
Technical vs. legal attribution

Definition

Technical attribution identifies the infrastructure and tooling used in an attack and may link it to a known cluster or actor profile. Legal attribution establishes criminal responsibility for a specific individual or state entity to the standard required by a court or treaty body. The evidentiary standard for legal attribution is typically far higher than for technical attribution.

Related terms

Attribution
The process of identifying the threat actor responsible for a cyberattack. Attribution is a confidence-weighted analytical conclusion, not a binary fact. It...
Confidence level
An explicit label attached to an attribution assessment indicating how strongly the available evidence supports the conclusion. Standard tiers are low, medium,...
False flag
A deliberate deception in which an attacker plants indicators designed to make the intrusion appear to originate from a different actor. Common...
Threat actor cluster
A named collection of observed activity linked by shared infrastructure, malware, and TTPs, without necessarily having confirmed the real-world identity of the...
TTPs (Tactics, Techniques, and Procedures)
The behavioural fingerprint of a threat actor: the broad goals and approaches they pursue (tactics), the specific methods they use to achieve...

Explained in

  • Attribution in Cyber Investigations
