Sage Advice - Cybersecurity Blog

Cybercrime Attribution Analysis:  The Cyber Who Done It

As much as cybersecurity professionals need to be concerned about insider threats, the bulk of data breaches are still the work of outside forces. “In 2015, 77.7% of all the data breaches we tracked came from the outside,” said Jake Kouns, CISO for Risk Based Security, a consultancy that helps organizations apply analytics to real-time data to monitor activity, and CEO of the Open Security Foundation, which oversees the Open Source Vulnerability Database. “While insiders may hurt you worse because they know where the crown jewels are, breaches are much more likely to be coming from the outside.”

Kouns pointed out this disparity to highlight the importance of attribution analysis using historical arrest data – the subject of his “Cyber Who Done it” session at the 2016 CyberCrime Symposium – in helping organizations better understand the cybercrime actor landscape and begin to put that information to use to better protect themselves and others.  

There were nearly 4,000 incidents in 2015, with 736 million records exposed. Though the records exposed dropped from 2014’s take of 1.1 billion, the number jumped dramatically in 2016 – at the time of the symposium, more than 2.5 billion records had been compromised in more than 3,500 incidents, as mega-breaches continue to spread.

No matter what the industry does, “these breaches are occurring at pretty alarming rates and there’s no sign of slowdown,” said Kouns.

Cybercrime Attribution Is Difficult

Amidst all the frustration over growing attack frequency and size is the question: who’s behind all these external hacks? “Knowledge is power,” said Kouns, so naturally, cybersecurity professionals want to know “who done it” for specific hacks and understand their motives. There was so much speculation about who was behind the 2014 Sony hack that a number of amusing attribution tools – websites, attribution dice, an attribution 8-ball with its own Twitter feed – emerged. “When things start going off the wall, the cybersecurity industry always comes up with funny things – the fact that these jokes come out makes it clear that there’s some drama in the attribution space,” said Kouns.

The Sony hack attribution debate raged for some time, with the FBI, threat-intelligence vendors, cyber-journalists, and pundits all weighing in, mostly with their reasons for why it was or wasn’t North Korea. Then there were the hacks of the DNC in 2016, with intelligence officials zeroing in on Russia, resulting in sanctions issued by the Obama administration, as there had been against North Korea.

“It seems that if we’re going to punish countries and keep escalating tensions, we’d better be sure we’re right,” said Kouns. “There’s got to be a better way to do digital attribution.”

But, he added, cyberspace has unique attributes that make typical CSI-style forensic investigations impossible. These include:

  • It’s easy for hackers to “spoof” evidence.
  • It’s easy to use or embed other hackers’ work (tools, exploits, malware).
  • Physical “territory” is non-existent – hackers don’t need an ‘assembly zone’ that can be detected and watched.

Anatomy of a Hacker

As specialists in data collection rather than malware analysis, Risk Based Security decided to look at cybercrime attribution “through a much different lens.” Enter security researcher Lee Johnstone and his Arrest Tracker project, which started in 2013 as a way to track computer-intrusion incidents resulting in an arrest, the detaining of a person or group, and seizure of goods or items. Together with Johnstone, Risk Based Security expanded the project beyond just arrests to create the Cyber Crime Incident Tracker, officially launched at DEFCON 2016.

Though the Arrest Tracker database is still primarily based on arrest data at this point, it has been expanded to track websites, organizations, authorities, collectives, crimes, and sectors. As of November 2016, Risk Based Security had analyzed the database’s 1,431 incidents, and has since added 200 more that they’ll tackle in their next round of analysis. They will use their findings to better understand the cybercrime landscape and to continue to build hacker profiles – including such information as name, aliases, gender, age, location, country, arrests, charges, trials, and sentences.

What they’ve learned from the project thus far is pretty significant, said Kouns. “We think we can provide detailed computer crime arrest and statistical information to better understand who’s behind cybercrime.” To date, the youngest actor is 12 and the oldest 66, with an average age of 27, and at least 80% are male.

Other interesting findings: analysis has identified 58 collectives, with Anonymous leading the list. Most hackers identified reside in the US, but that’s due to the fact that the data was initially based on arrests. As for arrests themselves? Most take place on a Monday, and the majority have been in April.

For more information on the Cyber Crime Incident Tracker/Arrest Tracker Project, check out

This is the sixth in our series presenting key takeaways from Tyler Cybersecurity’s 2016 CyberCrime Symposium, held November 3-4, 2016. If you couldn’t get a seat at the event or just want a refresher, check in weekly for the latest installment featuring actionable insight from select presentations.
