As the cybersecurity industry navigates the complexities of threat actor identification, TrendAI, part of Trend Micro, has released a guide outlining how threat attribution should operate based on evidence, rather than relying on renaming or differences between vendors.
Variations in threat actor naming are often seen as discrepancies, but this perspective oversimplifies the underlying complexity. Different research teams may analyse distinct datasets, use different clustering methods, and reach varying confidence levels. Complete alignment across all entities is neither realistic nor necessary.
TrendAI's guide explains its approach to tracking activity using structured evidence rather than pre-existing labels. It introduces provisional SHADOW designations, which allow analysts to monitor emerging or overlapping activity without prematurely assigning firm attribution or overstating certainty.
The framework aims to clarify how attribution decisions are made within the industry, highlighting the reasons for differing naming practices and emphasising the importance of evidence over labels.
For business leaders, accurate attribution affects risk management and response planning. Overreliance on threat actor names alone can create a false sense of certainty, potentially affecting priorities and defensive measures.
When attribution decisions are reviewed by stakeholders such as boards, auditors, or regulators, labels on their own may not suffice. An evidence-based approach provides a foundation rooted in verifiable data, supporting clearer communication, justification, and adaptation as new information emerges.
