Attribution across Cyber Attack Types: Network Intrusions and Information Operations

Abstract

As the stakes get higher, intelligence and law enforcement agencies are working together to find the people responsible. This takes a lot of hard work. Tools and methods for figuring out who did bad things on the Internet are still in their early stages. Most of the time, people or groups are linked to attack activities through technical measurements, the origin of malicious code, and non-technical assessments of attack and attacker characteristics. Most of the time, figuring out who did an attack is a manual, time-consuming process that depends on both technical analysis and intelligence from the ground. As a result, this difficult and time-consuming process of attribution is mostly used for the worst cyber attacks and attacks on organisations with a lot of resources. Over time, we've gotten better at figuring out who did what. However, this is a double-edged sword: as attribution gets better, Internet privacy gets worse. This paper talks about attribution for two types of attacks that are at the centre of cyber conflict today: network intrusions and misinformation campaigns led by social bots. The paper talks about the current state of attribution for both types of attacks, makes suggestions for how it could be done better, and lays out directions for future research.