惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

B
Blog RSS Feed
博客园_首页
N
News | PayPal Newsroom
有赞技术团队
有赞技术团队
The Hacker News
The Hacker News
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
The Cloudflare Blog
S
SegmentFault 最新的问题
Jina AI
Jina AI
人人都是产品经理
人人都是产品经理
P
Privacy & Cybersecurity Law Blog
AI
AI
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Schneier on Security
Schneier on Security
博客园 - 三生石上(FineUI控件)
月光博客
月光博客
量子位
Forbes - Security
Forbes - Security
爱范儿
爱范儿
云风的 BLOG
云风的 BLOG
SecWiki News
SecWiki News
Last Week in AI
Last Week in AI
酷 壳 – CoolShell
酷 壳 – CoolShell
T
Tor Project blog
Recorded Future
Recorded Future
A
About on SuperTechFans
J
Java Code Geeks
The Register - Security
The Register - Security
PCI Perspectives
PCI Perspectives
H
Hacker News: Front Page
V2EX - 技术
V2EX - 技术
S
Secure Thoughts
V
Vulnerabilities – Threatpost
Hacker News: Ask HN
Hacker News: Ask HN
MongoDB | Blog
MongoDB | Blog
N
Netflix TechBlog - Medium
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Scott Helme
Scott Helme
T
The Exploit Database - CXSecurity.com
Y
Y Combinator Blog
AWS News Blog
AWS News Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
IT之家
IT之家
T
The Blog of Author Tim Ferriss
G
Google Developers Blog
C
CERT Recently Published Vulnerability Notes
L
LangChain Blog
F
Full Disclosure
Application and Cybersecurity Blog
Application and Cybersecurity Blog
The GitHub Blog
The GitHub Blog

