This document provides a set of key indicators that the intelligence community uses to consider attribution following a cyberattack. The key identified indicators include tradecraft, infrastructure, malware, and intent, as well as indicators identified by outside sources such as private security companies. The report also identifies three practices, assessment for human error, timely collaboration, information sharing, and documentation, and rigorous analytical tradecraft, that are essential in assigning attribution to attacks. Also discussed are best practices for presenting cyber attribution analysis as well as assigning a confidence level to said analysis.
