RSAC 2026 CONFERENCE – San Francisco – Questions about threat actor attribution, including the methodology behind it and the strategic reasons to delay public statements, require careful consideration from security teams and legal counsel.
Attribution is the process of identifying the responsible party for a security incident. Depending on the methodology and available evidence, researchers might determine that a specific threat group gained unauthorized access to an organization's network. In other cases, analysts identify a "cluster," which connects patterns of activity without linking a threat actor or nation-state to that activity with complete certainty. Security vendors frequently use custom naming taxonomies to track these threat groups, such as Salt Typhoon or Sandworm.
The decision-making process becomes more complex when organizations use these internal identifiers as public signifiers to share research or communicate about an active threat.
A panel at the RSAC 2026 Conference, titled "We Think It Was Them: The Perils of Attribution in Public Statements," evaluated these operational decisions. Axios reporter Sam Sabin hosted the discussion, which featured FTI Consulting senior advisor Brett Callow, Institute for Security and Technology chief strategy officer Megan Stifel, and Cooley LLP partner Mike Egan. They addressed the probabilistic nature of attribution, the criteria for public statements, and the potential consequences of attempting to name a threat actor.
Misconceptions surrounding threat actor attribution
Callow stated that a recurring misconception about attribution is treating the process as definitive rather than probabilistic. He noted that investigations usually conclude it is "more likely than not that a particular entity was responsible, but that nuance doesn't always get carried out."
Egan agreed, observing that absolute certainty regarding unauthorized access is rare unless the threat actor intentionally seeks visibility. This is further complicated by the documented propensity for entities like ransomware groups to lie and claim responsibility for incidents they did not conduct.
Egan also shared that some legal clients operate under the misconception that attributing an incident to a sophisticated nation-state will divert responsibility from the defending organization and improve the public narrative.
"We've had instances of that in the past where the FBI has come out and told the company, 'Listen, 99% of companies wouldn't be able to withstand this attack. This is a pure nation-state attack.' I get the attraction behind that, but it changes the narrative a bit and then can make some people a little bit more concerned," Egan explained. "Now all of a sudden, we're not talking about just a personal data breach and something bigger, and that story sticks around longer."
Attribution and operational risk
While establishing a firm attribution profile can seem appealing, the panelists advised organizations to weigh the secondary consequences. Callow described definitive public attribution as "extremely risky" because it introduces third parties into the operational narrative. "That could be a nation or it could be a for-profit criminal enterprise. In either case, whatever you say to them can attract considerable blowback and invite comments," he said.
The panel also addressed how attribution can directly impact cyber insurance coverage. Following the NotPetya ransomware incidents in 2017, some insurance providers initially denied claims from affected organizations. The insurers argued that the policies did not cover acts of war, given that the activity was directed at Ukraine before spreading globally and was attributed to Russian nation-state actors tracked as Sandworm.
Despite these concerns, there are also risks to remaining silent. Stifel, who previously served as an attorney in the National Security Division at the US Department of Justice, noted that declining to make an attribution case might unintentionally signal acceptance of the unauthorized behavior.
Sabin prompted the panel on how to handle situations where an affected organization is not ready to make a concrete attribution, but external pressures—such as media leaks—force the issue. Premature attribution carries clear risks, yet organizations generally need to maintain control over their own communication narratives.
The panelists offered differing strategies for this scenario. Stifel recommended acknowledging that the organization is aware of the reports, confirming that an incident occurred, and stating that the investigation is ongoing. Egan advocated for a stricter legal approach, advising clients to hold the "no comment" line while the internal investigation proceeds. "Oftentimes the best answer is no answer. We're concentrating on the investigation," Egan said.
Callow offered a different perspective on filling the communication gap.
"I don't think 'no comment' is ever a good response. If you don't fill that gap, somebody else will," he said. "You don't necessarily have to attribute the attack, but you should, for example, say the investigation is ongoing."