It's also difficult to attribute an attack to a group or country based on messages left on compromised servers or strings in a particular language found in exploit code. In part that's because hackers tend to share, buy, copy or steal other hackers' tools, so code with a string of Russian text could just as likely be used by Peruvian hackers or North Korean students. And for every hacker who inadvertently leaves some trace of his activity (like a string of text in Russian) there is probably another who will leave such information deliberately as a form of misdirection.
Another thing that's important is that hackers rarely meet each other face to face. Instead they often exchange information, tools and hacked data on hacker forums — either on the web, or the more obscure darknet.
These forums are vital sources of information for law enforcement agencies and security specialists, according to Christopher Ahlberg, CEO and founder of real-time threat intelligence provider Recorded Future. Speaking at the Black Hat Europe 2016 security conference in London, Ahlberg said that in many cases the ability to attribute an attack to a particular group or individual comes down to "sloppy handle usage" on hacker forums.
"We will see someone register a domain name, and use the same handle on hacker forums, on developer forums, on social networks and so on," he says. When handles (which may be part of an email address) are reused in this way it becomes relatively easy to work out who a forum member is, and forum posts often provide information that points to a specific individual (or group) as being responsible for a particular hack.
The problem for security experts like Ahlberg is that smart hackers know about operations security (opsec) and therefore know better than to reuse their handle in different environments. "They will do 'handle hopping,' changing their handles between forums, or indeed within a single forum," he says.
What can be done to overcome the practice of handle hopping? A possible solution is to apply a dose of mathematics and carry out a Pattern of Life analysis, which Wikipedia defines as "a method of surveillance specifically used for documenting or understanding a subject's (or many subjects') habits. This information can then be potentially used to predict future actions by the subject(s) being observed."
In fact, Pattern of Life analyses can be carried out on all kinds of data sets, ranging from crime statistics to Uber rides, to spot certain patterns of behavior, Ahlberg says. For example, it turns out that on Valentine's Day there are plenty of Uber rides that start at 1 a.m. and return at 5 a.m., but on the eve of Tax Day this type of ride behavior is very uncommon. Also interesting: the most popular time for burglars to strike in Chicago is 9 a.m., and narcotics dealers are most active at lunchtime and at night.
Sign up for CIO Asia eNewsletters.