Adversary Group Naming: A Cyber Threat Intelligence Best Practice

N2K Networks · July 8, 2025 · 8 min

The Practice of Adversary Group Naming

  • 💡 Adversary group naming is a cyber threat intelligence best practice involving the assignment of arbitrary labels to collections of hacker activity across the intrusion kill chain.
  • 🎯 This practice helps to categorize and discuss various cyber threat actor campaigns in a concise manner.

Historical Origins of Naming

  • 🚀 The US government pioneered this practice in 1998 with the code name Solar Sunrise for a series of hacks, initially attributed to Iraq but later found to be the work of teenagers.
  • 📌 Another early example is Moonlight Maze, a separate attack targeting US government entities, which was also given a code name.
  • ⚠️ These early instances established a precedent for using distinct names to classify and track cyber intrusions.

Evolution of Naming Conventions

  • 🔑 The practice evolved significantly around 2010-2013 with the publication of key white papers and the release of the MITRE ATT&CK framework.
  • 🧩 Naming shifted from cool code names to labels associated with observed attack sequences and the intrusion kill chain.
  • 💬 This allowed analysts to use shorthand, like referring to an attack sequence as "Wicked Panda" instead of detailing specific malware and exploit kits.

Challenges and Vendor Naming Schemes

  • 🤯 Security vendors developed their own naming schemes, such as Mandiant's APT numbers, CrowdStrike's animal associations, and Microsoft's periodic table elements, leading to significant confusion and overlap.
  • 🔍 Many different names, like Lazarus Group, APT37, and Hidden Cobra, can refer to the same adversary group.
  • ⚠️ Nation-state attribution by security vendors is often circumstantial and should be approached with caution; focusing on the attack sequence is often more practical for developing defenses.

Best Practices for Naming

  • πŸ› οΈ When naming adversary groups, avoid using the tools they employ, as this can cause confusion (e.g., naming a group after the "Bumblebee malware").
  • βœ… Choose easy-to-read and easy-to-spell names to enhance understandability, such as "Wicked Panda" over more complex or obscure designations.