What is Attribution?

Attribution is the process of determining who, what, or where a cyber breach or intrusion originated. It involves linking the attack to a specific actor or group, the tools they used, and the source infrastructure or geography involved. In practice, analysts combine indicators, threat intelligence, observed TTPs (tactics, techniques, and procedures), malware signatures, reclaimed infrastructure, and digital forensics to form a reasoned assessment about the responsible party and the origin of the intrusion. It’s not about prosecuting attackers—that’s a legal process that may follow attribution—nor is it a vulnerability assessment method or a patch deployment technique. Understanding attribution helps security teams contextualize threats and prioritize defenses, but it’s often probabilistic and can be influenced by deception, false flags, or use of compromised intermediaries.