Threat attribution looks up attackers\u2019 \u2018fingerprints\u2019 to plan your response and defense.<\/p>\n<\/blockquote>\n
How threat attribution helps if you\u2019ve been targeted by an APT<\/h2>\n
If you\u2019ve been targeted by an advanced persistent threat (APT)<\/a>, threat attribution helps you understand the attack motive and respond quickly. The cybercrime groups that carry out APT attacks are often linked to state-sponsored attacks<\/a>. It\u2019s a costly way to get to their prize. If you have something they want, you could be a target.<\/p>\n They\u2019re advanced<\/strong>. No low-cost software bought on the dark web<\/a> by do-it-yourself cybercriminals. They build their own sophisticated software for purposeful damage.<\/p>\n They\u2019re persistent<\/strong>. They seek you as their target, hitting you with weeks or months of attacks until they break through your IT security defenses. Or they lie dormant for years until the time to attack. Once in, they conduct secret operations to find critical data. If they\u2019re determined, there\u2019s only so much that cybersecurity software can keep safe.<\/p>\n And they\u2019re a serious threat<\/strong>. Their goals range from espionage to sabotage, to data theft for profit.<\/p>\n Threat attribution is a next-level solution, but it\u2019s not for every business. It\u2019s like choosing a car. What you need depends on your journey. A budget motor is fine for driving from A to B. In cybersecurity, that\u2019s endpoint security<\/a>. If you\u2019re carrying precious cargo, a limousine may be a worthwhile investment. In cybersecurity, that\u2019s threat intelligence<\/a>.<\/p>\n If you need speed and the most high-tech engine to win the race, threat attribution is that fast-track race car. <\/p>\n<\/blockquote>\n If you hold classified information that\u2019s interesting to a rival state, you\u2019re at greatest risk of an APT attack. National security and law enforcement agencies (like Interpol or the FBI) are most vulnerable. They have much to gain by uncovering who\u2019s hacking them. Sometimes APT attacks also target corporates, other government agencies and critical infrastructure like power plants and manufacturing.<\/p>\n You don\u2019t have to be a big organization to be a target. If you\u2019re making components for a military plane, a less friendly state may want to know how you\u2019re making the rudder for counter-intelligence.<\/p>\n Supply chain attacks<\/a> are also on the rise. By hitting a laptop manufacturer, hackers can infect everyone in an organization. Then, when the time\u2019s right, they strike, cherry-picking who they spy on by hacking straight into their laptop.<\/p>\n APTs are a fast-growing \u2018industry.\u2019 These threat actors<\/a> are not amateurs. They\u2019re super-organized crime workers. Some have different units for espionage, counter-intelligence and financial exploitation.<\/p>\n Lazarus<\/a> was the most significant threat actor in 2019. They attacked Sony Pictures Entertainment with a data-wipe in 2014 and made several attacks on South Korea. APT trends in 2020<\/a> predict more sophisticated attacks using artificial intelligence (AI) and deep fakes to access personal data.<\/p>\n When one of the most damaging ever ransomware<\/a> attacks WannaCry hit in 2017<\/a>, a Google researcher tweeted cryptic code<\/a> showing similarities between WannaCry and 2015 malware attributed to Lazarus. This is threat attribution.<\/p>\n Identifying cybercriminals is forensic. It\u2019s deep detective work. <\/p>\n<\/blockquote>\n You need to analyze and find clues that take you back to existing knowledge. By analyzing the attack\u2019s context, and nuances and languages deep in the code, researchers can reveal the threat actor\u2019s origins. Like all forensic analysis, it\u2019s slow and painstaking. With highly sophisticated threats, it means reverse-engineering the attacks. It can take years, even for teams of the most skilled researchers. That\u2019s often enough time for attackers to achieve their goals.<\/p>\n What if we could speed up the process? Faster attribution can shorten incident response times from hours to minutes, and reduce false positives.<\/p>\n To know what\u2019s bad, you need to know what\u2019s good. But to know what\u2019s good, you need experience. <\/p>\n<\/blockquote>\n Kaspersky\u2019s Global Research and Analysis Team (GReAT) tracks over 600 APT actors and campaigns. To help the Information Security (InfoSec) community block APTs, they produce 120 or more subscriber reports each year and share highlights in quarterly APT trends reports<\/a>. Profiling each threat actor can take years, building a database of everything you need to know about them.<\/p>\nThreat attribution wins the threat intelligence race, but it\u2019s not for everyone<\/h2>\n
Who are the threat actors?<\/h2>\n
How does threat attribution work?<\/h2>\n
\n![\"threat](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2020\/06\/26053954\/188-C-Morgan-1024x768.jpg\")
\nThese actors rarely leave a calling card, but they do leave evidence. We can analyze malware samples never seen before to find out if the actor is new, or an existing player in disguise.<\/p>\nHow can we shorten the analysis time?<\/h2>\n