Attribution in Investigation

Identifying Threat Actors Through Forensic Analysis


Understanding Threat Actors

Attribution starts with understanding WHO might attack and WHY. Different actors have different resources, motivations, and techniques.

Nation-State (APT)
Motivation: Espionage / Warfare
Highly sophisticated, well-funded. Target government, critical infrastructure. Persistent access for years.

Organized Crime
Motivation: Financial Gain
Ransomware, banking trojans, BEC scams. Professional operations with customer support.

Hacktivists
Motivation: Political / Ideological
Website defacement, DDoS, data leaks. Motivated by causes, not profit.

Insider Threat
Motivation: Revenge / Profit
Current or former employees with legitimate access. Data theft, sabotage.

Script Kiddies
Motivation: Notoriety / Learning
Use pre-built tools without deep understanding. Opportunistic attacks.

Competitors
Motivation: Business Advantage
Corporate espionage for trade secrets, customer lists, strategic plans.


Tactics, Techniques, and Procedures (TTPs)

TTPs describe HOW attackers operate. They're more valuable for attribution than IOCs because they're harder to change.

The Pyramid of Pain

Layers listed from the top of the pyramid (most painful for the attacker to change) to the bottom:

  • TTPs: Hardest to change - behavior patterns
  • Tools: Custom malware, exploit kits
  • Network/Host Artifacts: C2 patterns, registry keys, mutex names
  • Hash Values / IPs / Domains: Trivial to change - least useful alone

MITRE ATT&CK Framework

The industry standard for categorizing adversary behavior. Maps techniques to real-world threat actors.

Tactic            | Example Technique            | Detection Opportunity
Initial Access    | T1566 Phishing               | Email gateway logs, user reports
Execution         | T1059 PowerShell             | Script block logging, command line
Persistence       | T1547 Registry Run Keys      | Registry monitoring, autoruns
Defense Evasion   | T1070 Log Clearing           | Event ID 1102, SIEM gaps
Credential Access | T1003 OS Credential Dumping  | LSASS access, Mimikatz signatures
Exfiltration      | T1048 Exfil Over C2          | Unusual outbound data volumes

Attribution Challenges

Definitively attributing an attack is extremely difficult. Attackers use misdirection:

  • False Flags: Planted evidence pointing to another actor
  • Shared Tools: Many groups use the same public tools
  • Proxies: Traffic routed through compromised hosts
  • Stolen Infrastructure: Using another group's C2 servers
  • Language Artifacts: Fake language in code comments, planted to suggest another origin

Attribution Indicators

Analysts look for patterns across multiple attacks to build attribution confidence:

  • Code Similarity: Shared libraries, functions, encryption routines
  • Infrastructure Overlap: Same C2 servers, domain registrars, hosting
  • Victimology: Who they target aligns with actor motivations
  • Operational Hours: Activity patterns suggest timezone/workweek
  • Language/Locale: Keyboard layout, language settings in tools
  • TTP Consistency: Unique techniques used across campaigns
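The operational-hours indicator above can be checked mechanically. The following is an added example, not code from the original page: it takes constructed UTC timestamps of operator-driven events and reports every UTC offset under which the activity best fits an assumed 09:00-18:00 Monday-to-Friday workweek, returning a band of offsets rather than a single zone when the data cannot separate neighbouring ones.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample (not from any real case): UTC timestamps of operator-driven
# events such as interactive commands over a C2 channel, gathered across intrusions.
# Automated beacons are left out on purpose: they follow a timer, not a workday.
SAMPLE_EVENTS_UTC = [
    "2024-03-04T06:00:00+00:00",  # Monday
    "2024-03-04T07:45:00+00:00",
    "2024-03-05T10:15:00+00:00",
    "2024-03-06T08:30:00+00:00",
    "2024-03-06T14:30:00+00:00",
    "2024-03-07T11:05:00+00:00",
    "2024-03-08T13:50:00+00:00",  # Friday
    "2024-03-11T09:20:00+00:00",  # Monday
]


def workweek_fit(timestamps_utc, offset_hours, work_start=9, work_end=18):
    """Fraction of events that land Mon-Fri inside [work_start, work_end) local
    time if the operator is assumed to sit at UTC+offset_hours."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for raw in timestamps_utc:
        local = datetime.fromisoformat(raw).astimezone(tz)
        if local.weekday() < 5 and work_start <= local.hour < work_end:
            hits += 1
    return hits / len(timestamps_utc)


def infer_operator_timezones(timestamps_utc, work_start=9, work_end=18):
    """Return (best_offsets, score): every UTC offset from -12 to +14 that ties
    for the best workweek fit. Several offsets means the data only supports a
    band, which is the honest answer; do not pick one zone arbitrarily."""
    if not timestamps_utc:
        raise ValueError("no events to profile")
    scores = {off: workweek_fit(timestamps_utc, off, work_start, work_end)
              for off in range(-12, 15)}
    best = max(scores.values())
    return [off for off, s in scores.items() if s == best], best


if __name__ == "__main__":
    offsets, score = infer_operator_timezones(SAMPLE_EVENTS_UTC)
    print(f"best-fit UTC offsets: {offsets} (fit {score:.0%})")
    # Treat this as one weak indicator among several: an operator on odd hours,
    # a VPN exit in another region, or deliberately shifted activity (false flag)
    # all distort it, so it only adds confidence alongside code and TTP overlap.
```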

Case Study: APT Attribution Process

Investigating a breach at a defense contractor:

  • Day 1: Initial IOCs collected - file hashes, C2 domain, registry keys
  • Day 3: TTP analysis - Spearphishing > Macro > PowerShell > Cobalt Strike
  • Day 7: Malware reverse engineering reveals shared code with previous APT29 samples
  • Day 14: C2 infrastructure linked to previous campaigns targeting the same sector
  • Day 21: Attribution assessment - high confidence APT29 based on TTP + code + targeting

Attribution Confidence Levels

  • Low: Single IOC match, could be false flag
  • Medium: Multiple TTP matches, infrastructure overlap
  • High: Code similarity, targeting pattern, operational consistency
  • Near Certain: All above + intelligence sources corroborate

Attribution Quiz

Test your understanding. You need 80% (4/5) to pass.

Q1. According to the Pyramid of Pain, which indicator is HARDEST for attackers to change?
  • IP addresses
  • File hashes
  • Domain names
  • TTPs (Tactics, Techniques, Procedures)

Q2. Which threat actor type is MOST likely motivated by espionage?
  • Script kiddies
  • Nation-state APT
  • Hacktivists
  • Organized crime

Q3. What framework is the industry standard for categorizing adversary behavior?
  • NIST CSF
  • ISO 27001
  • MITRE ATT&CK
  • OWASP Top 10

Q4. An attacker plants code comments in Russian to mislead investigators. This is called:
  • A false flag
  • Code obfuscation
  • Steganography
  • Polymorphism

Q5. Which of these provides the STRONGEST attribution evidence?
  • Matching IP address
  • Code similarity + targeting pattern + TTP consistency
  • Single file hash match
  • Domain registration data
