Home / Blogs

Why Attribution Is Important for Today’s Network Defenders

It makes me cringe when I hear operators or security practitioners say, “I don’t care who the attacker is, I just want them to stop.” I would like to believe that we have matured past this idea as a security community, but I still find this line of thinking prevalent across many organizations—regardless of their cyber threat operation’s maturity level.

Attribution is important, and we as Cyber Threat Intelligence (CTI) professionals, need to do a better job explaining across all lines of business and security operations how the pursuit of attribution, manifesting itself in adversary analysis, can be employed to improve an organization’s resource allocation and security posture.

Performing adversary analysis can benefit organizations in the following ways:

  • Prioritize incidents effectively based on adversary impact
  • Identify internal high-value targets and programs based on adversary intent and collection requirements
  • Proactively block threat infrastructure
  • Monitor threat communications to provide advance warning
  • Drive intelligence-driven red teaming based on threat tactics
  • Support internal business cases for IT security resource allocation based on what adversaries are targeting within your business

It is true that definitive attribution is very difficult to achieve, but most threat action leaves behind tangible elements; after all, cyber-attacks ultimately stem from a person or persons. They have motivations, develop code, abide by operational procedures or styles, have egos, attend university, have jobs, receive tasking, maintain blogs, administer forums, leverage social media, conduct security research, register infrastructure, and use tools.

A few basic examples of questions I’ve found useful in the past in conducting this type of analysis are:

  • Have the actors authored any publications, conducted vulnerability research, or developed tools, exploits or other code development notes?
  • What email address, blogs, URLs, handles, IP addresses or domains are associated with the actor?
  • Do any group affiliations exist (what is the actor’s role, group’s name, stated mission, other individuals in the group, etc.)?
  • What is the educational background of the actor (dates, curriculum, contact information, other classmates, etc.)?
  • What Web 2.0 technologies are leveraged by the actor (i.e., what is the nature of communication? Is it discussion focused)?

CTI professionals should work to create internally developed questions (read Six Approaches to Creating an Enterprise Cyber Intelligence Program) to drive research, collection and analysis across all of the aforementioned facets in order to provide a holistic view of the threat at the tactical, operational and strategic levels. The ultimate goal of adversary analysis should be to provide our stakeholders with intelligence that supports a security control, maps threat intent to organizational high-value programs/targets, changes an organization’s behavior, creates a course of action and supports the case for proper security resource allocation. These are just a few reasons to care.

To learn more about cyber intelligence, visit iDefense Security Intelligence Services.

By Josh Ray, Vice President of Cybersecurity Intelligence at Verisign

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet




Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign


Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API