Threat Actor Attribution & Profiling
Build comprehensive profiles of threat actors using digital footprints and TTPs.
Threat actor profiling combines technical analysis of intrusions with analysis of operator behaviour to attribute cyber attacks and anticipate what an actor is likely to do next. This advanced OSINT discipline helps security teams prioritise defences and respond effectively.
You'll learn to analyze tactics, techniques, and procedures (TTPs), track infrastructure reuse, correlate code signatures, examine language patterns, and build comprehensive threat actor profiles.
These skills are essential for cyber threat intelligence teams, incident responders, and security researchers tracking nation-state actors and cybercriminal groups.
MITRE ATT&CK: framework for understanding threat actor tactics and techniques
VirusTotal: malware analysis and threat intelligence aggregation
Shodan: search engine for internet-connected devices and infrastructure
PassiveTotal: investigate infrastructure and track threat actor campaigns
ThreatConnect: threat intelligence platform for correlation and analysis

1. Collect indicators of compromise (IOCs) from incidents: IPs, domains, hashes
2. Map TTPs to the MITRE ATT&CK framework to identify patterns
3. Track infrastructure reuse across multiple campaigns
4. Analyze malware code for unique signatures or coding styles
5. Examine operational security mistakes that reveal identity clues
6. Correlate timing patterns (working hours, holidays) to estimate timezone
7. Study language artifacts in code comments or ransom notes
8. Cross-reference with threat intelligence databases for known actors
9. Build a comprehensive profile including motivation, capability, and opportunity
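The following is an added worked example, not code from the original page or from any of the tools listed above. It carries steps 2, 3 and 6 through on two constructed campaign records: ATT&CK technique overlap as a Jaccard score, infrastructure reuse broken out by indicator type (a shared IP is treated as weaker than a reused TLS certificate or domain), and a working-hours fit that returns every UTC offset that explains the activity equally well rather than a single "answer". Every technique set, indicator, timestamp and threshold is made up for illustration; the confidence levels are an illustrative scheme, not a published standard, and the result links two campaigns to each other rather than naming the actor behind them.

```python
"""Link two intrusion campaigns using ATT&CK TTP overlap, infrastructure
reuse and working-hours timing.  All data below is constructed."""
from datetime import datetime, timedelta, timezone

# Constructed campaign records.  Addresses are RFC 5737 documentation
# ranges and domains use the reserved .example TLD, so nothing resolves.
CAMPAIGN_A = {
    "name": "Campaign-A",
    "techniques": {"T1566.001", "T1059.001", "T1071.001", "T1027", "T1547.001"},
    "infrastructure": {
        "ip": {"203.0.113.10", "203.0.113.44"},
        "domain": {"update-cdn.example", "mail-relay.example"},
        "cert_sha1": {"a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0"},
    },
    "activity_utc": [  # first-hand observations of operator actions, UTC
        "2024-03-04T01:10:00Z", "2024-03-04T03:30:00Z", "2024-03-05T05:45:00Z",
        "2024-03-06T07:20:00Z", "2024-03-07T09:40:00Z", "2024-03-08T02:00:00Z",
        "2024-03-09T04:00:00Z",  # a Saturday in UTC
    ],
}
CAMPAIGN_B = {
    "name": "Campaign-B",
    "techniques": {"T1566.001", "T1059.001", "T1071.001", "T1027", "T1486"},
    "infrastructure": {
        "ip": {"203.0.113.44", "198.51.100.7"},
        "domain": {"mail-relay.example", "billing-portal.example"},
        "cert_sha1": {"a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0"},
    },
    "activity_utc": [
        "2024-03-11T01:30:00Z", "2024-03-12T04:00:00Z", "2024-03-13T06:30:00Z",
        "2024-03-14T09:30:00Z", "2024-03-15T08:00:00Z",
    ],
}


def parse_utc(ts):
    """Parse an ISO 8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ttp_similarity(a, b):
    """Jaccard similarity of the two campaigns' ATT&CK technique sets."""
    ta, tb = a["techniques"], b["techniques"]
    return len(ta & tb) / len(ta | tb) if (ta | tb) else 0.0


def infra_overlap(a, b):
    """Indicators of each type (ip, domain, cert_sha1) seen in both campaigns."""
    shared = {}
    for kind, values in a["infrastructure"].items():
        common = values & b["infrastructure"].get(kind, set())
        if common:
            shared[kind] = common
    return shared


def estimate_utc_offsets(timestamps, work_start=9, work_end=18):
    """Return (hits, offsets): the whole-hour UTC offsets (-12..+14) under
    which the most timestamps land on a weekday between work_start and
    work_end local time.  Several offsets often tie, so a list is
    returned: timing narrows to a region, not a city."""
    stamps = [parse_utc(t) for t in timestamps]
    scores = {}
    for offset in range(-12, 15):
        tz = timezone(timedelta(hours=offset))
        hits = 0
        for s in stamps:
            local = s.astimezone(tz)
            if local.weekday() < 5 and work_start <= local.hour < work_end:
                hits += 1
        scores[offset] = hits
    best = max(scores.values())
    return best, sorted(o for o, n in scores.items() if n == best)


def assess_linkage(a, b, ttp_threshold=0.5):
    """Combine the three lines of evidence into a linkage confidence.
    Thresholds and levels are illustrative, not a published standard."""
    evidence, caveats = [], []
    sim = ttp_similarity(a, b)
    if sim >= ttp_threshold:
        evidence.append(f"TTP overlap (Jaccard {sim:.2f})")
    shared = infra_overlap(a, b)
    # A shared IP alone is weak: commodity and bulletproof hosts serve many
    # unrelated tenants.  A reused certificate or domain is harder to explain away.
    strong = sorted(k for k in shared if k != "ip")
    if strong:
        evidence.append("reused infrastructure: " + ", ".join(strong))
    elif shared:
        caveats.append("shared IP only; check whether it is shared hosting")
    _, tz_a = estimate_utc_offsets(a["activity_utc"])
    _, tz_b = estimate_utc_offsets(b["activity_utc"])
    tz_common = sorted(set(tz_a) & set(tz_b))
    if tz_common:
        evidence.append("compatible working hours (UTC"
                        + "/".join(f"{o:+d}" for o in tz_common) + ")")
    levels = {0: "unlinked", 1: "low", 2: "medium", 3: "high"}
    return {
        "ttp_similarity": round(sim, 3),
        "shared_infrastructure": shared,
        "utc_offsets": {a["name"]: tz_a, b["name"]: tz_b},
        "evidence": evidence,
        "caveats": caveats,
        "confidence": levels[len(evidence)],
    }


if __name__ == "__main__":
    for key, value in assess_linkage(CAMPAIGN_A, CAMPAIGN_B).items():
        print(f"{key}: {value}")
```

Run it as a script to see the full assessment for the two constructed campaigns. The design choice worth copying is that each line of evidence is scored independently and the weak signal (a single shared IP) goes into caveats rather than raising confidence; that is what keeps a shared hosting provider or a sold tool from turning two unrelated intrusions into one actor on paper.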
Attribution is difficult: avoid jumping to conclusions without strong evidence corroborated by several independent lines (TTPs, infrastructure, code, timing, language)
Nation-state actors may deliberately false-flag their operations, for example by using borrowed tooling or planting foreign-language strings, to mislead investigators
Infrastructure reuse (registrant details, TLS certificates, server fingerprints, C2 naming conventions) is one of the stronger attribution indicators, but a shared IP on commodity or bulletproof hosting can belong to many unrelated tenants
Pay attention to OPSEC mistakes; even sophisticated actors make errors, such as reusing a handle, email address or registrant record between personal and operational accounts
Code similarity doesn't always mean the same actor: tools get reused, sold and leaked
Timing analysis (first-hand activity timestamps, compile times, commit times) can suggest a timezone and working pattern, but compile and commit timestamps are easily forged, so weight timestamps you observed yourself more heavily
Language analysis of text (ransom notes, code comments, error strings) can indicate a native-speaker region, but machine translation and deliberate mimicry blur the signal
Track cryptocurrency wallets associated with ransomware groups; payment addresses reused across victims link otherwise separate incidents
Maintain detailed timelines of actor activities and campaigns
Tips from the community's experience:
I've found that combining multiple reverse image search engines in parallel significantly improves results. Don't rely on just one!
Always document your methodology step-by-step. This helps with reproducibility and explaining your findings to others.