Decoding Cyber Threats: Applying Analysis of Competing Hypotheses (ACH) for Attribution


Attribution in the world of cybersecurity is a highly complex, challenging, and critical task. Identifying the actors behind cyberattacks can guide the defensive measures an organization takes, influence geopolitical decisions, and determine legal consequences. However, traditional methods of cyber attribution are fraught with pitfalls, particularly the risk of cognitive biases. To address these challenges, cybersecurity professionals can turn to Analysis of Competing Hypotheses (ACH), a structured methodology for evaluating multiple possible explanations for an event. Originally developed by the U.S. intelligence community, ACH is now emerging as a powerful tool for cyber threat attribution, helping to reduce cognitive biases and increasing confidence in identifying responsible threat actors.

What is Analysis of Competing Hypotheses (ACH)?

ACH is a structured, evidence-based approach designed to systematically evaluate multiple competing hypotheses for a specific situation or event. Originally developed by Richards J. Heuer, Jr. in the field of intelligence analysis, ACH’s purpose is to minimize cognitive biases by forcing the analyst to methodically assess evidence in relation to each hypothesis. Instead of focusing solely on confirming evidence for a favored hypothesis, ACH emphasizes the importance of disconfirming evidence—making it a particularly useful tool for high-stakes scenarios like cyber attribution, where assumptions or biases can easily skew analysis.

The ACH process works by presenting multiple possible explanations for an event and then rigorously evaluating all available evidence to rule out the less likely explanations, leaving the most plausible hypothesis. This framework is especially valuable in situations where the available data is complex, incomplete, or ambiguous—conditions that are typical in cyberattack investigations.

Step-by-Step Breakdown of the ACH Process for Cyber Attribution

Attribution in cybersecurity is notoriously challenging because of the various ways attackers can obfuscate their identity. ACH’s structured approach can mitigate many of these challenges by offering a systematic way to evaluate the available evidence.

Here’s a more detailed, step-by-step guide to applying ACH in cyber attribution, including the complexities at each stage.

1. Define the Problem and Generate Hypotheses

The first step in ACH is defining the exact problem. This step is crucial, as it establishes the scope and goals of the investigation. For example, the problem might be to determine who is responsible for a Distributed Denial of Service (DDoS) attack that disrupted a financial institution’s operations. Properly framing the problem ensures that the hypotheses generated in the next step are directly relevant.

In cyber attribution, you begin by generating all possible hypotheses for who might be behind the attack. This phase is critical because biases can influence analysts to dismiss certain actors too early. ACH forces analysts to consider every plausible explanation, even those that seem initially unlikely.

Hypotheses should be broad and cover a range of possible actors. For instance, in an attack on critical infrastructure, potential hypotheses might include:

  • Hypothesis A: A nation-state actor targeted the infrastructure for political or military gain.
  • Hypothesis B: A sophisticated cybercriminal group sought financial gain through ransom.
  • Hypothesis C: A hacktivist group launched the attack as part of a protest against corporate actions.
  • Hypothesis D: The attack was executed by an insider with access to the institution’s systems.
  • Hypothesis E: The attack was a false flag operation designed to mimic the tactics of a known actor, misleading investigators.

It's important to ensure that hypotheses are mutually exclusive and that they cover the full range of possibilities. Prematurely narrowing the list of hypotheses may lead to overlooked explanations.

2. Gather All Available Evidence

Once the hypotheses have been established, the next step involves gathering every piece of relevant evidence. In cyber attribution, evidence can come in many forms, including:

  • Technical indicators: Malware signatures, IP addresses, domain names, hashes, and command-and-control infrastructure.
  • Tactics, Techniques, and Procedures (TTPs): These are patterns of behavior that different threat actors use during an attack. TTPs are crucial for distinguishing between different groups.
  • Geopolitical context: Evidence that places the attack within a larger geopolitical strategy. For instance, nation-state actors might attack during times of international tension.
  • Motivations and objectives: Understanding the attacker's goal can help align the evidence with certain hypotheses. Was the objective financial gain, sabotage, espionage, or disruption?
  • Victimology: Who was targeted in the attack? Certain actors consistently target specific industries or geographic regions, so knowing the victim can help narrow the field of actors.
  • Malware artifacts: Malware types, techniques used for persistence, encryption routines, and the way an attack is executed often point toward specific actors.

As evidence is gathered, it is vital to avoid confirmation bias by not prematurely aligning the evidence with any specific hypothesis. The ACH framework helps avoid this by requiring the evidence to be tested against all hypotheses in parallel.

3. Evaluate Each Piece of Evidence

The core of the ACH process is evaluating the evidence in relation to each hypothesis. This step involves asking how consistent or inconsistent each piece of evidence is with each hypothesis. Analysts should be particularly vigilant for contradictory evidence, which can help eliminate unlikely hypotheses.

For example, if malware associated with a known cybercriminal group was used in the attack, this would be consistent with Hypothesis B (cybercriminal group), but it might contradict Hypothesis A (nation-state actor) if the suspected nation-state actor typically uses different tools or malware families. Likewise, if the infrastructure for the attack was hosted in a country with known ties to a specific nation-state, this evidence might support Hypothesis A and disconfirm Hypothesis D (insider threat).

A matrix can be created to visually map out the evidence against each hypothesis. Each row represents a piece of evidence, and each column represents a hypothesis. The matrix helps analysts systematically evaluate how well each piece of evidence fits (or doesn’t fit) with each hypothesis. Below is an example:

For each hypothesis, analysts should determine whether each piece of evidence supports, contradicts, or is neutral. Contradictory evidence is the most valuable because it can help eliminate hypotheses.

4. Assess the Strength of the Evidence

While ACH is designed to reduce cognitive bias by focusing on disconfirming evidence, it’s also essential to assess the reliability and strength of the evidence being used. Not all pieces of evidence are created equal. For example, some technical indicators, like IP addresses, are easier to spoof, while the use of specific TTPs may offer more reliable attribution information because they are harder to fake.

The evaluation of evidence should consider:

  • How easy is the evidence to manipulate? IP addresses, for instance, can easily be obfuscated, while custom malware designed for a specific operation might be more unique and reliable for attribution.
  • Is the evidence consistent with known actor behaviors? Actors often leave behind traces of their unique operational approaches, such as methods of persistence or the way they interact with their command-and-control infrastructure.
  • Is there corroborating evidence from external sources? Cross-referencing the attack with threat intelligence reports from other organizations or public sources can strengthen the attribution process.

Analyzing the strength of each piece of evidence is crucial, especially when false flag operations are a possibility. Attackers may intentionally manipulate certain indicators (e.g., IP addresses, TTPs) to mislead investigators, so analysts must be careful not to place too much weight on easily spoofed evidence.

5. Identify Inconsistencies and Eliminate Hypotheses

The next step is to use the evidence to eliminate hypotheses. ACH emphasizes disconfirming hypotheses by identifying contradictions between the evidence and the hypotheses. The goal is not necessarily to prove which hypothesis is correct, but rather to systematically eliminate those that are inconsistent with the available evidence.

For example, if multiple pieces of evidence contradict the hacktivist hypothesis (e.g., the presence of sophisticated malware used primarily by cybercriminals), that hypothesis can be ruled out. The goal is to reduce the number of plausible hypotheses to a select few by identifying inconsistencies.

However, analysts must be cautious not to discard hypotheses prematurely, particularly when dealing with ambiguous or incomplete evidence. The process of elimination should only occur when contradictions are substantial and based on robust evidence.
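The following is an added worked example, not part of the original article, that turns steps 3 to 5 into a small ACH matrix: evidence rows rated C/I/N against the five hypotheses A to E, a reliability weight per row so that easily spoofed indicators count for less (step 4), and elimination of hypotheses whose weighted inconsistency crosses a threshold (step 5). All evidence items, ratings, weights and the 0.85 threshold are constructed for illustration and are not drawn from any real incident.

```python
"""Weighted ACH matrix for cyber attribution (constructed example).

Rows are pieces of evidence, columns are hypotheses A..E from the article.
Each cell is rated C (consistent), I (inconsistent) or N (neutral / not
applicable). Each row also carries a reliability weight in [0, 1] reflecting
how hard the evidence is to spoof, so an inconsistent IP-geolocation clue
counts for less than an inconsistent custom-malware clue. Hypotheses are
ranked by weighted inconsistency (lower is more plausible) and eliminated
only when that score exceeds a threshold.
"""
from dataclasses import dataclass

CONSISTENT, INCONSISTENT, NEUTRAL = "C", "I", "N"

HYPOTHESES = {
    "A": "nation-state actor",
    "B": "cybercriminal group",
    "C": "hacktivist group",
    "D": "insider",
    "E": "false flag mimicking a known actor",
}


@dataclass
class Evidence:
    description: str
    reliability: float   # 0.0 (trivially spoofed) .. 1.0 (very hard to fake)
    ratings: dict        # hypothesis id -> C / I / N


# Constructed sample evidence; ratings are illustrative analyst judgements,
# not findings from any real case. Hypothesis E is rated N throughout because
# a false-flag operation can, by design, be made to look like almost anything.
EVIDENCE = [
    Evidence("Malware family previously seen only in financially motivated intrusions", 0.7,
             {"A": "I", "B": "C", "C": "I", "D": "N", "E": "N"}),
    Evidence("C2 servers hosted in a country associated with a known state programme", 0.3,
             {"A": "C", "B": "N", "C": "N", "D": "I", "E": "N"}),
    Evidence("No working ransom payment channel; data destroyed rather than held", 0.8,
             {"A": "C", "B": "I", "C": "N", "D": "N", "E": "N"}),
    Evidence("Timing coincides with international tension involving the victim's country", 0.4,
             {"A": "C", "B": "N", "C": "C", "D": "N", "E": "N"}),
    Evidence("Initial access via external phishing, not an existing internal account", 0.6,
             {"A": "C", "B": "C", "C": "C", "D": "I", "E": "N"}),
    Evidence("No public claim of responsibility or protest messaging", 0.5,
             {"A": "C", "B": "C", "C": "I", "D": "C", "E": "N"}),
]


def inconsistency_scores(evidence):
    """Reliability-weighted sum of 'I' ratings per hypothesis (lower is better)."""
    scores = {h: 0.0 for h in HYPOTHESES}
    for e in evidence:
        for h, rating in e.ratings.items():
            if rating == INCONSISTENT:
                scores[h] += e.reliability
    return scores


def support_scores(evidence):
    """Reliability-weighted sum of 'C' ratings; a secondary signal only, because
    ACH ranks hypotheses by what they fail to explain, not by what they explain."""
    scores = {h: 0.0 for h in HYPOTHESES}
    for e in evidence:
        for h, rating in e.ratings.items():
            if rating == CONSISTENT:
                scores[h] += e.reliability
    return scores


def is_diagnostic(e):
    """Evidence rated the same way against every hypothesis it applies to
    cannot separate them and should not drive elimination."""
    rated = {r for r in e.ratings.values() if r != NEUTRAL}
    return len(rated) > 1


def eliminate(scores, threshold):
    """Drop hypotheses whose weighted inconsistency exceeds the threshold;
    return the survivors ordered most plausible first."""
    survivors = {h: s for h, s in scores.items() if s <= threshold}
    return sorted(survivors.items(), key=lambda item: item[1])


def print_matrix(evidence):
    print("evidence".ljust(72) + "  w    " + "  ".join(HYPOTHESES))
    for e in evidence:
        cells = "  ".join(e.ratings[h] for h in HYPOTHESES)
        flag = "" if is_diagnostic(e) else "  (non-diagnostic)"
        print(f"{e.description[:72].ljust(72)}  {e.reliability:.1f}  {cells}{flag}")


if __name__ == "__main__":
    print_matrix(EVIDENCE)
    scores = inconsistency_scores(EVIDENCE)
    support = support_scores(EVIDENCE)
    for h, s in eliminate(scores, threshold=0.85):
        print(f"{h} ({HYPOTHESES[h]}): inconsistency {s:.2f}, support {support[h]:.2f}")
```

With these constructed ratings, C (hacktivist) and D (insider) are eliminated, leaving E, A and B, the same three the article carries into step 7. Two things the matrix makes visible that the prose does not: the timing row is rated identically for every hypothesis it applies to and so contributes nothing to elimination, and the false-flag hypothesis survives with zero inconsistencies only because it is rated neutral everywhere; the matrix alone cannot falsify it, which is why step 6's assessment of motive is needed before it can be weighed against A and B.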

6. Consider the Role of False Flags

In many cyberattacks, especially those involving nation-states, attackers may employ false flags to mislead investigators into attributing the attack to the wrong actor. False flags involve intentional misdirection, where the attacker deliberately incorporates techniques, infrastructure, or tactics associated with another actor to obfuscate their identity.

ACH is particularly useful in scenarios where false flags may be in play. Analysts must remain vigilant for evidence that may have been planted to deceive. For example, attackers might use tools commonly associated with a known nation-state group, but subtle inconsistencies—such as the lack of sophistication in certain malware routines or unusual timing—might point toward a false flag operation.

When considering false flags, ACH encourages analysts to critically assess the motivation behind such misdirection. What would the attacker gain by framing another actor? Are there strategic or geopolitical incentives for creating this confusion? Incorporating these factors into the analysis can help analysts avoid falling into the trap of attribution based on surface-level evidence.

7. Weigh the Remaining Hypotheses

Once the inconsistent hypotheses have been eliminated, the remaining hypotheses should be evaluated in terms of likelihood. ACH is not designed to provide absolute certainty but instead to narrow the range of possibilities and increase confidence in the most likely explanation.

At this stage, analysts may assign probability estimates to each remaining hypothesis. The weight of each hypothesis should be based on the amount and quality of supporting evidence and the absence of significant contradictions.

For example:

  • Hypothesis A (nation-state actor): 70% likelihood
  • Hypothesis B (cybercriminal group): 20% likelihood
  • Hypothesis E (false flag operation): 10% likelihood

In practice, ACH can also be enhanced by incorporating Bayesian analysis, which allows for the incorporation of prior probabilities and updating the likelihood of each hypothesis as new evidence becomes available. This quantitative approach can help formalize the final assessment and offer more refined probabilities for each hypothesis.
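As an added example (not from the article or its author), the Bayesian refinement described above applied to the three surviving hypotheses: start from prior probabilities, multiply each by the likelihood of a new piece of evidence under that hypothesis, and renormalise. The priors, the two evidence items and their likelihoods are constructed estimates for illustration, not figures from any real case.

```python
"""Bayesian updating of the hypotheses that survive ACH elimination
(constructed example). Priors and likelihoods are illustrative analyst
estimates, not numbers from a real investigation."""

HYPOTHESES = {
    "A": "nation-state actor",
    "B": "cybercriminal group",
    "E": "false flag operation",
}

# Prior probabilities before the new evidence is considered (constructed).
PRIORS = {"A": 0.4, "B": 0.4, "E": 0.2}

# Each item: (description, {hypothesis: P(evidence | hypothesis)}).
# Likelihoods need not sum to 1 across hypotheses; only their ratios matter.
NEW_EVIDENCE = [
    ("No functional ransom payment mechanism",
     {"A": 0.7, "B": 0.1, "E": 0.5}),
    ("Destructive payload with well-engineered lateral movement",
     {"A": 0.6, "B": 0.3, "E": 0.4}),
]


def update(prior, likelihoods):
    """One Bayes step: posterior(h) is proportional to prior(h) * P(e | h)."""
    unnormalised = {h: prior[h] * likelihoods[h] for h in prior}
    total = sum(unnormalised.values())
    if total == 0:
        # Every remaining hypothesis assigns zero probability to this evidence:
        # the hypothesis set is incomplete and step 1 needs revisiting.
        raise ValueError("evidence impossible under every remaining hypothesis")
    return {h: v / total for h, v in unnormalised.items()}


def update_sequence(prior, evidence):
    """Apply each piece of evidence in turn and return the final posterior.
    The result does not depend on the order in which items are applied."""
    posterior = dict(prior)
    for _, likelihoods in evidence:
        posterior = update(posterior, likelihoods)
    return posterior


def bayes_factor(likelihoods, h1, h2):
    """Likelihood ratio P(e | h1) / P(e | h2): how strongly one item of
    evidence discriminates between two hypotheses (1.0 means not at all)."""
    return likelihoods[h1] / likelihoods[h2]


if __name__ == "__main__":
    posterior = update_sequence(PRIORS, NEW_EVIDENCE)
    for h, p in sorted(posterior.items(), key=lambda kv: -kv[1]):
        print(f"Hypothesis {h} ({HYPOTHESES[h]}): {p:.0%}")
```

With these inputs the posteriors come out at roughly 76% for A, 18% for E and 5% for B. The ransom-mechanism item does most of the work: its likelihood ratio of 7 between A and B is what collapses the cybercriminal hypothesis, whereas the second item barely separates A from E (0.6 against 0.4), illustrating the article's point that probabilities should track the quality of the evidence rather than its quantity.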

The Role of ACH in Reducing Cognitive Bias in Cyber Attribution

One of ACH’s primary strengths is its ability to reduce cognitive biases that can often influence attribution efforts. Common cognitive biases in cyber attribution include:

  • Confirmation Bias: The tendency to focus on evidence that supports pre-existing beliefs or assumptions while ignoring disconfirming evidence.
  • Anchoring Bias: Overreliance on the initial evidence or information, even if subsequent evidence contradicts the initial conclusion.
  • Availability Heuristic: Overemphasizing recent or memorable examples of attacks, leading analysts to attribute a new attack to a known actor based on similarity to previous events.

ACH’s structured methodology helps reduce these biases by systematically evaluating evidence for and against each hypothesis, requiring analysts to actively search for disconfirming evidence. This shift in focus—disproving hypotheses rather than proving them—ensures a more objective and rigorous approach to attribution.

For example, analysts might begin with the assumption that a known APT group is behind a cyberattack based on the group’s history of targeting similar organizations. However, ACH forces the analyst to also consider evidence that might contradict this hypothesis, such as the use of malware typically associated with financially motivated cybercriminals rather than state-sponsored actors.

Practical Applications of ACH in Cyber Attribution

1. Attributing Nation-State Attacks

Nation-state actors often employ advanced tactics, making attribution particularly challenging. In these cases, ACH is invaluable for sifting through complex and often deceptive evidence. Nation-states may use a combination of false flags, proxies, and infrastructure obfuscation, requiring careful analysis to distinguish between plausible hypotheses.

A high-profile example is the NotPetya attack. Initially, the malware appeared to be ransomware due to its encryption of victims’ data, which would seem to align with cybercriminal motives. However, a detailed ACH-based analysis revealed that the attack had hallmarks of a nation-state operation, including its devastating impact on Ukraine’s infrastructure and the fact that it did not include a functional ransom payment mechanism. Ultimately, ACH helped attribute the attack to Russian actors, revealing it was a destructive wiper disguised as ransomware.

2. Defending Against Insider Threats

Insider threats are notoriously difficult to detect because the attacker already has legitimate access to an organization’s systems. ACH helps analysts evaluate multiple hypotheses when suspicious activity is detected, such as determining whether the activity is the result of a compromised external account, an insider attempting to exfiltrate data, or simply an anomalous but legitimate action.

By considering all possibilities and using disconfirming evidence, ACH can help eliminate hypotheses that might point to external threats when the attack is internally motivated, or vice versa.

3. Cybercriminal Attribution and Law Enforcement

In cybercriminal investigations, ACH can help law enforcement agencies narrow down potential suspects. Cybercriminal groups often leave behind patterns of behavior that can be tracked through their TTPs. However, many groups share tools and infrastructure, so distinguishing between different actors can be challenging.

ACH allows investigators to systematically evaluate different hypotheses about which group might be responsible by comparing the details of the attack against known TTPs, infrastructure, and past behaviors of various groups. This helps reduce the risk of false attribution, which can have serious legal and operational consequences.

Challenges and Limitations of ACH in Cyber Attribution

While ACH offers a systematic and rigorous approach to cyber attribution, it does come with limitations:

  1. Incomplete Evidence: In many cyberattacks, investigators do not have access to the full range of evidence, making it difficult to conclusively eliminate hypotheses. ACH is only as good as the available data, and if key pieces of evidence are missing, the analysis may remain inconclusive.
  2. Time-Consuming: ACH is a structured, methodical process that can be time-intensive. In fast-moving incident response scenarios, the time required to fully evaluate competing hypotheses may be a challenge.
  3. Analyst Expertise: ACH relies heavily on the expertise of the analysts applying the method. Analysts must have deep technical knowledge of cyberattacks as well as an understanding of the geopolitical context in which the attack occurs. Poorly trained analysts may misinterpret evidence, leading to incorrect conclusions.

Despite these challenges, ACH remains a valuable tool for cybersecurity professionals, particularly when accurate attribution is critical for national security, legal, or operational reasons.

Conclusion

As cyberattacks become more sophisticated and the stakes of attribution rise, the need for structured, unbiased methods like ACH becomes ever more critical. ACH helps organizations and governments systematically evaluate competing hypotheses, reduce cognitive biases, and improve the accuracy of their attribution efforts. By applying ACH, cybersecurity analysts can make more informed, evidence-based decisions, improving both defensive measures and strategic responses to cyber threats.

More articles by Cornelis Jan G.