Threat actor naming conventions: a big mess!
The task of adversary attribution, and how it should be done, is a controversial topic in the cyber threat intelligence community. There is no standardized way of doing attribution, starting with the naming of the threat actors: each security company has its own telemetry, data, standards, procedures and confidence levels. This is the main reason why most CTI teams use their own naming scheme. Here are some examples where the classification method is officially known.

CrowdStrike

Uses a nickname plus a species of animal, each assigned to a specific country or category:

| Name | Nation-state or Category |
|---|---|
| BEAR | RUSSIA |
| BUFFALO | VIETNAM |
| CHOLLIMA | DPRK (NORTH KOREA) |
| CRANE | ROK (REPUBLIC OF KOREA) |
| JACKAL | HACKTIVIST |
| KITTEN | IRAN |
| LEOPARD | PAKISTAN |
| LYNX | GEORGIA |
| OCELOT | COLOMBIA |
| PANDA | PEOPLE'S REPUBLIC OF CHINA |
| SPIDER | ECRIME |
| TIGER | INDIA |
| WOLF | TURKEY |

Mandiant

Uses numbered APT, FIN and UNC groups. Only the end of the naming-process table survives on this page:

| Stage | Name | Description |
|---|---|---|
| | [name] | A candidate name is selected once further evaluation is warranted |
| 3 | Advanced Persistent Threat (APT) or Financially Motivated Threat Group (FIN) | Once the motivation is established, the appropriate type is selected, and a formal name is selected |

Recorded Future

Uses a color plus a phonetic-alphabet word:

| Color | Nation-state or Category |
|---|---|
| RED | PEOPLE'S REPUBLIC OF CHINA |
| GREEN | IRAN |
| PURPLE | NORTH KOREA |
| BLUE | RUSSIA |
| GRAY | CYBERCRIME |

Microsoft

According to a recent taxonomy update, threat actor groups will be named after weather events:

| Name | Nation-state or Category |
|---|---|
| Typhoon | PEOPLE'S REPUBLIC OF CHINA |
| Sandstorm | Iran |
| Rain | Lebanon |
| Sleet | North Korea |
| Blizzard | Russia |
| Hail | South Korea |
| Dust | Turkey |
| Cyclone | Vietnam |
| Tempest | Financially motivated |
| Tsunami | PSOAs |
| Flood | Influence operations |
| Storm | Groups in development |

Secureworks

Uses an element plus a nickname:

| Element | Nation-state or Category |
|---|---|
| BRONZE | PEOPLE'S REPUBLIC OF CHINA |
| ZINC | INDIA |
| COBALT | IRAN |
| NICKEL | NORTH KOREA |
| TUNGSTEN | SOUTH KOREA |
| COPPER | PAKISTAN |
| ALUMINUM | PALESTINE |
| IRON | RUSSIA |
| PLATINUM | UNITED STATES |
| TIN | VIETNAM |
| GOLD | CYBERCRIME |

IBM

Uses numbered ITG or Hive groups.
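The practical consequence of these incompatible schemes is that a CTI team merging vendor feeds has to decode each vendor's convention before it can tell whether two reports even agree on who an actor is. The following normalizer, added here as an illustration and not code from the original post, infers the vendor and the encoded country or category from the shape of a name using only the mappings in the tables above; the canonical labels (e.g. "China", "Cybercrime / financially motivated"), the sample names such as SAMPLE BEAR and BlueAlfa, and the Storm-<number> form for in-development groups are constructed assumptions. It also shows the check an analyst actually wants: whether a set of aliases believed to be one cluster agrees on attribution at all.

```python
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Canonical attribution labels (the labels are mine; the vendor-to-category
# mappings below are transcribed from the tables on the page).
CN, RU, KP, KR, IR, VN, TR, IN, PK = (
    "China", "Russia", "North Korea", "South Korea", "Iran",
    "Vietnam", "Turkey", "India", "Pakistan",
)
CRIME = "Cybercrime / financially motivated"

CROWDSTRIKE_ANIMALS: Dict[str, str] = {          # nickname + ANIMAL
    "BEAR": RU, "BUFFALO": VN, "CHOLLIMA": KP, "CRANE": KR, "JACKAL": "Hacktivist",
    "KITTEN": IR, "LEOPARD": PK, "LYNX": "Georgia", "OCELOT": "Colombia",
    "PANDA": CN, "SPIDER": CRIME, "TIGER": IN, "WOLF": TR,
}
RECORDED_FUTURE_COLORS: Dict[str, str] = {       # Color + phonetic word
    "RED": CN, "GREEN": IR, "PURPLE": KP, "BLUE": RU, "GRAY": CRIME,
}
MICROSOFT_WEATHER: Dict[str, str] = {            # Nickname + Weather
    "TYPHOON": CN, "SANDSTORM": IR, "RAIN": "Lebanon", "SLEET": KP, "BLIZZARD": RU,
    "HAIL": KR, "DUST": TR, "CYCLONE": VN, "TEMPEST": CRIME,
    "TSUNAMI": "Private sector offensive actor (PSOA)",
    "FLOOD": "Influence operation", "STORM": "Group in development",
}
SECUREWORKS_ELEMENTS: Dict[str, str] = {         # ELEMENT + NICKNAME
    "BRONZE": CN, "ZINC": IN, "COBALT": IR, "NICKEL": KP, "TUNGSTEN": KR,
    "COPPER": PK, "ALUMINUM": "Palestine", "IRON": RU, "PLATINUM": "United States",
    "TIN": VN, "GOLD": CRIME,
}
# Mandiant numbers encode the group's *type*, not its origin.
MANDIANT_TYPES: Dict[str, str] = {
    "APT": "Advanced Persistent Threat", "FIN": CRIME,
    "UNC": "Uncategorized (candidate cluster)",
}
NUMBERED_RE = re.compile(r"^(APT|FIN|UNC|ITG|HIVE)0*(\d+)$", re.IGNORECASE)

# Only these conventions encode a country/category comparable across vendors.
ORIGIN_VENDORS = {"CrowdStrike", "Microsoft", "Secureworks", "Recorded Future"}


def classify(name: str) -> Optional[Tuple[str, str]]:
    """Infer (vendor, attribution) from the shape of a vendor actor name.

    Returns None when the name matches none of the conventions on the page.
    """
    clean = name.strip()
    m = NUMBERED_RE.match(clean)
    if m:
        prefix = m.group(1).upper()
        if prefix in MANDIANT_TYPES:
            return "Mandiant", MANDIANT_TYPES[prefix]
        return "IBM", "Numbered group (no category encoded in the name)"

    tokens = [t.upper() for t in re.split(r"[\s\-_]+", clean) if t]
    if not tokens:
        return None
    first, last = tokens[0], tokens[-1]
    if last in CROWDSTRIKE_ANIMALS:
        return "CrowdStrike", CROWDSTRIKE_ANIMALS[last]
    if last in MICROSOFT_WEATHER:
        return "Microsoft", MICROSOFT_WEATHER[last]
    if first == "STORM" and len(tokens) == 2 and tokens[1].isdigit():
        # Assumption: in-development Microsoft groups are written "Storm-<number>".
        return "Microsoft", MICROSOFT_WEATHER["STORM"]
    if first in SECUREWORKS_ELEMENTS:
        return "Secureworks", SECUREWORKS_ELEMENTS[first]
    # Recorded Future concatenates the color and the phonetic word ("BlueAlfa"),
    # so the color is a prefix of the first token rather than a token on its own.
    for color, attribution in RECORDED_FUTURE_COLORS.items():
        if (first.startswith(color) and len(first) > len(color)) or (
            first == color and len(tokens) > 1
        ):
            return "Recorded Future", attribution
    return None


def deconflict(aliases: Iterable[str]) -> Tuple[bool, Set[str], List[str]]:
    """Check whether aliases believed to describe one cluster agree on attribution.

    Returns (agree, origins_seen, names_without_an_origin). Mandiant/IBM numbers
    and unrecognized names carry no origin, so they are reported, not compared.
    """
    origins: Set[str] = set()
    uninformative: List[str] = []
    for alias in aliases:
        result = classify(alias)
        if result is not None and result[0] in ORIGIN_VENDORS:
            origins.add(result[1])
        else:
            uninformative.append(alias)
    return len(origins) <= 1, origins, uninformative


if __name__ == "__main__":
    # Constructed sample aliases, not names from any vendor's catalogue.
    for alias in ["SAMPLE BEAR", "Sample Blizzard", "IRON SAMPLE", "BlueAlfa",
                  "Storm-0001", "APT1234", "ITG99", "Totally Unknown"]:
        print(f"{alias:18} -> {classify(alias)}")
    print(deconflict(["SAMPLE BEAR", "Sample Blizzard", "IRON SAMPLE", "UNC1234"]))
    print(deconflict(["SAMPLE PANDA", "Sample Blizzard"]))
```

The normalizer deliberately reports Mandiant and IBM names as uninformative rather than forcing them into the country comparison: a FIN or ITG number says something about motivation or ordering, not origin, and treating it as an attribution is exactly the kind of silent mismatch that makes cross-vendor mapping a mess.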
Link: https://andreafortuna.org/2023/07/17/threat-actor-naming-conventions-a-big-mess/