Unit 42 Unveils New Framework to Attribute and Classify Threat Actors by Their Activities

Palo Alto Networks’ Unit 42 has launched a comprehensive Attribution Framework designed to bring scientific rigor and consistency to the challenging process of classifying and naming cyber threat actors.

Addressing a longstanding issue in the industry, where attribution often depends on the expertise of a small set of analysts and lacks methodological transparency, Unit 42's new framework lays out a clear progression from initial incident observation to the formal naming of threat groups.

Consistency in Cyber Threat Attribution

At the heart of this methodology are two pivotal analytical models: the Diamond Model of Intrusion Analysis, which emphasizes linking adversaries, infrastructure, capabilities, and victims; and the Admiralty System, an evaluation rubric that scores evidence by source reliability and information credibility.

Sources are rated from A (completely reliable) to F (reliability cannot be judged), while information is scored from 1 (confirmed by other sources) to 6 (truth cannot be judged), guiding the confidence placed in each artifact.

Departing from the usual practice of rating each artifact from scratch, the framework assigns default reliability and credibility scores by artifact type, such as telemetry, domains, file hashes, and registration details, and researchers adjust those ratings where specific evidence and context warrant it.

The attribution process itself is structured into three escalating levels of confidence and granularity: activity clusters, temporary threat groups, and finally named threat actors.

Activity clusters are the basic analytical building block: they group related incidents and indicators, such as shared infrastructure, TTPs, or victimology, even while attribution remains uncertain.

A cluster may be promoted to a temporary threat group after at least six months of observed, persistent behavior and rigorous Diamond Model mapping give confidence that a single actor is responsible.

Only after long-term analysis, evidence of unique, consistent TTPs and infrastructure, and the corroboration of multiple high-quality sources does Unit 42 assign a formal group name, following its established Constellation naming schema.

Integration of Diamond Model

The framework is careful not to conflate activity clusters, essentially incomplete "puzzle pieces" of adversary behavior, with campaigns, which are more coordinated activities with identifiable goals and lifecycle stages.

Analysts use default naming conventions tied to the assessed motivation: "CL-STA-0001" for an activity cluster suspected of state sponsorship, advancing to "TGR-STA-0001" when the cluster becomes a temporary threat group, and eventually to a publicly recognized threat actor designation once the high-confidence threshold is met.

To minimize misattribution and false positives, Unit 42 incorporates multiple analytical dimensions. These include detailed TTP evolution and code analysis, infrastructure and tool configuration examination, victim profiling, and temporal correlation with external geopolitical or sector events.

The report also emphasizes OPSEC analysis and ongoing validation against contradictory evidence.

Notably, the process accommodates both exceptionally high data volume, such as after a major breach, where promotion can be expedited, and data scarcity, which warrants continued monitoring rather than premature designation.

Source verification underpins the entire cycle: the framework prioritizes trusted internal telemetry and vetted external partners, cross-checks indicators, and rejects artifacts that lack context or uniqueness.
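To make the scoring and promotion logic described above concrete, here is an added example of an Admiralty-rated attribution scoresheet in Python. It is not Unit 42's tooling and not code from the article. The A-F / 1-6 rubric and the CL-/TGR- prefixes with the STA code come from the article; the per-type default ratings, the CRI and UNK motivation codes, the artifact-count thresholds (MIN_SCORED, MIN_STRONG, EXPEDITE_STRONG), and the sample indicators are assumptions made here for illustration. It covers the default-then-override ratings, the six-month persistence gate, the expedite path for high data volume, the hold on contradictory evidence, the "continue monitoring" outcome for scarce data, and the exclusion of non-unique artifacts.

```python
"""Admiralty-scored attribution scoresheet.

Added example, not Unit 42's own tooling. The Admiralty rubric (A-F, 1-6)
and the CL-/TGR- prefixes come from the article; the per-type default
ratings, the CRI/UNK motivation codes, the count thresholds and the sample
indicators are assumptions made here for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Admiralty System rubric (NATO wording).
SOURCE_RELIABILITY = {
    "A": "completely reliable", "B": "usually reliable", "C": "fairly reliable",
    "D": "not usually reliable", "E": "unreliable", "F": "reliability cannot be judged",
}
INFO_CREDIBILITY = {
    1: "confirmed by other sources", 2: "probably true", 3: "possibly true",
    4: "doubtful", 5: "improbable", 6: "truth cannot be judged",
}

# ASSUMED defaults per artifact type (illustrative, not the framework's own table).
DEFAULT_RATINGS = {
    "telemetry": ("A", 2),     # first-party sensor data
    "file_hash": ("B", 2),     # strong identifier, but may arrive via third parties
    "domain": ("B", 3),        # infrastructure can be shared or re-registered
    "registration": ("C", 4),  # registrant details are easily falsified
}

# STA (state-sponsored) is from the article; CRI and UNK are assumed here.
MOTIVATION_CODES = {"state": "STA", "crime": "CRI", "unknown": "UNK"}

PERSISTENCE_DAYS = 182    # "at least six months" of observed activity
MIN_SCORED = 3            # ASSUMED: fewer unique artifacts than this is data scarcity
MIN_STRONG = 3            # ASSUMED: strong artifacts needed before promotion
EXPEDITE_STRONG = 10      # ASSUMED: this many strong artifacts waives the time gate


@dataclass
class Artifact:
    kind: str
    value: str
    reliability: str | None = None   # analyst override of the default source rating
    credibility: int | None = None   # analyst override of the default information rating
    shared: bool = False             # non-unique IoC (public tool hash, CDN IP): not scored

    def rating(self) -> tuple[str, int]:
        default_r, default_c = DEFAULT_RATINGS[self.kind]
        r = self.reliability if self.reliability is not None else default_r
        c = self.credibility if self.credibility is not None else default_c
        if r not in SOURCE_RELIABILITY or c not in INFO_CREDIBILITY:
            raise ValueError(f"invalid Admiralty rating {r}{c} for {self.value}")
        return r, c

    def is_strong(self) -> bool:
        """A/B source and confirmed or probably-true information."""
        r, c = self.rating()
        return r in ("A", "B") and c <= 2


@dataclass
class Cluster:
    motivation: str
    serial: int
    first_seen: date
    last_seen: date
    artifacts: list[Artifact] = field(default_factory=list)
    contradictions: list[str] = field(default_factory=list)  # unresolved evidence against one actor

    def scored(self) -> list[Artifact]:
        return [a for a in self.artifacts if not a.shared]

    def persistence_days(self) -> int:
        return (self.last_seen - self.first_seen).days


def scoresheet(cluster: Cluster) -> list[tuple[str, str, str, str]]:
    """One row per artifact: kind, value, Admiralty code such as 'A2', status."""
    rows = []
    for a in cluster.artifacts:
        r, c = a.rating()
        status = "excluded: not unique" if a.shared else ("strong" if a.is_strong() else "weak")
        rows.append((a.kind, a.value, f"{r}{c}", status))
    return rows


def assess(cluster: Cluster) -> tuple[str, str]:
    """Return (designation, reason) for the cluster's current attribution level."""
    code = MOTIVATION_CODES[cluster.motivation]
    cl_name = f"CL-{code}-{cluster.serial:04d}"
    scored = cluster.scored()
    strong = [a for a in scored if a.is_strong()]
    if cluster.contradictions:
        return cl_name, "hold: unresolved contradictory evidence"
    if len(scored) < MIN_SCORED:
        return cl_name, "continue monitoring: data scarcity"
    persistent = cluster.persistence_days() >= PERSISTENCE_DAYS
    expedited = len(strong) >= EXPEDITE_STRONG
    if len(strong) >= MIN_STRONG and (persistent or expedited):
        reason = ("promote: persistent activity mapped to a single actor" if persistent
                  else "promote: expedited on high data volume")
        return f"TGR-{code}-{cluster.serial:04d}", reason
    return cl_name, "continue monitoring: insufficient persistence or corroboration"


def sample_cluster() -> Cluster:
    """Constructed sample data; the indicator values are placeholders, not real IoCs."""
    return Cluster(
        motivation="state", serial=1,
        first_seen=date(2025, 1, 10), last_seen=date(2025, 8, 20),
        artifacts=[
            Artifact("telemetry", "sensor-alert-0001"),
            Artifact("file_hash", "hash-of-custom-loader"),
            Artifact("domain", "update-check.example", credibility=1),  # confirmed by a partner
            Artifact("registration", "registrant@example.net"),
            Artifact("file_hash", "hash-of-public-admin-tool", shared=True),
        ],
    )


if __name__ == "__main__":
    cluster = sample_cluster()
    for row in scoresheet(cluster):
        print("%-13s %-28s %-3s %s" % row)
    print(assess(cluster))
```

Run as a script it prints the scoresheet rows and the assessment for the constructed cluster, which promotes to TGR-STA-0001 because it has more than six months of activity and three strong artifacts; shorten `last_seen` and it stays CL-STA-0001, add an entry to `contradictions` and it is held regardless of the evidence in its favor. The formal Constellation name is deliberately not produced here: per the article that step needs the review board, not a script.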

Consistency is continually audited by a dedicated internal review board, ensuring collective oversight before advancing clusters or groups to higher attribution levels.

Stately Taurus and Bookworm IoCs in an Attribution Framework scoresheet

The approach has already demonstrated its value in tracking threat actors such as Stately Taurus, where analytical rigor and evidence mapping enabled the confident linking of malware variants like Bookworm to underlying threat operations.

By adopting this systematic approach, Unit 42 aims to strengthen the foundations of cyber threat intelligence, reducing confusion and fostering clearer communication across the security community.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
