Palo Alto Networks’ Unit 42 threat intelligence team has unveiled a comprehensive new methodology for attributing cyber attacks to specific threat actors, addressing long-standing challenges in the cybersecurity industry where attribution has been “more art than science.”
The Unit 42 Attribution Framework establishes a systematic three-tier approach that progresses from initial observations to confirmed threat actor identification.
The framework aims to eliminate confusion in threat group naming while providing greater analytical rigor to the attribution process.
Three-Level Classification System
The framework categorizes threats into three distinct levels. Activity Clusters represent the initial grouping of related cybersecurity events, requiring at least two connected incidents sharing indicators of compromise (IoCs), similar tactics, techniques, and procedures (TTPs), or targeting patterns.
These clusters receive names with the prefix “CL-” followed by motivation tags like STA (state-sponsored), CRI (crime-motivated), or UNK (unknown).
Temporary Threat Groups constitute the second tier, requiring six months of observation and rigorous analysis using the Diamond Model of Intrusion Analysis.
These groups, designated with “TGR-” prefixes, represent confirmed single-actor operations with persistent behavior patterns but insufficient evidence for full attribution.

The highest level consists of Named Threat Actors using Unit 42’s constellation naming schema, requiring high-confidence assessment with compelling evidence from multiple sources, including internal telemetry, trusted partners, and corroborated open-source intelligence.
Enhanced Analytical Standards
A key innovation involves integrating the Admiralty System, which assigns reliability scores (A-F) to sources and credibility ratings (1-6) to information.
Internal telemetry data receives a default reliability score of “A,” while IP addresses typically start with a credibility rating of 4 (“Doubtfully True”) due to their volatile nature.
The framework analyzes multiple data types, including malware code analysis, operational security consistency, network infrastructure, victimology, and timeline analysis.
Analysts examine TTP evolution patterns, custom infrastructure tools, and unique configurations to distinguish between different threat actors.
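As an added illustration of the Activity Cluster rule from the classification section above and of the Admiralty defaults just described, the following Python is not Unit 42's code: the incidents, motivation tag, technique ids and the numeric cluster suffix are constructed or assumed here.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Incident:
    id: str
    iocs: frozenset      # indicators of compromise (domains, hashes, ...)
    ttps: frozenset      # tactics, techniques and procedures
    targets: frozenset   # victimology (sector / region)

def linked(a: Incident, b: Incident) -> bool:
    # Two incidents are connected when they share an IoC, a TTP or a target.
    return bool(a.iocs & b.iocs or a.ttps & b.ttps or a.targets & b.targets)

def activity_clusters(incidents, motivation="UNK"):
    """Connected components of linked incidents with at least two members, named
    'CL-' + motivation tag; the numeric suffix is an assumed sequence number."""
    parent = {i.id: i.id for i in incidents}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for a, b in combinations(incidents, 2):
        if linked(a, b):
            parent[find(a.id)] = find(b.id)
    groups = {}
    for i in incidents:
        groups.setdefault(find(i.id), []).append(i.id)
    members = sorted(sorted(g) for g in groups.values() if len(g) >= 2)
    return {f"CL-{motivation}-{n:04d}": g for n, g in enumerate(members, 1)}

# Page defaults: internal telemetry source reliability "A"; IP credibility starts at 4.
SOURCE_DEFAULT = {"telemetry": "A"}
INFO_DEFAULT = {"ip": 4}

def admiralty(artifact_kind, source_kind, reliability=None, credibility=None):
    """Rating such as 'A4'; unknowns fall back to F / 6 (cannot be judged)."""
    r = reliability or SOURCE_DEFAULT.get(source_kind, "F")
    c = credibility or INFO_DEFAULT.get(artifact_kind, 6)
    return f"{r}{c}"

# Constructed sample: inc-1/inc-2 share a C2 domain, inc-2/inc-3 share a TTP, inc-4 is unrelated.
SAMPLE = [
    Incident("inc-1", frozenset({"c2.example.test"}), frozenset({"T1566"}), frozenset({"gov"})),
    Incident("inc-2", frozenset({"c2.example.test"}), frozenset({"T1059"}), frozenset({"telco"})),
    Incident("inc-3", frozenset({"h.example.test"}), frozenset({"T1059"}), frozenset({"energy"})),
    Incident("inc-4", frozenset({"x.example.test"}), frozenset({"T1190"}), frozenset({"retail"})),
]
```

Running `activity_clusters(SAMPLE, "STA")` chains inc-1, inc-2 and inc-3 into one cluster through the shared domain and shared technique, while inc-4 stays unclustered because a cluster needs at least two connected incidents.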
Real-World Application
Unit 42 demonstrated the framework’s effectiveness through their analysis of Stately Taurus, a threat actor linked to the Bookworm malware family.
The team successfully traced connections between infrastructure overlaps and malware variants, documenting their findings in an internal Attribution Framework scoresheet that tracks IoCs, TTPs, and intelligence artifacts with detailed justifications for scoring decisions.
The framework includes an internal Attribution Framework Review Board comprising multiple research teams to ensure accuracy and prevent premature attribution.
This systematic approach aims to avoid misattribution that could lead to misprioritized security controls and wasted resources.
Unit 42 hopes this framework will serve as a model for other threat research teams, contributing to the continued maturation of the threat intelligence profession while providing greater transparency into their internal analytical practices.