Chase Li, Co-founder, MD of International Business, ThreatBook
To protect ourselves adequately from today's myriad cyberattacks, we must know the identity of our adversaries, understand their motivations, and recognise their tactics, techniques and procedures and their indicators of compromise. Full threat attribution therefore lets us prevent attacks rather than merely react to them.
William Blackstone, the 18th-century English jurist acclaimed for his commentary on and interpretation of English law, famously asserted that there can be no crime without human intent. Blackstone's position would become a fundamental principle of criminal law globally. It also shaped the drafting of the US Constitution and the American legal system.
By extension, Blackstone's reasoning suggests that without knowing what crime was committed, who executed it, and where, when, why and how it happened, we cannot fully understand or judge any offence, nor, crucially, prevent it from recurring.
The same can be said of cyber-attacks. Without ascertaining the full details of each threat, we leave our organisations vulnerable to the same types of attack over and over again. Such details typically include the identity of our adversaries and their motivations. They also include the adversaries' tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) such as suspicious IP addresses, file hashes and unusual network traffic.
What does full attribution involve; how does it benefit us; and what are the key tools that power it?
Assembling the evidence, preventing future attacks
Like any crime, cyber-threat attribution relies on assembling various pieces of evidence. There is typically no fixed order in which this evidence is gathered, but a good place to start is why a group is targeting the organisation. When ransomware infiltrates a company, for example, the purpose of the attack is to extort money in return for the victim regaining control of its network. The perpetrators therefore typically disclose their identity (or at least their brand) and their demands, and victims can learn from each attack. Interestingly, Singapore ranks number one in terms of ransomware risk globally, while 43% of Hong Kong victims have paid a ransom, according to research by ThreatBook.
The majority of threats, however, are motivated by other causes: only 28% of malware attacks across Asia in 2024 involved ransomware. Hackers may intend to steal intellectual property such as a new piece of technology, or they may seek to expose an organisation for an activity or stance that the general public will deem unethical, causing reputational and ultimately financial damage. In both cases the attackers' identities tend to remain secret, while the attack is designed to cause maximum harm.
Even when the identity behind such attacks cannot be unearthed, there are other ways to attribute them. Threat actors overwhelmingly exhibit the same behavioural traits in each strike; in my experience they consistently use the same or highly similar TTPs and IOCs. Over time, these usually point to a specific criminal gang or state-sponsored group.
Knowing who targets organisations, why and how brings multiple benefits. Firstly, it enables organisations to enhance their cyber defences by pre-empting specific types of attack. Well-informed security teams in financial services, for example, will know they are susceptible to the Lazarus Group, state-sponsored hackers that target the industry, and will have taken the necessary measures to bolster their defences against this specific threat. Such knowledge therefore lets those organisations implement stronger security strategies, shifting from reactive to proactive by predicting future moves, deterring known actors and informing security executives of emerging trends.
In-depth information on each attack also contributes to a more robust security community, by helping organisations across different geographies and industries prepare for a wide range of attacks rather than focusing only on the ones they know or have experienced. Lastly, publicly attributing attacks to nation-states or criminal groups holds them accountable and sometimes reduces adversary activity. It may also prompt legal and diplomatic action: governments can issue sanctions against perpetrators, while law enforcement can prosecute and dismantle specific groups. Attribution also supports vendors tasked with eliminating cybercriminals.
Noteworthy technologies and tools
Increasingly, attribution is powered by a number of novel technologies and tools. Many overlap one another, and there is no definitive list. There are, however, a few noteworthy candidates.
To meet the complexity and scale of attribution, security operations can leverage artificial intelligence (AI) and machine learning (ML) to process very large volumes of data and identify patterns that are invisible to human analysts. ML models can cluster and classify activity by TTPs, which are costly for an adversary to change, rather than by static indicators such as IP addresses, which change frequently and are cheap to replace.
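The following added example (not ThreatBook's code, nor part of the original article) shows the difference in practice. It scores a new incident against three constructed actor profiles expressed as MITRE ATT&CK technique IDs, using Jaccard set overlap as a stand-in for a trained classifier, and compares that with a lookup of the incident's IP addresses against the actors' last-known infrastructure. The actor names, technique sets and addresses are invented for illustration; the thresholds `min_score` and `min_margin` are assumptions that a real team would calibrate.

```python
"""TTP-based versus IOC-based attribution of a single incident.

Added example, not ThreatBook's code. All actor profiles, technique IDs and
addresses below are constructed sample data, not real intelligence.
"""
from typing import Dict, List, Set, Tuple

# Constructed actor profiles: ATT&CK technique IDs seen in past intrusions (assumed).
ACTOR_TTPS: Dict[str, Set[str]] = {
    "actor-A": {"T1566.001", "T1204.002", "T1059.001", "T1055", "T1071.001", "T1486"},
    "actor-B": {"T1190", "T1505.003", "T1003.001", "T1021.002", "T1041"},
    "actor-C": {"T1566.002", "T1204.001", "T1059.005", "T1547.001", "T1071.001"},
}

# Constructed infrastructure (RFC 5737 documentation ranges) each actor used last time.
ACTOR_IOCS: Dict[str, Set[str]] = {
    "actor-A": {"198.51.100.7", "203.0.113.9"},
    "actor-B": {"192.0.2.44"},
    "actor-C": {"198.51.100.88"},
}

# Constructed new incident: same playbook as actor-A, minus T1055, plus T1027
# (obfuscation), delivered from an IP address never seen before.
INCIDENT_TTPS: Set[str] = {"T1566.001", "T1204.002", "T1059.001", "T1071.001", "T1486", "T1027"}
INCIDENT_IOCS: Set[str] = {"192.0.2.201"}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Set similarity in [0, 1]; 1.0 means identical technique sets."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def rank_by_ttps(observed: Set[str], profiles: Dict[str, Set[str]] = ACTOR_TTPS) -> List[Tuple[str, float]]:
    """Score every known actor by TTP overlap, best match first."""
    scores = [(name, jaccard(observed, ttps)) for name, ttps in profiles.items()]
    return sorted(scores, key=lambda s: s[1], reverse=True)


def ioc_matches(observed: Set[str], iocs: Dict[str, Set[str]] = ACTOR_IOCS) -> Set[str]:
    """Actors whose last-known infrastructure overlaps the observed indicators."""
    return {name for name, known in iocs.items() if known & observed}


def attribute(observed_ttps: Set[str], observed_iocs: Set[str],
              min_score: float = 0.5, min_margin: float = 0.2) -> Tuple[str, float, Set[str]]:
    """Return (actor or 'unattributed', top TTP score, actors matched by IOC).

    The verdict requires both an absolute score and a clear margin over the
    runner-up, so a single shared technique never produces a confident call.
    """
    ranked = rank_by_ttps(observed_ttps)
    top_name, top_score = ranked[0]
    second_score = ranked[1][1] if len(ranked) > 1 else 0.0
    hits = ioc_matches(observed_iocs)
    if top_score < min_score or (top_score - second_score) < min_margin:
        return ("unattributed", top_score, hits)
    return (top_name, top_score, hits)


if __name__ == "__main__":
    print("IOC matches:", ioc_matches(INCIDENT_IOCS) or "none (fresh infrastructure)")
    print("TTP ranking:", rank_by_ttps(INCIDENT_TTPS))
    print("Verdict:", attribute(INCIDENT_TTPS, INCIDENT_IOCS))
```

Run as a script, the IOC lookup finds nothing because the actor rotated its address, while the TTP ranking still places actor-A far ahead of the rest. Feeding in a single widely used technique such as T1071.001 returns "unattributed", which is the behaviour you want: overlap on one commodity technique is not evidence.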
AI and ML power many of today’s threat intelligence platforms (TIPs). These aggregate data from millions of sources, providing context on already known threat actors, their infrastructure, and their motivations. Many TIPs feature threat intelligence portals, which allow analysts to cross-reference malware with databases of known hacking groups. Some hold repositories of IOCs.
A number of forensic analysis techniques also contribute to the attribution process. Malware analysis that dissects code can link unique characteristics, signatures and behavioural patterns to specific attackers; network forensics and traffic analysis examine network logs and packet captures at scale to trace attacks to their origin; and graph-based analysis tools visualise the relationships between disparate data points, such as malware signatures, IP addresses and victim organisations, to map out the threat actor's infrastructure.
Threat intelligence also relies on newer sources of information. One such source is open source intelligence (OSINT), where analysts use publicly available information from forum posts, social media and academic papers to identify actors. Another is dark web monitoring, which accesses hidden online forums for discussions of new exploits, malware-as-a-service, or adversaries discussing their hacks, which in turn provides clues to their identities.
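The graph-based pivoting described above, as an added example that is not part of the original article or ThreatBook's tooling: a new sample is linked to a known actor by walking shared infrastructure (sample, domain, IP and actor nodes). The relationship edges, hashes, domains and addresses are constructed placeholders. The example also handles the classic failure mode of this technique, a high-degree node such as a shared hosting IP that would otherwise connect everything to everything; the `max_degree` cut-off is an assumption to be tuned per dataset.

```python
"""Pivot through an indicator graph from a new sample to known actors.

Added example, not ThreatBook's code. Entities are 'type:value' strings;
every hash, domain and address below is a constructed placeholder.
"""
from collections import defaultdict, deque
from typing import Dict, List, Optional, Set, Tuple

# Constructed relationship edges, e.g. from sandbox runs and passive DNS (assumed).
EDGES: List[Tuple[str, str]] = [
    ("sha256:new-sample", "domain:update-check.example"),
    ("domain:update-check.example", "ip:203.0.113.9"),
    ("ip:203.0.113.9", "domain:cdn-login.example"),
    ("domain:cdn-login.example", "sha256:old-sample-1"),
    ("sha256:old-sample-1", "actor:actor-A"),
    ("ip:203.0.113.9", "sha256:old-sample-2"),
    ("sha256:old-sample-2", "actor:actor-A"),
    # Pivot trap: a shared hosting IP that many unrelated samples also touch.
    ("sha256:new-sample", "ip:198.51.100.1"),
    ("ip:198.51.100.1", "sha256:unrelated-1"),
    ("ip:198.51.100.1", "sha256:unrelated-2"),
    ("ip:198.51.100.1", "sha256:unrelated-3"),
    ("ip:198.51.100.1", "sha256:unrelated-4"),
    ("sha256:unrelated-4", "actor:actor-B"),
]


def build_graph(edges: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Undirected adjacency sets keyed by entity."""
    graph: Dict[str, Set[str]] = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def _path(parents: Dict[str, Optional[str]], node: str) -> List[str]:
    """Rebuild the pivot chain from the BFS parent map."""
    chain: List[str] = []
    cur: Optional[str] = node
    while cur is not None:
        chain.append(cur)
        cur = parents[cur]
    return list(reversed(chain))


def find_actors(graph: Dict[str, Set[str]], start: str,
                max_depth: int = 5, max_degree: Optional[int] = None) -> Dict[str, List[str]]:
    """Breadth-first pivot from `start`; returns {actor: shortest pivot chain}.

    Nodes with more than `max_degree` neighbours are reached but never expanded,
    so a shared hosting IP or CDN edge cannot act as a bridge to unrelated actors.
    """
    parents: Dict[str, Optional[str]] = {start: None}
    queue = deque([(start, 0)])
    found: Dict[str, List[str]] = {}
    while queue:
        node, depth = queue.popleft()
        if node.startswith("actor:"):
            found[node] = _path(parents, node)
            continue
        if depth >= max_depth:
            continue
        if max_degree is not None and node != start and len(graph[node]) > max_degree:
            continue  # hub node: do not pivot through it
        for nxt in sorted(graph[node]):
            if nxt not in parents:
                parents[nxt] = node
                queue.append((nxt, depth + 1))
    return found


if __name__ == "__main__":
    g = build_graph(EDGES)
    print("naive pivot:", find_actors(g, "sha256:new-sample"))
    print("hub-aware pivot:", find_actors(g, "sha256:new-sample", max_degree=4))
```

Without the degree limit the naive walk reaches both actor-A and actor-B, the latter only through the hosting IP that five unrelated samples share. With `max_degree=4` the hub is not expanded and only actor-A remains, reached via the sample's own C2 domain and the IP it resolves to; the returned chain is the evidence trail an analyst would document.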
Technology and human judgement: a necessary combination
The above technologies and tools are making attribution easier, faster and more accurate. Yet the task is not without challenges.
False flag attacks, which deceive victims and vendors about the true identity of the perpetrators, are becoming increasingly sophisticated and make hacks more difficult to attribute. Perpetrators are also increasingly leveraging AI and ML to create new obfuscation vectors: AI-powered malware can mutate, changing its code to bypass signature-based detection and forensic analysis, while large language models (LLMs) are used to generate plausible but misleading code and artefacts that can lead attribution analysis astray.
There are also tools that blur the lines between different actors. Ransomware-as-a-Service (RaaS) providers allow unskilled actors to deploy sophisticated tooling, making it harder to ascertain whether an attack is purely financially motivated or a state-sponsored operation using criminal tooling as cover.
Fortunately, there are many skilled security professionals taking the fight to the enemy. As attacks become more sophisticated, so too do security teams. While attribution relies heavily on technology, it also depends on humans, because at times attribution is as much an art as a science. Occasionally we cannot ascertain the identity of an adversary with certainty through technology alone. In such instances, human analysis and seasoned intuition put the final pieces of the puzzle together, by analysing patterns and assembling a trail of digital clues from transaction information, metadata, operational mistakes and the behavioural patterns found in TTPs and IOCs, among other sources.
All of the above confirms that attribution, and the many technologies, tools and people it involves, is critical to shielding organisations from today's and tomorrow's myriad cyberattacks. With the number of hacks rising rapidly year on year, threat attribution matters more now than ever before. William Blackstone would surely agree!