Actor Update Workflow
Purpose
Provide a repeatable process for refreshing actor profiles without source drift or overclaiming.
Practitioner-Level Explanation
Actor profiles decay. Aliases change, sponsor language evolves, tools are reclassified, and old IOCs become stale. Updates need a workflow, not ad hoc edits.
Every update should identify what changed, which source supports it, how confidence changed, and which downstream hunts, detections, or reports are affected.
CTI Relevance
Actor update discipline keeps CTI repositories accurate and prevents stale actor pages from driving bad detection priorities.
Common Mistakes
- Adding new reports without updating old contradictions.
- Changing sponsor language without source support.
- Leaving detections linked to deprecated claims.
- Failing to mark old IOCs as stale.
Practical Workflow
- Check latest primary sources.
- Compare against existing profile.
- Add new claims to evidence register.
- Update aliases and sponsor language only with sources.
- Review TTP and tool mappings.
- Check affected detections and hunts.
- Record changelog and review date.
Example / Mini Case
A new source reports a tool previously associated with one actor under a different cluster. The analyst records the contradiction, updates confidence, and marks affected detections as behavior-based rather than actor-specific.
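The workflow steps and the mini case above, as an added example in Python (not part of the original page): one update pass that accepts only sourced claims, records a tool contradiction with a confidence change, retags linked detections as behavior-based, marks unseen IOCs stale, and appends a changelog entry shaped like the Output Artifact. The profile layout, the 180-day stale window, and all actor, tool, detection, evidence and IOC values are constructed assumptions.

```python
from datetime import date, timedelta
STALE_AFTER = timedelta(days=180)  # assumed window after which an unseen IOC is stale
TODAY = date(2024, 6, 1)           # constructed review date for the sample run
# Constructed sample profile; actor, tool, detection and IOC values are placeholders.
PROFILE = {
    "actor": "ACTOR-EXAMPLE", "evidence": [], "changelog": [],
    "tools": {"ToolX": {"confidence": "high", "evidence": ["E-001"], "contradicted_by": []}},
    "detections": {"DET-42": {"linked_to": "ToolX", "scope": "actor-specific"}},
    "iocs": {"203.0.113.5": {"status": "active", "last_seen": "2023-01-15"}},
}
# Constructed new reporting: one sourced contradiction, one unsourced sponsor claim.
REPORT = {"claims": [
    {"field": "tool", "value": "ToolX", "cluster": "OTHER-CLUSTER", "source_id": "E-002"},
    {"field": "sponsor", "value": "State Y"},
]}

def update_profile(profile, report, today, stale_after=STALE_AFTER):
    """Apply new reporting to a profile in place and return a change record holding the
    Output Artifact fields. Claims without a source id are logged as gaps, never applied."""
    rec = {"actor": profile["actor"], "update_date": today.isoformat(), "new_sources": [],
           "changed_claims": [], "confidence_changes": [], "affected_detections": [], "gaps": []}
    for claim in report["claims"]:
        src = claim.get("source_id")
        if not src:  # aliases, sponsor language and tool links change only with a source
            rec["gaps"].append(f"unsourced {claim['field']} claim: {claim['value']}")
            continue
        rec["new_sources"].append(src)
        profile["evidence"].append({"id": src, **claim})  # evidence register entry
        tool = profile["tools"].get(claim["value"]) if claim["field"] == "tool" else None
        if tool and claim.get("cluster") not in (None, profile["actor"]):
            # Contradiction: a tool attributed here is now reported under another cluster.
            old = tool["confidence"]
            tool["confidence"] = "medium" if old == "high" else "low"
            tool["contradicted_by"].append(src)
            rec["changed_claims"].append(f"{claim['value']} also attributed to {claim['cluster']} ({src})")
            rec["confidence_changes"].append(f"{claim['value']}: {old} -> {tool['confidence']}")
            for det_id, det in profile["detections"].items():  # keep the detection, drop actor scope
                if det["linked_to"] == claim["value"] and det["scope"] == "actor-specific":
                    det["scope"] = "behavior-based"
                    rec["affected_detections"].append(det_id)
    for ioc, meta in profile["iocs"].items():  # mark, rather than delete, IOCs past the window
        if meta["status"] == "active" and today - date.fromisoformat(meta["last_seen"]) > stale_after:
            meta["status"] = "stale"
            rec["changed_claims"].append(f"IOC {ioc} marked stale")
    profile["changelog"].append(rec)
    profile["review_date"] = rec["update_date"]
    return rec

if __name__ == "__main__":
    print(update_profile(PROFILE, REPORT, TODAY))
```

The returned record can be pasted into the Output Artifact fields; the unsourced sponsor claim lands under Gaps instead of changing the profile.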
Analyst Checklist
- Is the update source-backed?
- Are contradictions recorded?
- Are downstream links reviewed?
- Is the review date updated?
Output Artifact
Actor:
Update Date:
New Sources:
Changed Claims:
Evidence IDs:
Confidence Changes:
Affected TTPs:
Affected Detections:
Gaps:
Reviewer: