Active Defense – principle 2: attribution

Attribution is about validating a threat or adversary by recording their actions. With an understanding of annoyance and having identified the threats (internal or external), we can start to:

  1. Validate the reality of the threat or threat actor and their potential impact
  2. Map specific actions to identified threats
  3. Create opportunities for our adversaries to reveal themselves in our network prior to their attempts at exploitation

For example:

  • The CIO and CISO of Dadi Inc wanted to ensure that they addressed their capability to manage and monitor privileged users. One of the threats they identified is employees with privileged access leaving the organization. What are the processes to ensure that they no longer have access to the network? How will they flag an incident if a terminated employee with privileged access tries to log in (validation and threat mapping)? What actions do they take?
  • Duyen, a database administrator at a small agricultural organization, reads a news article online that reports that the hacker group Date Shake is using a variant of malware to infect systems in an effort to exfiltrate intellectual property. After attending an IT security awareness training, she knows that groups such as Date Shake have an interest in what her company is doing with hybridization of different species of fig trees. Knowing that the systems that are being infected around the world are using the same operating system as her organization, and that Date Shake is a known threat to the organization, Duyen makes the calls to her IT teammates to report the possible vulnerability and to take action.
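The Dadi Inc scenario asks how a login attempt by a terminated privileged employee would be flagged and mapped to the identified threat. The following is an added example, not code from the book: it reads constructed, syslog-style authentication events (the log format, field names, host names, user names and the `T-PRIV-TERMINATED` threat identifier are all assumptions made here), matches them against an HR-sourced list of terminated privileged accounts, and emits alerts that record which identified threat each action maps to. A successful login by a terminated account is rated higher than a failed one, because it validates not only the threat but also a gap in the offboarding process.

```python
"""Map authentication events to an identified threat: terminated employees
who held privileged access attempting to log in (Dadi Inc scenario).
Added example; log format and all names are constructed assumptions."""
from dataclasses import dataclass

# Constructed: HR-sourced list of terminated employees who held privileged access.
# Termination dates are ISO-8601 so they compare correctly as strings.
TERMINATED_PRIVILEGED = {
    "jsmith": {"terminated": "2024-03-01", "role": "domain-admin"},
    "mlee": {"terminated": "2024-02-15", "role": "dba"},
}

# Identifier of the threat from the organisation's threat register (assumed).
THREAT_ID = "T-PRIV-TERMINATED"

# Constructed authentication log lines in a syslog-like key=value format.
SAMPLE_LOG = """\
2024-03-04T08:12:01Z host=vpn01 event=login user=duyen result=success src=10.1.4.20
2024-03-04T08:15:42Z host=vpn01 event=login user=jsmith result=failure src=203.0.113.7
2024-03-04T08:16:10Z host=vpn01 event=login user=jsmith result=failure src=203.0.113.7
2024-03-04T09:02:33Z host=db02 event=login user=mlee result=success src=10.1.9.8
2024-03-04T09:05:00Z host=db02 event=query user=duyen result=success src=10.1.4.20
"""


@dataclass
class Alert:
    """One recorded action attributed to an identified threat."""
    threat_id: str
    user: str
    role: str
    host: str
    timestamp: str
    src: str
    result: str
    severity: str


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict; timestamp stored under 'timestamp'."""
    timestamp, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["timestamp"] = timestamp
    return fields


def matches_threat(event):
    """True if this is a login by a privileged user on or after their termination date."""
    entry = TERMINATED_PRIVILEGED.get(event.get("user"))
    if entry is None or event.get("event") != "login":
        return False
    # Compare the date part of the timestamp with the termination date.
    return event["timestamp"][:10] >= entry["terminated"]


def detect(log_text):
    """Return an Alert for every login attempt by a terminated privileged user."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if not matches_threat(event):
            continue
        # A successful login means the account was never disabled: process failure.
        severity = "critical" if event["result"] == "success" else "high"
        alerts.append(Alert(
            threat_id=THREAT_ID,
            user=event["user"],
            role=TERMINATED_PRIVILEGED[event["user"]]["role"],
            host=event["host"],
            timestamp=event["timestamp"],
            src=event["src"],
            result=event["result"],
            severity=severity,
        ))
    return alerts


def accounts_still_enabled(alerts):
    """Terminated accounts that actually authenticated: the offboarding gap to close."""
    return sorted({a.user for a in alerts if a.result == "success"})


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(f"[{alert.severity}] {alert.threat_id} user={alert.user} ({alert.role}) "
              f"host={alert.host} src={alert.src} result={alert.result} at {alert.timestamp}")
    print("accounts still enabled after termination:", accounts_still_enabled(found))
```

Each alert carries the threat identifier and the recorded action, which is what lets an incident responder answer the "what actions do they take" question with evidence: failed attempts confirm the threat is real, while a successful login points at the account that the leaver process failed to disable.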