Threat Actors: The Real Risk Isn’t Who, It’s How

By Jake Ouellette, September 18, 2025

If you’ve read a cybersecurity headline recently, chances are you’ve seen names like “Fancy Bear,” “APT28,” “Sandstorm,” or “Storm-0539.” These “threat actor” labels are supposed to help defenders understand who might be behind a cyberattack. In practice, though, they often create more confusion than clarity. One vendor might call a group “APT29,” while another might label the same activity as “Cozy Bear.” To an overworked IT or security team at a small or mid-sized organization, it can feel like alphabet soup.

I get why people are drawn to attribution. Knowing who is attacking you feels powerful; it makes the threat more tangible. But in my experience leading incident response investigations, the attacker’s name rarely changes what you need to do next. For most organizations, it’s not who is attacking you that matters most; it’s how they’re doing it.

Attribution Creates Distraction

The Name Game

The cybersecurity community tends to assign creative names to threat groups. While this can help track campaigns at a high level, it often misleads teams into thinking they’re facing countless different adversaries. In reality, these groups frequently use overlapping infrastructure and share tooling. Different vendors slap different labels on the threats, which muddies the water.

It’s like trying to memorize every alias of a burglar when what you really need to know is how they break into houses. The lock they pick matters more than the name they go by.

Vendor Incentives

Vendors often have incentives to make their research stand out. Giving a threat group a catchy new name is a marketing tactic as much as an intelligence exercise. Some organizations spend hours chasing whether they’re up against “Storm-0539” or “APT28,” when in reality the defensive response (resetting compromised credentials, patching vulnerable servers, and monitoring for persistence) would be identical in either case.

Universal Behaviors

When you strip away the branding, most attackers use the same building blocks:

  • Initial access through phishing, stolen credentials, or exploiting unpatched systems.
  • Privilege escalation to gain higher-level access once inside.
  • Persistence mechanisms to maintain a foothold over time.
  • Data exfiltration or ransomware deployment as the endgame.

Based on recent real-world incidents, an attacker in Russia, China, or your own backyard often looks very similar once they’re inside your network. The TTPs (Tactics, Techniques, and Procedures) are what matter. That’s where you can detect and stop them.

Diminishing Returns of Attribution

For the average organization, spending cycles on attribution doesn’t move the needle. Whether the attack came from a cybercriminal ring or a state-sponsored actor, your first steps are the same: lock down accounts, investigate lateral movement, and contain the incident. Unless you’re in government or a Fortune 100 enterprise with geopolitical stakes, attribution just doesn’t change your day-to-day defense strategy.

Teams can easily get sidetracked by attribution. They’ll debate endlessly about whether an incident ties back to a named actor while attackers remain active in their environment. That time and attention would be better spent fixing the misconfigurations, tightening access controls and running through incident response playbooks. Chasing the “who” too often delays the urgent work of stopping the “how.”

Shifting the Focus: Behaviors Over Names

So, what should security teams focus on instead? Behaviors. Monitoring attacker behaviors provides insights that are both actionable and broadly applicable, regardless of which group is behind the attack.

Monitoring Attacker Behavior

Rather than asking “Is this APT28?” you should ask: “Is someone using a valid account to log in from an unusual location at 2 a.m.?” That question is one you can quickly detect, investigate, and respond to.

Scenario-Based Detection

Practical examples of behavior-focused detection include:

  • Lateral Movement: Detecting multiple failed logins followed by a sudden success on a privileged system.
  • Persistence: Watching for the creation of unexpected administrator accounts or the modification of scheduled tasks.
  • Unusual Data Transfers: Monitoring spikes in outbound traffic to suspicious or unknown destinations.

These scenarios capture the essence of attacker behavior. Whether the adversary is a ransomware attacker or a nation-state, these patterns are consistent, making them more valuable for defense.
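To make the behavior-first idea concrete, here is an added example (not code from the article or from Blumira) that runs two of the detections described above over constructed authentication log lines: a burst of failed logins followed by a success on a privileged system, and a valid account used off-hours from a source outside the organization's usual address ranges. Each alert is labelled with the MITRE ATT&CK technique it maps to; the log format, privileged-host list, "usual" source prefixes, and thresholds are assumptions a defender would replace with their own.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (not real data): timestamp, event, key=value fields.
SAMPLE_LOG = """\
2025-09-18T02:03:11 LOGIN_FAIL user=svc_backup src=203.0.113.7 host=fileserver01
2025-09-18T02:03:14 LOGIN_FAIL user=svc_backup src=203.0.113.7 host=fileserver01
2025-09-18T02:03:17 LOGIN_FAIL user=svc_backup src=203.0.113.7 host=fileserver01
2025-09-18T02:03:20 LOGIN_FAIL user=svc_backup src=203.0.113.7 host=fileserver01
2025-09-18T02:03:25 LOGIN_OK user=svc_backup src=203.0.113.7 host=fileserver01
2025-09-18T02:41:00 LOGIN_OK user=alice src=198.51.100.9 host=vpn-gw
2025-09-18T09:15:02 LOGIN_OK user=alice src=10.0.5.23 host=workstation07
"""

# Assumed defender-maintained context: which hosts are privileged, which
# source ranges are normal for this organisation, and tuning thresholds.
PRIVILEGED_HOSTS = {"fileserver01", "dc01"}
USUAL_SRC_PREFIXES = ("10.", "192.168.")
FAIL_THRESHOLD = 3
OFF_HOURS = range(0, 6)  # 00:00 to 05:59 local time

def parse(line):
    """Turn one log line into a dict with a datetime 'ts' and an 'event'."""
    ts, event, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["event"] = event
    return rec

def detect(log_text):
    """Return a list of (attack_technique, description) alerts, in log order."""
    alerts = []
    fails = defaultdict(int)  # (user, src, host) -> consecutive failures so far
    for rec in map(parse, log_text.strip().splitlines()):
        key = (rec["user"], rec["src"], rec["host"])
        if rec["event"] == "LOGIN_FAIL":
            fails[key] += 1
            continue
        # Scenario 1: repeated failures, then success, on a privileged system.
        if fails[key] >= FAIL_THRESHOLD and rec["host"] in PRIVILEGED_HOSTS:
            alerts.append(("T1110 Brute Force",
                           f"{fails[key]} failures then success for {rec['user']} "
                           f"on {rec['host']} from {rec['src']}"))
        fails[key] = 0  # a success resets the streak for that user/src/host
        # Scenario 2: a valid account logging in off-hours from an unusual source.
        if rec["ts"].hour in OFF_HOURS and not rec["src"].startswith(USUAL_SRC_PREFIXES):
            alerts.append(("T1078 Valid Accounts",
                           f"off-hours login for {rec['user']} from unusual src {rec['src']}"))
    return alerts

if __name__ == "__main__":
    for technique, detail in detect(SAMPLE_LOG):
        print(technique, "-", detail)
```

Neither rule needs to know which group is behind the activity; both fire on the same sample whether the source is a criminal crew or a state actor, which is the point of the scenarios above.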

The MITRE ATT&CK framework is an essential tool for this approach. It provides a shared language and catalog of adversary techniques. By mapping detected activity to ATT&CK techniques, organizations can identify coverage gaps and ensure their defenses address the most common methods attackers use.

The beauty of ATT&CK is that it makes your defenses stronger. New groups will always emerge, but their behaviors often fall into familiar categories. If you’re prepared for those, you’re already ahead of the curve.

Practical Steps for Small and Mid-Sized Companies

For organizations, shifting the focus from attribution to behavior boils down to a few concrete practices:

  1. Reduce the Attack Surface
    • Patch known vulnerabilities quickly.
    • Require multi-factor authentication (MFA) for all accounts.
    • Enforce least-privilege access and strong password hygiene.
    • Segment networks to limit lateral movement opportunities.
  2. Implement Behavioral Threat Detection
    • Use security tools that look for suspicious activity, not just signatures.
    • Prioritize detections for privilege escalation, unusual logins and data exfiltration.
    • Correlate signals across endpoints, servers, cloud apps and authentication systems.
  3. Incident Readiness
    • Build incident response playbooks around attacker behaviors like phishing, ransomware and privilege misuse.
    • Run regular tabletop exercises to rehearse how to respond to common TTPs.
    • Clearly assign ownership for key processes in your system security plan and verify that the team follows those processes.
  4. Continuous Improvement
    • Test your defenses against common attacker behaviors using penetration testing or red team exercises.
    • Review incidents, even minor ones, to identify trends and improve monitoring.
    • Continuously update and refine detection logic to account for evolving techniques.

In my work with mid-market organizations, the ones that thrive are the ones that commit to this ongoing process. They treat security as a living, breathing program that adapts to change.

Benefits of a Behavior-First Model

Making this shift can change the way organizations defend themselves.

  • Efficiency: Teams stop wasting cycles researching attribution and start closing fundamental gaps.
  • Resilience: By covering common attacker behaviors, you’re protected against various actors, including the ones you don’t know about yet.
  • Clarity for Leadership: It’s much easier to explain to executives that “we stopped a ransomware attempt” than “we might have been targeted by Group X, but we’re still investigating.” Framing threats in terms of actions and impacts makes risk easier to understand.
  • Stronger Defense: New threat actors will emerge with new names but often reuse old techniques. A behavior-based defense means you don’t have to start from scratch whenever the headlines change.

The Threat Actor Alphabet Soup

Attribution can be exciting. It grabs headlines, fuels conference talks, and sometimes plays a role in national security investigations. But for most organizations, it’s overrated. Whether it’s a named state-sponsored group or a small cybercriminal crew, the actions they take inside your environment will look remarkably similar.

As someone who spends my days helping organizations respond to incidents, I can tell you this: you’ll make more progress by focusing on the “how” of an attack than by trying to pin down the “who.” Invest your energy in monitoring behaviors, building playbooks, reducing your attack surface and continually improving your defenses.

The alphabet soup of threat actor names might be interesting, but it won’t stop an attacker from logging into your network with stolen credentials at 2 a.m. Paying attention to their tactics just might.

Jake Ouellette

Jake is an Incident Detection Engineer Team Lead at Blumira, where he contributes to research and design efforts to continuously improve the detection, analysis, and disruption capabilities of the Blumira platform.
