Cybersecurity Firms and Research Organizations Workflow

The capabilities, access to information, motivations, interests and incentives of private-sector cybersecurity firms and research organizations may look different from those of other entities that make attribution judgments. They may:

  • Have business incentives for issuing public attribution judgments, which helps raise their profile in a competitive marketplace.
  • Have greater visibility into computing networks: companies such as FireEye and Dell Secureworks, for example, claim to have sensors installed on thousands of their customers’ networks, enabling them to evaluate IOCs, discover malware and perform other detection activities faster than the U.S. government. (Romanosky and Boudreaux)

How the story begins: A cybersecurity firm, other private company or research organization issues a report on a cyber incident or influence operation that it publicly attributes to a certain actor. 

  1. Research the organization’s credibility. Ask:
    1. Has the organization conducted similar investigations before? What is its expertise?
    2. What is the organization’s track record for accuracy?
    3. What motivations might this organization have for making a public attribution judgment?
      1. Has the organization been transparent about its funding?
      2. Is it affiliated with a government entity or a political party?
  2. Read the report. Look for:
    1. The confidence level behind the attribution judgment.
    2. Whether the data behind the judgment is included in the report, or made publicly available elsewhere.
    3. Whether the attribution methodology is clearly explained in the report and possible to reproduce.
    4. Whether the entity’s attribution judgment is based on data from a government agency, platform, other private-sector firm, or research organization.
      1. If the judgment is based on another party’s data, make a note — you will want to speak with this party about the accuracy of the cybersecurity firm’s attribution judgment before publishing your story.
    5. If the private firm makes an attribution judgment to a state actor, whether the report provides and clearly explains evidence of the state’s direction and control over the influence operation.
    6. Whether the report provides alternative explanations for the evidence.
  3. Contact the organization and ask for any of the above information missing from the report. Also ask whether they had the report reviewed by outside experts before publication.
  4. Contact cybersecurity experts and ask:
    1. Does the organization’s attribution judgment make sense, based on the information that has been made public?
    2. Could there be an alternative explanation, based on data available? If there is a possible alternative explanation, this should go in your story.
  5. If the attribution judgment is missing key evidence, it is OK to pass on the story.
  6. If you decide to write the story, it should be clear about:
    1. The confidence level expressed by the organization.
    2. The organization’s track record with making attribution judgments.
    3. The attribution methodology used.
    4. Whether the data behind the attribution judgment is publicly available.
    5. Whether there are alternative explanations, based on the information available.
  7. Be careful in describing the organization making the attribution. If the organization is political, for example, the story should mention that fact.
  8. Your story should link to the organization’s report, so readers can see the judgment and the supporting evidence provided.
  9. Ask someone in your newsroom, or a cybersecurity expert, to “red team” your story.

For a deeper look into how analysts arrive at attribution judgments, see UNDERSTANDING ATTRIBUTION.