Understanding Attribution

We’ve provided a glossary of definitions and tips for checking your information, but what is cyber attribution, really? How and why is it made? 

Cyber attribution is rooted in a long history. Many cybersecurity scholars date the birth of the field to the “Cuckoo’s Egg,” an incident from the mid-1980s. Clifford Stoll, a scientist at Lawrence Berkeley National Laboratory, traced a discrepancy in the lab’s finances — a total of 75 cents — to hackers handing off files from the Lab’s network to the KGB, and later wrote about his process. Since these early days of cyber attribution, new forms of attacks employed by new actors have opened the door for new methods, models and workflows to uncover their provenance and achieve attribution. At the same time, as Andrew Grotto writes in his recent paper on attribution, though there is overlap between these models, “they also reflect subtle but important biases about the means and ends of attribution as well as different evidentiary standards, target audiences, and models of communication for attribution claims.” 

With this in mind, it is important for journalists to know the differences in how attribution is made, and the motivations and capabilities behind the entities making the judgment, in order to weigh the attribution claims in context. This page provides a brief overview of the different components of attribution: first, the types of operations, such as traditional cyber operations and cyber-enabled influence operations; and second, the frameworks analysts use to make attribution and the different attribution lexicons and models. Finally, it presents three case studies under “Assigning Attributions” that apply the frameworks to different operations. 

Types of Operations

Journalists reporting on attribution will encounter different kinds of operations: cyber operations, influence operations or a combination of both. There is also an important distinction between influence operations and information operations. This page breaks down these concepts …

Threat Monitoring Frameworks

Though journalists might not report directly about how an entity monitors threats, understanding the greater context of how analysts identify and prevent a threat actor from reaching its goal gives journalists a better ability to judge the attribution claims they receive …

Assigning Attributions

How do researchers and analysts sift through the evidence to make an attribution? These examples may help journalists understand how difficult attribution can be and how to weigh the information they’re given — which in some cases may conflict. …