Cyber Attribution Blueprint – From Vision to Impact Y1

By Canadian Institute for Cybersecurity (CIC)

Key Concepts

  • Cyber Attribution: The process of identifying and assigning responsibility for a cyberattack to a specific threat actor, including determining the "who," "why," and "how."
  • CADC (Cyber Attribution Data Center): A specialized research center at the University of New Brunswick (UNB) focused on developing tools and frameworks to enhance Canada’s cyber defense capabilities.
  • TTPs (Tactics, Techniques, and Procedures): The specific methods and behaviors used by threat actors, which are analyzed to improve defensive posture.
  • Data Sovereignty: The principle that data is subject to the laws and governance structures of the nation where it is collected and stored.
  • Cyber Deception: The use of "honeypots" or decoy systems to attract and observe attackers in a controlled environment to gather high-fidelity intelligence.
  • AI-Powered Attribution: The use of machine learning and large language models (LLMs) to cluster fragmented evidence and identify links between disparate threat groups.

1. Overview of the Cyber Attribution Data Center (CADC)

The CADC, part of the Canadian Institute for Cybersecurity (CIC) at the University of New Brunswick, celebrated its one-year anniversary. The center serves as a national hub for understanding, attributing, and responding to sophisticated cyber threats. It is supported by a $9.7 million investment from the Government of Canada (via ACOA).

  • Strategic Goal: To move beyond simple defense and actively identify the actors behind attacks to enable better deterrence, policy-making, and strategic responses.
  • Operational Scale: In its first year, the center hired 26 employees, developed seven proprietary tools, and established two fully redundant data centers.

2. Methodologies and Frameworks

The CADC operates on a structured approach to cyber intelligence:

  • The CADC Attribution Framework: A multi-step process involving the verification of data sources followed by AI-powered analysis.
  • Data Sovereignty: A core design principle ensuring all intelligence and data remain within Canadian borders.
  • Modular Platform: The center developed a "Cyber Attribution Platform" that is modular, allowing it to be used for commercial purposes or by government entities in a collective, secure manner.

3. Key Tools and Technologies

The team demonstrated three primary technologies developed at the center:

  • Luminor: An interactive, AI-powered clustering engine. It processes fragmented evidence from cyber incidents to provide a clear "adversary picture," reducing guesswork for decision-makers. It utilizes an offline, local LLM to ensure privacy.
  • CIC Sigil: A threat actor profiling platform. It identifies hidden links and collaborations between different hacking groups.
    • Case Study: The platform successfully correlated the "Scattered Spider" and "Shiny Hunters" groups during a 2025 Salesforce-focused phishing campaign, providing high-confidence attribution.
  • CIC Deception (Deak): An evolution of the traditional "Honeypot" project. It creates a high-interaction, intentionally vulnerable network to attract skilled attackers, allowing researchers to observe real-time behavior and collect high-fidelity intelligence.

4. Key Arguments and Perspectives

  • National Security: Dr. Kathy Wilson and Deputy Minister Patricia Gadis emphasized that cyber operations are now a core instrument of national power. Cyber resilience is framed as essential to Canada’s economic sovereignty and the protection of critical infrastructure (energy, health, and finance).
  • Whole-of-Society Approach: The government advocates for a collaborative model involving academia, industry, and government to address the evolving geopolitical threat landscape.
  • The "Scouting Report" Analogy: Dr. Ali Ghorbani compared cyber attribution to sports scouting reports. Just as a team must study an opponent’s past games and tactics to win, the CADC studies the TTPs of threat actors to secure Canada’s digital future.

5. Notable Quotes

  • "Wars aren't won by weapons only. They're won by good intelligence." — Attributed by Ali Resza, emphasizing the role of deception and data in modern conflict.
  • "Cyber security is not just a technical issue. It's a matter of national security, economic resilience, and public trust." — Dr. Kathy Wilson, Acting President of UNB.

6. Synthesis and Conclusion

The CADC has successfully established itself as a unique, world-class facility in Canada within its first year. By combining academic research with operational, AI-driven tools, the center is bridging the gap between theoretical cyber security and practical, actionable intelligence. The roadmap for the coming years focuses on expanding the talent pipeline, strengthening government-industry partnerships, and disseminating intelligence reports to key stakeholders to ensure Canada remains a leader in the global cyber attribution landscape.
