Security experts have long faced challenges in tracking Advanced Persistent Threat (APT) groups. Traditionally, identifying consistent patterns, tools, and infrastructure helped link activities to specific threat actors. However, this method is becoming less reliable as APT groups evolve.
Challenges in Current Attribution Methods
Historically, threat tracking relied on Tactics, Techniques, and Procedures (TTPs). While effective in the past, this approach is faltering as adversaries frequently change operators, swap tools, and adjust their objectives. The dynamic nature of these groups often leaves analysts with fragmented data, complicating the attribution process.
Recognizing these challenges, researchers from DarkAtlas have proposed a new campaign-based attribution framework. This model addresses the limitations of traditional methods by focusing on discrete, temporally bound clusters of activity defined by their objectives and operational behaviors.
The Campaign-Based Attribution Framework
DarkAtlas’s framework shifts the focus from fixed group identities to analyzing campaigns. It considers the ‘Ship of Theseus’ problem: if an adversary changes all operational components, does it remain the same entity? This new approach measures relationships between campaigns without assuming a consistent threat actor identity.
The framework introduces a confidence model, categorizing conclusions as high, medium, or low confidence based on multi-layered evidence. High-confidence attribution requires significant overlap across strategic, operational, technical, and human dimensions.
Implementing the Overlap Model
The core of this framework is the Overlap Model, which uses a multi-dimensional correlation approach. Rather than relying on a single indicator, it assesses evidence across six analytical layers: strategic, operational, tactical, technical, infrastructure, and human factors.
Each campaign is represented as a node in a Campaign Linkage Graph, with edges indicating relationships between campaigns. Strong links denote substantial overlap, while weak links suggest connections needing further investigation. This graph-based method naturally adapts to adversary evolution.
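The following toy implementation, added here as an illustration and not DarkAtlas's own code, shows how the Overlap Model and the Campaign Linkage Graph fit together: each campaign carries evidence in the six layers named above, pairwise overlap is scored per layer and aggregated, a confidence tier is assigned only when both the score and the number of agreeing layers are sufficient, and the result becomes a strong or weak edge in the graph. The Jaccard scoring, the layer weights (which favour the stable layers the article recommends, such as victimology and timing, over easily swapped tools and infrastructure), the confidence thresholds, and all sample indicators are assumptions constructed for the example.

```python
"""Toy Overlap Model and Campaign Linkage Graph (added example, not DarkAtlas code).

Layer names follow the article; Jaccard scoring, weights, thresholds and the
sample indicators are assumptions constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from itertools import combinations

# The six analytical layers named in the article.
LAYERS = ("strategic", "operational", "tactical", "technical", "infrastructure", "human")

# Assumed weights: stable layers (targeting, timing, operator traits) count more
# than tools and infrastructure, which adversaries swap frequently.
WEIGHTS = {
    "strategic": 0.25, "operational": 0.20, "human": 0.20,
    "tactical": 0.10, "technical": 0.125, "infrastructure": 0.125,
}


@dataclass
class Campaign:
    name: str
    evidence: dict[str, frozenset[str]]   # layer -> observed attributes


def jaccard(a: frozenset[str], b: frozenset[str]) -> float:
    """Set similarity in [0, 1]; 0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def layer_overlaps(c1: Campaign, c2: Campaign) -> dict[str, float]:
    """Per-layer overlap, so an analyst can see *where* two campaigns agree."""
    return {layer: jaccard(c1.evidence.get(layer, frozenset()),
                           c2.evidence.get(layer, frozenset()))
            for layer in LAYERS}


def overlap_score(c1: Campaign, c2: Campaign) -> float:
    """Weighted aggregate across all six layers; no single indicator dominates."""
    per_layer = layer_overlaps(c1, c2)
    return sum(WEIGHTS[layer] * per_layer[layer] for layer in LAYERS)


def confidence_tier(c1: Campaign, c2: Campaign) -> str:
    """High confidence needs both a high score and breadth across layers (assumed cut-offs)."""
    score = overlap_score(c1, c2)
    layers_hit = sum(1 for v in layer_overlaps(c1, c2).values() if v > 0)
    if score >= 0.6 and layers_hit >= 4:
        return "high"
    if score >= 0.3 and layers_hit >= 2:
        return "medium"
    return "low"


def build_linkage_graph(campaigns: list[Campaign]) -> dict[tuple[str, str], dict]:
    """Nodes are campaigns; each edge carries score, tier and link strength.

    'strong' = substantial overlap (high confidence); 'weak' = some overlap that
    needs further investigation; pairs with zero overlap get no edge at all.
    """
    edges = {}
    for c1, c2 in combinations(campaigns, 2):
        score = overlap_score(c1, c2)
        if score == 0:
            continue
        tier = confidence_tier(c1, c2)
        edges[(c1.name, c2.name)] = {
            "score": round(score, 3),
            "confidence": tier,
            "strength": "strong" if tier == "high" else "weak",
            "layers": layer_overlaps(c1, c2),
        }
    return edges


def _c(name: str, **layers) -> Campaign:
    return Campaign(name, {k: frozenset(v) for k, v in layers.items()})


# Constructed sample data (not real indicators). CAMP-B keeps CAMP-A's targeting,
# timing and operator traits but swapped its loader and infrastructure; CAMP-C only
# shares one common technique and a generic HTTPS C2 choice.
SAMPLE_CAMPAIGNS = [
    _c("CAMP-A",
       strategic={"sector:energy", "region:eu"},
       operational={"access:spearphish", "timing:election-window"},
       tactical={"T1566", "T1059", "T1071"},
       technical={"loader:constructed-L1", "c2:https"},
       infrastructure={"domain:constructed-a.test", "asn:constructed-1"},
       human={"keyboard:ru", "hours:utc+3"}),
    _c("CAMP-B",
       strategic={"sector:energy", "region:eu"},
       operational={"access:spearphish", "timing:election-window"},
       tactical={"T1566", "T1059", "T1105"},
       technical={"loader:constructed-L2", "c2:https"},
       infrastructure={"domain:constructed-b.test", "asn:constructed-2"},
       human={"keyboard:ru", "hours:utc+3"}),
    _c("CAMP-C",
       strategic={"sector:finance", "region:sea"},
       operational={"access:drive-by"},
       tactical={"T1566", "T1204"},
       technical={"loader:constructed-L3", "c2:https"},
       infrastructure={"domain:constructed-c.test", "asn:constructed-3"},
       human={"keyboard:zh", "hours:utc+8"}),
]

if __name__ == "__main__":
    for (a, b), edge in build_linkage_graph(SAMPLE_CAMPAIGNS).items():
        print(f"{a} -- {b}: score={edge['score']} {edge['confidence']} ({edge['strength']})")
```

With this data CAMP-A and CAMP-B link strongly (high confidence) even though every tool and piece of infrastructure differs, because the strategic, operational and human layers still agree; CAMP-A and CAMP-C share only a common technique and a protocol choice, which yields a weak, low-confidence edge that flags the pair for further work rather than asserting a link. Because edges are recomputed from the evidence sets, adding new observations to a campaign and rebuilding the graph is how an earlier conclusion gets revisited as data emerges.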
Future of APT Tracking and Recommendations
Security teams are encouraged to adopt a campaign-centric tracking model, requiring multi-layer evidence before concluding campaign origins or group identities. TTPs should be viewed as behavioral signals, not definitive fingerprints, since adversaries may share techniques to mislead analysts.
Confidence tiers should be assigned to all attribution assessments, revisiting earlier conclusions as new data emerges. Emphasis should be on stable indicators like victimology and geopolitical timing, which tend to persist longer than specific tools or infrastructure.