Threat Actor Profiles: How to Read Threat Intelligence
Definition
A threat actor profile is a structured assessment of a specific adversary: who they are, what motivates them, who they target, what techniques they use, and what infrastructure they operate. Threat actor profiles are the building blocks of strategic and operational threat intelligence. They answer the questions that generic security controls cannot: who is most likely to attack us, and how will they do it?
The cybersecurity industry produces enormous volumes of threat intelligence: vendor reports, government advisories, ISAC alerts, and open-source analysis. The challenge is not the availability of intelligence. It is the ability to consume, evaluate, and operationalize it. A 50-page APT report that a SOC analyst cannot interpret in 30 minutes is intelligence that does not improve defense. A structured understanding of how threat actor profiles work, what the naming conventions mean, what the confidence levels indicate, and how to extract actionable information from a report transforms intelligence from background reading into operational input.
This article is the practitioner guide to reading and using threat intelligence.
How It Works
Threat Actor Categories
Threat actors are categorized by motivation, which determines their targeting, techniques, and operational patterns:
Nation-state actors (APTs). Government-sponsored groups that conduct espionage, pre-positioning, and destructive operations. Motivated by national strategic objectives: intelligence collection, military advantage, economic competitiveness, and geopolitical influence. Characteristics: high sophistication, long-term persistence, significant resources, willingness to develop and use zero-day exploits. Examples: APT29 (Russia/SVR), APT41 (China/MSS), Lazarus Group (North Korea), APT33 (Iran).
Cybercriminal groups. Financially motivated organizations that conduct ransomware, data theft, financial fraud, and extortion. Operate as businesses: revenue targets, organizational structures, customer service (for ransom negotiation), and product development (ransomware platform improvements). Examples: LockBit, BlackCat/ALPHV, Cl0p, FIN7, Evil Corp.
Hacktivists. Politically or ideologically motivated groups that conduct defacement, DDoS, data leaks, and disruptive attacks to advance a cause. Lower sophistication than nation-state actors but capable of significant disruption. Examples: Anonymous, KillNet (pro-Russia), IT Army of Ukraine, various hacktivist collectives aligned with geopolitical conflicts.
Insider threats. Individuals with authorized access who use that access for unauthorized purposes. Motivated by financial gain, grievance, ideology, or coercion. Not external threat actors but included in threat profiling because their access model and detection requirements differ fundamentally from external threats.
Naming Conventions
The cybersecurity industry uses multiple naming conventions for the same threat actors, which creates confusion. Understanding the conventions enables cross-referencing between reports from different vendors:
Government designations. APT (Advanced Persistent Threat) numbers assigned by Mandiant (APT1 through APT43+). Originally the most widely used naming convention. APT29 = Russia/SVR. APT41 = China/MSS. APT38 = North Korea/Lazarus financial operations.
Microsoft naming convention (2023+). Weather-themed names organized by nation-state: Blizzard (Russia), Typhoon (China), Sandstorm (Iran), Sleet (North Korea), Tempest (financially motivated), Storm (developing/unattributed). Midnight Blizzard = APT29. Volt Typhoon = China/critical infrastructure pre-positioning. Salt Typhoon = China/telecommunications.
CrowdStrike naming convention. Animal-themed names organized by nation-state: Bear (Russia), Panda (China), Kitten (Iran), Chollima (North Korea), Spider (cybercriminal). Cozy Bear = APT29. Fancy Bear = APT28/GRU Unit 26165. Wicked Panda = APT41.
Other vendor names. Kaspersky, ESET, Symantec, Recorded Future, and other vendors use their own naming conventions. A single threat group may have 5 to 10 names across different vendor reports. The MITRE ATT&CK Groups page cross-references names: searching "APT29" shows all known aliases (Cozy Bear, The Dukes, Midnight Blizzard, UNC2452, Nobelium, etc.).
Cross-referencing tip: When reading a threat intelligence report, identify the actor name, then check the MITRE ATT&CK Groups page for aliases. This enables cross-referencing with reports from other vendors that may use different names for the same group.
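The cross-referencing step above, as an added example that is not part of the original article: a small alias resolver that maps vendor names to one canonical identifier and reads the sponsor or motive encoded in a Microsoft or CrowdStrike suffix. The alias table is constructed from the names this article lists; a production version would be populated from the MITRE ATT&CK Groups page.

```python
import re

# Constructed alias table (canonical Mandiant name -> aliases named in this article);
# a production version would be populated from the MITRE ATT&CK Groups page.
ALIASES = {
    "APT29": ["Cozy Bear", "The Dukes", "Midnight Blizzard", "UNC2452", "Nobelium"],
    "APT28": ["Fancy Bear"],
    "APT41": ["Wicked Panda"],
}
# Vendor suffix conventions: Microsoft weather terms and CrowdStrike animals,
# each encoding the sponsoring state or the motive.
MICROSOFT_SUFFIXES = {"blizzard": "Russia", "typhoon": "China", "sandstorm": "Iran",
                      "sleet": "North Korea", "tempest": "financially motivated",
                      "storm": "developing/unattributed"}
CROWDSTRIKE_SUFFIXES = {"bear": "Russia", "panda": "China", "kitten": "Iran",
                        "chollima": "North Korea", "spider": "cybercriminal"}

def normalize(name):
    """Lower-case and collapse punctuation/whitespace so 'Cozy  Bear' and 'cozy-bear' match."""
    return re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()

# Reverse index built once: normalised alias -> canonical name.
_LOOKUP = {normalize(canon): canon for canon in ALIASES}
for _canon, _names in ALIASES.items():
    for _alias in _names:
        _LOOKUP[normalize(_alias)] = _canon

def canonical_name(name):
    """Return the canonical name for any known alias, or None if the name is not in the table."""
    return _LOOKUP.get(normalize(name))

def infer_origin(name):
    """Infer sponsor or motive from a Microsoft/CrowdStrike suffix alone.
    Works for actors missing from the alias table (e.g. 'Volt Typhoon' -> 'China')."""
    words = normalize(name).split()
    if not words:
        return None
    return MICROSOFT_SUFFIXES.get(words[-1]) or CROWDSTRIKE_SUFFIXES.get(words[-1])

def cross_reference(names):
    """Group actor names drawn from several vendor reports by canonical identifier.
    Names with no known alias keep their own name as the group key."""
    groups = {}
    for n in names:
        groups.setdefault(canonical_name(n) or n, set()).add(n)
    return groups
```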
The Diamond Model
The Diamond Model of Intrusion Analysis provides the analytical framework for understanding threat actor operations. Every intrusion has four vertices:
Adversary. The threat actor conducting the operation: their identity (if known), their organizational affiliation, their motivation, and their capability level.
Infrastructure. The systems the adversary uses to conduct the operation: C2 servers, exploit delivery servers, phishing domains, VPN infrastructure, and compromised systems used as hop points. Infrastructure is the most observable and most changeable vertex: adversaries rotate infrastructure frequently to evade blocking.
Capability. The tools and techniques the adversary uses: malware families, exploit kits, living-off-the-land tools, and the specific ATT&CK techniques employed. Capability is more stable than infrastructure: an adversary may change their C2 server daily but continue using the same exploitation technique for months.
Victim. The target of the operation: the organization, the sector, the geography, and the specific systems or data targeted. Victim profiling reveals the adversary's strategic objectives (targeting pharmaceutical companies suggests IP theft; targeting critical infrastructure suggests pre-positioning).
The Diamond Model enables analysts to pivot between vertices: a known adversary (APT29) maps to known capabilities (SAML token forging, OAuth abuse), which maps to known infrastructure (C2 domains with specific registration patterns), which maps to expected victims (government agencies, technology companies). Each vertex provides a detection or defense opportunity.
Reading a Threat Intelligence Report
A well-structured threat intelligence report contains several standard elements. Knowing what to look for enables rapid extraction of actionable information:
Executive summary. 1 to 3 paragraphs describing who did what, to whom, using which techniques. Read this first. If the actor does not target your industry or geography, the report is informational, not actionable.
Attribution and confidence. Who is the report attributing the activity to? What is the confidence level? Intelligence reports use a confidence scale: high confidence (multiple independent sources, consistent technical evidence, corroborated by government attribution), moderate confidence (strong technical evidence but limited corroboration), and low confidence (circumstantial evidence, single-source, or analytical inference). Low confidence does not mean wrong. It means the evidence is insufficient for high certainty.
Victimology. Which sectors, geographies, and organization types are targeted? If the report describes targeting of financial services in Southeast Asia and you are a healthcare organization in North Carolina, the report is lower priority for your specific defense. If the report describes targeting of healthcare organizations in the United States, it is high priority.
Techniques (TTPs). The ATT&CK techniques the actor used. This is the most operationally actionable section. Each technique should be mapped to your detection coverage: do your SIEM rules detect this technique? If not, add it to the detection engineering backlog. Each technique should be mapped to your preventive controls: do your controls prevent this technique? If not, add it to the hardening backlog.
Indicators of compromise (IOCs). IP addresses, domain names, file hashes, email addresses, URLs, and other observables associated with the campaign. IOCs are the most immediately actionable element: load them into the SIEM, firewall, DNS filter, and email gateway for blocking and detection. IOC limitation: adversaries rotate infrastructure frequently. IOCs from a report published last week may already be stale. Techniques persist longer than infrastructure.
Mitigations and recommendations. The report's suggested defenses. Evaluate against your current controls: are the recommended mitigations already implemented? If not, prioritize them based on the actor's relevance to your threat profile.
From Report to Action
The workflow for operationalizing a threat intelligence report:
Step 1: Relevance assessment (5 minutes). Read the executive summary and victimology. Does this actor target our industry, geography, or technology stack? If no, file for awareness. If yes, proceed.
Step 2: IOC deployment (15 minutes). Extract IOCs and deploy to blocking and detection infrastructure: SIEM watchlists, firewall blocklists, DNS filter, email gateway. Automate this through the TIP (Threat Intelligence Platform) where possible.
Step 3: Detection gap assessment (30 minutes). Map the reported ATT&CK techniques against your detection coverage. For each technique: do we detect this? If yes, validate the rule is active and tuned. If no, add to the detection engineering backlog with the actor attribution as context (prioritize techniques used by actors that target your sector).
Step 4: Hunting hypothesis (variable). If the report describes a campaign that is currently active against your sector, form a hunting hypothesis: "If this actor targeted our environment using [technique], we would expect to see [evidence] in [data source]." Execute the hunt. Document the results.
Step 5: Control gap assessment (30 minutes). Review the report's mitigations against your current controls. Are the recommended preventive controls implemented? If not, add to the hardening backlog with the actor attribution as justification.
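The five-step workflow above as a triage routine, added here as an example and not code from the article or from CDA. The report, the organisation profile, the 14-day IOC staleness threshold and the log-source mapping are all constructed assumptions; technique identifiers use the ATT&CK ID format.

```python
from collections import namedtuple
from datetime import date

IOC_MAX_AGE_DAYS = 14  # assumption: indicators older than two weeks are treated as rotated

# techniques: ATT&CK ID -> short name; iocs: indicator -> date first published
Report = namedtuple("Report", "actor sectors geographies techniques iocs mitigations")
# detections: technique IDs with an active SIEM rule; data_sources: technique ID -> log source
OrgProfile = namedtuple("OrgProfile", "sector geography detections controls data_sources")

def is_relevant(r, org):
    """Step 1: does the actor target our sector or geography?"""
    return org.sector in r.sectors or org.geography in r.geographies

def fresh_iocs(r, today):
    """Step 2: indicators young enough to deploy; older ones have probably been rotated."""
    return sorted(i for i, seen in r.iocs.items() if (today - seen).days <= IOC_MAX_AGE_DAYS)

def detection_gaps(r, org):
    """Step 3: reported techniques with no active detection rule (detection engineering backlog)."""
    return sorted(t for t in r.techniques if t not in org.detections)

def hunting_hypotheses(r, org):
    """Step 4: one hypothesis per technique for which we know where the evidence would land."""
    return [f"If {r.actor} used {r.techniques[t]} ({t}) against us, expect evidence in {org.data_sources[t]}"
            for t in r.techniques if t in org.data_sources]

def control_gaps(r, org):
    """Step 5: recommended mitigations not yet implemented (hardening backlog)."""
    return sorted(r.mitigations - org.controls)

def triage(r, org, today):
    """Run all five steps; an irrelevant report is filed for awareness only."""
    if not is_relevant(r, org):
        return {"action": "file for awareness", "actor": r.actor}
    return {"action": "operationalize", "actor": r.actor, "deploy_iocs": fresh_iocs(r, today),
            "detection_backlog": detection_gaps(r, org), "hunts": hunting_hypotheses(r, org),
            "hardening_backlog": control_gaps(r, org)}

# Constructed sample input: documentation-range IP and .invalid domain, not real indicators.
SAMPLE_REPORT = Report("APT29", {"government", "technology"}, {"United States"},
    {"T1566": "Phishing", "T1606.002": "SAML token forging", "T1078": "Valid Accounts"},
    {"203.0.113.10": date(2024, 5, 1), "c2.example.invalid": date(2024, 5, 12)},
    {"MFA for all accounts", "Conditional access policies", "SAML signing key rotation"})
SAMPLE_ORG = OrgProfile("technology", "United States", {"T1566"}, {"MFA for all accounts"},
    {"T1566": "email gateway logs", "T1078": "identity provider sign-in logs"})
SAMPLE_TODAY = date(2024, 5, 20)  # assumed date the report is being triaged
```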
Why It Matters
Threat-Informed Defense
Generic security programs distribute controls evenly across all possible threats. Threat-informed programs concentrate controls on the specific threats most likely to target the organization. The difference is efficiency: a healthcare organization that prioritizes detection for FIN12 and APT41 techniques (actors that specifically target healthcare) achieves better defense per dollar than one that distributes detection equally across all 200+ ATT&CK techniques.
Threat actor profiles provide the targeting data that enables this prioritization. Without profiles, every technique must be treated as equally likely. With profiles, the techniques used by actors that target your organization are higher priority.
Intelligence Is Perishable
IOCs decay within days to weeks. Techniques evolve over months. Strategic assessments shift over quarters. Intelligence that is not consumed, evaluated, and operationalized promptly loses value. A report about an active campaign published Monday is actionable Monday. By Friday, the adversary may have rotated their infrastructure. The techniques, however, remain relevant for months. Prioritize technique-based defense (MITRE ATT&CK detection rules) over IOC-based defense (IP/domain blocklists) because techniques persist longer.
Attribution Informs Response
Knowing who attacked you informs the response. A ransomware event attributed to a sanctioned entity affects the ransom payment decision (OFAC sanctions risk). An espionage campaign attributed to a nation-state affects the notification and disclosure calculus. A financially motivated criminal affects the law enforcement referral strategy. Attribution is not always achievable and is not required for technical response, but when available, it improves every decision downstream.
CDA Perspective
Threat actor profiling sits in the TID (Threat Intelligence and Defense) domain of the Planetary Defense Model. CDA's Predictive Defense Intelligence (PDI) methodology uses threat actor profiles as the primary input to client-specific threat assessments. "See the threat before it sees you." The speculatores identified the specific barbarian tribes approaching the frontier, their numbers, their weapons, and their likely route. CDA identifies the specific threat actors targeting the client's industry, their techniques, and their likely attack path.
TID-R01 (Threat Landscape Assessment, 20 estimated hours) produces the client-specific threat actor profile: which actors target this industry and geography, which techniques they use, and which of those techniques the client's current detection covers. The delta between the actor's techniques and the client's detection coverage is the prioritized detection engineering backlog that TID-H01 addresses.
CDA approaches threat intelligence with one principle: operationalize or archive. Intelligence that produces a detection rule, a hunting hypothesis, a hardening action, or a risk assessment update is operationalized. Intelligence that is read and filed without action is archived. Every report that crosses the analyst's desk produces one of these outcomes. Nothing is consumed without a decision.
Key Takeaways
- Threat actor profiles describe who adversaries are, what motivates them, who they target, and what techniques they use. They are the building blocks of threat-informed defense.
- Multiple naming conventions exist for the same actors. Use MITRE ATT&CK Groups as the cross-reference. Microsoft uses weather themes by nation. CrowdStrike uses animals. Mandiant uses APT numbers.
- The Diamond Model (adversary, infrastructure, capability, victim) provides the analytical framework for understanding and pivoting between threat actor attributes.
- When reading a threat intelligence report: assess relevance (5 min), deploy IOCs (15 min), assess detection gaps (30 min), form hunting hypotheses (variable), and assess control gaps (30 min).
- CDA's principle: operationalize or archive. Every intelligence report produces a detection rule, a hunting hypothesis, a hardening action, or a risk update. Nothing is consumed without a decision.
Related Articles
- Threat Intelligence Operations
- MITRE ATT&CK Framework
- Threat Hunting
- State-Sponsored Cyber Threats: A Global Overview
- Russia's Cyber Warfare Capability
- China's Cyber Espionage Program
Sources
- MITRE Corporation. "ATT&CK Groups." attack.mitre.org/groups, updated continuously.
- Caltagirone, Sergio, Andrew Pendergast, and Christopher Betz. "The Diamond Model of Intrusion Analysis." Center for Cyber Intelligence Analysis and Threat Research, 2013.
- Microsoft. "Microsoft Threat Actor Naming Taxonomy." Microsoft Threat Intelligence Blog, April 2023.
- CrowdStrike. "CrowdStrike Adversary Universe." crowdstrike.com/adversaries, updated continuously.
- SANS Institute. "FOR578: Cyber Threat Intelligence (CTI) Course Body of Knowledge." SANS, 2024.
Written by Evan Morgan