Intel 471 Blog

TeamPCP Supply Chain Attacks Turning Geopolitical Tension into Actionable Intelligence CVE-2025-68613: Zerobot botnet exploits critical vulnerability impacting n8n AI orchestration platform Introducing Cyber Threat Exposure Bundle: A Unified Approach to External Risk CVE-2026-20127: Critical Cisco SD-WAN vulnerability exploited in wild Handala Threat Group OpenClaw: A viral AI assistant and a magnet for infostealer malware and ClickFix trickery Israeli, US strikes against Iran triggers a surge in hacktivist activity CVE-2026-1731: Finding a critical RCE in an age of AI-driven vulnerability research Born to bypass MFA: Taking down Tycoon 2FA The UK Cyber Security Resilience Bill How AI and the human advantage beat tomorrow’s threats Winter Olympics 2026: Hacktivism Surges Ahead of Protests and Suspected Sabotage How Threat Hunting and “Good” Metrics Help The Business Likely fake ransomware operator 0APT causes panic — Our analysis Hunting APTs: from state policy to TTPs CrazyHunter Ransomware DevMan Ransomware Introducing HUNTER Tuning: a New Tool for Driving Behavioral Threat Hunt Detections Battling check fraud in the U.S. Gootloader Malware Update Shai-Hulud Worm 2.0 New FvncBot Android banking trojan targets Poland White Paper Preview: Black "Fraud Day” and Beyond — The Key Cyber Threats Facing the Retail Sector this Holiday Season Threat hunting case study: Detecting IAB activity Using deception to extract cyber threat intelligence Lynx Ransomware Qilin Ransomware Group ClickFix: Tricking users into installing infostealers Cybercrime Takedowns: Trust, Partnerships and Focus How card fraud is powered by underground card checkers Tracking down The Com Turning Chaos into Clarity: The Next Phase of Intel 471’s Geopolitical Intelligence Solution The FBI’s Group 78: Covertly fighting ransomware? How threat actors bypass multifactor authentication Crimson Collective In a digital age, US paper check fraud flourishes How you can defend against AI-driven fraud and phishing Detecting cybercriminal activity on Telegram NPM - Shai-Hulud Worm Threat hunting case study: ToolShell AMOS Stealer How AI can (and can’t) help in threat hunting The Phrack leak: Examining an APT’s workstation How initial access offers power intrusions and ransomware Drawing value from cyber threat intelligence “Pig-Butchering” Scams: The Dark Side of Social Engineering and Why Terminology Matters After disruption, XSS cybercrime forum faces loss of trust Update: Salt Typhoon Bridging the CTI Gap: New Exposure Modules on Verity471 Deliver Market-Disrupting Views of Threats Introducing Verity471: Cyber Threat Intelligence Ready to Operationalize FileFix Social Engineering Technique Guided Threat Hunts Takes Your Behavioral Threat Hunting to the Next Level Defending against doxing CVE-2025-53770 - Microsoft Sharepoint Mass Exploitation (ToolShell) Threat hunting case study: Lumma infostealer Pro-Russian hacktivism: Shifting alliances, new groups and risks mommy Access Broker NATO summit commences in tandem with tense cyber, kinetic conflict A look at ‘Tinker,’ Black Basta’s phishing fixer, negotiator Threat hunting case study: DragonForce Two critical challenges facing CTI teams and how to overcome them: Intel 471’s additional insights into the SANS 2025 CTI Survey Android malware trends: Stealthier, easier-to-use Fingerprinting threat actors by their anonymity techniques DanaBot malware disrupted, threat actors named Intel 471 brings HUNTER behavioral threat hunts to Google Security Operations SANS 2025 CTI Survey: It’s Business Time for Cyber Risk How an alleged Russian hacker slipped away Threat hunting case study: Medusa ransomware CVE-2025-31324 - SAP NetWeaver Vulnerability DragonForce Ransomware Managing a cyber crisis LabHost: A defunct but potent phishing service Understanding and threat hunting for RMM software misuse Threat-hunting case study: Windows Management Instrumentation abuse VanHelsing Ransomware An in-depth look at Black Basta's TTPs Six Key Takeaways From the SANS 2025 Threat Hunting Survey Update: Medusa Ransomware Writing high-quality IDS detection rules Threat hunting case study: RMM software Update: LockBit Ransomware Zservers: Bulletproof hosting for online crime Update: Black Basta Ransomware and Threat Group Black Basta exposed: A look at a cybercrime data leak BadPilot Campaign The evolution of Russian cybercrime Android trojan TgToxic updates its capabilities Threat hunting case study: SocGholish DeepSeek AI poses cybersecurity risks Law enforcement hammered cybercrime in 2024. Is it working? Remote Monitoring and Management (RMM) Abuse How threat actors are using artificial intelligence Threat hunting case study: PsExec How ransomware may trend in 2025 What 2025 May Hold for Cybersecurity Bring Your Own Hunts to HUNTER ‘Tis the Season to Be Alert for Cyber Threats: 5 Unjoyful Holiday Tactics Collecting Useful CTI from Underground Markets Expanding source coverage: adding Signal chats to threat intelligence
The Trouble with Attribution in Cyber Threat Intelligence (Part 1)
Intel 471 · 2020-09-19 · via Intel 471 Blog

Within the field of cyber threat intelligence (CTI), there are few more contentious topics than that of attribution. Just the word evokes such a wide range of emotions from individuals in cyber security: from fascination, to mystery, to rolling of eyes, frustration, anger, right through to a physical twitch. Such a diverse number of responses would indicate that the concept of attribution doesn’t mean the same thing to all people and that the industry, as a whole, struggles with how attribution fits into the overall security cycle.

The first reaction from many, on learning of a breach or attack, is to ask, “who did it?” This reaction is not without merit, as knowing the who begins to fill in the conceptual gaps around the event. What is curious, however, is that often, the questions stop, instead of start, there. The other questions about what, when, where, why, and how often seem to fall by the wayside because the who has been answered. As such, many have taken to associating attribution in threat intelligence with simply attaching a name — which is often designed more for marketing purposes than for intelligence analysis — to a set of activities, an attack, or a breach. It is important to state from the outset that, while such activities are a part of attribution, it is not the totality of attribution.

