Confused at all the threat group names? You’re not alone. CrowdStrike and Microsoft want to change that

‘Cozy Bear’, Nobelium, ‘Midnight Blizzard’, we’ve all heard various names used to identify cyber threat groups, and these three in particular refer to the same group.
It’s all rather confusing at times, prompting cybersecurity professionals and laymen alike to ponder who exactly they’re dealing with or reading about.
You mean to tell me this group is the same one that hit a separate company months ago, just with a different name?
The reason for this lies in how they’re tracked. These groups are given identifiers by whichever company detects and tracks a particular cluster of activity. Given the number of big tech companies and threat intelligence firms keeping tabs on the cybersecurity landscape, there’s not exactly been a sense of unity or alignment – at least until now.
Microsoft and CrowdStrike have announced a first-of-its-kind collaboration to build a shared mapping system for naming cyber threat actors. CrowdStrike believes the move will “bring clarity and coordination” in how threat actors are both identified, and crucially, tackled by cybersecurity professionals.
“By reducing ambiguity in how adversaries are labeled, this mapping enables defenders to make faster, more confident decisions, correlate threat intelligence across sources, and better disrupt threat actor activity before it causes harm,” CrowdStrike said in a statement confirming the move.
Essentially, by making it easier to join the dots with these naming conventions, cybersecurity defenders across the industry can make a concerted, unified effort to tackle ongoing threats.
Adam Meyers, SVP, Counter Adversary Operations, CrowdStrike, describes the move as a “watershed moment” for the cybersecurity industry, and one that’s been a long time coming.
“Adversaries hide behind both technology and the confusion created by inconsistent naming,” he said. “As defenders, it’s our job to stay ahead and to give security teams clarity on who is targeting them and how to respond.”
Meyers said that combining CrowdStrike’s deep expertise in threat intelligence with Microsoft’s “valuable data sources on adversary behavior” will ultimately prove beneficial to the broader industry.
“Together, we’re combining strengths to deliver clarity, speed, and confidence to defenders everywhere,” he added.
How will the naming convention changes work?
To begin with, CrowdStrike said the collaboration has started with a “shared analyst-led effort to harmonize adversary naming” between the two companies’ threat research teams.
This deeper level of information sharing has delivered results so far, according to CrowdStrike, with the companies having already “deconflicted” more than 80 adversaries.
These include threat groups such as Microsoft’s ‘Volt Typhoon’ and CrowdStrike’s ‘Vanguard Panda’ – both of which are names used to refer to Chinese state-sponsored threat actors.
Volt Typhoon has wreaked havoc on US critical infrastructure in recent years, with analysis in March detailing how it was able to remain undetected in the US national electric grid for nearly a year.
Similarly, ‘Secret Blizzard’ and ‘Venomous Bear’, two separate names used to identify a Russian threat group, have been deconflicted.
Analysis from Tanium shows Secret Blizzard has links to ‘Center 16’ of the FSB and specializes in global corporate espionage.
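As an added illustration of what a shared alias mapping lets a defender do (this is not code from the article, CrowdStrike or Microsoft), the pairs below are the aliases the article names, treated as “deconflicted” edges between vendor labels. A union-find structure derives the transitive clusters, so a report that says “Nobelium” and one that says “Cozy Bear” land in the same bucket without anyone having to remember every pairing. The `AliasResolver` and `correlate` names and the sample reports are constructed for this example.

```python
"""Cross-vendor adversary alias clustering (added example, not vendor code).

Each 'deconflicted' pair is an edge between two vendor names. Union-find with
path compression turns those pairwise statements into transitive clusters, so
any alias resolves to one canonical label and reports from different feeds can
be grouped by the actor they actually describe.
"""
from collections import defaultdict


class AliasResolver:
    def __init__(self):
        self._parent = {}    # casefolded name -> casefolded parent (union-find)
        self._display = {}   # casefolded name -> spelling first seen

    def _find(self, name):
        key = name.casefold()
        if key not in self._parent:
            self._parent[key] = key
            self._display[key] = name
        root = key
        while self._parent[root] != root:
            root = self._parent[root]
        # Path compression: point every node on the walk directly at the root.
        while self._parent[key] != root:
            self._parent[key], key = root, self._parent[key]
        return root

    def deconflict(self, a, b):
        """Record that vendor name `a` and vendor name `b` denote the same actor."""
        ra, rb = self._find(a), self._find(b)
        if ra == rb:
            return
        if rb < ra:            # keep the lexicographically smaller root: deterministic output
            ra, rb = rb, ra
        self._parent[rb] = ra

    def canonical(self, name):
        """Canonical display label for whatever alias a feed used."""
        return self._display[self._find(name)]

    def aliases(self, name):
        root = self._find(name)
        return sorted(self._display[k] for k in list(self._parent) if self._find(k) == root)

    def same_actor(self, a, b):
        return self._find(a) == self._find(b)


def correlate(resolver, reports):
    """Group (source, actor_as_named, observation) triples by canonical actor."""
    grouped = defaultdict(list)
    for source, actor, observation in reports:
        grouped[resolver.canonical(actor)].append((source, actor, observation))
    return dict(grouped)


# Alias pairs as named in the article: vendor labels that refer to the same actor.
DECONFLICTED_PAIRS = [
    ("Cozy Bear", "Midnight Blizzard"),
    ("Midnight Blizzard", "Nobelium"),
    ("Volt Typhoon", "Vanguard Panda"),
    ("Secret Blizzard", "Venomous Bear"),
]

# Constructed sample reports: (reporting source, actor name as that source uses it, observation).
SAMPLE_REPORTS = [
    ("feed-A", "Midnight Blizzard", "constructed observation 1"),
    ("feed-B", "Cozy Bear", "constructed observation 2"),
    ("blog-C", "NOBELIUM", "constructed observation 3"),
    ("feed-A", "Volt Typhoon", "constructed observation 4"),
    ("feed-B", "Vanguard Panda", "constructed observation 5"),
    ("feed-B", "Venomous Bear", "constructed observation 6"),
]


def build_resolver(pairs=DECONFLICTED_PAIRS):
    resolver = AliasResolver()
    for a, b in pairs:
        resolver.deconflict(a, b)
    return resolver


if __name__ == "__main__":
    r = build_resolver()
    for canonical_name, items in correlate(r, SAMPLE_REPORTS).items():
        print(f"{canonical_name}: aliases={r.aliases(canonical_name)}")
        for source, actor, observation in items:
            print(f"    {source:8} {actor:18} {observation}")
```

Because the mapping is transitive, a new deconfliction between one vendor’s name and an already-known alias immediately merges whole clusters; that is the property a shared mapping has to preserve, and it is also why a wrong merge is costly, since it silently conflates every report on both sides.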
Big tech partners chime in
Microsoft and CrowdStrike aren’t the only organizations leading the charge on this change on adversary naming practices. Google has also agreed to contribute to the scheme alongside its Mandiant threat intelligence group.
Similarly, Palo Alto Networks’ Unit 42 has committed to the naming convention approach.
Ilia Kolochenko, CEO of ImmuniWeb, welcomed the move as a proactive step to creating a more aligned cyber defense ecosystem.
However, he questioned whether complete alignment can be achieved. The industry has “long lasting” issues with regard to unified defense efforts, he said.
“The creation of a unified naming framework for cyber threat actors is certainly a laudable idea, however, whether all other vendors will follow it remains largely uncertain,” he told ITPro.
“The cybersecurity industry knows many similar and long-lasting issues with unification, for example, vulnerability scoring frameworks remain a largely heterogeneous patchwork across different vendors and platforms,” Kolochenko added.
“Having said this, the existing diversity is not necessarily bad: it provides more ground for critical thinking and flexibility in sophisticated and ofttimes subjective questions of attack attribution or risk scoring.”