How Threat Modeling, Actor Attribution Grow Cyber Defenses

By: The Center for Internet Security, Inc. (CIS®) Cyber Threat Intelligence (CTI) team

Published May 15, 2025


As cyber threats continue to grow and evolve, U.S. State, Local, Tribal, and Territorial (SLTT) government organizations must take proactive steps to secure systems, data, and infrastructure before cyber threat actors (CTAs) strike. Two important components of proactive defense are threat modeling and threat actor attribution. Understanding an organization’s attack surface and anticipating how CTAs will exploit vulnerabilities or conduct cyber attacks helps organizations align their security practices with real-world attack scenarios. One way to enhance threat modeling is to pair it with threat actor attribution — the process of identifying the CTAs responsible for cyber attacks, or gathering as much information about them as possible. Combining these two disciplines creates a more dynamic and forward-leaning defensive posture for preventing and detecting adversary tactics, techniques, and procedures (TTPs).

Threat Modeling

As defined by Cisco, threat modeling is the process of “using hypothetical scenarios, system diagrams, and testing to help secure systems and data.” It enables organizations to identify what needs to be protected, who might try to compromise or steal that data, and how a breach might occur. The Open Web Application Security Project (OWASP) notes that threat modeling “enables informed decision-making about application security risks.” It goes on to explain that threat modeling can be used across organizations’ infrastructure, including “software, applications, systems, networks, distributed systems, Internet of Things (IoT) devices, and business processes.”

The exact number of steps in threat modeling varies, but according to Microsoft, they generally involve:

  1. Defining security requirements
  2. Creating a diagram
  3. Identifying threats
  4. Mitigating threats
  5. Validating threats have been mitigated

A key aspect of threat modeling is to look at a system from the perspective of a CTA, not as a defender. Multiple frameworks and methodologies, such as STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege) and DREAD (damage, reproducibility, exploitability, affected users, discoverability), have been developed to assist network defenders in working through threat modeling, per Fortinet.

Threat Actor Attribution

Threat actor attribution is the process of identifying individuals or groups that are responsible for a cyber attack or network intrusion. Google Cloud notes that researchers and analysts examine TTPs to identify common patterns and link attacks to specific groups, or specific categories of attackers, such as ransomware groups or state-sponsored CTAs. Understanding adversary TTPs allows for proactive security measures, such as implementing targeted threat hunting, hardening attack surfaces, and improving detection capabilities. Knowing the TTPs that threat actors use, and their preferred targets, allows organizations to tailor their defensive strategies for maximum protection.

Attribution is a complex process and does not always result in specific knowledge of an adversary. As pointed out by Google Cloud, attribution may only go so far as general clusters of activity related to specific IP addresses or domains. Groups may overlap, merge, or dissolve and re-form over time. For example, as we know from the U.S. Cybersecurity & Infrastructure Security Agency (CISA), multiple ransomware groups have a history of ceasing operations only to reappear later under a different name. Though attribution is not always absolute, it provides valuable context for understanding threats. Even if an organization cannot identify the specific individual or group behind an attack, identifying behavioral signatures related to observed activity is valuable for network defenders. Combining attribution with other tools such as threat modeling allows for a more proactive and threat-informed defensive strategy.

Sector-specific organizations benefit from using threat intelligence to understand their adversaries, as well. Threat intelligence and attribution can provide key insights into the TTPs used by adversaries with a focus on specific sectors. For example, adversaries with a history of targeting the healthcare sector may prioritize data exfiltration and ransomware, while adversaries with a focus on the energy sector may be more likely to focus on disruption. Understanding the opportunities, capabilities, and intent behind actors targeting specific sectors allows for more informed decision-making to stay ahead of the threats and effectively allocate resources.

Combining Threat Modeling and Threat Actor Attribution

Incorporating threat actor attribution into threat modeling shifts the process from hypothetical to actionable. Threat modeling traditionally focuses on technical risk without necessarily considering the actors that may exploit weaknesses. Modeling threats to an organization based on an actor’s historical behavior provides more insight than a generic threat modeling process by itself. For example, understanding that a ransomware group like LockBit has an established track record of leveraging Remote Desktop Protocol (RDP), as shared in a CISA cybersecurity advisory, may influence how an organization sets up access controls or configures monitoring priorities. Similarly, a hospital may review recent threat actor trends and focus on defensive strategies for current ransomware operations, while a financial institution may choose to focus on credential theft. Mapping threat models and attribution to additional frameworks, such as MITRE’s ATT&CK framework, further allows threat intelligence to inform defensive strategies. MITRE D3FEND also catalogs countermeasures that can be implemented to defend against specific TTPs.
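As an added illustration (not code from CIS or the original article) of how attribution can re-rank a threat model, the script below scores STRIDE-categorized threats with DREAD and then boosts any threat whose ATT&CK techniques overlap those attributed to a tracked actor. The threat model, the DREAD ratings, and the actor's technique set are all constructed sample data, not a real actor profile.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    stride: str            # STRIDE category (spoofing, tampering, ...)
    dread: dict            # DREAD factors, each rated 0-10
    techniques: frozenset  # ATT&CK technique IDs the threat maps to

    def dread_score(self) -> float:
        # Plain DREAD: mean of damage, reproducibility, exploitability,
        # affected users and discoverability.
        return sum(self.dread.values()) / len(self.dread)

def prioritize(threats, actor_ttps, boost=1.5):
    """Rank threats by DREAD, boosting those that overlap the tracked actor's
    observed techniques. Returns (score, name, overlapping technique IDs)
    tuples, highest priority first."""
    ranked = []
    for t in threats:
        overlap = sorted(t.techniques & actor_ttps)
        score = t.dread_score() * (boost if overlap else 1.0)
        ranked.append((round(score, 1), t.name, overlap))
    return sorted(ranked, key=lambda r: r[0], reverse=True)

# Constructed threat model for a hypothetical SLTT web service with an
# internet-facing RDP jump host; the ratings are illustrative only.
THREATS = [
    Threat("RDP exposure", "spoofing",
           {"D": 8, "R": 9, "E": 8, "A": 7, "Di": 9},
           frozenset({"T1110", "T1021.001"})),   # brute force, RDP
    Threat("Ransomware encryption", "denial of service",
           {"D": 9, "R": 7, "E": 6, "A": 9, "Di": 6},
           frozenset({"T1486"})),                 # data encrypted for impact
    Threat("Phishing credential theft", "spoofing",
           {"D": 6, "R": 8, "E": 7, "A": 8, "Di": 8},
           frozenset({"T1566"})),                 # phishing
    Threat("SQL injection", "tampering",
           {"D": 7, "R": 6, "E": 5, "A": 6, "Di": 5},
           frozenset({"T1190"})),                 # exploit public-facing app
]

# Constructed attribution input: techniques attributed to a ransomware group
# that, like the LockBit example above, favors RDP. Not a real profile.
ACTOR_TTPS = frozenset({"T1021.001", "T1110", "T1486"})

if __name__ == "__main__":
    for score, name, overlap in prioritize(THREATS, ACTOR_TTPS):
        print(f"{score:5.1f}  {name:26s} {overlap}")
```

Without the attribution input, phishing would rank level with ransomware encryption; with it, the RDP and ransomware threats move to the top, which is where the page argues monitoring and access-control effort should go first.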

Incorporating the latest findings from intelligence teams regarding attribution allows defensive strategies to evolve with the changing threat landscape. Organizations that combine threat modeling and attribution pivot from preparing for what could go wrong to preparing for what is most likely to go wrong. To keep up with today’s threats, U.S. SLTTs must go beyond basic security checklists. Threat modeling and threat actor attribution, when used together, give U.S. SLTTs an opportunity to prioritize defense, tailor response strategies, and make well-informed security investments.

Putting It Into Practice

U.S. SLTTs should leverage tabletop exercises (TTXs), vulnerability assessments, and penetration tests to help identify weaknesses and plan for incident response. Threat modeling and actor attribution can play a key role in these activities. For example, TTXs can include discussions on how an organization’s response could differ if a state-sponsored group is carrying out a cyber attack versus a criminal organization.

The CIS Critical Security Controls (CIS Controls), particularly Control 7: Continuous Vulnerability Management, Control 17: Incident Response and Management, and Control 18: Penetration Testing, serve as natural starting points. This structured framework can shape TTX discussions as well as identify gaps in existing security postures, allowing you to reinforce your defenses.