An information handling system performs a method for analyzing attacks against a networked system of information handling systems. The method includes detecting a threat indicator, representing the threat indicator in part by numerical parameters, normalizing the numerical parameters, calculating one or more measures of association between the threat indicator and other threat indicators, finding an association of the threat indicator with another threat indicator based upon the normalized numerical parameters, and assigning to the threat indicator a probability that a threat actor group caused the attack, wherein the threat actor group was assigned to the other threat indicator.