To hide the attackers' identity

To gain a complete picture of the attack

To promote cyber attacks

To ignore cyber attacks

Unlimited jurisdictional power

Lack of resources & expertise

Abundance of resources & expertise

Easy identification of intruders

Analyzing metadata connected to the attack

Ignoring metadata

Avoiding forensic investigation

Not examining tactics and procedures

Incident Severity

Lack of intelligence

Minimal attribution information

Geopolitical Situation

To have serious consequences

To promote cyber attacks

To conduct investigations

To hide cyber attacks

Only Intent and Indicators from external sources

Tradecraft, Infrastructure, Malware, Intent, and Indicators from external sources

Only Tradecraft and Infrastructure

Only Malware and Intent

Ignoring human error

Avoiding collaboration and information sharing

Looking for machine error

Rigorous analytic tradecraft