Today I reiterated the consideration of granularity and confidence in attribution. There’s a segment of the industry that believes in the theory of “true attribution,” but I believe that theory is nonsense. Also today, USG attributed activity to Iran (granularity). Not a person.
I highlight that because sometimes attribution to the precise person at the keyboard at that moment isn’t useful even for a state. Does that make attribution not “true attribution”? Of course not. If you want to put someone in cuffs, your granularity and confidence will change.
In fact your confidence can shift with granularity in either direction. You could have high confidence an operation was conducted by a military intelligence service, medium confidence by a specific unit, and low confidence by Lt Schmuckatelli. This can work in reverse too.
You could have high confidence that Lt Schmuckatelli was in fact the nerd doing the deed, but what’s more important to you is whether or not his employer sanctioned/ordered the intrusion. Maybe he was stealing for personal enrichment, or maybe it was a state-run operation.
You can have high confidence that this intrusion is being conducted by UNC757, high confidence UNC757 is operating from Iran. Medium confidence UNC757 is working for the Iranian government, and low confidence UNC757 is named person foo. The defender may only care about the UNC.
All of this is attribution with different levels of granularity and confidence. If you don’t think attribution matters, I bet you were fed a myth about “true attribution.” That concept is actually taught, and I am sorry for the damage that has done to wide swaths of people.
Attribution matters.
@threadreaderapp unroll this, and pin it to the souls of these security and threat intelligence professionals out here saying attribution doesn’t matter. Thanks.