Why does attribution matter in the digital world? When we read articles in the press about cyberattacks, we simply assume that the work has been done to properly attribute the attack to the blamed entity. After all, in the physical world, attribution is fairly straightforward – from fingerprints to DNA, the evidence is often there for the matching. However, in the digital world, attribution is difficult at best.
Here is the issue: all of the botnets that we read about, all of the malware that we hear about – it all ties back to a common pattern of use. Be it a distributed denial of service (DDoS) attack or a command-and-control node – they are all made up of various nodes within various entities around the world and are used or rented for a wide variety of illegal purposes – regardless of who acts as the catalyst. The best botnets are not widely known, have not been used very much if at all, and are comprised of seemingly innocent devices such as home cable or DSL nodes, or relatively anonymous virtual private servers. Any entity with access to meager sums of money can rent such a botnet – skilled operators included – and appear to be much more capable than they really are.
Think about it. In the physical world, there is no choice but to use assets owned and identified by the parent entity – thus, attribution is a given. But in the digital world, the name of the game is anonymity. And nodes to launch an attack from are available around the world, 24/7. From finding and exploiting a vulnerability in a popular VPS control panel to hiding in the herd, anonymity enables armies of unwitting nodes to participate in all sorts of attacks – including being part of a targeted penetration on a foreign nation or entity. Regardless of the purpose, the outcome is the same – attribution is nearly impossible.
No entity in their right mind would use assets that could be directly traced back to them in any way.
So, to make the claim that entity X attacked entity Y is never so simple. In the absence of quarantined malware that has been thoroughly examined and disassembled, as with some of the recent higher profile attacks, attribution is at best a guessing game.