Industry Insights: Knowing Your Adversary in Cybersecurity

By Keith Mularski, Chief Global Ambassador, Qintel

In the world of cybersecurity, certain words dominate the conversation—alerts, visibility, incident response, threat detection. But there’s one word that too often gets left out: attribution.

Attribution answers the question every defender should be asking: Who is my adversary? In sports, business, and national security, knowing your opponent is the first step toward beating them. Yet in cybersecurity, too many organizations overlook this critical step, focusing instead on blocking the next attack without ever understanding who’s launching the attack or why. During my career, I’ve seen this play out time and time again.

Recently, a CISO told me, “I don’t care about attribution—I just want to stop it.” On the surface, this makes sense, but in reality, it’s like a football coach putting a random group of 11 players on the field and saying, “Stop the Pittsburgh Steelers from scoring.” That’s just not going to work.

Understanding the Playbook

Good coaches look at the schedule, study their opponents, and understand their tendencies. Does this team like to run or do they like to pass? Coaches and players watch game films, study opponents’ habits, recognize formations, and prepare specific defenses based on that preparation. For example, Mike Tomlin is not going to prepare the same game plan he uses against the Cleveland Browns that he does against Patrick Mahomes and the Kansas City Chiefs.

The situation is the same in cyber. Cyber adversaries have playbooks, too. A nation-state threat actor has different tactics, techniques, and procedures (TTPs) than a ransomware crew. An access broker’s goals and tradecraft differ entirely from those of a hacktivist group or a “script kiddie” experimenting for fun.

Knowing which category your adversary falls into changes everything:

• Your defensive strategy

• Where you allocate resources

• How you detect and respond

• What partnerships you prioritize

When you understand your adversary’s playbook, you can use intelligence to anticipate their moves—not just react to them.

Lessons from the FBI

Before entering the private sector, I spent 20 years in the FBI, tracking some of the most advanced cyber adversaries in the world. I led the Bureau’s first-ever indictments against members of the Chinese military for hacking—the group known as APT1.

In the FBI, attribution wasn’t optional. We built cases by connecting infrastructure, identities, motivations, and tradecraft. We understood the entire intelligence lifecycle. At the end of the day, it’s important to understand there is a living, breathing person behind the computer.

The mindset that cybersecurity is an intelligence problem, not just a technology problem, is often missing in corporate environments. In many businesses, the default mode is purely reactionary: patching vulnerabilities, closing alerts, restoring operations. But without understanding the who and the why of the attack, you’re treating the symptom, not the cause. Your problem is a human one, not an IOC.

When Context is the Difference

I’ll never forget one case I worked at the FBI that illustrates this perfectly.

A company’s security tools were consistently flagging suspicious threat actor activity where the threat actors were downloading certain email inboxes each week. When I talked with the CISO about this, he responded, “We have it covered, they’re just pulling emails, nothing sensitive… Our crown jewels are safe.”

When I asked exactly whose emails they were downloading, it turned out to be the emails of the team attempting to broker a multi-billion-dollar deal in China. As you can probably guess, they weren’t just “pulling emails”—they were gathering intelligence, monitoring strategy, and using it to outmaneuver the company, and the results were devastating.

The Chinese knew their whole negotiating strategy and knew their bottom line. This resulted in billions of dollars in lost revenue, all because of the theft of emails. This loss didn’t happen because detection failed—it happened because the context of that theft was missing.

Attribution is what provides that context. It connects the dots between seemingly isolated events and reveals the bigger picture. Without attribution, defenders are left blind to the true scope and intent of the threat.

Connecting the Dots

Think of Sherlock Holmes. He didn’t solve cases because he had more clues than anyone else—he solved them because he could connect those clues.

That’s what attribution enables in cybersecurity. The goal is not simply to say, “This is Group X,” but to understand Group X’s capabilities, intent, and likely next move. It’s about seeing the attack in a much broader context—where it came from, how it fits into a broader campaign, and what that means for your company and defense.

Modern intelligence platforms—like the one we built at Qintel, Platform Blue—help organizations do exactly that. They combine technical indicators with behavioral analysis, infrastructure mapping, and historical patterns. This turns raw data into actionable intelligence. Even if your organization doesn’t have such a platform, you should at the very least be using tools that allow you to track adversary behavior over time.
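The mailbox case above and the point about tracking adversary behavior over time both come down to the same mechanic: linking alerts that look isolated one at a time into a single campaign, then adding business context about what was targeted. The script below is an added illustration of that mechanic, not code from the article or from Qintel’s Platform Blue. The alerts and the mailbox-to-team mapping are constructed sample data, and the sensitivity scores and the “weekly cadence” rule are assumptions chosen for the example.

```python
"""Link isolated mailbox-export alerts into a campaign and score it with business context.

Added example (not the article's or Qintel's code). All data below is constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed alerts: each is one "someone exported a mailbox" detection.
# Seen one at a time, each looks like "just pulling emails".
ALERTS = [
    {"ts": "2024-03-04T02:11:00", "src_ip": "203.0.113.10", "mailbox": "j.lee", "action": "mailbox_export"},
    {"ts": "2024-03-11T02:09:00", "src_ip": "203.0.113.10", "mailbox": "a.chen", "action": "mailbox_export"},
    {"ts": "2024-03-18T02:14:00", "src_ip": "198.51.100.7", "mailbox": "j.lee", "action": "mailbox_export"},
    {"ts": "2024-03-18T09:30:00", "src_ip": "192.0.2.55", "mailbox": "helpdesk", "action": "mailbox_export"},
]

# Constructed business context: who owns each mailbox and how sensitive their work is.
# Sensitivity values (1-5) are an assumption for this example.
MAILBOX_CONTEXT = {
    "j.lee": {"team": "M&A negotiation", "sensitivity": 5},
    "a.chen": {"team": "M&A negotiation", "sensitivity": 5},
    "helpdesk": {"team": "IT support", "sensitivity": 1},
}


def link_alerts(alerts):
    """Union-find over alerts: two alerts are linked when they share a source IP
    (infrastructure) or a target mailbox. Returns a list of alert groups."""
    parent = list(range(len(alerts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    def union(i, j):
        parent[find(i)] = find(j)

    first_seen = {}  # (kind, value) -> index of the first alert carrying it
    for i, alert in enumerate(alerts):
        for key in (("ip", alert["src_ip"]), ("mailbox", alert["mailbox"])):
            if key in first_seen:
                union(i, first_seen[key])
            else:
                first_seen[key] = i

    groups = defaultdict(list)
    for i, alert in enumerate(alerts):
        groups[find(i)].append(alert)
    return list(groups.values())


def summarize(group, context):
    """Turn a linked group into a campaign summary with timing and business context."""
    times = sorted(datetime.fromisoformat(a["ts"]) for a in group)
    gaps = [(later - earlier).days for earlier, later in zip(times, times[1:])]
    if not gaps:
        cadence = "single event"
    elif all(6 <= g <= 8 for g in gaps):  # assumed rule: roughly 7-day spacing
        cadence = "weekly"
    else:
        cadence = "irregular"

    teams = {context.get(a["mailbox"], {}).get("team", "unknown") for a in group}
    sensitivity = max(context.get(a["mailbox"], {}).get("sensitivity", 0) for a in group)
    return {
        "events": len(group),
        "infrastructure": sorted({a["src_ip"] for a in group}),
        "mailboxes": sorted({a["mailbox"] for a in group}),
        "teams": sorted(teams),
        "span_days": (times[-1] - times[0]).days,
        "cadence": cadence,
        # Assumed priority formula: how sensitive the target is, times how persistent the actor is.
        "priority": sensitivity * len(group),
    }


def campaigns(alerts=ALERTS, context=MAILBOX_CONTEXT):
    """Return campaign summaries, highest priority first."""
    summaries = [summarize(g, context) for g in link_alerts(alerts)]
    return sorted(summaries, key=lambda c: c["priority"], reverse=True)


if __name__ == "__main__":
    for c in campaigns():
        print(c)
```

Run as-is, the three exports that each looked harmless on their own collapse into one campaign: two source IPs, two mailboxes, both on the same negotiating team, on a weekly cadence over fourteen days, with a priority an order of magnitude above the lone helpdesk export. That is the context the CISO in the story did not have; the same data was in the alerts all along.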

The Case for Sharing Intelligence

Attribution has value inside your organization—but it also has value far beyond it. From my time leading public/private partnerships with the FBI, industry often had the missing piece we needed to get a case over the finish line or to provide vital insight into the threat actor’s TTPs. If you don’t already, I highly recommend making sure you have contacts at the FBI, U.S. Secret Service, DHS, or all of the above.

When companies share intelligence with law enforcement, they don’t just protect themselves—they contribute to dismantling the adversary’s entire operation. During my time at the FBI, private-sector cooperation led directly to arrests, takedowns, and even diplomatic action against hostile nation-states.

Law enforcement agencies have investigative authorities and partnerships that no single company can match, but they need actionable intelligence to act. The more organizations share, the more we can collectively raise the cost for attackers.

Cybersecurity is a team sport. Your company might be the target today, but if you can help identify the adversary, you might prevent them from hitting the next organization tomorrow—or from hitting you again in a different way.

Why It All Matters

Attribution isn’t about blame. It’s about intelligence. It’s about giving your defenders the same advantage a great coach gives—knowing the opponent, anticipating their plays, and countering them before they can score.

When intelligence is shared—with peers, with industry groups, and with law enforcement—we shift the balance. We make it harder for adversaries to hide. We turn isolated defenders into a united front.

The threats we face in cyberspace are not going away, but the more we understand who’s coming after us, the better we can prepare, the faster we can respond, and the more likely we are to make a difference.