Cybersecurity Attribution: Why Is It Important and How Does Internet Intelligence Help?
Cyber attribution — the process of identifying the person or group behind a cyber attack or other activity — is, perhaps, one of the most interesting tasks in cybersecurity. It feels like detective work. You find clues and use them to identify the murderer, but in the case of cybersecurity, a) it’s not always the gardener, and b) you’re looking for cyber threat actors rather than murderers.
At the same time, cyber attribution is very challenging — those clues are often needles in large haystacks, and attributing something to a specific threat group is often quite difficult and time-consuming. Not to mention that the majority of analysts’ time is usually spent on threat containment.
And yet, cyber attribution has to be done.
Why Is Cybersecurity Attribution So Important?
Most security professionals focus on containment, and understandably so, because it stops an active malicious cyber operation. However, cybersecurity attribution is also important, as it helps teams understand the person or group behind the keyboard — a proactive cyber defense approach that makes long-term security possible.
Attribution provides several key advantages for defenders:
- Evidence for legal action: Accurate attribution provides the evidence needed for legal action. Without it, law enforcement agencies cannot build a case against threat actors.
- Predictive defense: Organizations can study the specific tactics, techniques, and procedures (TTPs) of an actor, allowing security teams to build cybersecurity strategies tailored to prevention of the threats most likely to hit their industry or region.
- Faster incident response: When you know who is behind an attack, you know what else to look for. Since different groups have different TTPs, knowing the "who" helps teams predict the next move in terms of the "how."
- Infrastructure takedowns: Knowing where an attack originates allows defenders to dismantle the servers and networks used by the hackers. This prevents the same infrastructure from being used in future operations.
The Modern Challenges of Cyber Attribution
Despite its value, attribution is fraught with obstacles that make it resource-intensive.

- Difficulties collecting and preserving data. Investigators need everything from each stage of the incident, from system and traffic logs to endpoint data. Preserving this level of detail can be difficult, as logs roll over, attackers wipe their tracks, and context can be lost amid the chaos of remediation.
- Large volumes of data for analysis. And even when all this data and context are preserved, their sheer volume makes cyber forensic analysis a search for a needle in a haystack. Analysts need to correlate terabytes of logs to find a connection that betrays an attacker’s identity. Thankfully, with AI and pattern matching this is no longer a fully manual search, but it still isn’t an easy task.
- Cross-border investigation difficulties. Despite the fact that cybercrime has no borders — a server in one country, a registrar in another, and a victim in a third — cyber investigations often run into cross-border complexities. Bringing malicious actors to justice requires international law and cooperation, but countries have different local laws and procedures, and sometimes are reluctant to share data with each other.
- Growing number of attacks. Lastly, the growing number of attacks and attackers doesn’t make things easier. A 2026 Check Point report cited a 70% increase in cyber attacks since 2023 and a 50% rise in new ransomware-as-a-service groups. Security professionals simply don’t have much time to spend attributing them all.
- False flags. Even when attacks do get attributed, there’s a chance the attacker was only mimicking another actor (a false flag attack). If a security team attributes an attack incorrectly, it can lead to serious political consequences or diplomatic friction.
But then again, cyber attribution still has to be done.
Types of Cybersecurity Attribution
Cybersecurity attribution can be categorized into three types — technical, strategic, and legal — with technical attribution further split into tactical and operational.
Instead of looking at it as one giant task, think of attribution as layers of a case. You might start with technical clues like IP addresses (tactical), then move up to analyzing how the attacker thinks and works (operational).
After that, you look at the big picture to figure out their ultimate motive (strategic) and then move on to the end game, where you try to bring the actors to justice (legal).
| Types of Attribution | Focus |
|---|---|
| Tactical | Analyzing the technical artifacts like IP addresses and malware hashes. |
| Operational | Examining the patterns of the attack, such as the timing and the specific infrastructure used. |
| Strategic | Understanding the big picture — the political entity or motive behind the attack. |
| Legal | Preparing the evidence that law enforcement needs to meet the standard of proof required for a court of law. |
Cyber Attack Attribution Models
For each type of attribution, cyber investigators use existing attribution models or frameworks to make the process easier and more data-driven. Some of the most common models are briefly described below.
Diamond Model of Intrusion Analysis
The Diamond Model of Intrusion Analysis is a framework that views security events through four interconnected points:
- Adversary: Who is behind the malicious cyber operation?
- Infrastructure: What hardware or software did they use (servers, domains)?
- Capability: What tools or malware did they employ?
- Victim: Who was targeted?
The model is useful for tactical and operational attribution, since it connects the scattered pieces of a cyber attack investigation. Tactical clues like file hashes fill the “Capability” vertex, while operational patterns like registration and attack timing help define the Infrastructure vertex. Using the model this way allows teams to bridge the gap between technical data and the actual threat actor.

The flow below gives a basic idea of how to use the Diamond Model:
- We’ve identified that this malware (capability) was used in an attack.
- This malware communicates with this C2 server (infrastructure).
- That C2 server is tied to a known threat group (adversary).
- The group historically targets financial institutions (victim profile).
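The four-step flow above can be expressed as a pivot over a small case file, where each past event is stored with its four Diamond Model vertices and a new incident's technical clues (the sample's hash and the C2 it contacted in a sandbox) are walked through to an adversary and that adversary's victim profile. The following is an added example, not code from the article or from the Diamond Model's authors; every hash, domain, group label and victim in it is a constructed placeholder.

```python
"""Diamond Model pivot over a small, constructed case history.

Added example: not from the original article. Hashes, domains, group labels
and victims are constructed placeholders, not real indicators.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DiamondEvent:
    """One security event described by the four Diamond Model vertices."""
    adversary: Optional[str]   # may be unknown when the event is first recorded
    infrastructure: str        # C2 domain or IP the capability talked to
    capability: str            # malware family or sample hash
    victim: str                # targeted sector or organisation


# Constructed case history: past events the team has already attributed.
HISTORY = [
    DiamondEvent("GROUP-A", "c2-one.invalid", "sha256:aaaa", "bank-1"),
    DiamondEvent("GROUP-A", "c2-two.invalid", "sha256:bbbb", "bank-2"),
    DiamondEvent("GROUP-B", "c2-three.invalid", "sha256:cccc", "retailer-1"),
    DiamondEvent(None, "c2-four.invalid", "sha256:dddd", "hospital-1"),  # unattributed
]


def pivot(history, capability, infrastructure):
    """Follow the article's flow: capability -> infrastructure -> adversary
    -> victim profile, starting from a new incident's two technical clues.

    Returns each candidate adversary with the vertices that support it, so
    the analyst can see whether two independent clues agree on the same
    group (a much stronger signal than one clue alone)."""
    support = defaultdict(set)
    for e in history:
        if e.adversary is None:        # unattributed history cannot name anyone
            continue
        if e.capability == capability:
            support[e.adversary].add("capability")
        if e.infrastructure == infrastructure:
            support[e.adversary].add("infrastructure")

    # Victim profile: everything the candidate groups have hit before.
    profile = defaultdict(set)
    for e in history:
        if e.adversary in support:
            profile[e.adversary].add(e.victim)

    return {
        adv: {"supported_by": sorted(vertices),
              "known_victims": sorted(profile[adv])}
        for adv, vertices in support.items()
    }


def best_candidate(result):
    """Prefer the adversary backed by the most vertices; None when nothing matched."""
    if not result:
        return None
    return max(result, key=lambda adv: len(result[adv]["supported_by"]))


if __name__ == "__main__":
    # A never-before-seen sample that talks to a C2 already tied to GROUP-A.
    outcome = pivot(HISTORY, "sha256:eeee", "c2-two.invalid")
    print(outcome, "->", best_candidate(outcome))
```

The return value deliberately lists which vertex produced each candidate: an attribution resting on a single shared C2 should be treated as a lead, while one where capability and infrastructure independently point to the same group deserves more confidence.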
Unit 42 Attribution Framework
Developed by Palo Alto Networks, the Unit 42 Attribution Framework is designed to move an investigation from tactical to strategic. It introduces a structured promotion system for attackers:
- Activity clusters: These are groups of events that share common technical indicators (e.g., IPs, domains, hashes).
- Temporary threat groups: After at least six months of consistent observation and mapping using the Diamond Model, a cluster is promoted to a temporary group.
- Named threat actors: Analysts promote a temporary group to a formal name after a structured evaluation. This process uses the Admiralty System, originally designed for naval intelligence in the 20th century but later adapted for cyber intelligence, to grade source reliability and information credibility through standard codes.
Pahi’s Cyber Attribution Model (CAM)
Pahi’s CAM (named after Timea Pahi, who presented it together with Florian Skopik in 2019, subsequently publishing a paper about it in 2020) uses a puzzle-matching approach to align an active incident with historical data to ensure high-confidence attribution. The model runs two parallel tracks that help with operational, strategic, and legal attribution:
- Cyber attack investigation: Analysts examine the current incident to identify technical and socio-political indicators. This includes victimology, infrastructure, and the specific capabilities (malware signatures) used.
- Cyber threat actor profiling: This track uses existing knowledge from previous cyber incidents to build a database of known threat actor profiles and their specific TTPs.
By comparing the TTPs and modus operandi of the live investigation against established profiles, analysts can spot inconsistencies. If a cyber incident appears to be from one group but uses the infrastructure of another, the model helps flag it as a potential false flag attack.
Tools Needed for Cyber Attribution
The data you plug into those attribution models has to come from somewhere. Some data points, of course, come from the logs, but you need reference data to compare them against before they start making sense.
Effective attribution requires a set of tools that gather the necessary data for you, and below are some of the tools that security teams commonly use for attribution.
MITRE ATT&CK
The MITRE ATT&CK framework provides a massive database of known adversary tactics and techniques. So instead of guessing what a hacker might do next, analysts use this framework to map observed behaviors to techniques used by APT actors. This turns raw data into a structured account of how a malicious cyber operation could unfold.
For security teams using the Diamond Model, for example, MITRE ATT&CK provides the technical detail for the Capability and Infrastructure vertices. Instead of just saying, "the attacker used malware," you specify the exact technique, such as T1543.003 (Create or Modify System Process: Windows Service).
It also helps analysts identify the activity clusters for the Unit 42 Attribution Framework, which are needed to promote an attacker to a named group. If multiple clusters use the same unique set of ATT&CK techniques, they likely belong to the same responsible party.
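Two of the ideas above lend themselves to the same small piece of code: Pahi's CAM compares a live incident's TTPs and infrastructure against a database of actor profiles and flags inconsistencies that may indicate a false flag, and the ATT&CK heuristic just described merges activity clusters that share the same unique technique set. The example below is added here and is not the CAM authors' reference implementation nor a MITRE tool; the actor names, profile contents and observed incident data are constructed, and the technique IDs are real ATT&CK identifiers used only as labels.

```python
"""TTP-profile matching in the spirit of Pahi's CAM, using ATT&CK technique
IDs as the TTP vocabulary, plus the article's cluster-merging heuristic.

Added example: not the CAM authors' implementation. Actor names, profile
contents and incident data are constructed; technique IDs are real ATT&CK
identifiers used purely as labels.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ActorProfile:
    name: str
    techniques: frozenset      # ATT&CK technique IDs seen in past incidents
    infrastructure: frozenset  # C2 domains / IPs seen in past incidents


# Constructed profile database (the "cyber threat actor profiling" track).
PROFILES = [
    ActorProfile("ACTOR-X",
                 frozenset({"T1566.001", "T1059.001", "T1543.003", "T1071.001"}),
                 frozenset({"c2-x1.invalid", "c2-x2.invalid"})),
    ActorProfile("ACTOR-Y",
                 frozenset({"T1566.002", "T1105", "T1486", "T1071.001"}),
                 frozenset({"c2-y1.invalid"})),
]


def jaccard(a, b):
    """Set similarity in [0, 1]; 0 when both sets are empty."""
    union = set(a) | set(b)
    return len(set(a) & set(b)) / len(union) if union else 0.0


def score_incident(profiles, observed_techniques, observed_infra):
    """The "cyber attack investigation" track: rank profiles by TTP overlap
    and record which profiles already own any of the incident's infrastructure."""
    scores = {p.name: jaccard(p.techniques, observed_techniques) for p in profiles}
    infra_owners = {p.name for p in profiles if p.infrastructure & set(observed_infra)}
    return scores, infra_owners


def assess(profiles, observed_techniques, observed_infra, min_score=0.5):
    """Attribute to the best TTP match, but flag the case when the
    infrastructure belongs to a different profile (possible false flag)."""
    scores, infra_owners = score_incident(profiles, observed_techniques, observed_infra)
    best = max(scores, key=scores.get)
    if scores[best] < min_score:
        return {"attribution": None, "flag": "no confident TTP match"}
    if infra_owners and best not in infra_owners:
        owners = ", ".join(sorted(infra_owners))
        return {"attribution": best,
                "flag": f"possible false flag or shared infrastructure: TTPs match "
                        f"{best} but infrastructure belongs to {owners}"}
    return {"attribution": best, "flag": None}


def merge_clusters(clusters):
    """Article's ATT&CK heuristic: activity clusters with the same unique
    technique set likely belong to one party. `clusters` maps a cluster name
    to its technique set; returns the groups of names that should merge."""
    by_signature = {}
    for name, techniques in clusters.items():
        by_signature.setdefault(frozenset(techniques), []).append(name)
    return sorted(sorted(names) for names in by_signature.values() if len(names) > 1)


if __name__ == "__main__":
    # Constructed incident: ACTOR-X's tradecraft, but ACTOR-Y's C2.
    print(assess(PROFILES, {"T1566.001", "T1059.001", "T1543.003"}, {"c2-y1.invalid"}))
```

The `min_score` threshold keeps a weak overlap from being reported as an attribution at all, and the false-flag flag is worded as "or shared infrastructure" on purpose: two groups renting the same bulletproof host produce exactly the same inconsistency, so the flag is a prompt for a human to look closer rather than a verdict.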
Threat Intelligence
Attribution relies on a constant stream of external data. Analysts use community-driven platforms like Open Threat Exchange (OTX) and ThreatFox, along with commercial feeds such as WhoisXML API’s security intelligence data feeds and Internet intelligence APIs or databases (we’ll talk about that in more detail in a moment).
These intelligence sources provide a global view of emerging threats, and comparing internal logs with these feeds lets security teams see if a specific campaign is targeting other organizations in the same sector.
Malware Sandboxes
When a suspicious file appears, you cannot just run it on your main network. Analysts use malware sandboxes to detonate code in a safe, isolated environment. These tools reveal what the software actually does, such as which servers it tries to contact or which processes it tries to interfere with in the operating system.
Malware sandboxes extract file hashes, command-and-control (C2) IP addresses, and registry keys, which are IoCs needed to block a digital attack. This is also where some of the signals that constitute the attacker’s digital fingerprint are obtained since the sandbox reveals the TTPs. All the data harvested from a malware sandbox provides the raw ingredients for attribution.
OSINT Tools
Open Source Intelligence (OSINT) tools are essential for digging deeper into infrastructure. Platforms like Domain Research Suite (DRS) and various APIs enable researchers to identify related domains and IP addresses.
For example, WhoisXML API researchers did an OSINT analysis on 144 IoCs for the 2026 top malware threat, QakBot, and found thousands of artifacts. It’s important to note a technical distinction here — IoCs are digital evidence seen directly during an active attack, while the artifacts we discovered are resources that haven’t been used in the attack but can still be attributed with high confidence to the same threat actor based on OSINT extrapolation. They are not IoCs and should not be treated as such, but they are nonetheless very useful for threat intelligence purposes.
AI
As previously mentioned, one of the biggest challenges in attribution is the sheer volume of data. It is next to impossible for humans to manually sort through millions of logs to find a single connection, and this is where AI comes in, particularly in the following tasks:
- Pattern recognition: Cyber solutions, such as the First Watch Malicious Domains Data Feed, use AI to detect subtle clusters in data that suggest a coordinated campaign (e.g., bulk domain registration of lookalike domains that use the same name servers).
- Rapid pivoting: Tools like Jake AI and MCP servers allow analysts to query data and have AI pivot between different artifacts to speed up research.
The Role of Domain Intelligence in Cyber Attribution
Domain intelligence, or the collection and interpretation of Internet domain data, including WHOIS records, DNS intelligence, and SSL certificates, is one of the keys to increasing attribution certainty.
Increase Certainty by Getting More Signals
Using DNS and WHOIS data allows you to spot patterns that aren't visible at first glance. We can be more certain of an actor's identity when a new domain exhibits the same patterns as other domains already attributed to them.
Passive DNS (pDNS) is especially powerful here. It adds signals that help connect domains that currently look different, but actually have a past connection. While two domains might resolve to different IPs today, pDNS shows if they resolved to the same or similar IP addresses in the past. This historical connection often links infrastructure that an attacker tried to separate.
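The historical linking just described can be implemented directly over pDNS records: domains are joined whenever they ever shared a resolution, regardless of what they resolve to today. The example below is added here and is not code from the article or from any WhoisXML API product; its records are constructed, the IPs come from documentation ranges, and the `max_domains_per_ip` cut-off is an assumed heuristic for ignoring shared hosting and CDN addresses, which would otherwise link unrelated domains.

```python
"""Linking domains through historical passive DNS overlap.

Added example: not from the article or any vendor product. Records are
constructed; IP addresses come from documentation ranges.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PdnsRecord:
    domain: str
    ip: str
    first_seen: date
    last_seen: date


RECORDS = [
    # Two domains that shared an IP in the past but resolve differently today.
    PdnsRecord("alpha.invalid", "203.0.113.10", date(2025, 1, 1), date(2025, 2, 1)),
    PdnsRecord("alpha.invalid", "203.0.113.20", date(2025, 2, 2), date(2025, 6, 1)),
    PdnsRecord("beta.invalid", "203.0.113.10", date(2025, 1, 5), date(2025, 1, 20)),
    PdnsRecord("beta.invalid", "203.0.113.30", date(2025, 1, 21), date(2025, 6, 1)),
    # An unrelated domain on its own IP.
    PdnsRecord("gamma.invalid", "203.0.113.40", date(2025, 3, 1), date(2025, 6, 1)),
    # Many domains on one shared-hosting / CDN IP: must NOT be linked together.
    *[PdnsRecord(f"site{i}.invalid", "198.51.100.1", date(2025, 1, 1), date(2025, 6, 1))
      for i in range(6)],
    PdnsRecord("gamma.invalid", "198.51.100.1", date(2025, 1, 1), date(2025, 2, 28)),
]


def current_ip(records, domain):
    """Most recent resolution for a domain (what a live lookup would show)."""
    mine = [r for r in records if r.domain == domain]
    return max(mine, key=lambda r: r.last_seen).ip if mine else None


def link_by_history(records, max_domains_per_ip=5):
    """Union domains that ever shared an IP, skipping IPs that hosted more
    than `max_domains_per_ip` domains (shared hosting / CDN noise, an assumed
    heuristic). Returns sorted clusters with at least two members."""
    by_ip = defaultdict(set)
    for r in records:
        by_ip[r.ip].add(r.domain)

    parent = {}  # union-find over domain names

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for ip, domains in by_ip.items():
        if len(domains) > max_domains_per_ip:
            continue                        # too popular to be a useful link
        ordered = sorted(domains)
        for d in ordered[1:]:
            union(ordered[0], d)

    groups = defaultdict(set)
    for d in {r.domain for r in records}:
        groups[find(d)].add(d)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    print(link_by_history(RECORDS))
    print(current_ip(RECORDS, "alpha.invalid"), current_ip(RECORDS, "beta.invalid"))
```

In the constructed data, alpha.invalid and beta.invalid sit on different IPs now and would look unrelated to a live lookup, yet their overlapping January resolution to 203.0.113.10 places them in one cluster, while the seven domains parked on 198.51.100.1 stay unlinked because that address exceeds the popularity cut-off.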
Uncovering Associated Infrastructure
If you have one domain tagged as an IoC, you can use DNS, WHOIS, and SSL data to find others with similar traits.
To illustrate, let’s take a look at ferromny[.]digital, one of the domains identified by CISA as deploying LummaC2 malware. WHOIS history tells us that the domain was registered on March 24, 2025, by a registrant organization named Mark Popov, with PDR Ltd. as the registrar.

A Reverse WHOIS Search using those details led to nine additional domains that also used Cloudflare nameservers.

With some degree of certainty, we have just completed a small attribution exercise: these domains can be attributed to the same threat actor, and they may well have been used for malicious purposes too. VirusTotal lookups support this: two of the discovered domains, meltmetu[.]live and oreheatq[.]live, are already flagged as malicious by security vendors.
Leads to Operational Fingerprints
As you find more domains and subdomains, you begin to build the threat actor’s operational fingerprints based on their habits and preferences, such as:
- Preferred registrars: Many actors stick to specific registrars they find easy to use or exploit.
- Registration timing: You might notice that an actor registers their domains during specific hours, or that some groups of domains you found were registered at the same time.
- Naming patterns: Threat actors often follow specific naming conventions or use the same top-level domains (TLDs).
Going back to the LummaC2 IoC example, ferromny[.]digital, predictive threat intelligence at the time of its registration actually picked up other domains that had similar characteristics — the same registrar, Cloudflare nameservers, the same registrant country, and even the same registration date and time (with only a few seconds’ difference between each registration). Two of those we had already seen when using Reverse WHOIS in our previous mini attribution exercise.
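The Reverse WHOIS pivot from the associated-infrastructure section and the registrar, timing and naming fingerprints listed above can all be computed from the same WHOIS records. The example below is added here and is not code from the article or from WhoisXML API's Domain Research Suite; its records, registrar, registrant and nameserver values are constructed placeholders rather than the real LummaC2 case data, and the 30-second burst window and the fields used for matching are assumptions a team would tune to its own data.

```python
"""Reverse-WHOIS style pivoting and registration-timing fingerprints.

Added example: not from the article or any vendor product. Records are
constructed placeholders, not the real LummaC2 case data.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    registrar: str
    registrant_org: str
    registrant_country: str
    nameservers: frozenset
    created: datetime          # registration timestamp, UTC


NS = frozenset({"ns1.cdn-placeholder.invalid", "ns2.cdn-placeholder.invalid"})
T0 = datetime(2025, 3, 24, 10, 0, 0)
RECORDS = [
    WhoisRecord("seed.digital", "Registrar-P", "Org-M", "XX", NS, T0),
    WhoisRecord("second.digital", "Registrar-P", "Org-M", "XX", NS, T0 + timedelta(seconds=4)),
    WhoisRecord("third.live", "Registrar-P", "Org-M", "XX", NS, T0 + timedelta(seconds=9)),
    WhoisRecord("fourth.live", "Registrar-P", "Org-M", "XX", NS, T0 + timedelta(days=3)),
    # Registered seconds after the seed, but by someone else entirely.
    WhoisRecord("other.com", "Registrar-Q", "Org-N", "YY",
                frozenset({"ns.other.invalid"}), T0 + timedelta(seconds=6)),
]


def reverse_whois(records, seed, fields=("registrant_org", "registrar")):
    """Other domains whose chosen WHOIS fields match the seed domain's."""
    s = next(r for r in records if r.domain == seed)
    return sorted(r.domain for r in records
                  if r.domain != seed
                  and all(getattr(r, f) == getattr(s, f) for f in fields))


def registration_bursts(records, window=timedelta(seconds=30),
                        keys=("registrar", "nameservers", "registrant_country")):
    """Bulk-registration signal: domains with the same `keys` registered
    within `window` of the previous one. Grouping by keys first keeps an
    unrelated registration that merely happened at the same moment out."""
    groups = {}
    for r in records:
        groups.setdefault(tuple(getattr(r, k) for k in keys), []).append(r)
    bursts = []
    for members in groups.values():
        ordered = sorted(members, key=lambda r: r.created)
        run = [ordered[0]]
        for prev, cur in zip(ordered, ordered[1:]):
            if cur.created - prev.created <= window:
                run.append(cur)
            else:
                if len(run) > 1:
                    bursts.append(sorted(x.domain for x in run))
                run = [cur]
        if len(run) > 1:
            bursts.append(sorted(x.domain for x in run))
    return sorted(bursts)


def fingerprint(records, domains):
    """Operational fingerprint of a domain set: preferred registrars, TLDs and
    registration hours (the habits the article lists)."""
    selected = [r for r in records if r.domain in set(domains)]
    return {
        "registrars": dict(Counter(r.registrar for r in selected)),
        "tlds": dict(Counter(r.domain.rsplit(".", 1)[-1] for r in selected)),
        "registration_hours_utc": dict(Counter(r.created.hour for r in selected)),
    }


if __name__ == "__main__":
    related = reverse_whois(RECORDS, "seed.digital")
    print("reverse whois:", related)
    print("bursts:", registration_bursts(RECORDS))
    print("fingerprint:", fingerprint(RECORDS, ["seed.digital"] + related))
```

When registrant fields are redacted by a privacy service, `reverse_whois` on `registrant_org` returns everything behind that proxy and is useless; in that case the `registration_bursts` keys (registrar, nameservers, country and timing) carry the signal instead, which is why the two are kept as separate functions.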

Another tool that can help is IP geolocation, as it can give you an idea of where the actor typically operates. While this is not the exact physical location of the person behind the keyboard, it’s still a helpful signal, as it shows where the infrastructure that they rely upon is.
Conclusion
Cybersecurity attribution is quite a complicated puzzle, but it’s a really exciting one and also one that security teams must keep on solving for the sake of long-term security.
The more signals one can collect and the more context one can add by using domain intelligence and other data sources, the clearer the picture of an adversary one can create.
Talk to WhoisXML API experts to learn more about how our Internet intelligence APIs and databases can help with cyber attribution.