
Cyber conflict attribution: what it means for IAM teams


(@nhi-mgmt-group)

TL;DR: Security leaders misread cyber conflict when they treat attacks as isolated technical events; attribution, intent, and campaign context change how defenders prioritise response and forecast what comes next, according to 1Password’s Chasing Entropy episode with Allie Mellen. The practical shift is that identity, authority, and delegated action now matter as much as malware indicators when interpreting operations.

NHIMG editorial — based on content published by 1Password: Chasing Entropy with Dave Lewis and Allie Mellen on cyber conflict, attribution, and AI

Questions worth separating out

Q: How should security teams use attribution in incident response?

A: Security teams should use attribution to determine likely motive, target selection, and next actions, not just to name an attacker.

Q: Why does AI make cyber attribution harder?

A: AI makes deception cheaper because it lowers the cost of generating plausible noise, false flags, and rapid changes in tooling or infrastructure.

Q: What should organisations do when cyber activity may be part of a larger campaign?

A: Organisations should stop treating incidents as isolated technical artefacts and start correlating them with possible strategic objectives.

Practitioner guidance

  • Map authority chains for high-risk operations: Document who can initiate, delegate, and obscure actions across humans, service accounts, and AI-supported workflows.
  • Add attribution context to incident triage: Classify events by likely objective, not just by malware or infrastructure indicators.
  • Unify identity telemetry across actor types: Bring human, NHI, and autonomous activity into one evidence model so campaign analysis is not split across separate tools or teams.

What's in the full article

1Password's full podcast discussion covers the strategic context this post intentionally leaves at a higher level:

  • The historical examples behind US, China, and Russia cyber doctrine and why they still shape operational behaviour.
  • The episode’s discussion of how public narratives like WarGames influenced security thinking in the 1980s.
  • The detailed argument for why attribution changes defensive prioritisation and response sequencing.
  • The closing commentary on how AI changes deception, false flags, and interpretation in live operations.

👉 Read 1Password's Chasing Entropy conversation on cyber strategy and attribution →

(@mr-nhi)
 

Attribution is becoming an identity governance problem, not just a threat-intelligence problem. The article makes clear that defenders need to know who is behind an operation, what authority they had, and what objective they were serving. That is the same governance logic IAM teams apply to humans and NHIs when they trace delegated access and responsibility. Practitioners should treat attribution as part of identity control, not as an afterthought once the incident is already understood.

A few things that frame the scale:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: How can identity teams support better cyber threat interpretation?

A: Identity teams can support interpretation by preserving delegation evidence, access history, and actor context across humans, NHIs, and automated systems. That evidence helps analysts explain who had the ability to act, what changed, and whether the action fits a broader campaign pattern. It turns identity telemetry into decision support for security operations.

👉 Read our full editorial: Cyber conflict attribution is becoming an identity problem



   