The Many Arms of the MSS: Why Provincial Bureaus Matter in China’s Cyber Operations
Provincial bureaus of the Chinese Ministry of State Security likely operate with their own tasking priorities, resources, and local ecosystems for cyber operations
To defend systems, one must first pinpoint the source of malicious activity. Most cyber threat intelligence (CTI) firms focus on tactical and operational attribution: tactical attribution identifies and clusters technical details such as malware used, attack methods, or indicators of compromise, while operational attribution uses characteristics of activity clusters to infer group profiles and assigns labels like “APT” or “UNC.”[1] Strategic attribution goes further by identifying the real-world individuals or entities behind an intrusion.
Some CTI experts debate the conditions under which strategic attribution is appropriate, while others highlight the technical challenges of identifying threat actors, the political motivations behind public disclosure, and the legal standards required to assign responsibility. The Natto Team and other researchers believe that – compared to “cluster-based” tactical and operational attribution – the strategic identification of real-world individuals and o…




