Adversary Group Naming: A Cyber Threat Intelligence Practice
N2K NetworksJuly 7, 202510 min38 views
22 connections·40 entities in this video→The Practice of Adversary Group Naming
- 🎯 Adversary group naming is a cyber threat intelligence best practice involving the assignment of arbitrary labels to collections of hacker activity.
- 🔑 This practice helps in tracking and discussing various hacker activities across the intrusion kill chain.
Origins and Evolution of Naming
- 💡 The US government is credited with early adoption in 1998, using code names like Solar Sunrise and Maze for cyber incidents.
- 🚀 The practice evolved significantly with milestones like Lockheed Martin's white paper on intelligence-driven defense, Mandiant's exposure of Chinese espionage units, and the release of the MITRE ATT&CK framework.
- 🧩 Modern naming shifted from cool code names to labels associated with observed attack patterns and sequences, simplifying communication among analysts.
Challenges and Confusion in Naming
- ⚠️ Security vendors developed their own naming schemes (e.g., Mandiant's AP numbers, CrowdStrike's animal associations, Microsoft's periodic table elements), leading to massive confusion.
- 🧐 It became difficult for security professionals to recognize that multiple names (e.g., Lazarus Group, AP37, Hidden Cobra) often referred to the same adversary group.
- ⚠️ The practice of attributing activity to nation-states based on circumstantial evidence from security vendors is cautioned against, as it's often not necessary for developing defensive controls.
Best Practices for Naming
- 🛠️ Avoid naming groups after the tools they use, as this can muddy the waters and cause confusion.
- ✅ Choose easy-to-read and easy-to-spell names to improve understandability, such as "Wicked Panda" instead of "win TI umbrella group".
- 🎯 The primary goal should be to identify the attack sequence for developing prevention and detection controls, rather than focusing solely on nation-state attribution.
Knowledge graph40 entities · 22 connections
How they connect
An interactive map of every person, idea, and reference from this conversation. Hover to trace connections, click to explore.
Hover · drag to explore
40 entities
Chapters4 moments
Key Moments
Transcript36 segments
Full Transcript
Topics13 themes
What’s Discussed
Adversary Group NamingCyber Threat IntelligenceIntrusion Kill ChainSolar SunriseMazeMITRE ATT&CK FrameworkCyber EspionageNation State AttributionSecurity VendorsMalwareExploit KitsCommand and ControlThreat Research
Smart Objects40 · 22 links
Events· 4
Medias· 4
Concepts· 14
Companies· 11
Locations· 3
People· 3
Product· 1