Attribution of Cyber Attacks Has Limited Value

in security •  8 years ago 

Enterprises are the target of cyber attacks all the time. Some are minor while others make headlines. Unfortunately, the more public the incident, the greater the emphasis placed on identifying the culprit. This attribution, confidently determining who conducted the attack, can satisfy curiosity but can also take critical resources away from the recovery effort. Attribution can be a detriment to the overall good of the organization if it detracts from containment work, which is imperative during the event.

Networkworld has a pretty good post on the topic: "Attack attribution does little to improve enterprise security".

The following quote sums up their position well: 

"Improving a company’s defenses should be the top priority after a hack, not spending time trying to determine who conducted the attack"

I have been in those trenches myself. The focus, after the realization of a compromise, should be to limit the damage, prevent recurrence, and return to normal operations. There are some beneficial learnings with attribution if the victim is willing to understand the motivations and methods of the threat agents and incorporate improved defense-in-depth or strategic cybersecurity capabilities. But this is rare and normally only attempted by the most mature organizations. Common practice is just to patch the hole and wait for the attacker to cause the next crisis.
