By and large, organizations tend to invest in preventative cybersecurity measures and they also concentrate their resources on detecting and stopping cyberattacks, rather than on painstaking “who did it?” investigations. They want to close the gap, manage the public opinion fallout, learn from the episode and move on.

From an enterprise perspective, this makes sense, as resources dealing with cybersecurity are usually overstretched and the organization does not stand to gain much from determining, with a certain degree of certainty, who was behind a cyberattack. The incentive equation, of course, is different if the target of the attack is a government or a large organization that is part of a country’s critical national infrastructure.

Attack attribution has traditionally been approached from the perspective of enabling the target or victim entity to pursue the attacker either for damages in a court of law; or from a national, military or intelligence “strike back” perspective.

While dishing out some form of retribution has always been instinctual, however, only governments and very large corporations have historically had the technical toolbox, the economical means and the long-term view to pursue a cyber retribution strategy.

But should commercial and non-commercial organizations also care about cyberattack attribution?

Yes, within measure.

The first question ought to be: why? What does the target organization stand to gain from investing in cyber-attack attribution? The answer is that, the better it understands the attackers tools and techniques, the more likely the organization is to direct its limited resources to the right areas of defense.

As we know, each attacker or attacker group has certain preferred tooling and attacking methods. Also, they have their own motivation, speed, operational capability and discipline.

Assuming that an organization can safely concentrate only on patching, employee awareness programs, scanning, pen testing, log monitoring and other traditional defensive security measures, would be a mistake. These measures are, of course, necessary but they can no longer be the entire apparatus of cyber defense. Organizations need to invest a certain proportion of their resources in understanding their cyber adversaries, and their motivations, modus-operandi, credibility and capabilities, in order to better tailor their defensive resources.

What would be the “adequate” amount of time and effort for an organization to spend on seeking to attribute a cyberattack, successful or not, to a malicious actor or group? The effort should be proportionate with what is at risk and what resources the company has, either in house or via its suppliers and industry. Knowing at least how some of their enemies attack, however, can help companies to better leverage their resources when defending.