Table 2 Characterizing threat actors based on gained insights

From: Under false flag: using technical artifacts for cyber attack attribution

Questions regarding the relevant INFRASTRUCTURE:
∙ Was the victim specifically selected or likely hit by chance? (e.g., Was there a mechanism for target validation?)
∙ Were other target infrastructures attacked in parallel?
∙ Was insider knowledge likely required to break in effectively?
∙ What external infrastructure (Cloud, DNS etc.) was utilized to carry out the attack?
Questions regarding the CAPABILITIES of a threat actor:
∙ What special skills were required in order to build the payload?
∙ How rare are these skills and who is known to have them?
∙ What budget and time resources were likely required?
∙ Who has the facilities and access to certain components (in case of CPS) to re-build the target environment and test exploits accordingly? (if applicable)
∙ Were there any beginner’s mistakes made?
∙ Were certain actions sloppy compared to other steps in the whole process?
∙ Was the operation successful in general?
Questions regarding the MOTIVATION of a threat actor:
∙ Who has a clear benefit from breaching into the target organization?
∙ Who or what suffers the most harm, also considering side effects and long-term effects?
∙ Who or what was damaged most, and which impact can be predicted for the future?
∙ Can any current political developments be associated with this attack?