Attribution is a component of cyber threat analysis which seeks to answer the question of who, using specific elements of observed activity, including:

  • Employed tradecraft (the how)
  • Infrastructure & Tools and Malware (The where, how and what)
  • Intent, (the why)
  • Targeting, and (the where, when and why)
  • Indications and Warnings (I&W) (Additional supported reporting)

[Image: Image for post]

Upon completion of this collection, what follows is an incredibly manual process of reviewing and analyzing that data to collate and correlate connections, overlaps, and observed behaviors to existing datasets in order to attribute the activity to a particular country, entity, or persona.

Attribution, however, is not simply a minimal and definitive statement of fact (e.g. “This activity was carried out by Actor X”), and any report which presents it in this manner should be looked at with extreme scrutiny. Instead, attribution should be presented in terms of a balance of facts and evidence against opposing evidence, known intelligence gaps, and blind spots. Additionally, that attribution should be presented with a confidence level that conveys clearly to the readers the certainty an organization has, preferably using standardized terms, such as words of estimative probability.

Initial attribution, however, is not where this process stops. Indeed, attribution for the sake of attribution, is a bit of a self-licking lollipop, that is, a rather large waste of time and resources. Instead, that information must then be woven into a broader body of knowledge within an organization, in order for intelligence and security professionals to operationalize that attribution data, a task that is often overlooked in the broader discussion about the usefulness of attribution.

That this is overlooked is also one of, in this author’s opinion, the key elements leading to the derision of attribution amongst security professionals. However, what operationalization of attribution does look like is not standard and will likely depend on the maturity of the organization doing it.

First and foremost, one of the key components of operationalizing attribution data will be at the tactical and operational levels. That is, intelligence professionals, should be preparing assessments regarding who is conducting activity, and whether an organization is at risk of being targeted. Note though that “who” in this case is merely a conceptual placeholder for all of the other data around that actor:

  • Why are they targeting us?
  • What are they after?
  • What tools are they likely to use?
  • Where are they likely to target us?
  • How are they likely to attack us?
  • How can we detect them?

[Image: Image for post]

Attribution data can also be critical during incident response engagements. If suspected attribution can be established during an investigation — even if it is multiple possible actors — it can help drive the incident responders to look for specific artifacts or methodologies that might not have been readily apparent, especially in the early stages, or during the remediation phase. This can be critical, especially when dealing with more advanced adversaries.

Another area where attribution data, especially threat profiles, can be leveraged heavily is in what is commonly referred to a cyber threat emulation (CTE). CTE is often described as a set of highly specific red team engagements that mimic the known TTPs and methodologies of actors known to target an organization or vertical. The objective of these types of engagements is twofold: to ensure that organizations are capable of detecting these types of attacks, and perhaps more critically, that security analysts and existing processes are able to identify, triage, and respond to these types of attacks effectively.

However, that attribution data can certainly be used for strategic business decisions as well, especially when organizations are deciding upon improvements to their existing security posture. For instance:

  • Who are the actors that are most likely to target a given organization or vertical?
  • Do existing security controls allow for those organizations to reliably detect those actors and their specific TTPs?
  • Are there visibility gaps, and could those gaps pose problems for future detection of those actors and their known toolsets or methodologies?
  • Do products, services, and solutions that are currently being evaluated improve these specific gaps?

In that regard, attribution data can not only help inform, it can also help drive evaluation during the purchasing process by enabling decision makers to set up a subset of key criteria for evaluation purposes. These of course are only a sample of possible uses for operationalizing attribution data; however, the key takeaway is that attribution — that is attaching a name to the activity — does not merely end when an organization has answered the who question, rather that is typically where it starts.

The concept of attribution continues to be controversial within the discipline of cyber threat intelligence. As organizations continue to be inundated with reporting, much of which presents attribution as a product- or service-driven marketing element, rather than a well-reasoned and supported intelligence component, attribution continues to be looked at with suspicion or even derision. However, as organizations intelligence capabilities mature, it is vital for their existing intelligence programs to leverage attribution data for what it can provide from a tactical, operational, and strategic perspective, as well as how it can be used for the purposes of training, as well as supporting business-oriented decision makers.