TLP:AMBER This post is part of the CTI Methodology series.
Attribution is one of the most misunderstood concepts in cyber threat intelligence. Every breach triggers the same question: who did this? And yet, jumping to attribution without rigorous methodology is how analysts get burned — and how organizations make bad strategic decisions.
This post walks through the framework I use to build confident, defensible attribution assessments.
Why Attribution Is Hard
The fundamental problem is asymmetry. Defenders need to be right. Attackers only need to be plausible. A sophisticated actor can:
- Reuse leaked or stolen tooling from other groups
- Plant false flags in malware metadata
- Route operations through infrastructure in third-party countries
- Mimic the TTPs of known groups
This means technical indicators alone are almost never sufficient for high-confidence attribution.
The Diamond Model as a Starting Point
I use the Diamond Model of Intrusion Analysis as my structural foundation. It forces you to think across four axes simultaneously:
| Axis | Question |
|---|---|
| Adversary | Who is conducting the operation? |
| Capability | What tools and techniques are used? |
| Infrastructure | What systems are being leveraged? |
| Victim | Who is being targeted and why? |
The relationships between these axes are often more revealing than any single data point.
Building the Assessment
Step 1: Cluster, Don’t Label
Before assigning a name, cluster activity by shared technical characteristics:
- Overlapping C2 infrastructure (same ASNs, hosting providers, certificate patterns)
- Shared code (same compiler artifacts, unique strings, custom packers)
- Operational timing (working hours relative to timezone)
- Victimology patterns
A cluster is not an actor. It’s a hypothesis.
Step 2: Apply the Confidence Ladder
I use a structured confidence scale before reaching any conclusion:
LOW — Shared TTPs only (easily copied)
MEDIUM — Shared infrastructure + code overlap
HIGH — All of the above + unique operational signatures
Most public attribution claims sit at LOW confidence dressed up as HIGH.
Step 3: Triangulate with Strategic Context
Technical analysis can tell you how. Context tells you why and who benefits.
- Does the victimology align with known geopolitical interests?
- Is the timing correlated with real-world events?
- Does the capability level match known state or criminal resources?
Never let strategic context override technical evidence. Let it inform your hypothesis, not confirm your bias.
Relevant ATT&CK Techniques
Techniques commonly abused to plant false flags:
T1036·Masquerading T1027·Obfuscated Files or Information T1588.002·Tool: Malware
Sample IOCs (Defanged)
| Type | Indicator | Confidence | Note |
|---|---|---|---|
| IPv4 | 185.220.101[.]47 | High | C2 Server |
| Domain | update-service[.]net | Medium | Dropper staging |
| SHA256 | a3f1c2d4e5b6… | ||
| High | Loader sample | ||
| URL | hxxps://cdn-delivery[.]org/payload | Low | Unconfirmed |
Common Attribution Failures
False flag acceptance — Taking metadata at face value. The Lazarus Group has been known to plant artifacts pointing to other actors.
Overfitting to known groups — If your tooling overlaps with APT29, that doesn’t mean it is APT29. Shared tools are common in criminal and state ecosystems.
Premature public disclosure — Naming an actor before you have high confidence contaminates the intelligence ecosystem and can compromise ongoing investigations.
Final Thoughts
Attribution done well is a rigorous, multi-source analytical process — not pattern matching. The goal is to produce an assessment that is defensible, caveated, and actionable, not one that is merely dramatic.
When in doubt: cluster more, name less.