
Cyber-security has always had a touch of mystery. When an attack hits, it’s instinctive to ask who was behind it - a criminal gang, a nation-state, or a rogue insider. That question makes for a compelling headline and assigns someone to blame, but the reality is rarely that simple.
In the aftermath of an incident, investigators chase breadcrumbs across web logs, server logs and forensic artefacts, searching for operational flaws that expose how attackers operate. But those trails rarely end in certainty. Attribution now sits in a grey area - essential to an intelligence operation, but increasingly uncertain in the real value it delivers to an organisation.
The labels we assign to groups or attackers have become both more complicated and, at times, more misleading. False flags, shared tools and AI-assisted deception blur the lines between groups further, while the same actors move fluidly across sectors. The result is a picture that can look complete, yet misses what really connects the dots.
For defenders, extracting TTPs from threat reports is essential — but building defences around an APT name instead of the underlying behaviours creates unnecessary risk. APT labels are inconsistent, vendor-specific, and often misleading. What truly matters are the tactics, techniques, and procedures that reveal how an adversary operates. Relying on the branding of the latest APT report leads to blind spots; relying on the observable TTPs leads to resilient, repeatable defences.
The allure of attribution is easy to understand. When a breach occurs, the instinct is to identify who was responsible — a nation-state, a criminal syndicate, or an insider threat. That instinct satisfies the need for closure and creates a clean narrative for headlines, but the operational reality is rarely that straightforward. In the AI era, attackers have more tools than ever to obscure their fingerprints, and defenders can no longer rely on traditional attribution models to guide security strategy.
AI has amplified the problem. Adversaries can now generate false indicators at scale, mimicking coding styles, language markers, malware families, or infrastructure commonly associated with other threat groups. False flags are not new; what has changed is the speed, automation and volume of deception. With AI, an attacker can repackage an exploit, rotate infrastructure, or recycle tooling in seconds, enabling the same operator to hit a hospital on Monday and a manufacturing plant on Tuesday using nearly identical techniques wrapped in different signatures.
Yet most organisations never see these overlaps because attribution, as practised today, is fragmented. Each vendor assigns labels—APT-X, APT-Y, UNC-Z—based solely on its own telemetry. One report might claim a group targets universities; another may describe the same operator attacking industrial networks. Both can be correct and still be incomplete. The industry often mistakes the visible slice of data for the full picture.
For defenders, that fragmentation creates false assurance. When vendors claim a campaign is “sector-specific,” organisations outside that sector may assume they are not at risk—even when they depend on the same software libraries, VPN appliances, IoT devices, or medical equipment already being exploited elsewhere.
The problem is not attribution itself; it is partial attribution. By focusing on group names, sector labels, or vendor-specific identifiers, the industry ends up anchoring defenders on the least reliable component of the intelligence picture. What matters most are the attacker behaviours that persist across campaigns: the tools they rely on, the vulnerabilities they prefer, the sequencing of their actions, and the operational shortcuts they repeat.
Until attribution connects these behavioural threads across vendors, industries, and data sources, it will continue to obscure the patterns that matter most — and create dangerous blind spots for defenders.
Attribution will likely always remain murky in the cyber-security domain and that’s acceptable. Perfect certainty about “who” is attacking is rarely necessary for strong defence. Whether the actor is a nation-state, a cyber-criminal crew, or a proxy group, the impact on the business is the same. The challenge is not to name every adversary; the challenge is to understand how they operate.
This is where attribution delivers real value: not as a label, but as a behavioural map.
By shifting the focus to human-defined patterns, preferred tooling, malware reuse, exploit chains, pivot strategies, targeting logic, timing patterns, and mistakes that operators consistently repeat, intelligence teams can build a far more accurate picture of emerging threats. These behavioural profiles transcend vendor labels and sector boundaries, allowing defenders to anticipate how campaigns will evolve rather than simply react to where they have struck.
When attribution becomes behaviour-centric rather than name-centric, it forms the foundation for true early warning. It turns disparate observations into a coherent picture of attacker tradecraft, connecting incidents across industries that would otherwise appear unrelated.
To make this intelligence actionable, organisations need complete visibility into their digital estate: every device, application, and communication path across IT, OT, IoT, and unmanaged assets. In an era where adversaries weaponise AI to automate reconnaissance and exploit development, defenders must see every potential entry point and understand the context of each asset: what it does, how critical it is, how it behaves under normal conditions, and what it connects to.
With this context, defenders can link internal anomalies to external threat patterns, spotting when a familiar TTP resurfaces in their own environment. AI and machine learning amplify this capability, correlating billions of data points, detecting subtle precursors to attacks, and surfacing deviations long before they manifest as incidents.
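The argument above (vendor labels fragment the picture, while shared TTPs connect reports across sectors and can then be matched against internal telemetry) can be shown concretely. The following is an added example, not code from the article or from Armis: three constructed vendor reports, each carrying its own group name, a sector tag and a set of MITRE ATT&CK technique IDs, are clustered by technique overlap (Jaccard similarity, threshold assumed at 0.6) rather than by name, merged into one behaviour profile, and that profile is compared with a constructed set of techniques seen in the defender's own environment. The report contents, thresholds and internal detections are all hypothetical sample data.

```python
"""Behaviour-centric correlation of threat reports (added example, constructed data)."""
from itertools import combinations

# Constructed sample reports. The technique IDs are real ATT&CK identifiers, but the
# vendor names, group labels, sectors and their pairing are invented for illustration.
REPORTS = [
    {"vendor": "VendorA", "label": "APT-X", "sector": "education",
     "ttps": {"T1566.001", "T1059.001", "T1003.001", "T1021.001", "T1486"}},
    {"vendor": "VendorB", "label": "UNC-Z", "sector": "manufacturing",
     "ttps": {"T1566.001", "T1059.001", "T1003.001", "T1021.001", "T1071.001"}},
    {"vendor": "VendorC", "label": "APT-Y", "sector": "healthcare",
     "ttps": {"T1190", "T1078", "T1105", "T1071.001"}},
]


def jaccard(a: set, b: set) -> float:
    """Overlap of two technique sets: 1.0 means identical, 0.0 means disjoint."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def cluster_reports(reports, threshold: float = 0.6):
    """Group reports whose TTP sets overlap by at least `threshold`, ignoring the
    vendor-assigned names entirely. Union-find over report indices, so links are
    transitive: if A overlaps B and B overlaps C, all three land in one cluster."""
    parent = list(range(len(reports)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path compression
            i = parent[i]
        return i

    for i, j in combinations(range(len(reports)), 2):
        if jaccard(reports[i]["ttps"], reports[j]["ttps"]) >= threshold:
            parent[find(i)] = find(j)

    groups = {}
    for i, report in enumerate(reports):
        groups.setdefault(find(i), []).append(report)
    return list(groups.values())


def behaviour_profile(cluster):
    """Merge one cluster into a behaviour-centric profile: every label the vendors
    used, every sector they saw, and the union of observed techniques."""
    profile = {"labels": set(), "sectors": set(), "ttps": set()}
    for report in cluster:
        profile["labels"].add(report["label"])
        profile["sectors"].add(report["sector"])
        profile["ttps"] |= report["ttps"]
    return profile


def match_internal(profile, observed_ttps):
    """Compare techniques detected in the defender's own telemetry with a profile.
    `coverage` is the share of the profile's techniques already seen internally."""
    matched = profile["ttps"] & set(observed_ttps)
    coverage = len(matched) / len(profile["ttps"]) if profile["ttps"] else 0.0
    return {"matched": matched, "coverage": coverage}


if __name__ == "__main__":
    clusters = cluster_reports(REPORTS)
    # Constructed internal detections: techniques an EDR/NDR stack flagged this week.
    internal = {"T1059.001", "T1003.001", "T1021.001"}
    for cluster in clusters:
        profile = behaviour_profile(cluster)
        result = match_internal(profile, internal)
        print(f"labels={sorted(profile['labels'])} sectors={sorted(profile['sectors'])}")
        print(f"  shared techniques: {sorted(profile['ttps'])}")
        print(f"  seen internally: {sorted(result['matched'])} "
              f"({result['coverage']:.0%} of profile)")
```

With this data, VendorA's "APT-X" (education) and VendorB's "UNC-Z" (manufacturing) differ by one technique each and collapse into a single profile, which is the cross-sector overlap the article says label-based reporting hides; VendorC's report stays separate because it shares only one technique. A defender who sees three of that merged profile's six techniques internally has a reason to treat the remaining three as what to hunt for next, regardless of which sector the original reports named.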
The result is an anticipatory defence model, one that learns from attacker behaviour and acts before adversaries gain momentum.
This approach aligns with modern cyber-exposure management. Continuous monitoring, contextual visibility, and sensor-level intelligence transform security from incident response into proactive resilience. For business leaders, the value is clear: faster detection, reduced downtime, minimised operational disruption, and protection of customer trust.
The industry’s fixation on “who did it” will always have relevance for intelligence and law enforcement. But for defenders, the true priority is operational resilience.
Attribution still matters, but only when it drives understanding. And understanding only matters when it drives action.
The goal is not to chase culprits; it is to anticipate behaviour. Early warning systems and continuous visibility, powered by AI, provide defenders with the time and clarity needed to act before attacks materialise.
When attribution is rooted in behavioural insight rather than vendor-defined APT names, it strengthens defensive posture by revealing how adversaries adapt, pivot and reappear across sectors. It reduces blind spots. It clarifies risk.
In the end, the value of attribution is not in naming the adversary; it’s in understanding them well enough to stop what comes next.
Michael Freeman is the Head of Threat Intelligence at Armis
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543