Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
The analysis that links a cyberattack to a specific actor or group using TTPs, malware, infrastructure, and intelligence such as MITRE ATT&CK.
Threat Actor Attribution Definition: The analysis that links a cyberattack to a specific actor or group using TTPs, malware, infrastructure, and intelligence such as MITRE ATT&CK.
Threat actor attribution is the analytical process of identifying who is responsible for a cyberattack, their origin, motive, and characteristics, by correlating technical and contextual evidence. It links an incident to a known individual, criminal group, or nation-state cluster, helping defenders anticipate behavior and respond proportionately.
Attribution synthesizes multiple evidence layers: malware code and reuse, command-and-control infrastructure, network indicators, timestamps and language artifacts, and especially the tactics, techniques, and procedures (TTPs) mapped against frameworks like MITRE ATT&CK. Analysts apply structured tradecraft, including the Diamond Model of Intrusion Analysis and Analysis of Competing Hypotheses, to weigh alternatives and confidence. Because skilled adversaries use false flags, shared tooling, and rented infrastructure, attribution is expressed in confidence levels rather than certainty and often groups activity into named clusters (for example APT or threat-group designations) before naming a sponsor.
This matters because knowing the adversary shapes the defense. A financially motivated ransomware crew, a hacktivist, and a state-sponsored espionage group warrant different containment, hunting, and disclosure decisions. Attribution drives threat intelligence, lets teams prioritize controls against an actor's known TTPs, informs law-enforcement and diplomatic or sanctions responses, and helps predict likely next targets. Poor attribution, by contrast, can misdirect resources or trigger inappropriate escalation.
For example, after detecting data exfiltration, an incident response team finds spearphishing lures in a specific dialect, a custom backdoor previously documented against firms in the same sector, and reused TLS certificates on the C2 servers. Mapping the intrusion to ATT&CK techniques matching a tracked espionage cluster, they assess with moderate confidence that a known state-aligned group is responsible, then prioritize hunting for that group's other signature techniques across the environment.
Turn knowledge into credentials with our instructor-led cybersecurity boot camps.
View All Courses →