
Are you a Sleuth?


A Sleuth’s main role is to perform digital forensics analysis. Cyber attribution, the process of identifying who and what is responsible for a breach, is a crucial part of that work: collecting evidence, building timelines and piecing the evidence together in the wake of a cyber attack.

Within the context of an incident response, attribution attempts to address the ancillary questions surrounding the “who” and the “why” of an attack, as opposed to the more immediate concerns of “what”, “when”, “where” and “how”. As with any forensic process, answering these questions cannot be done quickly and will usually require significant amounts of time and resources. Furthermore, in many cases the process involves a significant amount of educated guesswork, and even analytical leaps, meaning results can often be subject to debate and difficult to back up with hard facts.
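The “when” and “where” questions above are usually answered by merging logs from several systems into one ordered timeline, and the most common way that step goes wrong is mixing timestamps that were recorded in different time zones. The following is an added example, not code from the CyberEPQ page or from the Tannery article it draws on: it normalises three constructed log samples (a web server access log, a Windows-style event export in local time, and a cloud audit record) to UTC before sorting them. The hostnames, account name, IP address and event contents are all invented for the example.

```python
"""Build a consolidated forensic timeline from heterogeneous log sources.

Added example (not from the CyberEPQ page). Every log line below is a
constructed sample, and the three formats are simplified stand-ins for
real ones. The point demonstrated: normalise every timestamp to UTC
before merging, or events recorded in local time sort into the wrong
place and the reconstructed sequence of the intrusion is wrong.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json
import re


@dataclass(frozen=True)
class Event:
    ts: datetime      # always timezone-aware, always UTC
    source: str       # which log the event came from
    host: str         # system the event was recorded on (hypothetical names)
    actor: str        # user, service or IP address that acted
    detail: str       # human-readable summary of what happened


# Constructed sample: access log whose timestamps carry an explicit offset.
WEB_LOG = """\
203.0.113.7 - - [14/Mar/2020:09:12:41 +0000] "POST /login HTTP/1.1" 200 512
203.0.113.7 - - [14/Mar/2020:09:13:05 +0000] "GET /admin/export HTTP/1.1" 200 88213
"""

# Constructed sample: event export in the host's LOCAL time with no offset.
# The analyst must supply the host's time zone; here we assume UTC+1.
WIN_LOG = """\
2020-03-14 10:14:02,WEB01,4624,Logon,svc_backup
2020-03-14 10:20:45,WEB01,7045,NewService,svc_backup
"""

# Constructed sample: one cloud audit record per line, ISO 8601 with a Z suffix.
CLOUD_LOG = """\
{"eventTime":"2020-03-14T09:25:10Z","user":"svc_backup","action":"storage.objects.create","bucket":"exfil-tmp"}
"""

WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+)')


def parse_web(text: str, host: str = "WEB01") -> list[Event]:
    """Parse combined-format access log lines; the offset in the stamp is honoured."""
    events = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than silently mis-dating them
        ip, stamp, request, status, size = m.groups()
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        events.append(Event(ts, "web", host, ip, f"{request} -> {status} ({size} bytes)"))
    return events


def parse_windows(text: str, host_utc_offset_hours: int) -> list[Event]:
    """Parse CSV event rows recorded in local time and convert them to UTC."""
    local_tz = timezone(timedelta(hours=host_utc_offset_hours))
    events = []
    for line in text.splitlines():
        stamp, host, event_id, name, user = line.split(",")
        naive = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        ts = naive.replace(tzinfo=local_tz).astimezone(timezone.utc)
        events.append(Event(ts, "windows", host, user, f"EventID {event_id} {name}"))
    return events


def parse_cloud(text: str) -> list[Event]:
    """Parse newline-delimited JSON audit records with ISO 8601 'Z' timestamps."""
    events = []
    for line in text.splitlines():
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))
        events.append(Event(ts, "cloud", "cloud-api", rec["user"],
                            f"{rec['action']} {rec['bucket']}"))
    return events


def build_timeline(*event_lists: list[Event]) -> list[Event]:
    """Merge all sources and order them by normalised UTC time (source breaks ties)."""
    merged = [e for lst in event_lists for e in lst]
    return sorted(merged, key=lambda e: (e.ts, e.source))


def render(timeline: list[Event]) -> list[str]:
    """One fixed-width line per event, suitable for an investigation notebook."""
    return [f"{e.ts.isoformat()} {e.source:8} {e.host:10} {e.actor:12} {e.detail}"
            for e in timeline]


if __name__ == "__main__":
    tl = build_timeline(parse_web(WEB_LOG), parse_windows(WIN_LOG, 1), parse_cloud(CLOUD_LOG))
    print("\n".join(render(tl)))
```

Read the Windows rows with their raw local stamps and they appear to happen after the cloud upload at 09:25; after normalisation they fall between the web requests and the upload, which is the order an investigator needs to reason about cause and effect. Each parser also tags the source, so a later false-flag check can ask how many independent sources support a given indicator rather than trusting one.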


What does a Sleuth do?

The first requirement of a sleuth during cyber attribution is to gain extensive knowledge of, and unencumbered visibility into, the IT environment, including any services the adversary makes use of, such as free cloud services. For many organizations, this is the biggest stumbling block of all. Without this insight, anyone attempting the long task of attribution is virtually guaranteed to fail, because they simply won’t know what signs to look for, nor will they have the expertise to thread what they find into a cohesive timeline. Key indicators will be missed, leaving the investigation floundering from the start. It takes time and effort to understand an environment fully, and if organizations aren’t prepared to invest in finding effective solutions, any attempt at attribution will be largely pointless.

The second key ingredient for effective attribution is knowledge of potential adversaries. This includes who they might be, why they might attack, and what they might potentially leave behind. While predicting the future is never easy, laying the groundwork ahead of time means that in the event of an attack, the organization won’t need to start from scratch.

Finally, significant time and resources are required for attribution efforts to be successful. Attribution is not a fast process, and the larger the investigation, the longer it can take. In particularly serious incidents, external law enforcement may need to get involved, extending the investigation timescale and adding further layers of communication to the whole process. The messages here are: don’t expect results overnight, and use caution, because adversaries with enough resources will plant “false flags” to trick investigators. Misdirection consumes additional investigative resources and can lead to false attribution, which is technically and politically beneficial to the perpetrator. This was seen in 2018 with the Olympic Destroyer malware used in the attack on the PyeongChang Olympics: the attack was initially, and falsely, attributed to the North Koreans, and the evidence pointing that way turned out to be a deliberately planted false flag.

Success can take many forms. It may highlight new types of attacks, expose vulnerabilities in existing security, or provide information on where the attackers may be geographically, including their prior engagements and their motives. While this may not lead to a day in court, it may inform future security planning and investment, and help to educate the entire organization.

What are companies looking for?

UK Earning Potential

From £21,000 to £80,000 depending on geography, experience and definition *

* Source: Forensic computer analyst job profile, March 2020

Christopher Tannery, July 2018, “Cyber Attribution: Essential Component of Incident Response or Optional Extra”, viewed 12 March 2020
