Attribution is a secondary but undeniable priority

When a cyberattack hits, the first response should always be practical: stop the damage, secure the systems, and eliminate any ongoing threats. Attribution, figuring out who was behind it, comes later. It’s important, but not the first thing you focus on. A compromised system means there’s already been a failure somewhere, and fixing that has to take priority. Once the immediate risks are handled, you dig into attribution. Knowing who attacked and why can help reduce the chances of it happening again and strengthen future defenses.

For high-profile companies, attribution often becomes a public conversation. If your platform goes down, people want answers. The larger the impact, the louder the calls to identify who was responsible. Executives are pressured not just by their teams but by stakeholders, users, and sometimes governments. Smaller companies, by contrast, don’t usually have this external pressure. Their focus is on getting back online and preventing further disruptions, which means attribution can wait.

CISOs and CIOs should take a strategic approach. Attribution is valuable, but only after securing operations. It can guide security investments, help assess future risks, and even shape policy decisions. But chasing a name before securing your network is a mistake. Prioritize mitigating damage, restoring stability, and then, only then, consider who was behind it.

Randolph Barr, CISO at Cequence Security, put it well: “The … concern that I probably would have as a CISO is addressing the vulnerability that allowed them in the door in the first place.” The lesson here is clear: security leaders need to focus first on resilience, then on accountability.

The complexity and resource intensity of attribution

Attributing cyberattacks is not simple. Attackers use layers of obfuscation, botnets, hijacked infrastructure, and anonymized networks to cover their tracks. When a DDoS attack happens, for example, traffic floods in from thousands of compromised devices worldwide. The true origin is masked behind decentralized systems, making definitive attribution extremely difficult. Even when attackers claim responsibility, that doesn’t mean they’re telling the truth. Some groups take credit for attacks they didn’t execute, seeking attention or pushing misinformation.

Accurate attribution requires deep investigation. Security teams need technical tools and intelligence feeds to analyze attack patterns, track malicious activity, and match digital fingerprints to known threat actors. This takes time and resources. Large enterprises may have the internal expertise to do this in-house, but even then, external threat intelligence firms are often necessary. The result is usually a report that assigns attribution with varying levels of confidence, but a completely definitive answer isn’t always possible.

Business leaders need to recognize that attribution isn’t a fast process, nor is it always conclusive. It requires a sustained investment in cybersecurity capabilities, skilled personnel, and intelligence-sharing networks. Organizations that focus only on stopping attacks without building a deeper understanding of who is behind them may leave themselves vulnerable to repeat incidents.

Vishal Grover, CIO at apexanalytix, breaks it down: “A botnet is generally a network of compromised computers… you really can’t actually pinpoint that it came from this specific location.” This highlights the core challenge—attack attribution is not a simple trace-back operation. It requires a strategic, long-term view, not just a reactive response.

Attribution’s role in improving security preparedness and industry collaboration

Identifying who is behind an attack and how they operate allows organizations to adjust their defenses and make informed decisions about risk. But the value of attribution extends beyond a single company. When organizations share intelligence, the entire security ecosystem benefits. Threat intelligence teams can track emerging attack patterns, share tactics used by adversaries, and warn potential targets before incidents escalate.

This kind of collaboration happens in security forums, conferences, and direct industry relationships. Executives who take cybersecurity seriously should make sure their teams actively engage in these spaces. Information sharing allows security teams to compare notes on attack methods, exchange real-time alerts, and strengthen collective resilience. But collaboration like this is not always easy. Companies hesitate to disclose security breaches due to concerns over liability, reputational damage, and the financial impact of admitting a compromise. Some remain silent out of fear that exposing vulnerabilities could invite more attacks.

The challenge is finding a balance between transparency and risk management. Forward-thinking leaders recognize that cybersecurity is a shared responsibility. The more willing companies are to participate in trusted intelligence-sharing networks, the stronger their defenses become. Security teams that operate in isolation are often working with incomplete information, which puts them at a disadvantage.

Vishal Grover, CIO at apexanalytix, stresses the need for open discussions: “That’s one of the primary reasons that you go and attend a security conference… You definitely want to share your experiences, learn from their experiences, and understand everybody’s perspective.” Randolph Barr, CISO at Cequence Security, reinforces this point: “We build those relationships so that we know that we can trust each other to say, ‘Hey, if our name comes up, please let us know.’” Effective collaboration depends on developing these relationships, ensuring organizations can rely on each other when threats emerge.

Key takeaways for leaders

  • Attribution is valuable but should not be the first priority: Security leaders must focus on closing vulnerabilities and eliminating threats before investigating attribution. Large organizations face greater pressure to determine responsibility, but all companies should prioritize resilience first.
  • Tracing attackers is complex and resource-intensive: Cybercriminals use botnets and layered obfuscation, making definitive attribution difficult. Decision-makers should invest in deep threat intelligence and expert analysis but set realistic expectations that attribution may remain inconclusive.
  • Collaboration strengthens defenses but requires trust: Information sharing between organizations enhances collective security, yet concerns over liability and reputation often limit transparency. Leaders should foster trusted security networks to stay ahead of threats while balancing disclosure risks.

Alexander Procter

March 28, 2025