Cyber Attribution

A virtual world or widespread interconnected digital technology, commonly referred to as cyberspace, has emerged as a strategic source of power that provides moral or physical strength, freedom of action, and will to act. This has created a great power struggle, prompting adversaries to conduct malicious cyber activities to achieve competitive advantages, influence, and harm to Canadian interests. They can do so under the protection of anonymity.

The technologies that aggregate to form the Cyber Domain provide Cyber actors with easy anonymity, and thus provide deniability; that makes attribution of responsibility almost impossible. When deterrence fails, it is difficult to prove and act against Perpetrators.” - Maj Alfred Lai


Attribution will likely remain a difficult problem with cyber defence. However, it is also crucial for effective deterrence, active cyber defence, and as a legal imperative for an effective countermeasure. For example, Persistent Engagement is a strategic approach to cyberspace intended to counter and contest adversary gains. This strategy requires attribution at its core.

There are two sides to the attribution argument.

  • Some would contend that attribution requires highly-sophisticated capabilities beyond the means of most organizations. It is too expensive upfront and has a low likelihood of prosecution. Therefore, it is more expedient to block, repair the damage, move on, and hope for the best going forward.
  • Others agree that failing to attribute, deter, and counter the threat will result in significant expenses for the organization. It will also result in persistent attacks. Currently, Canada is at risk of becoming a permissive victim.

Attribution Definitions

Cyber Attribution is when the perpetrator of a cyberattack is tracked, identified, and held responsible.

Technical Attribution pertains to resolving the network activity to a threat actor by identifying black-listed Internet Protocol (IP) addresses or domains, malware signatures, or recognizing known Tactics, Techniques, and Procedures (TTPs) of an adversary. This level of attribution is often adequate to block risky communications, manage vulnerabilities, or launch incident responses. However, it does not affect the threat actor’s ability to pursue another line of attack. It is insufficient for effective cyber defence or threat reduction.

End Attribution identifies the real entity, whether it is an individual or organization, and the motive behind the attack. This requires active threat hunting and pursuing the adversary through deep investigation across multiple domains (physical, cyber, cognitive) using deep cover.


It is difficult to connect the attribution dots when the dots are extra-jurisdictional and scattered across many domains. The agility, obfuscation, and misdirection of threat actors pose several challenges to attribution:

  • fast fluxing (ephemeral) network connections across cyberspace (computers, networks, social platforms, botnets, mobile devices, and machines or devices)
  • encrypted 6th generation malware, processes, command and control channels;
  • hiding in memory or living off the land (commandeering legitimate programs or apps);
  • using intelligent agents, proxies, avatars, cutouts or victim machines; and
  • operating from safe havens overseas.

Furthermore, tactics like cognitive warfare leave traces of toxic narratives which can be laundered through organic online followings, thus allowing the originator to withdraw into the shadows without a trace.

Closing the Attribution Chain

To conclude the attribution chain, the adversary needs to be hunted through cyberspace and cognitive domains out into the real world. Adversaries always leave digital exhaust and physical footprints behind. These include reusing infrastructure, code, or a predictable modus operandi, cross-contaminating network operations, creating a social media presence, and real-life identities. The detection and attribution of advanced persistent threats (APT) with enhanced precision, speed, and fidelity require advanced technology, talent and tradecraft.


Cyber attribution is necessary for active cyber defence, deterrence, and prosecution, but foreign intelligence (FI) operations are required for End Attribution and targeting.

Cyber threat intelligence (CTI) can provide Technical Attribution; however, it is only good enough for a limited cyber response. All-source intelligence sources and methods, including FI, are essential for the attribution and targeting of APTs. End Attribution also requires highly-specialized products and services such as containerized investigative platforms, managed non-attribution systems, deception networks, and a willingness to forward deployed intelligence operations into contested space and in the adversaries' territory.

Taking Action

Knowing your enemy is a crucial tenet of warfare. Therefore, attribution is enormously helpful. There are some pragmatic approaches one can take from attribution:

  • name and shame the perpetrator, drawing them into the light;
  • share the intelligence and contribute to global blacklists;
  • prosecute the actors in civil court;
  • seek a criminal inditement of individuals;
  • administrative action unilaterally or with partners to seize domains;
  • execution of warrants to dismantle infrastructure;
  • strike-back using active cyber;
  • persistent engagement; or
  • launch preemptive proactive operations.

Cyber threat reduction does not limit options to the cyber domain. Legal action, diplomatic measures, financial sanctions, further intelligence collection, and military targeting are valid choices.


So who has the accountability, responsibility, means, and authority for attribution and subsequent actions, effects, and fires?

The Government is the national guarantor of peace, order, and good government (POGG), and has a mandate to address threats to national security and prosperity. Additionally, in protecting citizens by identifying and prosecuting actors through law enforcement, active cyber defence, or conducting military-style persistent engagement.

Notwithstanding, the intelligence and security industry, service providers, and platform owner-operators of cyberspace are in a unique position to detect malicious activity at scale, identify bad actors, and take quick and effective action. Commercial intelligence services can hunt and pursue bad actors anywhere on the planet.

Commercial Intel Advantage

The private sector owns global cyber and financial networks and has unprecedented visibility of the data. Industry can often connect the dots for attribution quite effectively. It is also easy for industries to cooperate across industrial partners, form new ones, cultivate sources, provide data proximity-at-scale, share sensitive intelligence at the speed of cyber, and agree to take collective action. It should be no surprise that plenty of cyber attribution is accomplished by industry.

However, there is not a large market for attribution services. Most victims try to move on from the problem - pressing charges or further investigation may not be attainable. To fill this gap, collaborations between US intelligence agencies and industry have resulted in precise attribution and decisive action.

Cyber Defence Futures

The most exciting work on cyber attribution in Canada appears to be from the Department of National Defence’s Innovation for Defence Excellence and Security (IDEaS) program. The program is developing and deploying innovative approaches that access, interpret, and compare evidence using technical and all-source intelligence to attribute advanced persistent threats in the defence of Canada.


Cyber defence is a team sport. Response actions and offensive operations, particularly involving attribution and targeting of nation-state actors, will require equitable partnerships with industry and the development of a Canadian sovereign capability. Attribution relies on foreign intelligence collaboration. As is playing out in Ukraine, the implications of attribution, deterrence, persistent engagement, and de-escalation will require renewed attention given the rapid evolution of the threat and warfare in cyberspace and the cognitive domain.

Back to blog