
Chart a course with PwC’s Cyber Threats 2024: A Year in Retrospect
Dive into PwC’s Cyber Threats 2024: A Year in Retrospect for knowledge to help you navigate the shifting tides of cyber threats in 2025 and beyond.
Attributing activity to cyber threat actors isn't always a straightforward task. It's an analytical process subject to variations based on the nature of threat activities, available data points, how tradecraft standards are implemented and reinforced, and the granularity of attribution needed or possible. The complexity rises with the threats themselves: how threat actors operate, their resources and management, and their interactions within the threat landscape. Understanding these elements enables sound attribution assessments that guide prioritisation, mitigation and response strategies.
We developed a comparative attribution framework that helps analysts navigate multiple attribution assessments produced by different organisations on the same or similar threat actor or cluster of activity. Our goal is to support crucial tradecraft discussions—internally and externally—so that analysts can build stronger attribution assessments and, where the evidence supports it, raise their confidence levels.
We introduced our framework at the SANS CTI Summit 2025, presented by Jono Davis, Manager at PwC US and member of PwC Global Threat Intelligence.
Attribution can be a lengthy process that begins with analysing observable evidence, or data linked to the threat actor like infrastructure, victimology and tools, techniques and procedures (TTPs). Analysts may see things differently, based on their unique sources and methods. This can lead to a diverse web of assessments, each capturing a blend of overlapping and distinct traits of the same threat actor or activity cluster.
Some organisations develop unique nomenclature for their attribution assessments, while others may adopt existing threat actor names from other sources. The choice depends on the organisation's analysis goals and objectives. In some cases, creating new names isn't preferred. However, for those with specialised insights or unique collection and analytical capabilities, custom naming conventions are essential.
Cyber security professionals face the challenge of navigating the various threat actor names and attribution assessments published by different organisations. At the same time, those external assessments offer new opportunities to pivot, corroborate, and enhance their own analysis. Structured Analytic Techniques (SATs) are essential tools here: they help analysts organise and evaluate evidence, and align differing assessments so that clarity and consistency are maintained when multiple perspectives exist on the same threat actor or cluster of activity.
Key Assumptions Checks are an SAT designed to prompt intelligence analysts to deliberately identify and challenge the assumptions in their analysis, whether or not those assumptions turn out to have affected their assessments or analytic conclusions. They are crucial for examining our own assumptions, biases and thought processes in attribution assessments, including historical views of threat activity and biases in data collection and visibility.
We’ve crafted a framework for comparative attribution—a tool for analysts juggling multiple, often conflicting, attribution assessments related to high-interest threats. This framework's purpose is simple: to elevate your confidence in attribution by systematically analyzing and comparing related assessments and evidence. It encourages a dynamic and iterative process, refining assessments to become more precise over time.
When tackling your attribution assessment, it’s important to understand these foundational elements of your analysis:
Understanding these key elements bolsters your analysis, making it more robust and allowing a comprehensive examination of relevant evidence and assessments, from both within and outside your organization.
Conditions for change are signposts that prompt you to revisit your attribution assessment. These could include new infrastructure discoveries, TTPs and information from advisories or other official notifications about threat activity, as well as enhancements in your visibility of the threat.
Beyond imagining how these changes might appear, you need a change management process. This process modifies and cascades attribution updates where needed, like in internal knowledge repositories, threat libraries, and other tracking venues.
Your change management process must also address formal documentation, including finished reports and information shared with third parties.
When analysing an external attribution assessment, you'll likely need to make assumptions about the other organisation's evidence, sources, and methods.
You might pivot from the evidence provided, layering in additional context and insights to integrate during your internal assessment process.
It's important to clearly identify and document what you know, what you don't, and what you've inferred—everything impacting your evaluation of the other organisation's assessment. Ideally, analysts would be able to connect, addressing questions and gaps to align and enrich both assessments whilst fostering a robust, collaborative view of the threat. This level of collaboration isn't always possible, so maintaining an inventory of questions, gaps, assumptions, and conditions for change is vital. These will shape your confidence level for the assessment itself.
We've created a high-level template for analysts. Use it for evaluating your own assessments or your organisation’s assessment against others. This template is flexible—adaptable for evaluation across multiple organisations and their attribution assessments.
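The inventory of questions, gaps, assumptions and conditions for change described above, together with the change management step of cascading an updated attribution into internal records, can be kept as a small structured worksheet. The following Python is an added example and is not PwC's template or code; it assumes each organisation's assessment can be reduced to named evidence items in three categories (infrastructure, victimology, TTPs), and every organisation, actor name, indicator and record identifier in it is constructed sample data.

```python
from dataclasses import dataclass, field

CATEGORIES = ("infrastructure", "victimology", "ttps")


@dataclass
class Assessment:
    org: str            # organisation that made the assessment
    actor_name: str     # the name that organisation uses for the cluster
    confidence: str     # low / moderate / high, as stated by that organisation
    evidence: dict      # category -> set of evidence items they cite


@dataclass
class Inventory:
    """Record of what we know, don't know and inferred about an external assessment."""
    questions: list = field(default_factory=list)
    gaps: list = field(default_factory=list)
    assumptions: list = field(default_factory=list)
    conditions_for_change: list = field(default_factory=list)


def compare(ours, theirs):
    """Per category: evidence both saw, only we saw, only they saw."""
    out = {}
    for cat in CATEGORIES:
        a = set(ours.evidence.get(cat, ()))
        b = set(theirs.evidence.get(cat, ()))
        out[cat] = {"shared": a & b, "only_ours": a - b, "only_theirs": b - a}
    return out


def overlap_ratio(comparison):
    """Share of all distinct evidence items that both organisations cite (0..1)."""
    shared = sum(len(c["shared"]) for c in comparison.values())
    total = sum(len(c["shared"] | c["only_ours"] | c["only_theirs"]) for c in comparison.values())
    return shared / total if total else 0.0


def build_inventory(comparison, theirs):
    """Turn the comparison into questions, gaps, assumptions and conditions for change."""
    inv = Inventory()
    for cat, c in comparison.items():
        for item in sorted(c["only_theirs"]):
            # Evidence we cannot see ourselves: ask about it and record that we rely on it.
            inv.questions.append(f"{theirs.org}: source and method behind {cat} item '{item}'?")
            inv.assumptions.append(f"'{item}' is reliable although we cannot see it ourselves")
        if c["only_ours"] and not c["shared"]:
            inv.gaps.append(f"{theirs.org} does not corroborate any of our {cat} evidence")
        # Any new item in a category where the two assessments diverge should reopen the review.
        if c["only_ours"] or c["only_theirs"]:
            inv.conditions_for_change.append(f"new {cat} evidence linked to either name")
    return inv


def needs_review(inventory, event_category):
    """True when a new observation matches a recorded condition for change."""
    return any(cond.startswith(f"new {event_category} ") for cond in inventory.conditions_for_change)


def cascade_targets(names, registry):
    """Internal records (reports, threat library entries) that reference any of the
    names and therefore must be updated when the attribution changes."""
    return sorted(rec for rec, refs in registry.items() if refs & set(names))


# Constructed sample data: organisations, names and indicators are all invented;
# IP addresses come from documentation ranges and the domain uses the .invalid TLD.
OURS = Assessment("OurOrg", "Sample Cluster A", "moderate", {
    "infrastructure": {"203.0.113.10", "example-c2[.]invalid"},
    "victimology": {"ngo", "think-tank"},
    "ttps": {"spearphishing-link", "credential-harvesting"},
})
THEIRS = Assessment("VendorX", "VENDOR-NAME-1", "high", {
    "infrastructure": {"203.0.113.10", "198.51.100.7"},
    "victimology": {"ngo", "journalist"},
    "ttps": {"spearphishing-link", "oauth-consent-phishing"},
})
REGISTRY = {  # constructed: internal record id -> actor names it references
    "RPT-2024-017": {"Sample Cluster A"},
    "TL-cluster-a": {"Sample Cluster A", "VENDOR-NAME-1"},
    "RPT-2024-031": {"Unrelated Actor"},
}

if __name__ == "__main__":
    comp = compare(OURS, THEIRS)
    inv = build_inventory(comp, THEIRS)
    print(f"evidence overlap: {overlap_ratio(comp):.2f}")
    for q in inv.questions:
        print("question:", q)
    if needs_review(inv, "infrastructure"):
        print("records to update:", cascade_targets([OURS.actor_name, THEIRS.actor_name], REGISTRY))
```

The overlap ratio is deliberately crude: it counts evidence items, not their weight, so it is a prompt for the tradecraft discussion rather than a confidence score. The useful outputs are the question list (what to ask the other organisation), the assumptions you are silently making by relying on their evidence, and the list of internal records that must be touched when a condition for change fires.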
Attribution assessments are vital for understanding threat activity and strengthening your cyber defences. Intelligence analysis and tradecraft are essential in developing and refining these assessments, especially when multiple or conflicting threat actor names and evaluations are in play. Our framework for comparative attribution empowers analysts, fostering rigorous tradecraft and collaboration. It gives us another opportunity to work together to understand, detect, mitigate, and respond to cyber threats.