Although 'case linkage' is a term used primarily in law enforcement, recent research presented at DefCon 26 in Las Vegas brings this important concept to the surface for all security practitioners. Threat researchers and defenders alike have a tough time keeping the bad actors out and trying to stay on top of evolving and emerging threats. When it comes to attribution, it isn't always clear-cut or straightforward. Attackers use many methods to obtain access, maintain persistence using pre-installed operating system tools, wipe their tracks, and hide behind proxy connections in countries that have weak cyber security laws. Because of the variation in how an attack can be executed, it's particularly difficult to prove conclusively which individual, group or nation state is behind an attack. The addition of 'false flags', which have been another subject of interest recently, adds yet another layer of complexity to attribution, whereby attackers can portray the attack as having been committed by some other person, group or state.
While case linkage may have some way to go, it’s certainly a good talking point. This really brings home the fact that before you can even consider looking at behavioural analysis using case linkage, you should at least be collecting the forensic evidence that will help you or your organisation move towards this approach. As the trust zone has extended beyond the standard corporate network to include BYOD, IoT and more, log collection of servers and endpoints is one of many prerequisites. Industry best practice should incorporate continuous network security monitoring (NSM) and user and entity behaviour analysis (UEBA), allowing visibility into user, device and network specific artefacts. Whether you are responding to a security incident as part of your SOC duties or executing an incident response (IR) investigation, having a sound way of managing, maintaining, and tracking your artefacts via effective case management should also be a high priority.
Fundamentally, the more artefacts at your disposal, the more likely you'll be able to spot behavioural differences, as well as similarities, which may bring you, your team or your company that all-important step closer to attributing the adversary.
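To make the point about artefact coverage concrete, here is an added example (not code from the original article): each case is represented as the set of behavioural artefacts an analyst recorded in case management after collecting endpoint and network logs, and prior cases are ranked against a new one by a weighted Jaccard similarity. The case identifiers, artefact categories, values and weights are all constructed for illustration; the comparison is run once with only persistence and tooling artefacts collected, and once with every category, to show that the extra artefacts are what separate a genuinely linked case from one that merely shares common living-off-the-land techniques.

```python
"""Added example, not part of the original article: scoring behavioural
similarity between incident cases from the artefacts collected during IR.

Each case is a set of (category, value) artefacts as an analyst would record
them in a case-management system. Case similarity is a weighted Jaccard index
over those artefacts; ranking prior cases against a new one is the 'linkage'
step. All cases, categories, values and weights below are constructed.
"""
from typing import Dict, List, Optional, Set, Tuple

Artefact = Tuple[str, str]  # (category, value)

# Constructed weights: how much a shared artefact in each category counts.
# Widely used built-in persistence/tooling is weak evidence on its own;
# infrastructure and exfiltration choices are treated as more distinctive.
WEIGHTS: Dict[str, float] = {
    "persistence": 1.0,
    "tooling": 1.0,
    "exfil": 2.0,
    "network": 2.0,
    "timing": 1.0,
}

# Constructed sample cases (labels are illustrative, not real indicators).
# CASE-002 shares infrastructure and exfiltration with CASE-001; CASE-003
# shares only the common persistence and tooling artefacts.
CASES: Dict[str, Set[Artefact]] = {
    "CASE-001": {("persistence", "scheduled_task"), ("tooling", "builtin_script_host"),
                 ("exfil", "https_to_cloud_storage"), ("network", "proxy_chain_3_hops"),
                 ("timing", "utc_night")},
    "CASE-002": {("persistence", "scheduled_task"), ("tooling", "builtin_script_host"),
                 ("exfil", "https_to_cloud_storage"), ("network", "proxy_chain_3_hops"),
                 ("timing", "utc_evening")},
    "CASE-003": {("persistence", "scheduled_task"), ("tooling", "builtin_script_host"),
                 ("exfil", "dns_tunnel"), ("network", "direct_from_vps"),
                 ("timing", "utc_day")},
}


def restrict(case: Set[Artefact], categories: Optional[Set[str]]) -> Set[Artefact]:
    """Keep only the artefacts whose category is being compared on (None = all)."""
    if categories is None:
        return set(case)
    return {a for a in case if a[0] in categories}


def weighted_jaccard(a: Set[Artefact], b: Set[Artefact], weights: Dict[str, float],
                     categories: Optional[Set[str]] = None) -> float:
    """Weighted Jaccard similarity: sum of weights over shared artefacts divided
    by the sum of weights over all artefacts seen in either case.
    Returns 0.0 when there is nothing to compare (empty union)."""
    a, b = restrict(a, categories), restrict(b, categories)
    union = a | b
    if not union:
        return 0.0
    shared = sum(weights.get(cat, 1.0) for cat, _ in a & b)
    total = sum(weights.get(cat, 1.0) for cat, _ in union)
    return shared / total


def link_cases(target: str, cases: Dict[str, Set[Artefact]], weights: Dict[str, float],
               categories: Optional[Set[str]] = None,
               threshold: float = 0.0) -> List[Tuple[str, float]]:
    """Rank every other case by similarity to `target`, highest score first,
    dropping candidates below `threshold`."""
    scores = [(cid, weighted_jaccard(cases[target], arts, weights, categories))
              for cid, arts in cases.items() if cid != target]
    return sorted(((cid, s) for cid, s in scores if s >= threshold),
                  key=lambda x: x[1], reverse=True)


if __name__ == "__main__":
    few = {"persistence", "tooling"}
    # With only the common categories collected, both prior cases look identical.
    print("persistence + tooling only:", link_cases("CASE-001", CASES, WEIGHTS, few))
    # With every category collected, CASE-002 clearly ranks above CASE-003.
    print("all artefact categories:   ", link_cases("CASE-001", CASES, WEIGHTS))
```

The weights are an analyst's judgement, not a statistical model: in practice they would be derived from how often each artefact appears across the whole case corpus, and the ranking is a prompt for a human comparison of the two cases' full timelines, not an attribution verdict on its own.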
Case linkage analysis certainly isn't a silver bullet. If it's ever used in breach attribution, it will likely need to be used in tandem with other methods. Still, deciphering who's behind the keyboard when a cyberattack hits remains one of the most troublesome tasks for law enforcement and researchers.