← Home

Analyst Field Guide · Threat Intelligence

Naming the
Adversary

Two problems, one discipline: describe precisely what an adversary did, and reason honestly about who did it. The three frameworks, ATT&CK mechanics, and attribution as a layered, probabilistic judgment — with a worked incident from alert to assessment.

Behaviors over indicators Convergence over artifacts Cluster before you name

One idea underlies everything here. Indicators — a hash, an IP, a domain — are artifacts of one specific intrusion, and they're cheap for the adversary to change. Behaviors — the techniques and tradecraft, the how — are expensive to change. Every framework in this guide exists to push your analysis up from indicators toward behavior, because behavior-based detection and attribution survive when the adversary rotates infrastructure. Hold that, and the rest follows.

01

Indicators vs. Behaviors

The single most useful model for why this matters is the Pyramid of Pain (Bianco, 2013): it ranks the things you can detect by how much pain it causes the adversary to change them.

TTPs Tools Network / host artifacts Domain names IP addresses Hash values costly cheap DETECT here durable BLOCK here fast, brittle
A hash-based detection dies on one recompile; a behavior-based one forces the adversary to change how they operate. Block on the bottom for speed; detect on the top for durability.

This is why "they ran a script / PowerShell execution / fileless attack" — three analysts describing one behavior three ways — is a problem worth solving. A taxonomy is a controlled vocabulary that pins the behavior down so it can be detected, measured, compared, and handed off.

02

Why Taxonomy (and the Trap)

A shared vocabulary for adversary activity buys five concrete things:

The trap — mapping theater

A taxonomy is a means, not an end. Teams routinely produce a colourful ATT&CK heatmap, declare victory, and change nothing. A wrong or lazy mapping is worse than none — it manufactures false confidence and pollutes metrics. The discipline: map only what the evidence supports, at the granularity it supports, and tie every label to a decision. If a mapping doesn't change what you detect, hunt, or report, you wasted the effort.

03

The Three Frameworks

Three frameworks every analyst holds at once. They aren't competitors — they answer different questions and are most powerful stacked.

FrameworkCore questionShapeBest for
Cyber Kill ChainWhat stage is the intrusion at?Linear lifecycleNarrative, exec comms, early warning
Diamond ModelWho/what/where, and how do the pieces connect?Relationship graphAnalysis, pivoting, attribution
MITRE ATT&CKWhat specific behavior occurred?Behavior catalogDetection, mapping, coverage, hunting
The mental shorthand

Kill Chain is the story · Diamond is the investigation · ATT&CK is the dictionary. You'll usually use all three together on the same incident. (Others you'll meet but shouldn't confuse: VERIS for breach statistics, STRIDE for design-time threat modeling, D3FEND for defensive countermeasures — none is a substitute for the three above.)

04

The Cyber Kill Chain

Lockheed Martin's model (Hutchins, Cloppert & Amin, 2011) frames an intrusion as seven sequential phases. The doctrine: break any one link, break the chain — and the earlier you break it, the cheaper the outcome.

1 Reconresearch 2 Weaponizeexploit+payload 3 Deliveryphish/exploit 4 Exploitcode fires 5 Installfoothold 6 C2beacon 7 Actionsthe goal Break any one link → break the chain. Earlier detection = cheaper outcome. Real intrusions loop (discover → move → escalate → discover) — the clean 1→7 line is a simplification.
Great for narrative and executive comms. Weak on insiders, valid-credential abuse, and living-off-the-land — it was built around an external actor delivering malware, and it's coarse (one "Installation" hides thousands of techniques). That granularity is what ATT&CK adds.

Courses of Action — turning the chain into a plan

The chain's one genuinely operational output: pair the seven phases against six defensive actions (from DoD Information Operations doctrine), weakest-to-strongest interference — Detect · Deny · Disrupt · Degrade · Deceive · Destroy. Fill each cell with the specific control you have; the empty cells are your coverage gaps. (Destroy is rarely available to defenders and is legally constrained.)

