RSAC 2026 CONFERENCE – San Francisco – Questions about threat actor attribution, including how to do it and why you might want to hold off, are not as straightforward as they may first seem.
Attribution is a wide-ranging topic that mostly boils down to "Whodunnit?" for cyberattacks. Depending on the attack and various circumstances, you may read somewhere that a bespoke threat group, such as a ransomware gang, compromised an organization's network. Sometimes it's a "cluster," designed to connect a pattern of activity without strictly connecting a threat actor or nation to that activity with complete certainty. Often, a cybersecurity vendor will use its own custom naming taxonomy to track threat groups, like Salt Typhoon or Sandworm, even though the threat actors themselves would never use those names.
This gets more complicated when those names are used both as an internal signifier to describe a pattern of activity as well as a vendor marketing tool to share research or present a threat.
A panel at RSAC 2026 Conference, titled "We Think It Was Them: The Perils of Attribution in Public Statements," dug into some of the questions of attribution that are not always asked: How often is attribution a sure thing? Should you always publicly attribute? What are the risks of attempting to attribute a threat actor? Axios reporter Sam Sabin hosted the panel, which featured FTI Consulting senior advisor Brett Callow, Institute for Security and Technology chief strategy officer Megan Stifel, and Cooley LLP partner Mike Egan.
Misconceptions Surrounding Threat Actor Attribution
Callow said that when it comes to attribution, a common misconception is that the process is definitive rather than probabilistic. He said it is almost always a case of it being "more likely than not that a particular entity was responsible, but that nuance doesn't always get carried out."
Egan agreed, saying it's rarely 100% clear an attacker conducted an attack unless the attacker wants their involvement known. That's without even considering the propensity for entities like ransomware groups to lie and take credit for attacks they might not be responsible for — another complicating factor in attribution.
He added that for some of his legal clients, a recurring misconception has been that attribution may divert responsibility from the defender and improve the narrative surrounding an attack because it gives the impression that there was no way to avoid something so sophisticated.
"We've had instances of that in the past where the FBI has come out and told the company, 'Listen, 99% of companies wouldn't be able to withstand this attack. This is a pure nation-state attack.' I get the attraction behind that, but it changes the narrative a bit and then can make some people a little bit more concerned," Egan explained. "Now all of a sudden, we're not talking about just a personal data breach and something bigger, and that story sticks around longer."