Attribution often gets a bad name in the cybersecurity industry. A common refrain is that attribution can be challenging and may not lead to a direct business outcome. Companies that operate digital platforms have a unique advantage when it comes to attribution, however.
In most cases, a threat actor will need to interact directly with a platform in order to abuse it. In turn, the owner of a platform can likely take tangible action to discourage and prevent attacks without relying on outside support from law enforcement or others. With so many potential targets out there, take-downs and their second-order effects discourage financially motivated attackers from spending time on repeat attacks in favor of moving on to lower-hanging fruit.
Get Beyond Whack-a-Mole
Financially motivated fraud is a major problem for many companies, but perhaps the most frustrating reality of fraud prevention is the constant up-down nature of one-off attack response. In fact, according to research by PYMNTS.com, false positives are seen as the main friction point in the fraud prevention process, with more than 60% of companies citing this as an issue. While there is no way to completely eliminate the scattered nature of platform attacks, advanced criminal groups that consistently target a platform will often account for an outsized number of repeat attacks. These attackers are also likely to cut corners to save time and money, which leads to mistakes. With basic information like a common phone number used to register fraudulent emails, which in turn were used to register accounts, a security team might be able to go from one or two connected take-downs to dozens or more at once.
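The pivot described above, from one known-bad account to others through a shared phone number, email or IP address, can be sketched as a graph walk. This is an added example, not code from the article; the record fields, the sample data and the `max_fanout` threshold are assumptions. It skips selectors shared by too many accounts, since pivoting on those is one source of the false positives mentioned above.

```python
from collections import defaultdict, deque

# Constructed sample signups (not data from the article). "email_phone" is the
# phone number used to register the email address itself.
ACCOUNTS = [
    {"id": "acct-01", "email": "a1@mail.example", "email_phone": "+15550100", "ip": "198.51.100.7"},
    {"id": "acct-02", "email": "a2@mail.example", "email_phone": "+15550100", "ip": "203.0.113.9"},
    {"id": "acct-03", "email": "a3@mail.example", "email_phone": "+15550100", "ip": "203.0.113.9"},
    {"id": "acct-04", "email": "b1@mail.example", "email_phone": "+15550111", "ip": "203.0.113.9"},
    {"id": "acct-05", "email": "c1@mail.example", "email_phone": "+15550122", "ip": "198.51.100.7"},
    {"id": "acct-06", "email": "d1@mail.example", "email_phone": "+15550133", "ip": "198.51.100.7"},
    {"id": "acct-07", "email": "e1@mail.example", "email_phone": "+15550144", "ip": "198.51.100.7"},
]
SELECTOR_FIELDS = ("email", "email_phone", "ip")

def expand_cluster(accounts, seeds, max_fanout=3):
    """Breadth-first pivot from known-bad seeds over shared selectors.

    Returns {account_id: evidence}: None for a seed, otherwise
    (field, value, linked_from_account). Selectors shared by more than
    max_fanout accounts are skipped (assumed threshold; tune per platform).
    """
    by_id = {a["id"]: a for a in accounts}
    by_selector = defaultdict(set)
    for acct in accounts:
        for field in SELECTOR_FIELDS:
            if acct.get(field):
                by_selector[(field, acct[field])].add(acct["id"])

    found = {s: None for s in seeds if s in by_id}
    queue = deque(found)
    while queue:
        current = queue.popleft()
        for field in SELECTOR_FIELDS:
            value = by_id[current].get(field)
            linked = by_selector.get((field, value), ())
            if not value or len(linked) > max_fanout:
                continue  # missing, or too widely shared to attribute
            for other in sorted(linked):
                if other not in found:
                    found[other] = (field, value, current)
                    queue.append(other)
    return found

if __name__ == "__main__":
    for acct_id, why in sorted(expand_cluster(ACCOUNTS, ["acct-01"]).items()):
        print(acct_id, "seed" if why is None else "via %s=%s (from %s)" % why)
```

The evidence tuple kept for each account records which selector linked it to the cluster, so an analyst can review the chain before a bulk take-down.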
Predict the Future
With a broader reach from reactive investigations, the next step is to establish a proactive and sometimes automated cadence for identifying selectors - email addresses, phone numbers, IP addresses, social media handles and more - that are being used to support abuse, so the actors behind them never have a chance. Security teams that ingest threat intelligence are likely to find clues that could lead to additional information about actors targeting them, but this information may not be enough to get proactive by itself.
Pivoting off of the leads a good threat intelligence feed provides to attribute specific actors, however, will enable a security team to get farther ahead of an actor group. Once a team knows baseline information about the highest-risk groups, it can establish internal controls and even monitor external infrastructure and activity to stay a step ahead of coordinated attacks.
Support the Business
Ultimately, digital platforms have grown exponentially in recent years because the efficiencies they create enable companies to achieve major business goals. Good platforms have to be secure, but they also need to be user friendly. A security team can play a huge role in striking that balance with the right intelligence about the real threats to its platforms.
Attribution that provides context can enable more secure code, a better UX, and a brand that customers trust. Much the way a company’s IT team has transitioned from being a cost center to a value center in the past 20 years, when a security team provides actionable advice to a product or platform team, security can transition from a needed hindrance to an enabler.
So while attribution may not be for every company or every use case, those that rely on platforms to drive the business can find outsized impact from investment in discovering the detailed context of the platform abuse they face.