05

The Diamond Model

Where the Kill Chain is a timeline, the Diamond (Caltagirone, Pendergast & Betz, 2013) is a relationship graph for a single intrusion event. Four connected vertices, two axes.

Adversary Capability Infrastructure Victim social-political axis = intent technology axis = delivery
An adversary uses a capability over infrastructure against a victim. The engine is pivoting: know one vertex, traverse an edge, discover the next. event → thread → activity group = level-1 attribution.

Six meta-features add context to each event — timestamp, phase (maps to a Kill Chain stage, which is how the two frameworks integrate), result, direction, methodology, and resources. And six centered approaches formalize the pivot, one entry point per feature; infrastructure-centered (passive DNS, WHOIS, TLS certs) is usually the most productive, because infrastructure is the most externally observable. The social-political approach is the odd one out — alone it yields hypotheses, not indicators.

06

ATT&CK: the Object Model

MITRE ATT&CK (first released 2013) is a knowledge base of real-world adversary behavior, not a lifecycle. It's hierarchical — internalize the four levels as why / how / specific-how / actual-instance:

LevelIs the…ID looks likeExample
Tacticwhy — the goalTA0002Execution — run malicious code
Techniquehow — the methodT1059Command & Scripting Interpreter
Sub-techniquespecific how — a variantT1059.001PowerShell
Procedureactual instance(not ID'd)the literal powershell -enc <base64> one-liner
The property that makes IDs trustworthy

T-IDs are persistent. A technique's number doesn't change when it's renamed — or even moved to a different tactic. T1059 is T1059 regardless of which column it sits under in a given version. That's why you reference techniques by ID, not name or placement: names and placement drift; the ID is the anchor.

The 15 Enterprise tactics (current — v19.1, April 2026)

Roughly the order an intrusion progresses — but the columns are categories, not a timeline; adversaries revisit, skip, and loop.

IDTacticGoal
TA0043ReconnaissanceGather info to plan
TA0042Resource DevelopmentBuild infra, accounts, capabilities
TA0001Initial AccessGet in
TA0002ExecutionRun code
TA0003PersistenceKeep the foothold
TA0004Privilege EscalationHigher permissions
TA0005StealthHide, blend in with normal
TA0112Defense ImpairmentBreak defenses & telemetry
TA0006Credential AccessSteal credentials
TA0007DiscoveryLearn the environment
TA0008Lateral MovementMove through
TA0009CollectionGather target data
TA0011Command & ControlControl hosts
TA0010ExfiltrationSteal data out
TA0040ImpactDisrupt, destroy, manipulate
The v19 change — and why it's the standing lesson

The April 2026 release split the old single "Defense Evasion" tactic: TA0005 kept its ID but was renamed Stealth (concealment/blending), and a new Defense Impairment (TA0112) absorbed the "actively break defenses" behaviors — taking Enterprise from 14 to 15 tactics. If your playbooks or dashboards reference "Defense Evasion," they predate v19 and need review. This is the standing example of why you verify the live matrix before citing tactic placement.

07

ATT&CK in Practice

ATT&CK is a graph, not a list, and the relationships are the value. The objects — each a pivot point:

The workflow that pays off: in Navigator, build a threat layer (the techniques of the actors that realistically target your sector) → build a coverage layer (your detections) → compare → the uncovered, high-relevance techniques are your detection-engineering backlog. Pull ATT&CK programmatically (STIX 2.1 / TAXII, the mitreattack-python library) rather than hand-copying the website, and pin the version.

