profiling-threat-actor-groups

Develops comprehensive threat actor profiles for APT groups, criminal organizations, and hacktivist collectives by aggregating TTP documentation, historical campaign data, tooling fingerprints, and attribution indicators from multiple intelligence sources. Use when briefing executives on sector-specific threats, updating threat model assumptions, or prioritizing defensive controls against specific adversaries. Activates for requests involving MITRE ATT&CK Groups, Mandiant APT profiles, CrowdStrike adversary naming, or sector-specific threat briefings.

16 stars

Best use case

profiling-threat-actor-groups is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using profiling-threat-actor-groups should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/profiling-threat-actor-groups/SKILL.md --create-dirs "https://raw.githubusercontent.com/plurigrid/asi/main/plugins/asi/skills/profiling-threat-actor-groups/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/profiling-threat-actor-groups/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

SKILL.md Source

# Profiling Threat Actor Groups

## When to Use

Use this skill when:
- Updating the organization's threat model with profiles of adversary groups recently observed targeting your sector
- Preparing an executive briefing on APT groups that align with geopolitical events affecting your business
- Enabling SOC analysts to understand attacker objectives and TTPs to improve detection tuning

**Do not use** this skill for real-time incident attribution — attribution during active incidents should be deprioritized in favor of containment. Profile refinement occurs post-incident.

## Prerequisites

- Access to MITRE ATT&CK Groups database (https://attack.mitre.org/groups/)
- Commercial threat intelligence subscription (Mandiant Advantage, CrowdStrike Falcon Intelligence, or Recorded Future)
- Sector-specific ISAC membership for targeted intelligence (FS-ISAC, H-ISAC, E-ISAC)
- Structured profile template (see workflow below)

## Workflow

### Step 1: Identify Relevant Threat Actors

Cross-reference your organization's sector, geography, and technology stack against known adversary targeting patterns. Sources:
- MITRE ATT&CK Groups: 130+ documented nation-state and criminal groups with TTP mappings
- CrowdStrike Annual Threat Report: adversary naming by nation-state (BEAR=Russia, PANDA=China, KITTEN=Iran, CHOLLIMA=North Korea)
- Mandiant M-Trends: annual report with sector-specific targeting statistics
- CISA Known Exploited Vulnerabilities (KEV) catalog: identifies vulnerabilities actively exploited by specific threat actors

Shortlist 5–10 groups most likely to target your organization based on sector alignment and recent activity.

### Step 2: Collect Profile Data

For each adversary, document across standard dimensions:

**Identity**: ATT&CK Group ID (e.g., G0016 for APT29), aliases (Cozy Bear, The Dukes, Midnight Blizzard), suspected nation-state sponsor

**Motivations**: Espionage, financial gain, disruption, intellectual property theft

**Targeting**: Sectors, geographies, organization sizes, technology targets (OT/IT, cloud, supply chain)

**Capabilities**: Custom malware (e.g., APT29's SUNBURST, MiniDuke), exploitation of 0-days vs. known CVEs, supply chain attack capability

**Campaign History**: Notable operations with dates (SolarWinds 2020, Exchange Server 2021, etc.)

**TTPs by ATT&CK Phase**: Document top 5 techniques per tactic phase

### Step 3: Map TTPs to ATT&CK

Using mitreattack-python:
```python
from mitreattack.stix20 import MitreAttackData

# Load the Enterprise ATT&CK STIX 2.0 bundle (download enterprise-attack.json
# from https://github.com/mitre-attack/attack-stix-data first).
mitre = MitreAttackData("enterprise-attack.json")

# ATT&CK groups are STIX "intrusion-set" objects; look APT29 up by its ATT&CK ID.
apt29 = mitre.get_object_by_attack_id("G0016", "intrusion-set")

# get_techniques_used_by_group() takes the group's STIX ID, not the object.
# Each returned entry is {"object": <attack-pattern>, "relationships": [...]}.
techniques = mitre.get_techniques_used_by_group(apt29["id"])

profile = {}
for item in techniques:
    tech = item["object"]
    # The first external reference is the ATT&CK entry, e.g. T1059.001 for sub-techniques.
    tid = tech["external_references"][0]["external_id"]
    tactic = [p["phase_name"] for p in tech.get("kill_chain_phases", [])]
    profile[tid] = {"name": tech["name"], "tactics": tactic}
```

### Step 4: Assess Detection Coverage Against Profile

Compare the adversary's technique list against your detection coverage matrix (from ATT&CK Navigator layer). Identify:
- Techniques used by this group where you have no detection (critical gaps)
- Techniques where you have partial coverage (logging but no alerting)
- Compensating controls where detection is not feasible (network segmentation as mitigation for lateral movement)

### Step 5: Package Profile for Distribution

Structure the final profile for different audiences:
- **Executive summary** (1 page): Who, motivation, recent campaigns, top risk to our organization, recommended priority actions
- **SOC analyst brief** (3–5 pages): Full TTP list with detection status, IOC list, hunt hypotheses
- **Technical appendix**: YARA rules, Sigma detections, STIX JSON object for TIP import

Classify TLP:AMBER for internal distribution; seek ISAC approval before external sharing.
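The coverage comparison in Step 4, as an added example that is not part of the original skill: it takes a profile in the shape Step 3 builds and an ATT&CK Navigator layer, and sorts the group's techniques into the three buckets the step describes (critical gaps, partial coverage, compensating controls) plus fully covered ones. The sample profile, the trimmed layer, and the score convention (0/1/2) are constructed assumptions; Navigator itself does not define what a score means.

```python
import json

# Constructed sample inputs (not from the page): a profile in the shape
# Step 3 produces, and a trimmed ATT&CK Navigator coverage layer.
PROFILE = {
    "T1566.001": {"name": "Spearphishing Attachment", "tactics": ["initial-access"]},
    "T1059.001": {"name": "PowerShell", "tactics": ["execution"]},
    "T1021.002": {"name": "SMB/Windows Admin Shares", "tactics": ["lateral-movement"]},
    "T1078": {"name": "Valid Accounts",
              "tactics": ["defense-evasion", "persistence", "privilege-escalation", "initial-access"]},
}

# Assumed scoring convention for the layer (our convention, not a Navigator standard):
# 0 = no detection, 1 = logged but no alert, 2 = alerting in place.
# A technique missing from the layer counts as 0; a score-0 entry whose
# "comment" names a control is treated as a documented compensating control.
COVERAGE_LAYER = json.loads("""{
  "name": "Detection coverage", "domain": "enterprise-attack",
  "techniques": [
    {"techniqueID": "T1566.001", "score": 2},
    {"techniqueID": "T1059.001", "score": 1},
    {"techniqueID": "T1078", "score": 0, "comment": "MFA + conditional access"}
  ]
}""")

def assess_coverage(profile, layer):
    """Bucket each technique the adversary uses by our detection status."""
    entries = {t["techniqueID"]: t for t in layer.get("techniques", [])}
    result = {"critical_gap": [], "partial": [], "compensating": [], "covered": []}
    for tid, info in profile.items():
        entry = entries.get(tid, {})
        score = entry.get("score", 0)
        row = {"id": tid, "name": info["name"], "tactics": info["tactics"]}
        if score >= 2:
            result["covered"].append(row)
        elif score == 1:
            result["partial"].append(row)
        elif entry.get("comment"):
            row["control"] = entry["comment"]
            result["compensating"].append(row)
        else:
            result["critical_gap"].append(row)
    return result

def tactics_with_gaps(assessment):
    """Tactic phases where at least one of the group's techniques has no detection."""
    return sorted({t for row in assessment["critical_gap"] for t in row["tactics"]})
```

Running `assess_coverage(PROFILE, COVERAGE_LAYER)` on the sample data reports T1021.002 as the only critical gap, so `tactics_with_gaps` flags lateral movement as the phase to prioritise.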

## Key Concepts

| Term | Definition |
|------|-----------|
| **APT** | Advanced Persistent Threat — well-resourced, sophisticated adversary (typically nation-state or sophisticated criminal) conducting long-term targeted operations |
| **TTPs** | Tactics, Techniques, Procedures — behavioral fingerprint of an adversary group, more durable than IOCs which change frequently |
| **Aliases** | Threat actors receive different names from different vendors (APT29 = Cozy Bear = The Dukes = Midnight Blizzard = YTTRIUM) |
| **Attribution** | Process of associating an attack with a specific threat actor; requires multiple independent corroborating data points and carries inherent uncertainty |
| **Cluster** | A group of related intrusion activity that may or may not be attributable to a single actor; used when attribution is uncertain |
| **Intrusion Set** | STIX SDO type representing a grouped set of adversarial behaviors with common objectives, even if actor identity is unknown |

## Tools & Systems

- **MITRE ATT&CK Groups**: Free, community-maintained database of 130+ documented adversary groups with referenced campaign reports
- **Mandiant Advantage Threat Intelligence**: Commercial platform with detailed APT profiles, malware families, and campaign analysis
- **CrowdStrike Falcon Intelligence**: Commercial feed with adversary-centric profiles and real-time attribution updates
- **Recorded Future Threat Intelligence**: Combines OSINT, dark web, and technical intelligence for adversary profiling
- **OpenCTI**: Graph-based visualization of threat actor relationships, tooling, and campaign linkages

## Common Pitfalls

- **IOC-centric profiles**: Building profiles around IP addresses and domains rather than TTPs means the profile becomes stale within weeks as infrastructure rotates.
- **Vendor alias confusion**: Conflating two different threat actor groups due to shared malware or infrastructure leads to incorrect threat model assumptions.
- **Binary attribution**: Treating attribution as certain when it is probabilistic. Always qualify attribution confidence level (Low/Medium/High).
- **Neglecting insider and criminal groups**: Overemphasis on nation-state APTs while ignoring ransomware groups (Cl0p, LockBit, ALPHV) that represent higher-probability threats for most organizations.
- **Profile staleness**: Adversary TTPs evolve. Profiles not updated quarterly may miss technique changes, new malware, or targeting shifts.
