Few topics in the field of Cyber Threat Intelligence (CTI) prompt as much passion and debate as the concept of threat attribution. From numerous conference talks, to blogs and papers, to various applications in CTI analysis, the question of threat attribution repeatedly emerges. While CTI attribution discussions can take many forms and aim at specific audiences—for example, policy-makers and state strategy—this discussion will focus on the technical analyst’s perspective. In adopting this viewpoint, the question of attribution typically manifests in a very binary fashion. Whereas attribution, as described below, represents various gradations, most discussion limits itself to “yes or no” discussions as to the value and need for CTI attribution, when the actual answer (as with most things in CTI) is, “it depends.”
In this paper, a concept of attribution that moves the CTI community away from binary conceptions of CTI attribution value and instead approaches a continuum of attribution types will be introduced. In doing so, multiple possibilities emerge for CTI attributive statements, of different values and significance for different parties—as well as different degrees of relevance for those who wish to make such statements. Through this discussion, the relative value of different types of statements will be examined. Additionally, critical consideration will be applied to why some positions along the emerging continuum of attribution types may be less than desirable for all parties, and ultimately best avoided.
This white paper:
- Defines the attribution continuum
- Clarifies the relative value and importance of different types of attribution
- Orients Cyber Threat Intelligence to defensible attribution actions