Abstract: At a time when hacking back is increasingly considered a legitimate reaction to cyber attacks against nation states, misattribution may undermine a state's credibility and lead to political differences. Cyber attribution at this level must deliver reliable results. In recent years, threat intelligence services have often raised concerns regarding the reliability of attribution, and repeatedly pointed out the possibility of false flag operations. The intention of false flag campaigns is not necessarily to trick intelligence services; it may also be to shape public opinion. Unfortunately, there is no reliable approach that deals with the interdisciplinary challenges of cyber attribution. Additionally, there is a lack of concepts designed to deal with possible false flag operations on the technical side (e.g. manipulating digital evidence) and the socio-political side (e.g. distributing fake news). Therefore, we propose a novel concept, the Cyber Attribution Model (CAM), to address these aspects. The model is divided into two closely interacting parts: Cyber Attack Investigation and Cyber Threat Actor Profiling. The CAM focuses mainly on professional and organized cyber attacks, such as espionage or APT campaigns, and is designed for application in national cyber security centres. This paper further presents a literature review and the attribution model, which (1) is adjusted to today's challenges resulting from the information war, such as false flag operations, and (2) supports security experts, from technical analysts to intelligence services, in mastering the attribution process on all levels. Finally, we demonstrate the application of the Cyber Attribution Model in the context of a real-world scenario.
Keywords: cyber attribution, profiling, cyber investigation
1. Introduction
The legal perspective of cyber counter attacks, such as hack back (Holzer & Lerums, 2016), is one of the most discussed topics today (Ponemon Institute, 2015). Misattribution of cyber attacks at the national level may undermine a state's credibility and lead to political differences. Threat intelligence services have often raised concerns regarding the reliability of attribution in recent years, and repeatedly pointed out the possibility of false flag operations (Kaspersky, 2016). Although attackers have the upper hand in reaching their targets while staying anonymous (Goman, 2018) or acting under a false flag, the process of attributing threats to actors must deliver reliable results.
Nation states have always used information...




