Surprise Yourself – Think Then Do

Think Then Do

When I first started in engineering, I figured I pretty much had it down pat. I had a sound foundation in physics, math, electronics, English, etc. Had worked at NASA — access to a floor of computers and worked the night shift – access aplenty. Went to grad school to take a deep dive into areas that interested me. Spent time in the Marine Corps – a cauldron spanning the very best to the very worst about mankind. What more was there to know? Give me a problem, and I would dive in, build a working prototype and move on to the next problem. My manager was happy, but after a while, I became bored. At first, I thought: same old problems. Nothing new. Slowly, very slowly, I started to realize that it was my understanding of the world around me that was my biggest problem. I had tunnel vision.

Slowly, I started to read more before I dove in to solve a problem. I read books and papers that addressed the problem areas I was solving. That helped for a while. Then one morning, I realized that I had become too wrapped up in technology. In security, all the bits and pieces – hardware, software, tools – were in place. It is the people interfacing with technology that are the weakest link.

Some time passes and I start thinking about social media – never before have so many given so much about their identity to so few – so willingly.

The link to OSINT, from Wikipedia:

Open-source intelligence (OSINT) is the collection and analysis of data gathered from open sources (covert and publicly available sources) to produce actionable intelligence. OSINT is primarily used in national security, law enforcement, and business intelligence functions and is of value to analysts who use non-sensitive intelligence in answering classified, unclassified, or proprietary intelligence requirements across the previous intelligence disciplines.[1]

OSINT sources can be divided up into six different categories of information flow:[2]

OSINT is distinguished from research in that it applies the process of intelligence to create tailored knowledge supportive of a specific decision by a specific individual or group.

As I worked my way through OSINT, I came across a paper from Robert Layton – “Relative Cyberattack Attribution”.

Definition of attribution from Oxford Languages:

  1. the action of regarding something as being caused by a person or thing: “the electorate was disillusioned with his immediate attribution of the bombings to a separatist group”
    • the action of ascribing a work or remark to a particular author, artist, or person: “the study of Constable is fraught with problems of attribution” · “the attribution to Mozart on the title page is correct” · “none of the texts in the collection contained author attributions”
    • the action of regarding a quality or feature as characteristic of or possessed by a person or thing: “the attribution of human emotions to inanimate objects” · “attributions of false motives, especially of greed, are commonplace”

For a considerable amount of time, I have worked on security. My work has focused on defense. But after reading the paper on the importance of being able to attribute an attack to one or more individuals, I realized that I had been missing a significant part of the solution. If I can’t determine who or what is doing the crime, the attacker will keep coming back.

Attribution is hard work. If attribution were easy, cyber criminals would not have a 95+% success rate.

Anonymization is about removing your identity. It is as if you have a mask on and you are passing through life with those around you not having any idea who you are. Before social media, your identity, your privacy, what makes you unique were the norm. After social media, the idea that I have done nothing wrong, I have nothing to hide, my life is an open book became the norm. But since the dawn of time, there has always been one group that realizes and treasures anonymity. The criminal. In olden days criminals wore masks and disguised their voices. Today criminals use Tor, VPNs, leave no breadcrumbs, do everything possible to protect their anonymity. Cyber criminals understand life and human cognition. The “I have nothing to hide” crowd are targets of opportunity – sitting ducks.

Absolute Attribution

In days of old, the US Federal Government prosecuted a fellow by the name of Al Capone. Getting enough evidence was not easy. Al Capone was into murder, prostitution, bootlegging, loan sharking, etc.

The Federal Government ended up attributing to him the one crime it could prove: tax evasion.

Absolute Attribution is about gathering enough evidence to successfully prosecute an individual.

Cyber criminals are smart. They learned from Al. They have an enormous advantage – something Al never had. Cyber criminals have a target-rich environment – literally over a billion targets asking, “what do you want?” Prosecuting a cyber-criminal is orders of magnitude more difficult than simply filing tax evasion charges.

Attribution Pattern Analysis

Relative Attribution is similar to a technique called Modus Operandi (MO). Anyone who has watched a crime drama has seen law enforcement use an MO – a pattern of behavior – to catch a criminal. Humans are uniquely identifiable. DNA does not guarantee identification of an individual. People are raised in a culture. People have different education levels. People have different skill levels. People have a primary level of language expertise and have different levels of competency in other languages. People use keyboards with different layouts. People type on a keyboard and move a mouse to select an item of interest uniquely. Some people are aggressive. Some people are passive. Collect enough defining attributes and folks who are expert in pattern recognition can tell you that an individual or group most probably did an attack. They may not be able to tell you the name of the individual or organization, but they can tell you that it is most likely person or group XYZ. Relative Attribution is akin to sensor fusion. Look for patterns of uniqueness.

Well-educated and technology-savvy cyber-criminals will do everything possible to keep defenders from detecting uniqueness – patterns. But cyber-criminals and honest working folks share a common attribute. They are human, and being human, they make mistakes.
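One way to make the "sensor fusion" idea concrete, as an added example that is not from this post or from Layton's paper: score constructed incident records on weighted attributes like the ones listed above (language, keyboard layout, working hours, tooling, style) and group incidents that most probably share an actor. The attribute set, weights, threshold and sample incidents are all assumptions made for illustration.

```python
# Added example: relative attribution as weighted attribute matching across
# incidents. Attributes, weights, threshold and records are constructed.
WEIGHTS = {
    "language": 3.0,          # primary language inferred from strings and notes
    "keyboard_layout": 3.0,   # layout inferred from characteristic typos
    "active_hours_utc": 2.0,  # when the actor is usually hands-on-keyboard
    "tooling": 2.0,           # toolkit or malware family fingerprint
    "style": 1.0,             # aggressive vs. passive handling of defenders
}

# Constructed sample incidents as a defender might record them.
INCIDENTS = {
    "inc-1": {"language": "ru", "keyboard_layout": "jcuken", "active_hours_utc": "06-14", "tooling": "kit-A", "style": "aggressive"},
    "inc-2": {"language": "ru", "keyboard_layout": "jcuken", "active_hours_utc": "06-14", "tooling": "kit-A", "style": "passive"},
    "inc-3": {"language": "pt", "keyboard_layout": "abnt2",  "active_hours_utc": "12-20", "tooling": "kit-B", "style": "aggressive"},
    "inc-4": {"language": "ru", "keyboard_layout": "qwerty", "active_hours_utc": "22-06", "tooling": "kit-B", "style": "passive"},
}

def similarity(a, b):
    """Share of total attribute weight on which two incidents agree (0..1)."""
    total = sum(WEIGHTS.values())
    matched = sum(w for k, w in WEIGHTS.items() if a.get(k) is not None and a.get(k) == b.get(k))
    return matched / total

def confidence(score):
    """Translate a score into the analyst's 'most probably / possibly / unlikely' wording."""
    if score >= 0.8:
        return "most probably same actor"
    if score >= 0.5:
        return "possibly same actor"
    return "unlikely same actor"

def cluster(incidents, threshold=0.8):
    """Group incidents transitively by pairwise similarity; returns sorted groups."""
    parent = {k: k for k in incidents}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    keys = sorted(incidents)
    for i, a in enumerate(keys):
        for b in keys[i + 1:]:
            if similarity(incidents[a], incidents[b]) >= threshold:
                parent[find(a)] = find(b)
    groups = {}
    for k in keys:
        groups.setdefault(find(k), []).append(k)
    return sorted(groups.values())
```

A single attribute (inc-4 shares a language with inc-1) is not enough to link incidents; only the pair agreeing on most of the weighted attributes is grouped, which is the "collect enough defining attributes" point rather than any one tell.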

Futile Exercise

Summary. Covered a lot. Security, protecting assets, requires a diverse set of skills. Defense is good. It will usually keep you out of trouble with the law. Understanding technology, networks, data storage, applications, services, etc. is required.

Understanding people, what they are capable of doing, what makes them unique, what is important to them, is as important as understanding and applying technologies. If the attacker cannot be identified, the attacker will keep coming back – the same thing with the mole and Bill Murray. An exercise in futility.

Cyber-attackers are aware. They understand that defenders are people. They understand service users are people and that people make mistakes. Just as Al Capone understood people, cyber-attackers understand people and will do what is necessary to remain anonymous.

Finally, successfully defending requires understanding and deep thought across a very large subject area. It is not about “give me the ball”. It is about being a coach, understanding the big picture, being able to adapt – ask Clint Eastwood – and understanding the strengths and weaknesses of those you are protecting and of your adversary.
