5.5 Threat Intelligence Naming Conventions

Video Transcription
Hello and welcome to the last lesson from the module Campaign Analysis. In this video, we're going to talk about threat intelligence naming conventions. In this lesson, we will understand the naming conventions that are used by security researchers and vendors.
We will see common naming conventions and what exactly the reasons are that lead to different names.
And we will finish this lesson with some recommendations for your naming conventions.
A naming convention is a set of rules for choosing the names to be used to identify threat actors or APTs or campaigns or operations.
And if we look at the current threat landscape, we will find so many different names for one and the same threat actor.
And just to let you know from the start of this video, there is no way to standardize all of the names.
When it comes to the names themselves, security firms tend to have their own naming conventions, meaning that there will be multiple aliases for any given APT group or threat actor.
It makes a confusing state of affairs, but it is unlikely to be resolved anytime soon.
Here are some examples of naming conventions. FireEye, Mandiant,
Cisco Talos and some other vendors use numbers such as APT28 or APT34,
while CrowdStrike, Kaspersky or Symantec use fancy names and naming schemes that create an emotional or mythological context.
Panda, for instance, refers to China, while a reference to a cat or kitten means Iran. The reality is these are not arbitrary names.
In fact, many are similar to schoolyard nicknames, tied to the attributes of mysterious groups behind cyber attacks, and security researchers tend to have an FBI-like profiling approach for these groups and activities.
Cybercrime researchers build profiles based on their typical targeting, tactics, malware and techniques in order to follow APT activity and campaigns around the world.
Sometimes they are also given names, which act as a handy way to organize and catalog threat patterns, often with a nod to the geography they are thought to be associated with.
What can be the reasons that lead to different naming conventions?
There are human, technical and operational reasons that lead to all the different names.
In this slide, we are going to discuss the different reasons categorized by their type.
We will start with the human reasons for the naming confusions. The first reason is when an operation name is used as a threat actor name.
The second reason is when a malware name is used as a threat actor name.
The third reason is when vendors fail to relate to other vendors' research. The fourth reason is when journalists are unwilling to correct wrong mapping in public articles. When it comes to the technical reasons why all these names diverge,
the first reason is that every vendor sees different pieces of the full picture: different TTPs, IOC clusters, sample sets, C2 infrastructure, et cetera. The second reason is that threat actors join forces or split up.
The third reason is that groups share their tool set with others.
The fourth reason is that groups share their C2 infrastructure with other groups. There are also less technical and more operational reasons that lead to different naming. By using the name of another vendor,
you may resent this decision later if the other vendor takes it in a direction that you disagree with.
As vendors have collected and constantly received different pieces of the puzzle,
agreeing on a mutual name always bears the risk of diverging TTPs.
Maintaining one's own name provides flexibility and the option to go down different paths. By using another vendor's name, you would implicitly admit that the research of the other vendor is more complete and could be seen as the basis of your research. It's a trade-off
between that tactical advantage
and a reputation gain.
Reported first doesn't mean that research is foundational or more thorough, and therefore all the researchers don't see it as an indictment to assign any. So, as you can see, many reasons lead to different naming conventions.
The standardization of threat actor names is not as easy as it sounds. The antivirus industry has confronted the same criticism for many years and cannot comply with the demands for very similar reasons.
When you are naming a campaign that you are investigating,
it's highly recommended to avoid numbers. Even though some of the vendors are doing it, it doesn't mean that it's the best option,
because you may lose track of the campaign numbers after a certain time. The second recommendation is that naming after a tool used in the campaign may end up creating confusion, and analysts might find themselves linking unrelated campaigns just because they are using the same tool.
My third recommendation is more about threat actor naming conventions, and here I am taking the example of the CrowdStrike naming convention.
It's definitely a clever option, but if you are not sure about the origins of the threat actor, you might end up naming multiple duck.
I have also some recommendations for naming conventions that would make your campaigns or threat actor naming more appropriate.
Basically, it's not good to be serious all the time, and it is fine to add some humor to your naming convention. It will make it easier to remember.
It's also significant to create the name based on the incidents that you are facing, not the one that you read about.
Keep in mind that they might be related at first sight, but you might be wrong after all.
Briefly, just be creative and flexible.
In summary, this lesson was a quick overview of the naming conventions that are used by cyber security researchers and security vendors. We've seen some of the reasons that may lead to different names, and I gave you some recommendations
to name your own campaigns or name the threat actors that you are currently tracking.
This lesson was the last video from the Campaign Analysis module. In the next video, we'll start the new module about attribution, and the first lesson will be an introduction to the module.