Honest mapping — the rules
  1. Collect the evidence first; map from evidence, not from a story you've already decided.
  2. Behavior → tactic (the goal) → technique. The same action serves different tactics depending on intent.
  3. Map at the granularity the evidence supports. Over-mapping a sub-technique you can't prove is fabrication.
  4. Tie every mapping to its supporting data; separate observed from inferred.
  5. "A rule named after T#" ≠ "we detect T#." Validate with emulation — paper coverage isn't coverage.
The defensive counterpart — D3FEND

Where ATT&CK catalogs what adversaries do, MITRE D3FEND (NSA-funded; reached v1.0 in January 2025) catalogs what defenders do about it — a knowledge graph of countermeasures across seven tactics (Model, Harden, Detect, Isolate, Deceive, Evict, Restore), linked to ATT&CK techniques through a shared "digital artifact" ontology. Practically: take the techniques from your Navigator coverage gap, look up the D3FEND countermeasures that act on the same artifacts, and you get a structured shortlist of defenses to weigh — the bridge from "here's how they'd attack" to "here's what to consider deploying" (which the Detection Engineering guide then turns into actual rules, with its own false-positive discipline). Note the asymmetry: ATT&CK spans three matrices (Enterprise, Mobile, ICS); D3FEND is a single matrix. And like ATT&CK it's versioned and still growing — cite the version rather than assuming a technique exists.

08

Attribution: Three Levels

Attribution is not a yes/no fact — it's a layered, probabilistic judgment, in three levels of increasing difficulty and consequence.

Level 1 · Tacticalcluster the activitymost defensible & useful Level 2 · Operationalactor type, intent,resourcing Level 3 · Strategicthe true nameneeds non-network intelrare · slow · loaded difficulty & consequence ↑
Most defensive value lives at Level 1. You can detect, segment, and harden against a coherent cluster without ever naming a country. Beware the organizational gravity toward Level 3 — the evidence usually supports only a cluster.

Attribution synthesizes evidence across the Diamond's vertices — infrastructure (registration patterns, TLS reuse), capability (code reuse, builder artifacts), victimology (often the strongest signal of intent), and TTPs (the behavioral signature). Strong attribution comes from convergence — multiple independent streams pointing the same way — never from a single artifact.

09

Doing Attribution Honestly

Attribution is reasoning under uncertainty with an adversary who actively deceives. Four disciplines keep it honest.

Structure the reasoning (ACH)

Analysis of Competing Hypotheses (Heuer): enumerate all plausible hypotheses up front — including "unknown criminal group" and "false-flag operation" — matrix the evidence as consistent / inconsistent with each, and seek to disprove, not confirm. The surviving hypothesis is the one with the fewest inconsistencies, not the most confirmations. ACH forces you to test the alternative you'd rather ignore.

Separate probability from confidence (ICD 203)

Two distinct things, routinely conflated. Probability is how likely the judgment is true (a verbal scale: almost no chance · very unlikely · unlikely · roughly even · likely · very likely · almost certain). Confidence is the quality of the evidence and reasoning behind it (low / moderate / high). You can be highly confident that something is unlikely, or hold a likely judgment with low confidence. State both, always: "moderate confidence it is likely…" Never bare-fact attribution; name what would change the call; avoid false-precision numeric scores.

False flags — demand convergence

Capable actors plant misleading evidence: reused tools, foreign-language strings, borrowed infrastructure. The canonical case is Olympic Destroyer (2018), salted with artifacts mimicking several actors, which caused public misattribution before deeper analysis untangled it. Single low-pyramid artifacts are cheap to fake; faking infrastructure and deep TTPs and victimology and operational tempo consistently is expensive. Internal inconsistency — tooling of actor A, victimology of actor B, working hours of neither — is the red flag ACH surfaces.

Mind the naming zoo, and know when to stop

A vendor's group name is that vendor's cluster with that vendor's boundaries — don't blindly merge "the same" group across vendors. Temporary labels (UNC/TEMP/DEV-style) are deliberate placeholders that resist premature closure — good tradecraft. And sometimes the right call is not to attribute: when the evidence supports only clustering, when you can't rule out a false flag, or when a name wouldn't change the response. You patch, contain, and detect the same way regardless of who's behind it.

10

Worked Example

A manufacturing SOC gets EDR alerts on a finance workstation. Reconstruction: an invoice-themed email with a macro attachment → macros spawned a PowerShell loader → it pulled a beacon → the beacon added a scheduled task → the operator dumped credentials, moved laterally to a file server, staged and compressed data, and exfiltrated over C2 before containment. All three frameworks, stacked:

Instructional synthesis — not a real incident

Kill Chain (exec brief): Delivery (phishing) → Exploitation (macro) → Installation (scheduled task) → C2 (beacon) → Actions (credential theft, lateral movement, data theft). Detected at C2/Actions; contained before full exfiltration.

