The Q Model

Who is responsible for ordering the attack?
Who took the initiative?
How successful was the operation?
Did it succeed or fail?
What was the attack's objective?
What are the attack's consequences?
Did it have unanticipated side-effects?
Does the attack set a precedent?
What did the attack change?
Should there be a response?
If yes, what kind of response?
Will a response cause second-order effects?

Indicators of Compromise
What prompted the investigation?
What are the atomic indicators?
Is the observed behaviour suspicious?
Have known-malicious programs been installed?

Scope
Was the attack part of a larger campaign?
What are the features of the larger campaign?
What other incidents have occurred in the campaign?
What can be learned from them?

Cost
How expensive was the attack?
How much support did it require?
Did the attack require testing?
Did the testing require specific systems or hardware?

Claims
Was the attack announced?
Has anybody claimed the attack?
Has a third party leaked information on the attack?
Does the code contain deliberate hints?
Could this be a false flag?
Who benefited most?
Who was damaged most?

Skills
Did the operation require specific skills?
How rare are those skills?
Who has them?

Context
What is the political or regional context?
What do other sources say?
Was the attack linked to specific events?

Significance
What was the attack's operational significance for the attacker?

Intelligence
Did the operation require target intelligence?
If yes, how much?
How hard was that intelligence to get?
Where did it come from?

Evolution
Did the attack evolve during its execution?
What explains the change?
Did this evolution require further authorisation?

Do multiple indicators align on one suspect?
Is there any 'padding', detail that does not support any findings but looks good?
Which questions remain unanswered?

Entry
What was the attack's penetration technique?
What weakness did the intruder exploit?
Does the penetration technique match other incidents?
Were zero-days used? How many?
Were entry techniques combined in a revealing way?

Are there alternative explanations?
Could another party be staging a false-flag operation?
How much detail should be released?
What is the most appropriate estimative language?

Functionality
What was the attack designed to do?
Exfiltrate information?
Modify information?
Modify and reprogram control processes?
Interrupt control processes?

Cluster
Are there other examples of the same or similar attack methodologies?
Who used it?
When?
Where?

Insider
Did the attack require something only an insider could provide?
Did the attackers get insider help (beyond social engineering)?

Targeting
What was the target? Was the target specific or of a general nature?
How did the attackers behave once inside?
Were they looking for specific documents?
Were they accessing specific machines?

Mistakes
Did the attackers make mistakes?
What kind of mistakes?
Does the code contain typos?
Did the intruders inadvertently reveal information?

Language
What was the language of origin?
Are the system language settings known?
Does the code use language that hints at the author?
Do the files contain region-specific strings?

Modularity
Was the malware modular?
How different are the modules?
Were the modules developed by different teams or developers?
Were components already available?

Personas
Are there any pseudonyms or names involved?
Do they appear elsewhere?
Do they appear on social media?
Do specific words, names, phrases or slang refer to a specific region, interests, or skills?

Levels of analysis (reconstructed from the diagram's centre table; the fourth column header is truncated to "Sta" in the source):

Levels              | Questions  | Goals              | Sta         | Target                    | Responsibility | Certainty | Detail    | Communication (to)
strategic           | why?       | response           | estimates   | (gov’t) org, individual * | gov’t agency   | lower     | concise   | politicians, executives, the public
operational         | who?       | understanding      | hypotheses  | *                         | group          | medium    | synthesis | leaders, analysts
tactical, technical | what? how? | technical analysis | description | data, docs, processes     | individual     | higher    | detailed  | forensic experts

* one cell, "(gov’t) org, individual", spans the strategic and operational rows in the source layout.

Certainty: how well are the conclusions supported?
Diagram annotation: leaders, advisers probing with questions.

Approval
Who is likely to have approved the op?
Did lawyers approve the op?
Does the code have a due date?
Does it try to minimize collateral infections or damage?
Is there target verification?

Infrastructure
What hardware infrastructure was used?
What was the software infrastructure?
What, if any, command-and-control infrastructure was used?
Who registered the infrastructure?
Are there common tags or configuration templates?

Unknown
Is something missing?
Gaps?

Stealth
Did the attackers try to cover their tracks?
How did the intruders evade detection?
Did they use anti-forensics?
Did they manipulate log files?

Pattern-of-Life
When did the attack primarily take place?
When was the attack code compiled?
What were the intruders’ working hours?
When did Command-and-Control take place?
Did the attackers look for timely information?
Is the attack’s timing linked to other events?
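The Pattern-of-Life questions above (when was the code compiled, what were the intruders' working hours) are usually answered by looking at compile timestamps as a whole rather than one at a time. The following is an added example, not part of the Rid and Buchanan model or the paper: it takes a set of compile timestamps (a constructed sample, not real malware data), shifts them through every whole-hour UTC offset, and ranks the offsets by how many stamps land Monday to Friday, 09:00 to 17:59 local time. The working-window bounds and the candidate offset range are assumptions chosen for illustration.

```python
"""Pattern-of-life analysis over compile timestamps (added example).

Ranks candidate UTC offsets by how many compile timestamps fall inside a
Monday-Friday, 09:00-17:59 local working window. The sample data below is
constructed for illustration and does not come from any real malware corpus.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: PE header compile timestamps, already converted to UTC.
# Eleven fall on weekdays; the last one is a Saturday outlier to show noise.
SAMPLE_TIMESTAMPS_UTC = [
    "2014-03-03T01:00:00", "2014-03-03T02:17:30", "2014-03-03T06:05:12",
    "2014-03-04T03:40:00", "2014-03-04T08:55:00",
    "2014-03-05T01:30:00", "2014-03-05T07:10:45",
    "2014-03-06T04:02:00", "2014-03-06T09:30:00",
    "2014-03-07T02:45:00", "2014-03-07T05:20:00",
    "2014-03-08T02:00:00",  # Saturday
]

WORKDAY_START = 9                    # inclusive local hour (assumed window)
WORKDAY_END = 18                     # exclusive local hour (assumed window)
CANDIDATE_OFFSETS = range(-12, 15)   # UTC-12 .. UTC+14, whole-hour zones only


def parse_utc(stamps):
    """Parse ISO-8601 strings (no zone suffix) as timezone-aware UTC datetimes."""
    return [datetime.fromisoformat(s).replace(tzinfo=timezone.utc) for s in stamps]


def to_local(t, utc_offset_hours):
    """Shift an aware UTC datetime into a fixed-offset candidate zone."""
    return t.astimezone(timezone(timedelta(hours=utc_offset_hours)))


def workday_score(times, utc_offset_hours):
    """Fraction of timestamps that land Mon-Fri inside the working window."""
    hits = 0
    for t in times:
        local = to_local(t, utc_offset_hours)
        if local.weekday() < 5 and WORKDAY_START <= local.hour < WORKDAY_END:
            hits += 1
    return hits / len(times)


def rank_offsets(times):
    """All candidate offsets, best-fitting first; ties broken by smaller offset."""
    scored = [(off, workday_score(times, off)) for off in CANDIDATE_OFFSETS]
    return sorted(scored, key=lambda p: (-p[1], p[0]))


def hour_histogram(times, utc_offset_hours):
    """Counter of local hour-of-day, for eyeballing the daily rhythm."""
    return Counter(to_local(t, utc_offset_hours).hour for t in times)


def weekday_histogram(times, utc_offset_hours):
    """Counter of local weekday (0=Mon .. 6=Sun)."""
    return Counter(to_local(t, utc_offset_hours).weekday() for t in times)


def working_hours(times, utc_offset_hours):
    """(earliest, latest) local hour seen on weekdays at this offset, or None."""
    hours = [to_local(t, utc_offset_hours).hour for t in times
             if to_local(t, utc_offset_hours).weekday() < 5]
    return (min(hours), max(hours)) if hours else None


if __name__ == "__main__":
    times = parse_utc(SAMPLE_TIMESTAMPS_UTC)
    ranking = rank_offsets(times)
    best, score = ranking[0]
    print(f"best-fitting zone: UTC{best:+d} ({score:.0%} of stamps in the window)")
    print("runners-up:", ranking[1:3])
    print("local hours:", sorted(hour_histogram(times, best).items()))
    print("weekdays (0=Mon):", sorted(weekday_histogram(times, best).items()))
    print("weekday working hours:", working_hours(times, best))
    # Caveat: compile timestamps are attacker-controlled and can be forged or
    # zeroed (see the Stealth and false-flag questions), so a clean fit is one
    # indicator to weigh against the others, not a conclusion on its own.
```

On the constructed sample the ranking puts UTC+8 first with 11 of 12 stamps inside the window, with UTC+9 and UTC+7 close behind; that closeness is the point: a one-hour neighbour is rarely ruled out by timestamps alone, and the weekday histogram makes the Saturday outlier visible instead of silently averaging it in.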

Stages
Could the attack be a follow-up or preparatory op?
Does it appear that different teams worked on different portions of the operation?
Could there be more stages yet to come?

What are the “terms and conditions” of releasing signatures and technical indicators?
Will capabilities be harmed as a result of the release?
Will operations be harmed as a result of the release?
Will adversaries be able to adapt their behaviour?
If yes, how?
And who?

Post-Publication
How did the intruders respond to the publicity?
Was the response professional?
Did the intrusions continue?
If no, did they stop permanently?
Did tactics and methods change?
When was the response initiated?
How long did it take?
Was infrastructure dismantled?
If so, how?

©
Thomas Rid and Ben Buchanan, King’s College London
Note: a detailed discussion of this model is at:
Rid, T. and B. Buchanan, “Attributing Cyber Attacks,”
Journal of Strategic Studies, vol 39, no 1, February 2015,
http://dx.doi.org/10.1080/01402390.2014.977382