Home Depot and JPMorgan Chase seem to be the top searches that pop up when one Googles “data breaches.” But just when you think a particular breach will snag a headline for weeks, another takes its place in what seems like days.
Cybercriminals have long kept law enforcement on their toes, but there’s no denying the amount of hard work that goes into attributing these threats.
The BlackShades bust, an FBI-led investigation with help from 17 law enforcement agencies around the world, resulted in 100 individuals being charged with using or distributing the malicious RAT, which could give an attacker nearly complete control over a compromised machine. Then there are the eight suspects arrested in Spain as part of the ATM hacking ring that netted $60 million from banks around the globe.
Tracking down threat actors is no easy feat, and requires an immense amount of research and collaboration. Sophisticated malware used in these attacks may share attributes, but that doesn’t necessarily mean the samples are tied to one cybercriminal or group. While security researchers do their fair share of work toward tracking down these actors, it ultimately comes down to law enforcement to make the big move.
“Although, with certain forensic evidence, security researchers help law enforcement in their investigation, tracking down the actual criminals is more of a law enforcement task,” says Karl Sigler, threat intelligence manager at Trustwave.
Additionally, even if these forensic researchers are able to follow clues – such as unique strings in a binary and executable resource language – it’s difficult for them to be 100 percent accurate when it comes to open-source intelligence attribution, which is as far as some researchers can go if they’re not law enforcement, says Joe Stewart, director of malware research for Dell SecureWorks’ CTU research team.
Even then, he says digital evidence can be forged to look like it came from someone else.
“That’s really the primary problem with attribution for any kind of digital crime,” Stewart says. At the end of the day, he adds, you have to make a final connection between a keyboard and a set of fingers. “We can often find the keyboard, but proving beyond all doubt which fingers actually made those keystrokes is a difficult task.”
That’s when, he says, law enforcement comes knocking with a warrant.
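The clues Stewart describes above, strings left in a binary and the language ID of its resources, are cheap to pull out and, as he warns, just as cheap to forge. The script below is an added illustration, not code from the article or from either research team: it walks a PE-style resource directory to list the language IDs attached to the VS_VERSION_INFO resource, and scans a file fragment for ASCII and UTF-16LE strings, flagging any debug-symbol (.pdb) path. Both the resource tree and the file fragment are constructed inline; the locale table, the `dropper.pdb` path and the `Update Service` string are invented for the example.

```python
import re
import struct

# Two of the attribution clues named in the article: strings left in the binary
# (a debug-symbol path is a common one) and the language ID of its resources.
# Everything below is an added illustration; the bytes it scans are constructed
# here, not taken from a real sample.

RT_VERSION = 16            # resource type ID for VS_VERSION_INFO
SUBDIR_FLAG = 0x80000000   # high bit set: entry points to a subdirectory, not data

# Small, hand-picked locale table (assumption: extend with the full LCID list as needed).
LANG_NAMES = {0x0409: "en-US", 0x0419: "ru-RU", 0x0804: "zh-CN", 0x0412: "ko-KR"}


def _directory(entries):
    """Pack an IMAGE_RESOURCE_DIRECTORY header followed by its ID-typed entries."""
    header = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(entries))
    return header + b"".join(struct.pack("<II", name, off) for name, off in entries)


# Constructed .rsrc section: root -> type RT_VERSION -> name 1 -> languages 0x0419 and 0x0409.
# Offsets are relative to the start of the section, as in a real PE.
SAMPLE_RSRC = (
    _directory([(RT_VERSION, SUBDIR_FLAG | 24)])    # root directory, bytes 0..24
    + _directory([(1, SUBDIR_FLAG | 48)])           # type directory, bytes 24..48
    + _directory([(0x0419, 80), (0x0409, 96)])      # name directory, bytes 48..80
    + struct.pack("<IIII", 0x3000, 0x1F0, 0, 0)     # data entry (RVA, size, codepage, reserved)
    + struct.pack("<IIII", 0x3200, 0x1F0, 0, 0)     # second data entry
)

# Constructed file fragment: a leftover PDB path and a UTF-16LE service name.
SAMPLE_BLOB = (
    b"\x00" * 8 + b"MZ\x90\x00" + b"\x00" * 5
    + b"C:\\Users\\dev\\projects\\dropper\\Release\\dropper.pdb\x00"
    + b"\x01\x02\x03"
    + "Update Service".encode("utf-16le") + b"\x00\x00"
)


def walk_resources(rsrc, offset=0, path=(), depth=0):
    """Yield (type_id, name_id, lang_id, rva, size) for each leaf of the resource tree.

    Only ID-typed entries are followed (named entries have the high bit of Name set).
    The depth and bounds checks stop the walk on a truncated or hostile tree instead
    of looping or raising on a bad offset.
    """
    if depth > 2 or offset + 16 > len(rsrc):
        return
    _, _, _, _, n_named, n_id = struct.unpack_from("<IIHHHH", rsrc, offset)
    pos = offset + 16
    for _ in range(n_named + n_id):
        if pos + 8 > len(rsrc):
            return
        name, data_off = struct.unpack_from("<II", rsrc, pos)
        pos += 8
        if name & SUBDIR_FLAG:
            continue  # named entry: string-keyed, not a type/name/language ID
        if data_off & SUBDIR_FLAG:
            yield from walk_resources(rsrc, data_off & 0x7FFFFFFF, path + (name,), depth + 1)
        elif data_off + 16 <= len(rsrc):
            rva, size, _, _ = struct.unpack_from("<IIII", rsrc, data_off)
            yield path + (name, rva, size)


def resource_languages(rsrc):
    """Map each language ID found at the leaves to a locale name; unknown IDs stay as hex."""
    langs = {leaf[2] for leaf in walk_resources(rsrc) if len(leaf) == 5}
    return {lang: LANG_NAMES.get(lang, hex(lang)) for lang in sorted(langs)}


ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
PDB_PATH = re.compile(r"[A-Za-z]:\\.*?\.pdb")


def extract_strings(blob):
    """Printable ASCII and UTF-16LE runs of six or more characters, in file order."""
    found = [(m.start(), m.group().decode("ascii")) for m in ASCII_RUN.finditer(blob)]
    found += [(m.start(), m.group().decode("utf-16le")) for m in UTF16_RUN.finditer(blob)]
    return [s for _, s in sorted(found)]


def pdb_paths(blob):
    """Debug-symbol paths embedded in the binary: a classic, and forgeable, pivot."""
    paths = []
    for s in extract_strings(blob):
        m = PDB_PATH.search(s)
        if m:
            paths.append(m.group())
    return paths


if __name__ == "__main__":
    for s in extract_strings(SAMPLE_BLOB):
        print("string:", s)
    print("pdb paths:", pdb_paths(SAMPLE_BLOB))
    print("resource languages:", resource_languages(SAMPLE_RSRC))
```

Treat each finding as a pivot to verify against other evidence, not a verdict: a resource language or a PDB path is a build-time setting that an author can set to whatever they want an analyst to see.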