Just a reminder that if you don’t have intel requirements for true attribution (e.g. state/agency/people’s names) that’s totally fine. For some orgs they make sense; for many they don’t. Set your intel requirements off of your and your consumers’ needs, not expert commentary. #CTI
What many orgs want out of attribution is clustering of intrusions to identify past and future activity, assessments of motivation, identification of TTPs, key indicators, etc. That’s a great type of attribution that doesn’t require the resources of true attribution (e.g. Russia).
If your intel requirements lead you to true attribution that’s ok too. As an intel analyst it’s up to you to work with your consumers and know their needs. Just make sure everyone understands the value and cost associated with those requirements as well as the risks.
Attribution can make a lot of sense especially for political and law enforcement needs. It can be used strategically as well by others. In my experience though it’s often used as a crutch and can lead to bad analysis when used to shortcut other requirements.
E.g. “It’s Russia, therefore they’re going to target Ukrainian infrastructure.” There are other actors interested in targeting Ukrainian infrastructure, and plenty of Russian groups that aren’t. This can also lead to cognitive biases and reinforce bad analysis.
True attribution can be done well. It can satisfy valid intel requirements. It’s just not required nearly as often as I see it touted and I am concerned that most of these assessments never get confirmed or countered and so useful analytical feedback is missing for many.
Also, this has nothing to do with the Iranian Proud Boys stuff. Just musing on the topic of attribution as it relates to cyber threat intel. I am a fan of states such as the US doing attribution publicly, especially when it’s focused on the states and not individuals.
Concluding thought, one I share with @cnoanalysis in casual late night convo: I think there’s a compelling argument to be made that true attribution through intrusion data is getting harder, not easier. Disinformation, false flags, adaptive adversaries, dwindling open data, etc.
And the risk of getting that attribution wrong is becoming higher stakes than ever as political leaders and executives listen more and more to their cybersecurity SMEs. I think folks always misestimate their ability to get played by professional intel agents.
I mean the wonderful @SachaBaronCohen is well known and puts on ridiculous outfits and fools high level political leaders, yet many feel they could easily go toe to toe with professional spies and not get rolled. Quite a bit of hubris in that.
You can follow @RobertMLee.