
The world of threat actors reads like a roll call of code names. Depending on which security vendor you follow, these names might refer to the same group, different groups, or sub-groups with overlapping tools and tactics. It’s no wonder security teams are confused.
According to Verizon’s 2025 Data Breach Investigations Report, exploitation of vulnerabilities as the way into an organization grew compared with the 2024 report. While it can be tempting to try to figure out who’s behind these attacks, for most small to mid-sized businesses the question of attribution just isn’t important. What matters most is the action and the impact.
Threat actors drink from the same metaphorical watering hole when it comes to attack techniques. These techniques are common across all types of attackers and impact all business sizes. When time and resources are limited, every minute spent researching aliases is time not spent improving resilience. Security teams that tune out threat actor names and focus on understanding how attackers operate set themselves up for long-term resiliency and success.
The What and Why of Behavior-First Detection
Understanding attacker behavior is far more productive than attribution. Whether you’re facing a state-sponsored group or a financially motivated actor, most rely on the same core set of tactics, techniques, and procedures (TTPs). Spotting these common moves early improves efficiency, strengthens defenses, and builds resilience that lasts.
- Phishing and Persistence: Attackers often gain initial access through phishing, then use persistence techniques like creating new user accounts, adding scheduled tasks or inserting programs into startup folders to maintain control. Spotting these early can make all the difference.
- Unfamiliar or Misused Tools: If a legitimate but rarely used tool like TeamViewer suddenly appears on a machine where it doesn’t belong, that should raise an immediate red flag. Instead of asking, “Who is behind this?” the more urgent question becomes, “Why is this unfamiliar tool running here, and what did it just do?”
- Large Data Transfers or Script Abuse: Unusual outbound transfers to cloud storage, or PowerShell run by users and systems that have no business reason to run it (encoded commands, hidden windows, download-and-execute one-liners), are reliable signs of compromise. Detecting these behaviors helps teams prevent data theft and catch attackers using the same techniques across multiple breaches.
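The three behaviors above, as detection logic run over sample events. This is an added example and not Blumira’s detection content: each rule keys on an action (account created, scheduled task added, remote-access tool on the wrong host, encoded PowerShell, bulk upload to cloud storage) rather than on who performed it, and tags the hit with the matching ATT&CK technique ID. The Windows Security event IDs (4688, 4720, 4698) are real; the hosts, users, the admin-host allowlist, the 1 GiB threshold and the JSON event lines themselves are constructed for the demo.

```python
"""Behavior-first detection over constructed Windows Security and network events.

Added example, not Blumira's detection content. Event IDs are real Windows
Security log IDs; hosts, users, the allowlist and the threshold are constructed.
"""
import json
import re

# Constructed sample events, one JSON object per line, roughly the shape a SIEM
# stores after parsing the Windows Security log and a flow collector.
SAMPLE_EVENTS = r"""
{"source":"winsec","event_id":4688,"host":"FIN-WS07","user":"j.doe","process":"C:\\Users\\j.doe\\AppData\\Local\\TeamViewer\\TeamViewer.exe","cmdline":"TeamViewer.exe"}
{"source":"winsec","event_id":4720,"host":"FIN-WS07","user":"j.doe","target_user":"svc_backup2"}
{"source":"winsec","event_id":4698,"host":"FIN-WS07","user":"j.doe","task_name":"\\Microsoft\\Windows\\Updater","task_cmd":"powershell.exe -enc SQBFAFgA"}
{"source":"winsec","event_id":4688,"host":"FIN-WS07","user":"j.doe","process":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"source":"netflow","host":"FIN-WS07","user":"j.doe","dest":"storage.googleapis.com","bytes_out":2147483648}
{"source":"winsec","event_id":4688,"host":"IT-ADMIN01","user":"helpdesk","process":"C:\\Program Files\\TeamViewer\\TeamViewer.exe","cmdline":"TeamViewer.exe"}
{"source":"netflow","host":"HR-WS03","user":"m.ng","dest":"outlook.office365.com","bytes_out":524288}
"""

REMOTE_TOOL_HOSTS = {"IT-ADMIN01"}   # constructed: the only host where TeamViewer is expected
REMOTE_TOOLS = {"teamviewer.exe", "anydesk.exe", "screenconnect.exe"}
EXFIL_THRESHOLD = 1 << 30            # constructed: 1 GiB to a single external destination
CLOUD_STORAGE = re.compile(r"storage\.googleapis\.com|\.s3\.amazonaws\.com|mega\.nz|dropbox\.com", re.I)
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.I)


def rule_persistence(ev):
    """4720 = user account created, 4698 = scheduled task created."""
    if ev.get("event_id") == 4720:
        return "T1136.001", f"account {ev['target_user']} created by {ev['user']}"
    if ev.get("event_id") == 4698:
        return "T1053.005", f"scheduled task {ev['task_name']} runs: {ev['task_cmd']}"
    return None


def rule_unfamiliar_tool(ev):
    """4688 = process creation; alert on a remote-access tool outside its allowlist."""
    if ev.get("event_id") != 4688:
        return None
    exe = ev["process"].rsplit("\\", 1)[-1].lower()
    if exe in REMOTE_TOOLS and ev["host"] not in REMOTE_TOOL_HOSTS:
        return "T1219", f"{exe} started on {ev['host']}, not an approved admin host"
    return None


def rule_script_abuse(ev):
    """Encoded PowerShell is rarely typed by a human; treat it as script abuse."""
    if ev.get("event_id") != 4688 or "powershell" not in ev["cmdline"].lower():
        return None
    if ENCODED_PS.search(ev["cmdline"]):
        return "T1059.001", "PowerShell launched with an encoded command"
    return None


def rule_exfil(ev):
    """Bulk outbound transfer to a consumer cloud-storage domain."""
    if ev["source"] == "netflow" and ev["bytes_out"] >= EXFIL_THRESHOLD and CLOUD_STORAGE.search(ev["dest"]):
        return "T1567.002", f"{ev['bytes_out'] >> 20} MiB sent to {ev['dest']}"
    return None


RULES = (rule_persistence, rule_unfamiliar_tool, rule_script_abuse, rule_exfil)


def detect(raw_lines):
    """Run every rule over every event. Returns (host, technique_id, detail) tuples."""
    alerts = []
    for line in raw_lines.strip().splitlines():
        ev = json.loads(line)
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append((ev["host"], hit[0], hit[1]))
    return alerts


def triage(alerts):
    """Hosts ranked by distinct techniques seen: several on one host is an intrusion, not noise."""
    per_host = {}
    for host, technique, _ in alerts:
        per_host.setdefault(host, set()).add(technique)
    return sorted(((h, len(t)) for h, t in per_host.items()), key=lambda x: -x[1])


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for host, tid, detail in found:
        print(f"{host:<11} {tid:<10} {detail}")
    print("triage:", triage(found))
```

Run as-is, the script fires five alerts, all on FIN-WS07, and nothing on the admin host where TeamViewer is expected. None of the rules needed to know which group was behind the activity; the same five rules would fire on a ransomware affiliate, a state-sponsored group, or a red team using the same tradecraft.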
Focusing on attacker behaviors rather than names improves both efficiency and effectiveness. First, it allows security teams to spend less time hunting down threat intelligence that may not be relevant to their environment. Second, it strengthens defenses against both known and unknown adversaries, since many actors use overlapping TTPs.
Behavioral models are also easier to explain to leadership. It’s much easier to walk an executive through how your team is defending against common threat actions than to explain why you’re tracking the latest evolution of a specific threat group.
As threat actors evolve, their names may change, but the core techniques often stay the same. By detecting those behaviors early, you create a security strategy that’s adaptive and sustainable.
What Small and Mid-Sized Businesses Should Focus On
For small businesses and mid-market organizations, chasing attribution often drains limited security resources. Instead, teams should focus on five key areas to build a behavior-first defense:
1. Assess Gaps and Reduce the Attack Surface.
Figure out where the gaps exist and focus on addressing those that are low lift and high reward. Then, patch vulnerabilities, enforce multi-factor authentication (MFA), limit administrative privileges and segment the network to contain lateral movement. These foundational controls reduce opportunities for attacks.
2. Detect Behavioral Patterns Early.
Look for indicators of privilege escalation, lateral movement and anomalous access patterns. Behavior-based detection tools, especially those with SIEM + XDR capabilities, can help surface these patterns quickly, even in smaller environments.
3. Build Response Playbooks Around Actions, Not Names.
Instead of creating threat group-specific playbooks, build incident response procedures around specific actions such as phishing, credential theft and ransomware execution. Tabletop exercises let you walk through and test those playbooks and ensure your team is prepared for likely threats and nonstandard scenarios.
4. Aim for Continuous Improvement.
Teams should regularly test their defenses against real-world TTPs to validate what’s working and what isn’t. If you aren’t actively exercising your detection and response capabilities, how can you be confident they’ll hold up during a real incident?
5. Map Coverage to the MITRE ATT&CK Framework.
This framework offers a structured way to map attacker behaviors to named techniques and identify gaps in detection coverage. Using it, organizations can prioritize detections that cover a wide range of real-world threats. MITRE’s openly published knowledge base is vendor-agnostic, behavior-based and regularly updated, which makes it a better long-term resource than a name-based threat feed.
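The gap analysis step 5 describes, as an added example that is not MITRE’s or Blumira’s tooling. The technique IDs, names and tactic assignments are taken from ATT&CK for Enterprise; the detection catalog and the set of techniques the organization cares about are constructed for the demo. Because the article’s point is to catch behavior early, gaps are ranked by where their tactic sits in the attack lifecycle rather than simply counted.

```python
"""ATT&CK coverage gap analysis for a small detection catalog.

Added example, not MITRE's or Blumira's tooling. Technique IDs, names and
tactics are from ATT&CK for Enterprise; the catalog is constructed.
"""

# Subset of ATT&CK tactics in lifecycle order (earlier = caught sooner).
TACTIC_ORDER = ["initial-access", "execution", "persistence", "privilege-escalation",
                "credential-access", "lateral-movement", "command-and-control",
                "exfiltration", "impact"]

# Techniques behind the behaviours the article names: id -> (name, tactic).
TECHNIQUES = {
    "T1566": ("Phishing", "initial-access"),
    "T1190": ("Exploit Public-Facing Application", "initial-access"),
    "T1059.001": ("PowerShell", "execution"),
    "T1136.001": ("Create Account: Local Account", "persistence"),
    "T1053.005": ("Scheduled Task", "persistence"),
    "T1547.001": ("Registry Run Keys / Startup Folder", "persistence"),
    "T1548": ("Abuse Elevation Control Mechanism", "privilege-escalation"),
    "T1003": ("OS Credential Dumping", "credential-access"),
    "T1021": ("Remote Services", "lateral-movement"),
    "T1219": ("Remote Access Software", "command-and-control"),
    "T1567.002": ("Exfiltration to Cloud Storage", "exfiltration"),
    "T1486": ("Data Encrypted for Impact", "impact"),
}

# Constructed detection catalog: rule name -> technique IDs the rule covers.
DETECTIONS = {
    "new-local-account": ["T1136.001"],
    "scheduled-task-created": ["T1053.005"],
    "encoded-powershell": ["T1059.001"],
    "remote-tool-on-nonadmin-host": ["T1219"],
    "bulk-upload-to-cloud-storage": ["T1567.002"],
    "lsass-handle-from-unsigned-process": ["T1003"],
}


def covered_techniques(detections, techniques):
    """Technique IDs at least one rule claims; an unknown ID is a catalog bug, so fail loudly."""
    covered = set()
    for rule, ids in detections.items():
        for tid in ids:
            if tid not in techniques:
                raise ValueError(f"rule {rule} references unknown technique {tid}")
            covered.add(tid)
    return covered


def coverage_by_tactic(detections, techniques):
    """tactic -> (covered, total) over the techniques we care about."""
    covered = covered_techniques(detections, techniques)
    table = {}
    for tid, (_, tactic) in techniques.items():
        have, total = table.get(tactic, (0, 0))
        table[tactic] = (have + (tid in covered), total + 1)
    return table


def prioritized_gaps(detections, techniques):
    """Uncovered techniques, earliest lifecycle stage first, then by ID."""
    covered = covered_techniques(detections, techniques)
    gaps = [(tid, name, tactic) for tid, (name, tactic) in techniques.items() if tid not in covered]
    return sorted(gaps, key=lambda g: (TACTIC_ORDER.index(g[2]), g[0]))


def earliest_uncovered_tactic(detections, techniques):
    """First lifecycle stage with zero coverage, or None if every stage has something."""
    table = coverage_by_tactic(detections, techniques)
    for tactic in TACTIC_ORDER:
        have, total = table.get(tactic, (0, 0))
        if total and have == 0:
            return tactic
    return None


if __name__ == "__main__":
    table = coverage_by_tactic(DETECTIONS, TECHNIQUES)
    for tactic in TACTIC_ORDER:
        have, total = table.get(tactic, (0, 0))
        print(f"{tactic:<21} {have}/{total}")
    print("first blind spot:", earliest_uncovered_tactic(DETECTIONS, TECHNIQUES))
    for tid, name, tactic in prioritized_gaps(DETECTIONS, TECHNIQUES):
        print(f"  gap {tid:<10} {name} ({tactic})")
```

With this catalog the first blind spot is initial access: there is nothing for phishing or for exploitation of a public-facing application, which is exactly the vector the DBIR figures cited earlier say is growing. That ranking is the practical output of the exercise; it tells a resource-limited team which detection to build next without reference to any actor name.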
Attribution Has Its Place, But Probably Not Here
Attribution can be exciting. There’s drama in tracking adversaries and linking attacks to nation-states. But for most organizations, it’s not actionable and often not relevant.
Knowing how attackers operate, detecting early signs of a security problem, and reducing the likelihood of a successful attack are more important. Ask yourself: Does your current strategy emphasize who is behind an attack or how they’re getting in? If it’s the former, it might be time to realign your focus.
About the Author
Jake Ouellette is a Lead Incident Detection Engineer at Blumira, where he contributes to research and design efforts to continuously improve the detection, analysis, and disruption capabilities of the Blumira platform.