Skip to main content

Adversary Group Naming: A Cyber Threat Intelligence Practice

N2K NetworksJuly 7, 202510 min38 views
22 connections·40 entities in this video

The Practice of Adversary Group Naming

  • 🎯 Adversary group naming is a cyber threat intelligence best practice involving the assignment of arbitrary labels to collections of hacker activity.
  • 🔑 This practice helps in tracking and discussing various hacker activities across the intrusion kill chain.

Origins and Evolution of Naming

  • 💡 The US government is credited with early adoption in 1998, using code names like Solar Sunrise and Maze for cyber incidents.
  • 🚀 The practice evolved significantly with milestones like Lockheed Martin's white paper on intelligence-driven defense, Mandiant's exposure of Chinese espionage units, and the release of the MITRE ATT&CK framework.
  • 🧩 Modern naming shifted from cool code names to labels associated with observed attack patterns and sequences, simplifying communication among analysts.

Challenges and Confusion in Naming

  • ⚠️ Security vendors developed their own naming schemes (e.g., Mandiant's AP numbers, CrowdStrike's animal associations, Microsoft's periodic table elements), leading to massive confusion.
  • 🧐 It became difficult for security professionals to recognize that multiple names (e.g., Lazarus Group, AP37, Hidden Cobra) often referred to the same adversary group.
  • ⚠️ The practice of attributing activity to nation-states based on circumstantial evidence from security vendors is cautioned against, as it's often not necessary for developing defensive controls.

Best Practices for Naming

  • 🛠️ Avoid naming groups after the tools they use, as this can muddy the waters and cause confusion.
  • ✅ Choose easy-to-read and easy-to-spell names to improve understandability, such as "Wicked Panda" instead of "win TI umbrella group".
  • 🎯 The primary goal should be to identify the attack sequence for developing prevention and detection controls, rather than focusing solely on nation-state attribution.
Knowledge graph40 entities · 22 connections

How they connect

An interactive map of every person, idea, and reference from this conversation. Hover to trace connections, click to explore.

Hover · drag to explore
40 entities
Chapters4 moments

Key Moments

Transcript36 segments

Full Transcript

Topics13 themes

What’s Discussed

Adversary Group NamingCyber Threat IntelligenceIntrusion Kill ChainSolar SunriseMazeMITRE ATT&CK FrameworkCyber EspionageNation State AttributionSecurity VendorsMalwareExploit KitsCommand and ControlThreat Research
Smart Objects40 · 22 links
Events· 4
Medias· 4
Concepts· 14
Companies· 11
Locations· 3
People· 3
Product· 1