In the wake of malicious attacks, we often witness everyone focusing on searching for those responsible, as opposed to how or why the attack took place and the most critical lessons that we can learn as a result. This line of thinking is wrong and here’s why.
To start, attributing attacks to the responsible party or parties is difficult as bad actors use a variety of techniques to mask their malware’s origins. Secondly, we may wish to know who performed the attack so that retribution or justice can be served, but this knowledge does absolutely nothing to prevent such an event from occurring again, perhaps even in the same way.
By focusing on the “where” or “who,” you are neglecting to analyze the nature of past attacks and discover the lessons that can be learned from them.
Enhancing your cyber resilience while applying key learnings
1. Previously effective analysis techniques are nearly useless because of modern compilers
In the past, a Bayesian analysis would help identify clues in the code that might lead to a possible point of origin. This was followed by analysis of the source code, the binaries, the subroutines, the sequence of instructions, and the language embedded in the code to paint a picture of where the malware might have originated.
However, today’s modern optimizing compilers make it nearly impossible for those previously effective analysis techniques to produce useful information.
2. Previously reliable indicators are no longer reliable
While certain indicators, such as tags, language and variable names in the code can provide a glimpse at who might have written it, the truth is that these are easily masked by savvy attackers to distract and mislead. A bad actor can simply put comments in Farsi or Mandarin to make it appear as though the code originated in the Middle East or China.
It is also quite possible that the code used to attack your organization was purchased from a threat actor in another country. So, threat actor A, in, let’s say, Italy, purchases malware from threat actor B, in Russia, who then weaponizes it and uses it in their attacks against an organization anywhere in the world. And, unfortunately, attackers are getting more…