Palo Alto Unit 42’s Attribution Framework

4 min read · Aug 3, 2025

Intro

The Unit 42 Attribution Framework by Palo Alto Networks provides a structured, evidence-based method for attributing cyber threat activity.

It represents a systematic approach to analyzing threat data and supports attributing observed activity to formally named threat actors, temporary threat groups, or activity clusters.

The Attribution Framework promotes analytical rigor and transparency by enabling tiered tracking of threat actors with appropriate confidence. Its purpose is to serve as a model for other threat research teams.

Attribution Framework and MITRE ATT&CK

The Unit 42 Attribution Framework and the MITRE ATT&CK® Framework are complementary, not competing — they serve different but interrelated purposes in the realm of cyber threat intelligence.

Purpose & Scope

MITRE ATT&CK provides the language and structure for describing adversary behaviors (e.g., T1059, Command and Scripting Interpreter). Unit 42 uses these behaviors (TTPs) as evidence in its multi-phase attribution process, from activity clusters through temporary threat groups to named actors.

Unit 42 analysts may track an adversary that consistently uses T1055 – Process Injection, T1566 – Phishing, and a unique PowerShell loader. These ATT&CK techniques become part of the TTP pattern that strengthens the link between observed activity and a known actor (e.g., Stately Taurus).

Framework Differences and Intersections

MITRE ATT&CK is the “what” and “how”, while
Unit 42 Attribution Framework is the “who” and “why”.

Together, they form a powerful combination for threat detection, analysis, and strategic response.

Detection Phase: SOC teams use MITRE ATT&CK to identify and categorize the tactics and techniques observed in incident data.

Analysis & Attribution Phase: Threat intelligence teams feed these categorized TTPs into the Unit 42 Attribution Framework to:

  • Group into clusters or temporary groups.
  • Compare against historical actor profiles.
  • Assign motivation and confidence scores.

Strategic Reporting: Use the output of attribution to:

  • Publish APT reports.
  • Inform geopolitics or cybercrime risk assessments.
  • Guide long-term defensive strategy.

MITRE ATT&CK helps answer “How are adversaries operating?”, “What techniques should we watch for?” and “Where are our detection gaps?”

The Unit 42 Attribution Framework takes those categorized behaviors as input and answers the questions ATT&CK alone cannot: “Who is likely behind these operations?”, “Which actor or campaign do these behaviors belong to?” and “How persistent or coordinated is this actor?”

Purpose and Philosophy of the attribution framework

Traditionally, threat attribution has been ad hoc and informal. Unit 42 introduces this framework to standardize attribution and bring rigor to it. It integrates the Diamond Model of Intrusion Analysis and the Admiralty System (source reliability graded A to F, information credibility graded 1 to 6) for scoring the reliability and credibility of sources and evidence.

Levels of Attribution

Activity Cluster (CL- prefixed)

Attribution begins by assigning observed activity to a cluster, either by creating a new cluster or by linking the activity to a pre-existing one.

  • Entry-level grouping of related cyber events.
  • Based on overlapping IoCs, TTPs, infrastructure, and victimology.
  • Does not require knowledge of the full attack lifecycle or actor identity.

Example: CL-STA-0001 (suspected state-sponsored cluster)

Temporary Threat Group (TGR- prefixed)

Establishing temporary threat groups enables more focused tracking and analysis of a threat actor’s operations while we develop the intelligence picture further.

  • Elevated from clusters when evidence points to a single actor.
  • Requires Diamond Model mapping (adversary, infrastructure, capability, victim).
  • Must be observed for at least 6 months to ensure persistence.

Example: TGR-CRI-0002 (crime-motivated group)

Named Threat Actor

Publicly associating an attack with a specific threat actor or country of origin can have significant repercussions. For example, destructive threat actors might launch retaliatory attacks.

If an association is incorrect, this could lead to intelligence consumers misprioritizing security controls. Any public mention of an association between activity and a named threat actor must include appropriate estimative language to convey our confidence levels regarding the connection. This prevents misattribution within the community and misspent resources from our stakeholders.

  • Requires strong, corroborated evidence from multiple reliable sources.
  • Named using the Unit 42 constellation naming schema.
  • Attributes motivations, infrastructure, TTPs, and targeting over time.

Attribution Criteria

Unit 42 uses the following categories to evaluate and elevate clusters:

TTPs (Tactics, Techniques & Procedures): From general (e.g., malware usage) to procedural specifics (e.g., commands/configs).

Infrastructure & Tooling: Includes IPs, domains, DNS/WHOIS patterns, and custom toolkits. Deep analysis of shared infrastructure and code similarities is vital.

Targeting & Victimology: Common sectors, regions, or objectives (e.g., espionage, disruption), together with victim characteristics and the motives behind their exploitation.

Timeline Analysis: Temporal proximity for clusters and correlation with geopolitical/industry events for groups. Sustained, long-term operations for named actors.

OPSEC Mistakes: Coding typos, developer handles, and exposed infrastructure can reveal identity.
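The following Python is an added example, not code from the SOCFortress post or from Unit 42. It sketches the Analysis & Attribution steps described earlier (link new activity to a cluster, compare against known profiles, assign a confidence label) using the criteria just listed, and adds the gate a review board would apply before elevating a CL- cluster. The category weights, the link threshold, the confidence cut-offs, the Admiralty cut-off for "corroborating" evidence, the sample cluster contents, and the source names are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Admiralty System grades: source reliability A-F, information credibility 1-6.
# Assumed cut-off: only A/B sources reporting 1/2-credibility information corroborate.
RELIABLE_SOURCES, CREDIBLE_INFO = {"A", "B"}, {"1", "2"}

# Identifier schema as shown in the post: CL- (cluster) or TGR- (temporary group),
# a motivation code (STA state, CRI crime, UNK unknown) and a four-digit number.
ID_RE = re.compile(r"^(CL|TGR)-(STA|CRI|UNK)-\d{4}$")

# Assumed weights per criterion category; TTP and infrastructure overlap dominate.
WEIGHTS = {"ttp": 0.5, "infrastructure": 0.3, "victimology": 0.2}

@dataclass
class Evidence:
    kind: str         # "ttp", "infrastructure", "victimology", "timeline" or "opsec"
    value: str        # e.g. "T1055", "203.0.113.0/24", "gov:Myanmar"
    source: str       # report or telemetry stream that produced it (constructed names)
    reliability: str  # Admiralty A-F
    credibility: str  # Admiralty 1-6

    def corroborating(self) -> bool:
        return self.reliability in RELIABLE_SOURCES and self.credibility in CREDIBLE_INFO

@dataclass
class Cluster:
    cluster_id: str
    evidence: list = field(default_factory=list)
    diamond: dict = field(default_factory=dict)  # Diamond Model vertex -> summary

    def facet(self, kind: str) -> set:
        return {e.value for e in self.evidence if e.kind == kind}

def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0

def similarity(new: Cluster, existing: Cluster) -> float:
    """Weighted overlap of TTPs, infrastructure and victimology between two clusters."""
    return sum(w * jaccard(new.facet(k), existing.facet(k)) for k, w in WEIGHTS.items())

def confidence(score: float) -> str:
    """Estimative language for a link score (thresholds are assumptions)."""
    return "high" if score >= 0.8 else "moderate" if score >= 0.6 else "low"

def link_activity(new: Cluster, clusters: list, threshold: float = 0.6):
    """Best-matching cluster id and its score; the id is None below the threshold."""
    score, best = max((similarity(new, c), c.cluster_id) for c in clusters)
    return (best if score >= threshold else None), score

def promotion_gate(cluster: Cluster) -> list:
    """Blockers for elevating a cluster: schema-conformant id, all four Diamond Model
    vertices mapped, corroborating evidence from at least two distinct reliable sources."""
    problems = []
    if not ID_RE.match(cluster.cluster_id):
        problems.append("identifier does not follow the CL-/TGR- schema")
    missing = {"adversary", "infrastructure", "capability", "victim"} - set(cluster.diamond)
    if missing:
        problems.append(f"Diamond Model vertices missing: {sorted(missing)}")
    sources = {e.source for e in cluster.evidence if e.corroborating()}
    if len(sources) < 2:
        problems.append(f"only {len(sources)} reliable corroborating source(s), need 2")
    return problems

def ev(kind, value, source, grade):  # grade written as "A1", "B2", "C3", ...
    return Evidence(kind, value, source, grade[0], grade[1])

# Constructed sample data; 203.0.113.0/24, 198.51.100.7 and .example are reserved
# documentation values, and the source names are made up.
KNOWN = Cluster("CL-STA-0001", evidence=[
    ev("ttp", "T1055", "edr-telemetry", "A1"),
    ev("ttp", "T1566.001", "edr-telemetry", "A1"),
    ev("ttp", "T1059.001", "partner-report", "B2"),
    ev("infrastructure", "203.0.113.0/24", "partner-report", "B2"),
    ev("infrastructure", "update-cdn.example", "osint-blog", "C3"),
    ev("victimology", "gov:Myanmar", "edr-telemetry", "A1"),
    ev("victimology", "gov:Philippines", "osint-blog", "C3"),
], diamond={"infrastructure": "203.0.113.0/24 C2 range", "capability": "custom PowerShell loader",
            "victim": "Southeast Asian government ministries"})  # "adversary" not yet mapped

CRIME = Cluster("TGR-CRI-0002", evidence=[
    ev("ttp", "T1486", "ir-engagement", "A1"), ev("ttp", "T1566.001", "ir-engagement", "A1"),
    ev("infrastructure", "198.51.100.7", "ir-engagement", "A1"),
    ev("victimology", "healthcare:US", "ir-engagement", "A1"),
], diamond={"adversary": "ransomware affiliate", "infrastructure": "198.51.100.7",
            "capability": "commodity ransomware", "victim": "US healthcare providers"})

INCIDENT = Cluster("incident-2025-08-03", evidence=[  # new activity, not yet a cluster
    ev("ttp", "T1055", "edr-telemetry", "A1"), ev("ttp", "T1566.001", "edr-telemetry", "A1"),
    ev("ttp", "T1059.001", "edr-telemetry", "A1"), ev("ttp", "T1071.001", "edr-telemetry", "A1"),
    ev("infrastructure", "203.0.113.0/24", "edr-telemetry", "A1"),
    ev("victimology", "gov:Myanmar", "edr-telemetry", "A1"),
])

if __name__ == "__main__":
    linked, score = link_activity(INCIDENT, [KNOWN, CRIME])
    print(f"linked to {linked} (score {score:.3f}, {confidence(score)} confidence)")
    print("CL-STA-0001 elevation blockers:", promotion_gate(KNOWN))
```

With this data the incident links to CL-STA-0001 at moderate confidence (the crime group shares only the phishing technique), while the gate still blocks elevating CL-STA-0001 because its Diamond Model has no adversary vertex, and blocks TGR-CRI-0002 because every piece of reliable evidence comes from a single engagement. The point is not the numbers but the shape: the criteria are weighted separately, the Admiralty grade filters what counts as corroboration, and the gate's output is a list of concrete reasons a review board can act on.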

Minimum Standards and Cautions

Attribution can carry political and operational consequences. Public disclosures require estimative language (e.g., high/medium/low confidence). It is important to avoid premature promotion of clusters or groups without strong evidence, which is why the framework recommends that an internal Attribution Review Board assess the evidence and justifications before any elevation.

Need Help?

The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

Written by SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).