Building a Threat Actor Profile

Cyber threat intelligence is only useful when it changes a decision. A good actor profile turns scattered observations into something a defender can act on this week, not just read.
Structure beats prose
A profile that reads like a story is hard to operationalise. Capture it as structured fields instead:
- Aliases and overlapping clusters
- Targeted sectors and regions
- Observed techniques (mapped to ATT&CK)
- Known infrastructure patterns
Intelligence without a confidence level is just a rumour with good formatting. State what you know, how well you know it, and how you’d be proven wrong.
A minimal machine-readable record
Keep the canonical version in a structured format so tooling can consume it:
```python
# Canonical actor profile kept as a structured record rather than free text.
profile = {
    "name": "SUSPICIOUS-PANDA",
    "aliases": ["BYTE-42"],                    # overlapping clusters / other vendors' names
    "targets": ["finance", "logistics"],       # targeted sectors (add regions as needed)
    "techniques": ["T1566.001", "T1059.001", "T1021.002"],  # ATT&CK technique IDs
    "confidence": "moderate",                  # analytic confidence in the record overall
}
print(profile["techniques"])
```
Confidence language
Standardise the words so “likely” means the same thing to everyone:
| Term | Rough probability | Use when |
|---|---|---|
| Almost certain | 90–100% | corroborated, high-quality |
| Likely | 55–80% | consistent but single-source |
| Possible | 25–50% | plausible, thin evidence |
Revisit the profile as new reporting lands. A CTI artifact is a living document, and a stale one quietly erodes the trust your stakeholders place in it.
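An added example, not part of the original page: a small validator that checks a record for the fields listed above, verifies that technique entries look like ATT&CK IDs, checks the confidence term against the table, and flags a record that has not been reviewed recently. The `last_reviewed` field and the 90-day review interval are assumptions; note that the page's own record uses "moderate", which is not in the standard scale, so the validator reports it.

```python
import re
from datetime import date, timedelta

# Standardised confidence vocabulary from the table above (term -> rough probability band).
CONFIDENCE_SCALE = {
    "almost certain": (90, 100),
    "likely": (55, 80),
    "possible": (25, 50),
}
REQUIRED_FIELDS = ("name", "aliases", "targets", "techniques", "confidence")
# ATT&CK technique IDs look like T1566 or, for sub-techniques, T1566.001.
TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")
MAX_AGE_DAYS = 90  # assumed review interval; agree one with your stakeholders


def validate_profile(profile: dict, today: str = None) -> list:
    """Return the problems found; an empty list means the record is usable."""
    now = date.fromisoformat(today) if today else date.today()
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in profile:
            problems.append(f"missing field: {field}")
    for tid in profile.get("techniques", []):
        if not TECHNIQUE_RE.match(tid):
            problems.append(f"malformed ATT&CK id: {tid}")
    term = str(profile.get("confidence", "")).lower()
    if term not in CONFIDENCE_SCALE:
        problems.append(f"confidence '{term}' not in the standard scale")
    # 'last_reviewed' (ISO date) is an assumed field, not one the page defines.
    reviewed = profile.get("last_reviewed")
    if reviewed is None:
        problems.append("no last_reviewed date")
    elif now - date.fromisoformat(reviewed) > timedelta(days=MAX_AGE_DAYS):
        problems.append(f"stale: last reviewed {reviewed}")
    return problems


# Constructed sample record, modelled on the page's example plus deliberate defects.
SAMPLE = {
    "name": "SUSPICIOUS-PANDA",
    "aliases": ["BYTE-42"],
    "targets": ["finance", "logistics"],
    "techniques": ["T1566.001", "T1059.001", "T1021.002", "t1021"],
    "confidence": "moderate",
    "last_reviewed": "2024-01-15",
}

if __name__ == "__main__":
    for problem in validate_profile(SAMPLE, today="2024-06-01"):
        print("-", problem)
```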