A guide to threat actor profiling: A deliverable-first approach

Source: Feedly Blog

Author: Ondra Rojčík

URL: https://feedly.com/ti-essentials/posts/a-guide-to-threat-actor-profiling-a-deliverable-first-approach

ONE SENTENCE SUMMARY:

Deliverable-first threat actor profiling uses 5W1H, the Diamond Model, graded sources, and audience tailoring to produce actionable intelligence.

MAIN POINTS:

  1. Threat actor profiles unify IOCs, TTPs, motives, and trends into one analytical entity.
  2. Clarifying “tracking” versus “incident-driven” intent determines scope, depth, and usefulness.
  3. Internal tracking prioritizes structured telemetry over narrative implications and recommendations.
  4. Incident-driven profiles emphasize timelines, extortion behavior, stakeholder updates, and decision support.
  5. 5W1H frames core questions, ensuring complete narrative coverage of adversary activity.
  6. Diamond Model maps Adversary, Infrastructure, Capability, and Victim to explain operations.
  7. Collection should combine internal telemetry with external intelligence for context and linkage.
  8. Admiralty Code improves transparency by scoring source reliability and information credibility.
  9. Profiling should include identity, victimology, capability, modus operandi, and activity timeline.
  10. Tailored deliverables add forecast, implications, recommendations, references, executive BLUF, and cut-off date.
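
The following is an added example, not code from the Feedly post or its author, showing how points 6, 8, 9 and 10 fit together in practice: observations are attached to Diamond Model vertices, each carries an Admiralty Code grade and a source, and the profile is assembled only from evidence that is at or above a chosen confidence threshold and no later than the cut-off date. The domain, source names and dates are constructed sample values, and the ordinal ranking of the "cannot be judged" grades (F and 6) below all others is a simplification this toy makes so that such evidence never passes a threshold.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Admiralty Code grades. Source reliability runs A (completely reliable) to E
# (unreliable); information credibility runs 1 (confirmed) to 5 (improbable).
# F and 6 mean "cannot be judged"; this toy ranks them below everything else so
# they never satisfy a minimum threshold (a simplification, not the standard).
RELIABILITY = {"A": 0, "B": 1, "C": 2, "D": 3, "E": 4, "F": 5}
CREDIBILITY = {"1": 0, "2": 1, "3": 2, "4": 3, "5": 4, "6": 5}
DIAMOND_VERTICES = ("adversary", "infrastructure", "capability", "victim")


def parse_grade(grade: str) -> tuple[int, int]:
    """Split an Admiralty code such as 'B2' into (reliability rank, credibility rank)."""
    if len(grade) != 2 or grade[0] not in RELIABILITY or grade[1] not in CREDIBILITY:
        raise ValueError(f"invalid Admiralty code: {grade!r}")
    return RELIABILITY[grade[0]], CREDIBILITY[grade[1]]


def meets_threshold(grade: str, minimum: str = "C3") -> bool:
    """True when both halves of `grade` are at least as strong as `minimum`."""
    r, c = parse_grade(grade)
    min_r, min_c = parse_grade(minimum)
    return r <= min_r and c <= min_c


@dataclass(frozen=True)
class Observation:
    vertex: str      # Diamond Model vertex the evidence supports
    claim: str       # what was observed (the sample text below is constructed)
    source: str      # provenance, so the assessment stays traceable
    grade: str       # Admiralty code assigned by the analyst
    observed: date   # when the activity happened

    def __post_init__(self) -> None:
        if self.vertex not in DIAMOND_VERTICES:
            raise ValueError(f"unknown Diamond Model vertex: {self.vertex!r}")
        parse_grade(self.grade)  # reject malformed codes at construction time


def build_profile(observations: list[Observation], cutoff: date,
                  minimum: str = "C3") -> dict[str, dict]:
    """Group evidence by Diamond vertex, dropping anything dated after the
    cut-off or graded below the threshold, and keep the strongest grade seen.
    Grades compare as (reliability, credibility) tuples, reliability first."""
    profile: dict[str, dict] = {v: {"claims": [], "best_grade": None} for v in DIAMOND_VERTICES}
    for obs in sorted(observations, key=lambda o: o.observed):
        if obs.observed > cutoff or not meets_threshold(obs.grade, minimum):
            continue
        entry = profile[obs.vertex]
        entry["claims"].append(f"{obs.claim} [{obs.grade}, {obs.source}]")
        if entry["best_grade"] is None or parse_grade(obs.grade) < parse_grade(entry["best_grade"]):
            entry["best_grade"] = obs.grade
    return profile


def timeline(observations: list[Observation], cutoff: date) -> list[tuple[str, str, str]]:
    """Chronological activity timeline (ISO date, vertex, claim) up to the cut-off."""
    kept = [o for o in observations if o.observed <= cutoff]
    return [(o.observed.isoformat(), o.vertex, o.claim) for o in sorted(kept, key=lambda o: o.observed)]


def bluf(actor: str, profile: dict[str, dict], cutoff: date) -> str:
    """One-line executive bottom line: vertices with evidence and their best grades."""
    parts = [f"{v}:{e['best_grade']}" for v, e in profile.items() if e["best_grade"]]
    return f"{actor} (as of {cutoff.isoformat()}): " + ", ".join(parts)


CUTOFF = date(2024, 3, 31)  # constructed cut-off date for the sample profile


def sample_observations() -> list[Observation]:
    """Constructed sample evidence; names and dates are not from any real case."""
    return [
        Observation("adversary", "financially motivated extortion crew", "vendor report (constructed)", "B2", date(2024, 3, 1)),
        Observation("victim", "targets mid-size manufacturing", "open web (constructed)", "D4", date(2024, 3, 5)),
        Observation("infrastructure", "C2 beacons to c2.example", "internal telemetry (constructed)", "A1", date(2024, 3, 10)),
        Observation("capability", "deploys a custom loader", "IR case notes (constructed)", "C3", date(2024, 3, 12)),
        Observation("infrastructure", "new staging host seen", "partner feed (constructed)", "B1", date(2024, 4, 2)),
    ]


if __name__ == "__main__":
    obs = sample_observations()
    prof = build_profile(obs, CUTOFF)
    for event in timeline(obs, CUTOFF):
        print(*event)
    print(bluf("ACTOR-EXAMPLE", prof, CUTOFF))
```

With the sample data the D4-graded victimology claim is held back by the default C3 threshold and the April observation is held back by the March cut-off, so the resulting profile states exactly what the evidence supports as of its date, with a grade and source beside every claim.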

TAKEAWAYS:

  1. Starting with the intended deliverable prevents building an unused library of disconnected data.
  2. Mixing 5W1H with the Diamond Model converts observations into an evolving operational picture.
  3. Traceable sourcing and explicit confidence scoring make assessments defensible to stakeholders.
  4. Separating technical evidence from narrative analysis helps SOC/IR act without losing context.
  5. Audience-specific outputs and a clear cut-off date keep intelligence consumable and time-relevant.