In a groundbreaking development for cybersecurity, researcher Silvia Sebastián, advised by professor Juan Caballero, unveiled at her thesis defense a novel automated approach to attribution, significantly transforming the process of identifying entities responsible for cyberattacks. Silvia had the support of colleagues, family and friends to defend her thesis entitled: “An Automated Framework for Cybersecurity Attribution and Artifact Relationship Identification”, which was presented at ETSIINF UPM.
Attribution, the crucial task of answering the question “Who did it?” in the realm of cybersecurity, has long been hindered by challenges such as anonymized information, manual processes, and high costs.
The proposed approach centers around the creation of an attribution graph, where nodes represent digital artifacts (such as IP addresses and domains) or identities (such as person names and organization names), and edges capture the connections between these indicators. The attribution graph offers transparency, documenting the chain of inferences leading from the initial artifacts to the owner’s identity.
By automating the construction of the attribution graph, the researchers aim to reduce the cost and time associated with the attribution process. This innovative approach allows cybersecurity analysts to shift their focus to other critical tasks, including acquiring data sources, designing new attribution techniques, and engaging in more creative inferences.
Two tools have been developed based on this approach. The first tool, Retriever, is designed to identify developer accounts in mobile application markets belonging to the same identity. In evaluations involving 17 operations reported by security vendors, Retriever successfully discovered previously unknown developer accounts in 94% of cases.
The second tool, WhoseDomain, goes beyond the limitations of the WHOIS protocol by identifying the owner of domains and websites through the analysis of additional data sources, such as TLS certificates, passive DNS, and website content. WhoseDomain gets a high accuracy with an F1 Score of 0.94, which overpasses by far the accuracy of WHOIS with an F1 score of 0.54.
Additionally, the researchers introduced AVClass2, a tool capable of extracting tags from the antivirus labels of malware samples. These tags capture various characteristics, including malware class, family, behavior, and file properties. AVClass2 allows analysts to perform rich searches in malware datasets, showcasing its effectiveness in handling large-scale malware analysis.
This automated attribution approach marks a significant advancement in the field of cybersecurity, offering an automatic method for cyber attribution. As these tools gain traction, the hope is to enhance the overall security landscape by streamlining the attribution process and enabling cybersecurity professionals to stay one step ahead of evolving threats.
