The Unit 42 Attribution Framework provides a systematic approach to attributing threat activity by categorizing observed behaviors into activity clusters, temporary threat groups, and named threat actors with varying confidence levels. This framework enhances transparency, consistency, and accuracy in threat actor attribution, leveraging the Admiralty System for evaluating source reliability and information credibility. #Unit42AttributionFramework #StatelyTaurus #Bookworm
Key points
- The Unit 42 Attribution Framework categorizes threat activity into three levels: activity clusters, temporary threat groups, and named threat actors, enhancing systematic threat analysis.
- Attribution incorporates multiple data types including TTPs, malware analysis, infrastructure, victimology, and timeline data.
- The Admiralty System is used to assign reliability and credibility scores to evidence, improving confidence in attribution decisions.
- Activity clusters group related events based on shared indicators, motivation, or targeting without requiring full actor identification.
- Temporary threat groups are established after at least six months of observing persistent, consistent behavior linked to a single actor.
- Named threat actors require high-confidence evidence from multiple reliable sources mapped across the Diamond Model’s four vertices (adversary, infrastructure, capability, victim).
- The framework includes rigorous verification processes supporting transparency, reproducibility, and mitigation of biases and false flags.
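As an added illustration, not code from the Unit 42 post, the tiering criteria above expressed as a small Python model: each evidence item carries an Admiralty reliability/credibility grade and the Diamond Model vertex it supports, and a cluster is promoted only when the stated conditions hold. The high-confidence threshold (grades A/B with 1/2), the 180-day approximation of six months, and the source labels are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Admiralty System grades: reliability A (completely reliable) .. F (cannot be
# judged); credibility 1 (confirmed) .. 6 (cannot be judged).
RELIABILITY, CREDIBILITY = "ABCDEF", "123456"
VERTICES = frozenset({"adversary", "infrastructure", "capability", "victim"})  # Diamond Model
SIX_MONTHS_DAYS = 180  # assumption: "at least six months" approximated as 180 days

@dataclass
class Evidence:
    vertex: str       # Diamond Model vertex this item supports
    source: str       # hypothetical source label (assumption)
    reliability: str  # Admiralty letter
    credibility: str  # Admiralty digit
    observed: date

    def __post_init__(self):
        if self.vertex not in VERTICES:
            raise ValueError(f"unknown Diamond Model vertex: {self.vertex}")
        if self.reliability not in RELIABILITY or self.credibility not in CREDIBILITY:
            raise ValueError(f"bad Admiralty grade: {self.reliability}{self.credibility}")

    def high_confidence(self) -> bool:
        # Assumed threshold: "usually reliable" or better and "probably true" or better.
        return self.reliability in "AB" and self.credibility in "12"

def attribution_tier(evidence: list) -> str:
    """Return the framework tier the evidence currently supports."""
    if not evidence:
        return "unattributed"
    strong = [e for e in evidence if e.high_confidence()]
    # Named actor: high-confidence evidence on all four vertices from more than one source.
    if {e.vertex for e in strong} == VERTICES and len({e.source for e in strong}) >= 2:
        return "named threat actor"
    # Temporary threat group: persistent, consistent behaviour for at least six months.
    dates = [e.observed for e in evidence]
    if (max(dates) - min(dates)).days >= SIX_MONTHS_DAYS:
        return "temporary threat group"
    return "activity cluster"

# Constructed sample: a phishing cluster against a financial institution, grown over time.
SAMPLE = [
    Evidence("capability", "sandbox", "A", "1", date(2024, 1, 10)),       # attachment hash
    Evidence("victim", "incident-response", "B", "2", date(2024, 1, 12)),  # targeted bank
    Evidence("infrastructure", "passive-dns", "B", "2", date(2024, 8, 3)),  # shared C2 IP
    Evidence("adversary", "open-source", "D", "4", date(2024, 9, 1)),      # doubtful report
]
```

With the sample as given, the doubtful D4 adversary report keeps the cluster at "temporary threat group"; only a corroborating high-confidence adversary item from a second source lifts it to a named actor.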
MITRE Techniques
- [T1566] Phishing – Used in initial examples illustrating activity clusters, such as phishing emails targeting financial institutions containing malicious attachments (“A phishing email targeting a financial institution containing a malicious attachment with a file that has a specific SHA256 hash”).
- [T1071] Application Layer Protocol – Implied in infrastructure analysis where C2 communication via web servers is discussed (“A specific, non-standard setup of a web server used for C2 communication”).
- [T1059] Command and Scripting Interpreter – Referenced under tooling and commands within TTP analysis to identify unique procedures and tool configurations.
Indicators of Compromise
- [File Hash] Example hashes related to a Bookworm malware variant – multiple SHA256 hashes linked to both the malware and Stately Taurus infrastructure.
- [Infrastructure] IP addresses and domains – shared IP addresses and suspicious domain registrations used to group activity clusters and temporary threat groups.
- [Email] Malicious phishing email attachments – used as initial evidence in activity clusters targeting financial institutions.
Read more: https://unit42.paloaltonetworks.com/unit-42-attribution-framework/