The Reality Of Attribution In An Incident

One reality of a security incident, is that you may not always know who the attacker is.

First of all, I'd like to wish you and your families Happy Holidays!

One reality of a security incident is that you may not always know who the attacker is. Between the anonymity of the internet, the number of third-party applications that get breached while holding your data, and APIs reachable from anywhere, the attack surface is large and the trail back to a person is often thin.

One time I was asked to try to find out who attacked a company's AWS account, after the fact. An AWS root key was used in the attack, but they quickly identified it and deleted the key.

After reviewing the CloudTrail logs, it turned out the attacker executed their attack from a Tor exit node. Since they used Tor and their user-agent had no other unique properties, there was no other way to identify the attacker. I tried looking for mistakes they may have made using the key from another location, but it was all dead ends.
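The kind of CloudTrail triage described above, as an added example that is not code from the original post: pull every event made with the compromised key, group them by source IP and user-agent, mark the sources that are Tor exit nodes (dead ends), and surface anything left over, which is exactly the "used the key from another location" mistake worth pivoting on. The CloudTrail records, the user-agent strings and the Tor exit list are all constructed for the example (the IPs come from the RFC 5737 documentation ranges); in a real investigation you would read the records from the trail's S3 bucket and load the Tor Project's bulk exit list for the incident window.

```python
"""Triage CloudTrail records for a compromised access key.

Added example, not code from the original post. Assumes the standard
CloudTrail JSON layout: a "Records" array of events carrying eventTime,
eventName, sourceIPAddress, userAgent and userIdentity.accessKeyId.
"""
import json

# Constructed user-agent strings, kept as constants so results can be keyed on them.
UA_CLI_LINUX = "aws-cli/2.4.6 Python/3.9.9 Linux/5.15.0 exe/x86_64.ubuntu.20 prompt/off"
UA_CLI_MAC = "aws-cli/2.4.6 Python/3.9.9 Darwin/21.1.0 source/arm64 prompt/off"

# Constructed Tor exit list (RFC 5737 documentation addresses, not real exits).
TOR_EXIT_IPS = {"198.51.100.23", "203.0.113.77", "203.0.113.9"}

# Constructed sample trail: four uses of the root key plus one event from another key.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2021-12-20T03:14:07Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.23",
     "userAgent": UA_CLI_LINUX,
     "userIdentity": {"type": "Root", "accessKeyId": "AKIAEXAMPLEROOTKEY0"}},
    {"eventTime": "2021-12-20T03:15:41Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.23",
     "userAgent": UA_CLI_LINUX,
     "userIdentity": {"type": "Root", "accessKeyId": "AKIAEXAMPLEROOTKEY0"}},
    {"eventTime": "2021-12-20T03:16:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "203.0.113.77",
     "userAgent": UA_CLI_LINUX,
     "userIdentity": {"type": "Root", "accessKeyId": "AKIAEXAMPLEROOTKEY0"}},
    # The "mistake" worth looking for: same key, non-Tor IP, different user-agent.
    {"eventTime": "2021-12-19T11:02:55Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "192.0.2.15",
     "userAgent": UA_CLI_MAC,
     "userIdentity": {"type": "Root", "accessKeyId": "AKIAEXAMPLEROOTKEY0"}},
    # Unrelated activity that the key filter must drop.
    {"eventTime": "2021-12-20T09:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "192.0.2.40",
     "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "ASIAEXAMPLEOTHERKEY"}},
]})


def load_records(trail_json):
    """Parse one CloudTrail log file into its list of event records."""
    return json.loads(trail_json)["Records"]


def events_for_key(records, access_key_id):
    """Every event made with the key, regardless of source IP or user-agent."""
    return [r for r in records
            if r.get("userIdentity", {}).get("accessKeyId") == access_key_id]


def summarize_sources(records):
    """Group events by (sourceIPAddress, userAgent): count, first/last seen, API calls.

    eventTime is fixed-width ISO-8601 UTC, so plain string comparison orders it.
    """
    summary = {}
    for r in records:
        key = (r["sourceIPAddress"], r["userAgent"])
        entry = summary.setdefault(key, {"count": 0, "first_seen": r["eventTime"],
                                         "last_seen": r["eventTime"], "event_names": set()})
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], r["eventTime"])
        entry["last_seen"] = max(entry["last_seen"], r["eventTime"])
        entry["event_names"].add(r["eventName"])
    for entry in summary.values():
        entry["event_names"] = sorted(entry["event_names"])
    return summary


def classify_sources(summary, tor_exit_ips):
    """Split sources into Tor exits (dead ends) and everything else (pivot candidates)."""
    tor = {k: v for k, v in summary.items() if k[0] in tor_exit_ips}
    other = {k: v for k, v in summary.items() if k[0] not in tor_exit_ips}
    return tor, other


def triage_report(trail_json, access_key_id, tor_exit_ips):
    """One line per (IP, user-agent) pair, Tor exits first, non-Tor sources last."""
    records = events_for_key(load_records(trail_json), access_key_id)
    tor, other = classify_sources(summarize_sources(records), tor_exit_ips)
    lines = [f"{len(records)} events for {access_key_id}"]
    for label, group in (("TOR EXIT", tor), ("NON-TOR (pivot here)", other)):
        for (ip, ua), info in sorted(group.items()):
            lines.append(f"[{label}] {ip} {info['count']}x "
                         f"{info['first_seen']}..{info['last_seen']} "
                         f"{','.join(info['event_names'])} UA={ua}")
    return lines


if __name__ == "__main__":
    print("\n".join(triage_report(SAMPLE_TRAIL, "AKIAEXAMPLEROOTKEY0", TOR_EXIT_IPS)))
```

Grouping on the (IP, user-agent) pair rather than on IP alone is deliberate: a different user-agent from a non-Tor address is the strongest hint that the same person slipped up and used the key from their own machine, and that is the line to chase with the ISP or cloud provider. Treat a match against a Tor exit list as a floor, not a verdict, since exit lists change by the hour and the list for the incident window is what matters.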

What I'm trying to say is that it's a fact of life: you may never know who attacked you.


However, there is a lot you can do to prevent this, or at least to increase your chances of identifying the attacker. Here are a few things you can do:

  • Eliminate the sharing of user accounts. Every human should have a unique ID, so that an action in the logs maps to exactly one person.

  • Reduce the use of shared and service accounts, and where one is unavoidable, make sure the logs still record who used it and when.

  • Ensure you have adequate logging on all authentication and privileged actions, including the source IP and user-agent of each call; without that record, there is nothing to pivot on after the fact.

  • Look at deploying, or moving toward, a Zero Trust model in your organization, so that a stolen credential alone is not enough to act.

Of course, if you don't already have one, look into publishing an Incident Response plan, and consider running a tabletop exercise to test your organization against it in practice.

Take care,


If you liked this email, forward it to a friend! I'd appreciate it.