Our framework for comparative attribution in threat intelligence

How we analyse, compare, and integrate multiple threat actor attribution assessments

  • Insight
  • 8 minute read
  • June 20, 2025

Sierra Stanczyk, Senior Manager, Advisory, PwC United States

Jono Davis, Manager, PwC United States

Attributing activity to cyber threat actors isn't always a straightforward task. It's an analytical process subject to variations based on the nature of threat activities, available data points, how tradecraft standards are implemented and reinforced, and the granularity of attribution needed or possible. The complexity rises with the threats themselves: how threat actors operate, their resources and management, and their interactions within the threat landscape. Understanding these elements enables sound attribution assessments that guide prioritisation, mitigation and response strategies.

We developed a comparative attribution framework that helps analysts navigate multiple attribution assessments developed by different organisations on the same or similar threat actor or cluster of activity. Our goal is to support crucial tradecraft discussions—internally and externally—to help analysts build stronger attribution assessments and potentially elevate confidence levels.

We introduced our framework at the SANS CTI Summit 2025, presented by Jono Davis, Manager at PwC US and member of PwC Global Threat Intelligence.

    [Video (34:49, dated 09/06/25): A Case Study in Threat Actor Collaboration & Framework for]

    Understanding the attribution assessment process

    Attribution can be a lengthy process that begins with analysing observable evidence, or data linked to the threat actor like infrastructure, victimology and tools, techniques and procedures (TTPs). Analysts may see things differently, based on their unique sources and methods. This can lead to a diverse web of assessments, each capturing a blend of overlapping and distinct traits of the same threat actor or activity cluster.

    Some organisations develop unique nomenclature for their attribution assessments, while others may adopt existing threat actor names from other sources. The choice depends on the organisation's analysis goals and objectives. In some cases, creating new names isn't preferred. However, for those with specialised insights or unique collection and analytical capabilities, custom naming conventions are essential. 

    [Figure: the attribution assessment process: Evidence; Sources and methodology; Evaluate and analyse (Key Assumptions Check, other SATs); Conditions for change; Update; Document]

    Cyber security professionals face the challenge of navigating various threat actor names and attribution assessments from different organisations. However, assessments can provide new opportunities to pivot, corroborate, and enhance their analysis. Structured Analytic Techniques (SATs) are essential tools. They help analysts organise and evaluate evidence, as well as align differing assessments to ensure clarity and consistency when dealing with multiple perspectives on the same threat actor or cluster of activity.

    Key Assumptions Checks, an SAT that prompts intelligence analysts to deliberately identify and challenge the assumptions in their analysis that may have shaped their assessments or analytic conclusions, are crucial for examining our own assumptions, biases and thought processes in attribution assessments. They help address historical views of threat activity and biases in data collection and visibility.

    Framework for comparative attribution 

    We’ve crafted a framework for comparative attribution—a tool for analysts juggling multiple, often conflicting, attribution assessments related to high-interest threats. This framework's purpose is simple: to elevate your confidence in attribution by systematically analysing and comparing related assessments and evidence. It encourages a dynamic and iterative process, refining assessments to become more precise over time.

    [Figure: the comparative attribution framework, applied to both external and internal attribution assessments: Evidence; Sources and methodology; Evaluate and analyse (Key Assumptions Check, other SATs); Conditions for change; Gaps and questions; Update; Document]

    Key elements and activities of attribution assessments  

    When tackling your attribution assessment, it’s important to understand these foundational elements of your analysis:

    • Observable evidence of threat activity
    • Sources directly or indirectly supplying data points
    • Collection or visibility gaps influencing your analysis
    • Methodologies used and their potential limitations or biases
    • Assumptions identified or highlighted by peers or reviewers

    Understanding these key elements bolsters your analysis, making it more robust and allowing a comprehensive examination of relevant evidence and assessments, from both within and outside your organisation.

    [Figure: the evidence and sources stages in detail. Evidence: infrastructure, TTPs, victimology, other data points. Sources and methodology: direct, indirect, forms of analysis, enrichment, corroboration. Evaluate and analyse: identify and challenge assumptions related to the attribution assessment.]

    Conditions for change are signposts that prompt you to revisit your attribution assessment. These could include new infrastructure discoveries, TTPs and information from advisories or other official notifications about threat activity, as well as enhancements in your visibility of the threat.

    [Figure: the conditions for change stage in detail.]

    1. Identify conditions that would cause us to revisit our attribution assessment (e.g., to reaffirm our assessment or shift our view wholly or partially about a set of activity).
    2. Identify how significant these changes would be and their potential cascading impact on other assessments about related threat activity.
    3. Ensure we have ways to detect these conditions, adapt, and evolve.

    Beyond imagining how these changes might appear, you need a change management process. This process modifies and cascades attribution updates where needed, like in internal knowledge repositories, threat libraries, and other tracking venues.

    [Figure: the update stage in detail: threat actor corpus (e.g., profile) and crosswalk of aliases; historical reporting and references; tools, libraries, repositories, and other venues.]

    Your change management process must also address formal documentation, including finished reports and information shared with third parties.

    [Figure: the document stage in detail: finished reporting; formal tracking; external sharing.]

    Evaluating and analysing multiple attribution assessments

    When analysing an external attribution assessment, you'll likely need to make assumptions about the other organisation's evidence, sources, and methods. 

    [Figure: evaluating an external attribution assessment.]

    • Evidence: what the other organisation provided or conveyed.
    • Sources and methodology: what we know or can infer about the organisation’s sources and methodology, and what the organisation shared.
    • Gaps and questions: what we do not know about the other organisation’s assessment, and what we would ask the organisation.

    You might pivot from the evidence provided, layering in additional context and insights to integrate during your internal assessment process.

    [Figure: integrating an external assessment into the internal assessment process.]

    • Can we conduct our own analysis and pivot based on what was provided by the other organisation?
    • Can we corroborate or enrich the other organisation’s findings based on our sources, tooling, expertise, and analytic capabilities?
    • What assumptions do we have about the other organisation’s assessment, as well as our comparison?

    It's important to clearly identify and document what you know, what you don't, and what you've inferred—everything impacting your evaluation of the other organisation's assessment. Ideally, analysts would be able to connect, addressing questions and gaps to align and enrich both assessments whilst fostering a robust, collaborative view of the threat. This level of collaboration isn't always possible, so maintaining an inventory of questions, gaps, assumptions, and conditions for change is vital. These will shape your confidence level for the assessment itself.

    We've created a high-level template for analysts. Use it for evaluating your own assessments or your organisation’s assessment against others. This template is flexible—adaptable for evaluation across multiple organisations and their attribution assessments.

    Template: comparative attribution assessment (internal and external columns)

    • Attribution assessments
      - Internal: attribution assessment (if we have one, or if we need to weigh in on an external assessment)
      - External: attribution assessment conveyed by external party
    • Known aliases and relevant information on threat actor/activity related to the assessment (e.g., have other groups previously provided analysis, assessments, or other information?)
    • Evidence (internal / external)
    • Sources and methodology (internal / external)
    • Gaps and assumptions (internal / external)
    • Conditions for change (internal / external)
    • Comparative analysis (what is similar, different, overlapping, etc., between attribution assessments)
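The template above, and the conditions-for-change step described earlier, can be kept as structured data so the comparison and the change triggers are repeatable rather than re-derived by hand. The code below is an added illustration, not PwC's tooling: the `Assessment` record, the `compare` and `triggered_conditions` functions, the actor names, and the sample data points (RFC 5737 documentation addresses) are all constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Assessment:
    org: str            # "internal" or the external organisation's name
    actor_name: str     # the name that organisation uses for the actor/cluster
    evidence: dict      # evidence kind (infrastructure, ttps, victimology, ...) -> set of data points
    sources: dict       # "direct"/"indirect" -> descriptions of where the data came from
    gaps: list = field(default_factory=list)         # what we do not know / would ask
    assumptions: list = field(default_factory=list)  # assumptions made about this assessment
    conditions: list = field(default_factory=list)   # (evidence kind, description) pairs

def compare(internal, external):
    """Comparative analysis row of the template: overlap and differences per evidence kind."""
    out = {}
    for kind in sorted(internal.evidence.keys() | external.evidence.keys()):
        ours = set(internal.evidence.get(kind, ()))
        theirs = set(external.evidence.get(kind, ()))
        out[kind] = {"overlapping": sorted(ours & theirs),
                     "internal_only": sorted(ours - theirs),
                     "external_only": sorted(theirs - ours)}
    out["alias_crosswalk"] = {internal.actor_name: external.actor_name}
    out["open_questions"] = internal.gaps + external.gaps + external.assumptions  # bounds confidence
    return out

def triggered_conditions(assessment, new_observations):
    """Return the conditions for change met by data points not already in our evidence."""
    hits = []
    for kind, description in assessment.conditions:
        if set(new_observations.get(kind, ())) - set(assessment.evidence.get(kind, ())):
            hits.append(description)
    return hits

# Constructed sample assessments (documentation addresses and made-up names, not real indicators).
INTERNAL = Assessment(
    org="internal", actor_name="Cluster-Alpha",
    evidence={"infrastructure": {"198.51.100.7", "203.0.113.20"},
              "ttps": {"spearphishing attachment", "scheduled task persistence"},
              "victimology": {"energy sector, Europe"}},
    sources={"direct": ["incident response engagements"], "indirect": ["partner telemetry"]},
    gaps=["initial access not observed for two victims"],
    conditions=[("infrastructure", "new infrastructure not previously tied to this cluster"),
                ("ttps", "new TTPs reported in an official advisory")])
EXTERNAL = Assessment(
    org="Vendor X", actor_name="X-GROUP-42",
    evidence={"infrastructure": {"203.0.113.20", "203.0.113.55"},
              "ttps": {"spearphishing attachment", "credential dumping"},
              "victimology": {"energy sector, Europe", "government, Asia"}},
    sources={"indirect": ["public report; underlying telemetry not shared"]},
    assumptions=["vendor victimology likely reflects its own customer base"])
```

Running `compare(INTERNAL, EXTERNAL)` fills the comparative analysis row with what overlaps and what each side alone observed, while `triggered_conditions` flags which documented conditions a batch of new observations satisfies, so the update and cascade steps can be started from a recorded trigger.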

    Attribution assessments are vital for understanding threat activity and strengthening your cyber defences. Intelligence analysis and tradecraft are essential in developing and refining these assessments, especially with multiple or conflicting threat actor names and evaluations. Our framework for comparative attribution empowers analysts, fostering rigorous tradecraft and collaboration. It gives us another opportunity to work together to understand, detect, mitigate, and respond to cyber threats.

