A Sleuth’s main role is to perform digital forensic analysis. Cyber attribution, the process of identifying who and what was responsible for a breach, is a core part of that role: collecting evidence in the wake of an attack, building timelines, and piecing the evidence together into a coherent account of what happened.
Within the context of incident response, attribution attempts to address the secondary questions surrounding the “who” and the “why” of an attack, as opposed to the more immediate concerns of “what”, “when”, “where” and “how”. As with any forensic process, answering these questions cannot be done quickly and will usually require significant time and resources. Furthermore, in many cases the process involves a significant amount of educated guesswork, and even analytical leaps, meaning results are often open to debate and difficult to back up with hard facts.
Links with the CyberEPQ Modules
- 7. Information Security Incident Management & Conducting and Managing Digital Forensic Examinations
- 9. Information Security Identity and Access Management
What does a Sleuth do?
The first requirement of a Sleuth during cyber attribution is extensive knowledge of, and unencumbered visibility into, the IT environment, including services the adversary may have used against it, such as free cloud services. For many organisations this is the biggest stumbling block of all. Without this insight, anyone attempting the long task of attribution is virtually guaranteed to fail, because they will not know what signs to look for, nor have the expertise to thread those signs into a cohesive timeline. Key indicators will be missed, leaving the investigation floundering from the start. It takes time and effort to understand an environment fully, and if organisations are not prepared to invest in gaining that visibility, any attempt at attribution will be largely pointless.
The second key ingredient for effective attribution is knowledge of potential adversaries. This includes who they might be, why they might attack, and what they might potentially leave behind. While predicting the future is never easy, laying the groundwork ahead of time means that in the event of an attack, the organization won’t need to start from scratch.
Finally, significant time and resources are required for attribution efforts to succeed. Attribution is not a fast process, and the larger the investigation, the longer it can take. In particularly serious incidents, external law enforcement may need to be involved, extending the time scale and adding further layers of communication to the whole process. The first message here is: do not expect results overnight. The second is: use caution. Adversaries with enough resources will plant “false flags” to mislead investigators, because misdirection consumes additional resources and can lead to false attribution, which is both technically and politically beneficial to the perpetrator. This was seen in 2018 with the Olympic Destroyer malware used against the PyeongChang Winter Olympics: the attack was initially, and falsely, attributed to North Korea on the strength of code artefacts that turned out to be a deliberately planted false flag.
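The two practical points above, threading evidence from several sources into one cohesive timeline and treating attacker-controlled metadata with suspicion, can be made concrete in a few lines of code. The following is an added example written for this page; it is not code from the original article or from CyberEPQ. It assumes three constructed evidence sources (a web server access log line with its own UTC offset, a cloud audit record in ISO-8601 UTC, and endpoint agent records reporting naive local time plus the host’s UTC offset), normalises every timestamp to UTC, orders the events, and then flags any artefact whose self-reported creation time (here a PE-style compile timestamp, which an attacker can set freely) is later than the moment the endpoint first recorded it, which is physically impossible and is exactly the kind of planted indicator a Sleuth should refuse to build attribution on. All log lines and records are constructed for the example.

```python
"""Merge evidence from several sources into one UTC timeline and flag
self-reported timestamps that contradict the collection record.

Added example, not code from the original page or from CyberEPQ. All
log lines and records below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class Event:
    ts: datetime                            # when the collecting system recorded it (UTC)
    source: str                             # which evidence source it came from
    host: str
    detail: str
    claimed_ts: Optional[datetime] = None   # timestamp asserted by the artefact itself (forgeable)


def parse_web_log(line: str, host: str) -> Event:
    """Apache/nginx combined-log style line; the timestamp carries its own UTC offset."""
    start = line.index("[") + 1
    end = line.index("]")
    local = datetime.strptime(line[start:end], "%d/%b/%Y:%H:%M:%S %z")
    return Event(local.astimezone(timezone.utc), "web", host, line[end + 2:])


def parse_cloud_audit(record: dict) -> Event:
    """Cloud audit record with an ISO-8601 'Z' timestamp (already UTC)."""
    ts = datetime.fromisoformat(record["time"].replace("Z", "+00:00"))
    return Event(ts.astimezone(timezone.utc), "cloud-audit", record["actor"],
                 record["action"])


def parse_endpoint(record: dict) -> Event:
    """Endpoint agent record: naive local time plus the host's UTC offset in hours."""
    local = datetime.strptime(record["local_time"], "%Y-%m-%d %H:%M:%S")
    local = local.replace(tzinfo=timezone(timedelta(hours=record["utc_offset_h"])))
    claimed = None
    if "claimed_compile_time" in record:    # e.g. a PE header TimeDateStamp: attacker-controlled
        claimed = datetime.fromisoformat(
            record["claimed_compile_time"].replace("Z", "+00:00"))
    return Event(local.astimezone(timezone.utc), "endpoint", record["host"],
                 record["detail"], claimed)


def build_timeline(events: List[Event]) -> List[Event]:
    """Order by collection timestamp; ties broken by source so output is deterministic."""
    return sorted(events, key=lambda e: (e.ts, e.source))


def contradicted_claims(events: List[Event]) -> List[Event]:
    """An artefact that claims to have been created after we first observed it
    cannot be telling the truth: its metadata was set by hand or the clock was
    manipulated. Either way it is not a safe basis for attribution."""
    return [e for e in events if e.claimed_ts is not None and e.claimed_ts > e.ts]


# Constructed sample evidence: one incident seen from three vantage points.
SAMPLE_WEB = '10.0.0.5 - - [09/Feb/2018:19:05:12 +0900] "POST /upload HTTP/1.1" 200 512'
SAMPLE_CLOUD = {"time": "2018-02-09T10:07:44Z", "actor": "svc-backup",
                "action": "CreateAccessKey"}
SAMPLE_ENDPOINT = [
    {"host": "WS-042", "local_time": "2018-02-09 05:03:30", "utc_offset_h": -5,
     "detail": "file written: C:\\Users\\Public\\update.exe",
     "claimed_compile_time": "2018-02-10T02:00:00Z"},   # "compiled" after it was written
    {"host": "WS-042", "local_time": "2018-02-09 05:10:01", "utc_offset_h": -5,
     "detail": "process start: update.exe"},
]


def sample_timeline() -> List[Event]:
    """Parse the constructed evidence and return it as one ordered UTC timeline."""
    events = [parse_web_log(SAMPLE_WEB, "web-01"), parse_cloud_audit(SAMPLE_CLOUD)]
    events += [parse_endpoint(r) for r in SAMPLE_ENDPOINT]
    return build_timeline(events)


if __name__ == "__main__":
    timeline = sample_timeline()
    for e in timeline:
        print(f"{e.ts:%Y-%m-%d %H:%M:%S}Z  {e.source:<11} {e.host:<10} {e.detail}")
    for e in contradicted_claims(timeline):
        print(f"!! {e.host}: claims creation at {e.claimed_ts.isoformat()}, "
              f"but was first observed at {e.ts.isoformat()} (metadata forged or clock manipulated)")
```

Run as-is, the script prints the four constructed events in true UTC order (the web hit at 19:05 local +0900 lands before the cloud key creation at 10:07 UTC, not after it, which a naive string sort would get wrong) and then flags the dropped binary, whose claimed compile time postdates the endpoint’s own record of the file being written. The design choice worth noting is that `Event.ts` always holds the collecting system’s timestamp and `claimed_ts` holds whatever the artefact says about itself; keeping the two separate is what makes the contradiction checkable.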
Success can take many forms. It may highlight new types of attacks, expose vulnerabilities in existing security, or provide information on where the attackers may be geographically, including their prior engagements and their motives. While this may not lead to a day in court, it may inform future security planning and investment, and help to educate the entire organization.
What are companies looking for?
- Excellent analytical and problem-solving skills.
- Patience and a methodical and well-organised approach to work.
- An enquiring, investigative mindset with excellent attention to detail.
- Good written and verbal communication skills for reporting findings and conveying technical information to technical and non-technical people.
- The ability to identify patterns or trends across large amounts of data.
- An aptitude for working under pressure and to deadlines.
- The ability to interact and communicate effectively with a range of people.
- Integrity and impartiality, and compliance with confidentiality requirements.
- Security clearance - this may be necessary if you have access to sensitive information.
UK Earning Potential
From £21,000 to £80,000 depending on geography, experience and role definition *
* Source: Forensic computer analyst job profile | Prospects.ac.uk, March 2020
Christopher Tannery, July 2018, Cyber Attribution: Essential Component of Incident Response or Optional Extra, viewed 12th March 2020
Learn more about the Seven Personae of Cyber