Microsoft, CrowdStrike Partner to Bring Clarity to Threat Actor Identities
Microsoft and CrowdStrike are coming together to address a long-standing problem in the cybersecurity industry: the same threat group is given a different name by each vendor that tracks it, and each vendor attaches its own set of attributes to that name.
The two companies said this week that by combining their information about these actors, agreeing on which names refer to the same group and describing the threat each group poses in a common outline, they hope to give security vendors and businesses a clearer picture of the adversaries they are dealing with.
“As cybersecurity becomes increasingly central to business resilience and national security, the challenge of adversary attribution has grown more urgent,” Adam Meyers, senior vice president for counter-adversary at CrowdStrike, wrote in a column. “Over the past several decades, multiple naming systems have emerged — each shaped by the unique vantage points of vendors and researchers. While these systems offer valuable insights, they’ve also created fragmentation, confusion and complexity.”
While creating a universal naming standard may not be possible, “defenders shouldn’t have to spend countless cycles trying to delineate if COZY BEAR is the same as APT29, or UNC2452, or Midnight Blizzard,” Meyers added.
Microsoft itself had earlier tracked that same group as Nobelium before renaming it Midnight Blizzard.
If Not Now, When?
Now is the time for Microsoft, CrowdStrike and others to address the naming and intelligence issue to reduce the time needed to respond to a threat, according to Vasu Jakkal, corporate vice president of Microsoft Security.
“Even seconds of delay can mean the difference between stopping a cyberattack or falling victim to ransomware,” Jakkal wrote in a blog post. “One major cause of delayed response is understanding threat actor attribution, which is often slowed by inaccurate or incomplete data as well as inconsistencies in naming across platforms. This, in turn, can reduce confidence, complicate analysis and delay response.”
She noted that “our mutual customers are always looking for clarity. Aligning the known commonalities among these actor names directly with peers helps to provide greater clarity and gives defenders a clearer path to action.”
A Good Step for the Good Guys
Rob Enderle, principal analyst with The Enderle Group, said the vendors’ initiative is a big deal, particularly at a time when state-funded malware groups are accelerating their attacks.
“This kind of move may be the only way to truly mitigate the risk going forward,” Enderle told Security Boulevard. “The greater the collaboration, the stronger the defenses put forward by the collaborators and we need them to be as strong as possible to keep us safe.”
Cybersecurity vendors and the companies they protect are at a disadvantage, the analyst said: they do not receive government funding, and defending against threats is the harder job to perform well.
“The defender has to get it right all of the time; the attacker just once, giving the attacker – particularly a state-funded attacker – a massive advantage,” Enderle said. “Collaborations like this offset that advantage and should result in far stronger malware defenses.”
First Steps
Microsoft and CrowdStrike are starting off the effort by publishing an initial version of the joint mapping of threat actors.
Since 2023, Microsoft has used a weather-themed naming taxonomy for threat groups in which the family name encodes the attribution: “Blizzard” marks an actor attributed to Russia and “Typhoon” one attributed to China, while other families include “Sandstorm” (Iran), “Sleet” (North Korea) and “Dust” (Turkey). The taxonomy also separates actors by category, such as nation-state threats, financially motivated groups and influence operations.
“For nation-state actors, we assigned a family name to a country/region of origin tied to attribution,” Microsoft wrote. “For example, Typhoon indicates origin or attribution to China. For other actors, the family name represents a motivation. For example, Tempest indicates financially motivated actors.”
In the joint mapping, Microsoft’s list gives not only its own name for each threat actor and the actor’s country of origin, but also the names other vendors use for the same group. For example, the high-profile China-linked Volt Typhoon is also known as Vanguard Panda (CrowdStrike’s name) and Bronze Silhouette. The North Korean actor that Microsoft calls Onyx Sleet is also tracked as Plutonium, Silent Chollima (CrowdStrike), Black Chollima and DarkSeoul.
“This reference guide serves as a starting point, a way to translate across naming systems so defenders can work faster and more efficiently, especially in environments where insights from multiple vendors are in play,” Microsoft’s Jakkal wrote.
More Companies Joining In
Jakkal said that while the initial effort is an initiative between Microsoft and CrowdStrike, Google and its Mandiant threat intelligence group and Palo Alto Networks’ Unit 42 group also will contribute.
CrowdStrike, in Meyers’ blog post, also published a list of more than five dozen threat groups with the names Microsoft and CrowdStrike have each assigned to them. For example, the group Microsoft calls Silk Typhoon is Murky Panda in CrowdStrike’s taxonomy.
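To show how a cross-vendor alias table like this is put to use in practice, here is an added Python example; it is not code or data from Microsoft or CrowdStrike. The alias table is assembled only from the group names quoted in this article and is far from complete, the choice of the Microsoft name as the canonical label is ours, the family-suffix decoder covers only the families the article names, and the sample reports, vendor labels and indicator values are constructed placeholders. The resolver folds case and separators so that “COZY BEAR” and “Cozy-Bear” match, refuses an alias table in which one name points at two different groups, and merges indicators from several vendors’ reports under one canonical actor while listing the names it could not resolve.

```python
import re
from collections import defaultdict

# Microsoft's weather-themed family names and what each one encodes.
# Only the families named in the article are listed.
MS_FAMILY = {
    "blizzard": ("nation-state", "Russia"),
    "typhoon": ("nation-state", "China"),
    "sandstorm": ("nation-state", "Iran"),
    "sleet": ("nation-state", "North Korea"),
    "dust": ("nation-state", "Turkey"),
    "tempest": ("financially motivated", None),
}

# Constructed alias table built only from names quoted in the article.
# Key: the Microsoft name, used here as the canonical label (our choice,
# not the vendors' mapping file). Value: other names for the same group.
ALIASES = {
    "Midnight Blizzard": ["COZY BEAR", "APT29", "UNC2452", "Nobelium"],
    "Volt Typhoon": ["Vanguard Panda", "Bronze Silhouette"],
    "Onyx Sleet": ["Plutonium", "Silent Chollima", "Black Chollima", "DarkSeoul"],
    "Silk Typhoon": ["Murky Panda"],
}


def normalize(name: str) -> str:
    """Fold case and separators so 'COZY BEAR', 'Cozy-Bear' and 'cozy_bear' compare equal."""
    return re.sub(r"[\s_\-]+", " ", name.strip()).lower()


def build_index(aliases: dict) -> dict:
    """Invert canonical -> aliases into alias -> canonical.

    An alias that would map to two different canonical groups is a data
    error in the table, so the build fails rather than silently picking one.
    """
    index = {}
    for canonical, names in aliases.items():
        for name in [canonical, *names]:
            key = normalize(name)
            if key in index and index[key] != canonical:
                raise ValueError(
                    f"alias {name!r} maps to both {index[key]!r} and {canonical!r}"
                )
            index[key] = canonical
    return index


def resolve(name: str, index: dict):
    """Return the canonical label for a vendor name, or None if it is unknown."""
    return index.get(normalize(name))


def ms_family(name: str):
    """Decode the family suffix of a Microsoft actor name into (category, origin).

    Returns None for names that are not two words or whose family is unknown,
    which includes every non-Microsoft name in the table above.
    """
    parts = normalize(name).split()
    if len(parts) != 2:
        return None
    return MS_FAMILY.get(parts[1])


def merge_reports(reports: list, index: dict):
    """Group indicators from multi-vendor reports under one canonical actor.

    Returns (merged, unresolved): merged maps canonical label -> set of
    indicators; unresolved lists (source, actor) pairs the table cannot place.
    """
    merged = defaultdict(set)
    unresolved = []
    for report in reports:
        canonical = resolve(report["actor"], index)
        if canonical is None:
            unresolved.append((report["source"], report["actor"]))
        else:
            merged[canonical].add(report["indicator"])
    return dict(merged), unresolved


# Constructed sample reports: vendor labels are hypothetical and the
# indicators are documentation/reserved values, not real IOCs.
SAMPLE_REPORTS = [
    {"source": "vendor-a", "actor": "Vanguard Panda", "indicator": "203.0.113.10"},
    {"source": "vendor-b", "actor": "Bronze Silhouette", "indicator": "203.0.113.10"},
    {"source": "vendor-b", "actor": "volt typhoon", "indicator": "example-c2.invalid"},
    {"source": "vendor-c", "actor": "APT29", "indicator": "198.51.100.7"},
    {"source": "vendor-d", "actor": "Unknown Walrus", "indicator": "192.0.2.5"},
]

if __name__ == "__main__":
    idx = build_index(ALIASES)
    merged, unresolved = merge_reports(SAMPLE_REPORTS, idx)
    for actor, indicators in merged.items():
        print(actor, ms_family(actor), sorted(indicators))
    print("unresolved:", unresolved)
```

Three vendor reports naming Vanguard Panda, Bronze Silhouette and volt typhoon collapse into a single Volt Typhoon entry with two distinct indicators, which is the deduplication the joint mapping is meant to enable; the unresolved list is the queue an analyst still has to work by hand, and the conflict check in `build_index` is what keeps a hand-maintained table from quietly merging two groups.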
“By clarifying who is being referenced in threat reports, SOC analysts, incident responders and CISOs can more quickly assess risk, prioritize response and communicate with clarity across internal teams and external partners,” wrote Meyers, adding that the two vendors are “building what many might call a ‘Rosetta Stone.’ … Better alignment leads to faster decisions, and in cybersecurity, speed is a defensive advantage.”