Our approach to analysing, comparing, and integrating threat actor attribution assessments - PwC
Our framework for comparative attribution in threat intelligence
How we analyse, compare, and integrate multiple threat actor attribution assessments
June 20, 2025
Sierra Stanczyk, Senior Manager, Advisory, PwC United States
Jono Davis, Manager, PwC United States
Attributing activity to cyber threat actors isn't always a straightforward task. It's an analytical process subject to variations based on the nature of threat activities, available data points, how tradecraft standards are implemented and reinforced, and the granularity of attribution needed or possible. The complexity rises with the threats themselves: how threat actors operate, their resources and management, and their interactions within the threat landscape. Understanding these elements enables sound attribution assessments that guide prioritisation, mitigation and response strategies.
We developed a comparative attribution framework that helps analysts navigate multiple attribution assessments, produced by different organisations, of the same or similar threat actor or cluster of activity. Our goal is to support crucial tradecraft discussions, internally and externally, to help analysts build stronger attribution assessments and potentially raise confidence levels.
We introduced our framework at the SANS CTI Summit 2025, presented by Jono Davis, Manager at PwC US and member of PwC Global Threat Intelligence.
Understanding the attribution assessment process
Attribution can be a lengthy process that begins with analysing observable evidence: data linked to the threat actor, such as infrastructure, victimology, and tools, techniques and procedures (TTPs). Analysts may see things differently, based on their unique sources and methods. This can lead to a diverse web of assessments, each capturing a blend of overlapping and distinct traits of the same threat actor or activity cluster.
Some organisations develop unique nomenclature for their attribution assessments, while others may adopt existing threat actor names from other sources. The choice depends on the organisation's analysis goals and objectives. In some cases, creating new names isn't preferred. However, for those with specialised insights or unique collection and analytical capabilities, custom naming conventions are essential.
[Figure: the attribution assessment cycle - Attribution assessment; Evidence; Sources and methodology; Evaluate and analyse (Key Assumptions Check, other SATs); Conditions for change; Update; Document]
Cyber security professionals face the challenge of navigating various threat actor names and attribution assessments from different organisations. However, assessments can provide new opportunities to pivot, corroborate, and enhance their analysis. Structured Analytic Techniques (SATs) are essential tools. They help analysts organise and evaluate evidence, as well as align differing assessments to ensure clarity and consistency when dealing with multiple perspectives on the same threat actor or cluster of activity.
A Key Assumptions Check is an SAT that prompts intelligence analysts to deliberately identify and challenge the assumptions in their analysis, whether or not those assumptions have affected their assessments or analytic conclusions. It is crucial for examining our own assumptions, biases and thought processes in attribution assessments, and it helps address historical views of threat activity and biases in data collection and visibility.
Framework for comparative attribution
We've crafted a framework for comparative attribution: a tool for analysts juggling multiple, often conflicting, attribution assessments related to high-interest threats. Its purpose is simple: to raise your confidence in attribution by systematically analysing and comparing related assessments and evidence. It encourages a dynamic and iterative process, refining assessments so they become more precise over time.
[Figure: the comparative attribution framework - External and Internal attribution assessments, each with its own Evidence and Sources and methodology; Evaluate and analyse (Key Assumptions Check, other SATs); Gaps and questions; Conditions for change; Update; Document]
Key elements and activities of attribution assessments
When tackling your attribution assessment, it’s important to understand these foundational elements of your analysis:
Observable evidence of threat activity
Sources directly or indirectly supplying data points
Collection or visibility gaps influencing your analysis
Methodologies used and their potential limitations or biases
Assumptions identified or highlighted by peers or reviewers
Understanding these key elements bolsters your analysis, making it more robust and allowing a comprehensive examination of relevant evidence and assessments from both within and outside your organisation.
[Figure: key elements of an attribution assessment - Evidence: Infrastructure, TTPs, Victimology, Other data points; Sources: Direct, Indirect; Forms of analysis: Enrichment, Corroboration; Evaluate and analyse: identify and challenge assumptions related to the attribution assessment]
Conditions for change are signposts that prompt you to revisit your attribution assessment. These could include new infrastructure discoveries, TTPs and information from advisories or other official notifications about threat activity, as well as enhancements in your visibility of the threat.
[Figure: conditions for change within the attribution assessment cycle]
1. Identify conditions that would cause us to revisit our attribution assessment (e.g., to reaffirm our assessment or shift our view wholly or partially about a set of activity).
2. Identify how significant these changes would be and their potential cascading impact on other assessments about related threat activity.
3. Ensure we have ways to detect these conditions, adapt, and evolve.
Beyond imagining how these changes might appear, you need a change management process. This process modifies and cascades attribution updates where needed, like in internal knowledge repositories, threat libraries, and other tracking venues.
[Figure: update - Threat actor corpus (e.g., profile) and crosswalk of aliases; Historical reporting and references; Tools, libraries, repositories, and other venues]
Your change management process must also address formal documentation, including finished reports and information shared with third parties.
[Figure: document - Finished reporting; Formal tracking; External sharing]
Evaluating and analysing multiple attribution assessments
When analysing an external attribution assessment, you'll likely need to make assumptions about the other organisation's evidence, sources, and methods.
[Figure: evaluating an external attribution assessment - Evidence: what the other organisation provided or conveyed; Sources and methodology: what we know or can infer about the organisation's sources and methodology, and what the organisation shared; Gaps and questions: what we do not know about the other organisation's assessment, and what we would ask the organisation]
You might pivot from the evidence provided, layering in additional context and insights to integrate during your internal assessment process.
[Figure: questions to ask when comparing assessments - Can we conduct our own analysis and pivot based on what was provided by the other organisation? Can we corroborate or enrich the other organisation's findings based on our sources, tooling, expertise, and analytic capabilities? What assumptions do we have about the other organisation's assessment, as well as about our comparison?]
It's important to clearly identify and document what you know, what you don't, and what you've inferred: everything that affects your evaluation of the other organisation's assessment. Ideally, analysts would be able to connect, addressing questions and gaps to align and enrich both assessments whilst fostering a robust, collaborative view of the threat. This level of collaboration isn't always possible, so maintaining an inventory of questions, gaps, assumptions, and conditions for change is vital. These will shape your confidence level for the assessment itself.
We've created a high-level template for analysts. Use it for evaluating your own assessments or your organisation’s assessment against others. This template is flexible—adaptable for evaluation across multiple organisations and their attribution assessments.
Template (each row is completed for the Internal and External assessments):
Attribution assessment. Internal: our attribution assessment (if we have one, or if we need to weigh in on an external assessment). External: the attribution assessment conveyed by the external party.
Known aliases and relevant information on the threat actor or activity related to the assessment (e.g., have other groups previously provided analysis, assessments, or other information?). Internal; External.
Evidence. Internal; External.
Sources and methodology. Internal; External.
Gaps and assumptions. Internal; External.
Conditions for change. Internal; External.
Comparative analysis (what is similar, different, overlapping, etc., between attribution assessments). Internal; External.
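As an added illustration (not PwC's code and not part of the original article), a small Python model of the template above: each row becomes a field, compare() fills the comparative-analysis row and the gaps-and-questions inventory, and triggered_conditions() checks the conditions-for-change signposts against newly observed data. All actor names, observables and conditions are constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class Assessment:
    org: str                                    # organisation that made the assessment
    actor: str                                  # name that organisation uses
    aliases: set = field(default_factory=set)   # crosswalk of other known names
    evidence: dict = field(default_factory=dict)  # category -> set of observables
    sources: str = "indirect"                   # "direct" or "indirect" visibility
    gaps: list = field(default_factory=list)    # what we do not know
    assumptions: list = field(default_factory=list)
    conditions_for_change: dict = field(default_factory=dict)  # category -> signpost

def compare(internal, external):
    """Fill the comparative-analysis row: similar, different and overlapping evidence,
    plus the inventory of questions we would put to the other organisation."""
    names = {internal.actor, *internal.aliases}
    same_actor = bool(names & {external.actor, *external.aliases})
    result = {"same_actor_by_alias": same_actor, "overlap": {}, "internal_only": {},
              "external_only": {}, "questions": []}
    for cat in sorted(set(internal.evidence) | set(external.evidence)):
        ours = internal.evidence.get(cat, set())
        theirs = external.evidence.get(cat, set())
        result["overlap"][cat] = ours & theirs
        result["internal_only"][cat] = ours - theirs
        result["external_only"][cat] = theirs - ours
        if theirs - ours:  # evidence we cannot corroborate is a gap and a question
            result["questions"].append(
                f"Can we corroborate {external.org}'s {cat} findings from our own sources?")
    if not same_actor:
        result["questions"].append(
            f"Is {external.actor} the same cluster as {internal.actor}, or only overlapping?")
    return result

def triggered_conditions(a, new_observations):
    """Conditions for change: which signposts fire when genuinely new observables appear."""
    return [a.conditions_for_change[cat] for cat in sorted(new_observations)
            if cat in a.conditions_for_change and new_observations[cat] - a.evidence.get(cat, set())]

# Constructed sample assessments with placeholder names (not real actor profiles).
OURS = Assessment(org="us", actor="EXAMPLE-ACTOR-1", aliases={"VENDOR-NAME-1"},
                  evidence={"infrastructure": {"203.0.113.10", "example-c2.invalid"},
                            "ttps": {"T1566.001", "T1059.001"}, "victimology": {"ngo"}},
                  sources="direct", assumptions=["Vendor clusters on TTP overlap only"],
                  conditions_for_change={"infrastructure": "New infrastructure overlaps another cluster",
                                         "victimology": "Victim set expands beyond NGOs"})
THEIRS = Assessment(org="vendor", actor="VENDOR-NAME-1",
                    evidence={"infrastructure": {"203.0.113.10"}, "ttps": {"T1566.001", "T1105"},
                              "victimology": {"ngo", "think-tank"}}, gaps=["Collection method not stated"])
```

Running compare(OURS, THEIRS) lists the shared infrastructure, the TTP and victimology findings only the vendor reports, and the two corroboration questions those gaps generate; triggered_conditions(OURS, {"victimology": {"think-tank"}}) shows the victimology signpost firing.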
Attribution assessments are vital for understanding threat activity and strengthening your cyber defences. Intelligence analysis and tradecraft are essential in developing and refining these assessments, especially when there are multiple or conflicting threat actor names and evaluations. Our framework for comparative attribution empowers analysts, fostering rigorous tradecraft and collaboration. It gives us another opportunity to work together to understand, detect, mitigate, and respond to cyber threats.