“is the process of determining the identity of the source of a cyber attack. Types of attribution can include both digital identity (computer, user account, IP address, or enabling software) and physical identity (John Doe was the hacker using the computer from which an attack originated). Attribution can also support a new model of authorization using accountability as a basis for deciding which operations or resources to trust.”
“identifies an adversary linked to a particular incident. It is the culmination of the review of evidence and intelligence gathered during an incident which results in an assessment that identifies individuals or organizations which likely played a role in the cyber incident.”
See right of attribution.
"Attribution is a fundamental part of an effective cyber deterrence strategy as anonymity enables malicious cyber activity by state and non-state groups. On matters of intelligence, attribution, and warning, DoD and the intelligence community have invested significantly in all source collection, analysis, and dissemination capabilities, all of which reduce the anonymity of state and non-state actor activity in cyberspace. Intelligence and attribution capabilities help to unmask an actor's cyber persona, identify the attack's point of origin, and determine tactics, techniques, and procedures. Attribution enables the Defense Department or other agencies to conduct response and denial operations against an incoming cyberattack."
"Dynamic IP address assignment and spoofing make attribution a significant technical challenge. Generally, only with cooperation from the attacker's ISP might the attacker be identified. Many times, however, the evidence to attribute the attack to an individual remains inconclusive. Open wireless access points, Internet cafes, and similar venues that allow Internet access without positive identification and authentication further exacerbate this problem."