ATT&CK (detection — v19.1, ID-anchored, evidence-tied): Phishing (T1566) · PowerShell (T1059.001) · Scheduled Task/Job (T1053) · OS Credential Dumping (T1003) · Valid Accounts (T1078) + Remote Services (T1021) · Exfiltration Over C2 Channel (T1041). Data staging left at technique level where the evidence didn't justify a specific sub-technique — honest granularity.

Diamond (pivot): pivot on the C2 domain via passive DNS → two more domains, same registrant pattern → same beacon family → prior victims also regional mid-market manufacturers. Victimology + capability reuse cluster these into one activity group.

Attribution judgment (proper language): "We assess with moderate confidence that this is very likely part of a single activity cluster responsible for at least two prior intrusions against regional mid-market manufacturers, based on shared beacon tooling, consistent C2 registration patterns, and consistent victimology. We make no judgment on sponsorship; the reused loader hash alone is insufficient and could be shared tooling."

The Level-3 counterpart — SolarWinds (public reporting)

ATT&CK tracks the supply-chain operation discovered December 2020 as campaign C0024, attributed to group G0016 (APT29 — also Cozy Bear, The Dukes, NOBELIUM, Midnight Blizzard, UNC2452: one cluster, many vendor names). The nation-level call — attributing it to Russia's SVR — came only in April 2021, from governments drawing on intelligence beyond network forensics. The takeaway: you can track and defend the C0024/APT29 cluster with ATT&CK without making the nation-state call yourself. The defensive actions (detect the techniques, segment, harden the build pipeline) are identical whether or not the name "SVR" is ever spoken.

11

Field Rules

Battle-tested wisdom, distilled

Taxonomy

A mapping that changes no decision was wasted. Map from evidence, not the story in your head. Honest granularity beats impressive granularity — a guessed sub-technique is a fabrication someone downstream treats as fact. Reference by ID; pin the version; re-baseline on every ATT&CK upgrade.


Detection

Climb the Pyramid of Pain — block on indicators for speed, detect on behavior for durability. Paper coverage ≠ real coverage; validate by emulation. Document false-positive/false-negative exposure on every rule.


Attribution

It's a layered judgment, not a fact — cluster (Level 1) is where the value is and where evidence usually stops. Demand convergence; a single artifact is spoofable and maybe planted. Run ACH when stakes are high. Separate observed/inferred/assumed, and probability/confidence, in writing.


Judgment

You usually don't need attribution to respond — patch, contain, detect regardless. Beware the named-group illusion (a vendor's name is that vendor's cluster). Write for the analyst acting at 3 a.m.: lead with the judgment and the so-what. Verify every ID-specific claim at attack.mitre.org before it goes in a report.

Adapted from the Attack Taxonomy & Attribution guide in this set. ATT&CK content pinned to v19.1 (April 2026); the Defense Evasion → Stealth (TA0005) + Defense Impairment (TA0112) split and the 15-tactic count were verified against MITRE's v19 release. Object IDs (G0016/APT29, S0154/Cobalt Strike, S0002/Mimikatz, C0024/SolarWinds, M1017/User Training) reflect the live knowledge base and open-source reporting, which grows over time. Treat any technique ID, sub-technique number, or tactic placement carried from memory as probably stale — verify against attack.mitre.org before it goes in a report. The SolarWinds → SVR attribution is a public government judgment drawing on non-public intelligence, not a claim reproducible from network artifacts alone. D3FEND is pinned to v1.0 (January 2025); it revises, so verify the current version before citing a countermeasure or tactic. Companion to the Critical Thinking Field Guide (ACH, calibrated probability/confidence), Detection Engineering (turning coverage gaps into validated rules), Incident Response (mapping during an incident), and Root Cause Analysis.