An Exploratory Study on Artifacts for Cyber Attack Attribution Considering False Flag: Using Delphi and AHP Methods.

Soonil Hwang, Tae-Sung Kim

IEEE Access (2023)

Abstract
When an attacker causes a security incident in cyberspace, an analyst examines the artifacts collected from the affected systems. The findings are used to track the attacker or to build the organization's security plan. If, however, the analyst works from traces the attacker fabricated, he or she is not only misled by the attacker's false flag but also loses the ability to track the attacker. Inappropriate responses can then waste limited resources and cause financial damage to the organization. If false flag operations are taken into account, the collection of artifacts from intrusion incidents and their development into new Indicators of Compromise (IOCs) or Indicators of Attack (IOAs) can significantly improve the accuracy of attributing an incident to an entity. This study is exploratory research that aims to identify artifacts valuable for recognizing false flag operations, based on qualitative research with cybersecurity experts who have direct experience or extensive knowledge in the field. Specifically, with the participation of researchers knowledgeable about both defensive and offensive techniques, the study applied Delphi and AHP analyses to draw on the experts' knowledge and experience. Ultimately, the goal is to select artifacts related to attackers' false flag operations and to use the identified indicators when analyzing intrusion incidents that involve false flag tactics.
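The abstract names AHP (Analytic Hierarchy Process) as the method used to weight the experts' judgments, but the page does not reproduce the paper's criteria, pairwise judgments or numbers. The following is an added illustration, not the authors' code or data, of the AHP step that turns Saaty-scale pairwise judgments into priority weights and checks whether those judgments are consistent enough to trust: the four artifact categories and every judgment value are constructed for the example, and the consistency-ratio threshold of 0.1 and the random-index table are Saaty's standard values.

```python
"""AHP priority weights and consistency check for ranking false-flag artifacts.

Added example, not the paper's own code or data. The artifact categories and all
pairwise judgments below are constructed for illustration.
"""
from typing import Dict, List, Sequence, Tuple

# Saaty's random consistency index (RI) for matrix orders 1..10 (standard values).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}


def reciprocal_matrix(n: int, upper: Dict[Tuple[int, int], float]) -> List[List[float]]:
    """Build the full n x n comparison matrix from upper-triangle judgments only.

    Only a_ij with i < j is taken from the expert; a_ji is forced to 1/a_ij and the
    diagonal to 1, so reciprocity holds by construction instead of depending on the
    expert entering both directions of every pair consistently.
    """
    a = [[1.0] * n for _ in range(n)]
    for (i, j), v in upper.items():
        if not (0 <= i < j < n) or v <= 0:
            raise ValueError(f"bad judgment ({i},{j})={v}")
        a[i][j] = float(v)
        a[j][i] = 1.0 / float(v)
    for i in range(n):
        for j in range(i + 1, n):
            if (i, j) not in upper:
                raise ValueError(f"missing judgment for pair ({i},{j})")
    return a


def priority_vector(a: Sequence[Sequence[float]], iters: int = 500) -> List[float]:
    """Principal eigenvector of a positive matrix, normalised to sum 1, by power iteration."""
    n = len(a)
    w = [1.0 / n] * n
    for _ in range(iters):
        v = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
        s = sum(v)
        w = [x / s for x in v]
    return w


def consistency_ratio(a: Sequence[Sequence[float]], w: Sequence[float]) -> float:
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1).

    Saaty's rule of thumb: CR > 0.1 means the judgments are too inconsistent to use
    and the expert should be asked to revisit them (a Delphi round does exactly that).
    """
    n = len(a)
    if n <= 2:
        return 0.0  # 1x1 and 2x2 reciprocal matrices are always consistent
    aw = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1)
    return ci / RANDOM_INDEX[n]


def rank_artifacts(names: Sequence[str],
                   upper: Dict[Tuple[int, int], float]) -> Tuple[List[Tuple[str, float]], float]:
    """Return (artifact, weight) pairs sorted by weight, plus the consistency ratio."""
    a = reciprocal_matrix(len(names), upper)
    w = priority_vector(a)
    cr = consistency_ratio(a, w)
    ranked = sorted(zip(names, w), key=lambda t: t[1], reverse=True)
    return ranked, cr


# Hypothetical artifact categories (not the paper's) and one expert's constructed
# Saaty-scale judgments: (i, j) -> how much more artifact i matters than artifact j.
ARTIFACTS = ["compile timestamps", "code-page/language strings",
             "C2 infrastructure reuse", "TTP overlap"]
JUDGMENTS = {(0, 1): 3, (0, 2): 5, (0, 3): 7, (1, 2): 3, (1, 3): 5, (2, 3): 3}

if __name__ == "__main__":
    ranked, cr = rank_artifacts(ARTIFACTS, JUDGMENTS)
    for name, weight in ranked:
        print(f"{weight:.3f}  {name}")
    print(f"consistency ratio = {cr:.3f} ({'acceptable' if cr <= 0.1 else 'revisit judgments'})")
```

The point of the consistency check is that an intransitive set of judgments (A beats B, B beats C, C beats A) still yields a weight vector, so without the CR an analyst would never notice that the ranking is meaningless; in practice the CR is what decides whether an expert's response survives into the next Delphi round.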
Keywords
cyber attack attribution,delphi,artifacts