Here's a surprise for you: We actually have a fairly good understanding of who is attacking us on the Internet and why. Various entities know not only which groups are doing the attacking, but also the names of the people in those groups. They know where they live, who their family members are, where they went to school, and when they go on vacation.
A great example of this is the Russian Business Network crimeware group. With a little searching, you can find a decade of evidence trails, pictures of the leader, and even business relationships. Want to see who's sending all that spam? Then check this link out. Want to know who is doing most of the industrial espionage? Then read this report. They even give you the hacker's physical address.
When I tell friends about this, especially after their computer has been thoroughly compromised, they ask the obvious: Why aren't these criminals in jail?
The answer is pretty easy. For the most part, these criminals work across international boarders, so there are issues of legal jurisdiction -- and their home countries often can't or don't want to stop them. Even if we have all the evidence in the world, we can't just invade a country and arrest its citizens. Yes, many countries do have treaties that support extradition, but most countries don't. Not surprisingly, the countries with the most prolific hacking cultures don't, which why most of the world's malicious hackers live in them.
Persons of interest
Many industries have groups in which they share industry-targeted information. For example, U.S. retailers share cyber threat data. Other industries have been doing the same for years.
Most of the big anti-malware companies not only understand who is doing the crime and what they are after, but know within minutes whenever one of these groups initiates a new "campaign" (such as using a new malware program or new phishing strategy) or when they are initiating from new IP addresses.
There are literally a hundred companies and thousands of people that have a pretty good understanding about the badness on the Internet. They can see the new trends as they are happening. Individually, none of the groups has all the information. But if you put all these groups together sharing information we'd have a pretty good lock on all the bad guys.
So why isn't this information collected and shared with everyone immediately?
The answer is that information and knowledge is valuable, and most companies don't want to give away such telemetry for free. Information is power. When a security company has that information, it's going to be better at protecting us from those threats than we would be on our own.