Why Attribution Really Is Not A Choice


Over the last dozen years, the concept of attribution has been introduced into the broader cybersecurity community and conversations. As a result, the concept – or some variation of the concept, has become a persistent element of conversation in our industry. Whether being employed by intelligence analysts, SOC analysts, threat researchers, threat hunters, or incident responders, one thing is still clear: attribution is not a luxury, it is a necessity.  Attribution is integral in proving, supporting, and managing a comprehensive defensive security strategy and associated operations toward their most effective end. For many, attribution is the equivalent of a four-letter word. For others, (myself included), it is key to gaining insight and understanding of threat actors and their peers in addition to being an integral part of the intelligence life cycle. As such, if attribution provides so many benefits it begs the questions: why is it often looked upon within an extreme degree of scrutiny and skepticism within the cybersecurity industry?

Why People Approach Attribution with Skepticism and Dismissiveness

Without going down the rathole of speculation, I believe people are both skeptical and dismissive of attribution for the following  reasons:

  1. There is a fundamental lack of first-hand experience with the lifecycle of intelligence, intelligence analysis, and attribution as a part of the discipline of intelligence analysis. Even though in today’s world cybersecurity is ubiquitous, few people have real exposure and experience in this area, and most (not due to any fault of their own), lack an understanding of the power and importance of attribution analysis having neither been exposed and trained in it or mentored by those who have years doing so.
  2. They fall prey to the ‘echo chamber’ that is fueled and perpetuated by ignorance — contributing to the noise through what they are taught and told by industry skeptics whose opinions and agendas do not align with value proposition(s) that attribution analysis (when conducted properly) delivers.
  3. Vendor messaging is often dismissive of the importance of attribution analysis, further galvanizing the idea that attribution is not essential to or for defenders and is little more than guesswork at best.

Understand that these three points are representative of most of the arguments at the heart of the debate surrounding the importance and relevance of attribution intelligence.  As my colleague Kevin Hall reminded me, correlation is intentionally made difficult by motivated adversaries and we, as defenders, would do well to consider that prior to being dismissive during an investigation.

So Where Do We Go from Here: The Take Aways

When investigating events of interest and upgrading them to actual incidents, attribution analysis will be an especially important aspect of your work — and this is not debatable. On its own, it is not the most crucial aspect of the work conducted by defenders however, its absence can and often has a significant impact on the results and conclusions generated and arrived upon during the course of investigations. A failure to incorporate attribution intelligence as part of an organization’s response strategy complicates matters related to the challenging of alternate hypotheses increasing the likelihood that the same threat actors and adversaries will be encountered again in one incarnation or another.

With that in mind,  what can we do to enable a more measured approach that encourages the incorporation of attribution analysis and intelligence in organizational incidence response and threat analysis actions rather than discourages it? To begin with, we need to recognize our individual and organizational gaps understanding where, when, why, and how to appropriately address them through education and strategic partnership. Increasing knowledge on an individual and organizational level is always good; however, you may not have the time to become comfortable or capable of performing the work for a variety of reasons. If and when this occurs, it is critical identify and engage with potential product and services partners that are skilled in the nuances of the lifecycle of intelligence, attribution analysis, hunting, threat research, and response in order to gain the result the organization needs. The result will see you and your organization achieve a more in-depth, and richer understanding of who’s targeting you: where, when, how, why, and for what reason while being armed with the necessary intelligence to disrupt your adversaries efforts, mitigate and contain any on-premise incursions, leading toward eviction when the time is right to do so.