A multi-disciplinary framework for cyber attribution
Effective cyber security is critical to the prosperity of any nation in the modern world. We have become
dependent upon this interconnected network of systems for a number of critical functions within society.
As our reliance upon this technology has increased, so have the prospective gains for malicious actors who
would abuse these systems for their own benefit, at the cost of legitimate users. The result has
been an explosion of cyber attacks and cyber-enabled crimes. The threat from hackers, organised criminals
and even nation states is ever increasing. One of the critical enablers of cyber security is cyber
attribution: the ability to tell who is acting against our systems.
A purely technical approach to cyber attribution has been found to be ineffective in the majority of cases,
as it takes too narrow a view of the attribution problem. A purely technical approach will provide Indicators
of Compromise (IOCs), which are suitable for the immediate recovery and clean-up after a cyber event. It
fails, however, to ask the deeper question of the origin of the attack. This can be derived from a wider
set of analysis and additional sources of data. Unfortunately, due to the wide range of data types and the
highly specialist skills required to perform the deep-level analysis, there is currently no common framework
for analysts to work together towards resolving the attribution problem. This is further exacerbated by a
communication barrier between the highly specialised fields and by the absence of obviously compatible data types.
The aim of the project is to develop a common framework to which experts from a number of disciplines
can add to the overall attribution picture. These experts add their input in the form of a library. Firstly,
a process was developed to enable the creation of compatible libraries in different specialist fields. A series
of libraries can then be used by an analyst to create an overarching attribution picture. The framework
highlights any intelligence gaps, and the analyst can additionally use the list of libraries to suggest a tool or
method to fill that gap.
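The library-and-gap mechanism described above can be made concrete with a small model. The following Python is an added illustration written for this page; it is not the project's own framework or code, and the attribution dimensions, library names, discipline labels and evidence entries are all constructed assumptions chosen to show the idea: each specialist library contributes evidence against named attribution dimensions, the framework merges the contributions into one picture, lists the dimensions with no evidence as intelligence gaps, and looks up which registered libraries could fill each gap.

```python
"""Toy model of a library-based attribution framework.

Added illustration for this page, not the project's own code. Dimensions,
libraries and evidence below are constructed assumptions for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed attribution dimensions an analyst might track (an assumption, not from the page).
DIMENSIONS = ("infrastructure", "tooling", "ttps", "language_artefacts", "targeting")


@dataclass
class Evidence:
    library: str        # which specialist library produced the finding
    dimension: str      # which attribution dimension it speaks to
    finding: str        # human-readable observation for the briefing
    confidence: float   # the contributing expert's confidence, 0.0 to 1.0


@dataclass
class Library:
    name: str
    discipline: str
    covers: tuple       # dimensions this library is able to produce evidence for


@dataclass
class AttributionPicture:
    findings: dict = field(default_factory=dict)      # dimension -> [Evidence], best first
    gaps: list = field(default_factory=list)          # dimensions with no evidence at all
    suggestions: dict = field(default_factory=dict)   # gap -> library names that cover it


def build_picture(evidence, libraries):
    """Merge per-library evidence into one picture and flag intelligence gaps."""
    by_dim = defaultdict(list)
    for e in evidence:
        if e.dimension not in DIMENSIONS:
            raise ValueError(f"unknown dimension {e.dimension!r} from {e.library}")
        if not 0.0 <= e.confidence <= 1.0:
            raise ValueError(f"confidence out of range for {e.library}: {e.confidence}")
        by_dim[e.dimension].append(e)
    for items in by_dim.values():
        items.sort(key=lambda e: e.confidence, reverse=True)
    gaps = [d for d in DIMENSIONS if d not in by_dim]
    # For each gap, which registered libraries could be tasked to fill it?
    suggestions = {g: [lib.name for lib in libraries if g in lib.covers] for g in gaps}
    return AttributionPicture(dict(by_dim), gaps, suggestions)


def dimension_confidence(picture, dimension):
    """Combine independent findings for one dimension with noisy-OR: 1 - prod(1 - c)."""
    remaining = 1.0
    for e in picture.findings.get(dimension, []):
        remaining *= 1.0 - e.confidence
    return 1.0 - remaining


def render(picture):
    """Plain-text stand-in for the pictorial briefing product: one line per dimension."""
    lines = []
    for d in DIMENSIONS:
        if d in picture.gaps:
            lines.append(f"{d}: GAP (try: {', '.join(picture.suggestions[d]) or 'none'})")
        else:
            top = picture.findings[d][0]
            lines.append(f"{d}: {dimension_confidence(picture, d):.2f} ({top.library}: {top.finding})")
    return lines


# Constructed registry of specialist libraries (assumption).
LIBRARIES = [
    Library("network-forensics", "network analysis", ("infrastructure",)),
    Library("malware-analysis", "reverse engineering", ("tooling", "language_artefacts")),
    Library("threat-intel", "threat intelligence", ("ttps", "infrastructure")),
    Library("linguistics", "linguistic analysis", ("language_artefacts",)),
    Library("geopolitical", "geopolitical analysis", ("targeting",)),
]

# Constructed evidence feed for one incident (assumption).
SAMPLE_EVIDENCE = [
    Evidence("network-forensics", "infrastructure", "C2 hosted with the same provider as earlier campaign", 0.6),
    Evidence("malware-analysis", "tooling", "loader shares code with previously seen samples", 0.7),
    Evidence("threat-intel", "ttps", "initial access matches a known phishing pattern", 0.5),
    Evidence("threat-intel", "infrastructure", "registrant details reused across domains", 0.4),
]

if __name__ == "__main__":
    for line in render(build_picture(SAMPLE_EVIDENCE, LIBRARIES)):
        print(line)
```

The noisy-OR combination assumes the findings within a dimension are independent, which is rarely true when two libraries draw on the same underlying data; a real framework would need provenance on each finding so that correlated evidence is not double-counted.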
By the end of the project a working framework had been developed, with a number of libraries from a
wide range of technical attribution disciplines. These libraries were used to feed real-time intelligence
to both technical and non-technical analysts, who were then able to use this information to perform in-depth
attribution analysis. The pictorial format of the framework was found to help break down
the communication barrier between disciplines and was suitable as an intelligence product in its own right,
providing a useful visual aid to briefings. The simplicity of the library-based system meant that the process
was easy to learn, with only a short introduction to the framework required.