The answers to these questions should inform the business’ next course of action.

Still think there’s value in attribution?

Other than the fact we are psychologically wired to seek attribution and point the finger, are there any real benefits to attribution? Consider these questions:

  • How would knowing who the attacker is help the business?
  • What are the costs of being wrong?
  • Are you sure you’re not exhibiting any confirmation bias?
  • Does the benefit of knowing outweigh the potential costs of being wrong?

Attribution certainly isn’t useless; threat intelligence derived from previous attribution efforts can be helpful—known threats can have known solutions. However, organisations should deprioritise attribution in the first instance and focus on getting the business back online and addressing vulnerabilities—particularly the vulnerability that led to the attack.

Business leaders should set the direction and guide IT and security teams toward threat prevention, detection and response. This means addressing active compromises, neutralising threats and determining root causes to prevent future attacks—all the while avoiding becoming side-tracked by attribution!

Tags data breachesransomware attacks

Show Comments