From: Under false flag: using technical artifacts for cyber attack attribution
Questions regarding the relevant INFRASTRUCTURE:
∙ Was the victim specifically selected or likely hit by chance? (e.g., was there a mechanism for target validation?)
∙ Were other target infrastructures attacked in parallel?
∙ Was insider knowledge likely required to break in effectively?
∙ What external infrastructure (cloud, DNS, etc.) was utilized to carry out the attack?
Questions regarding the CAPABILITIES of a threat actor:
∙ What special skills were required in order to build the payload?
∙ How rare are these skills, and who is known to have them?
∙ What budget and time resources were likely required?
∙ Who has the facilities and access to certain components (in the case of CPS) to rebuild the target environment and test exploits accordingly? (if applicable)
∙ Were there any beginner's mistakes made?
∙ Were certain actions sloppy compared to other steps in the whole process?
∙ Was the operation successful in general?
Questions regarding the MOTIVATION of a threat actor:
∙ Who has a clear benefit from breaching the target organization?
∙ Who or what suffered the most harm, also considering side effects and long-term effects?
∙ Who or what was damaged most, and which impact can be predicted for the future?
∙ Can any current political developments be associated with this attack?