
The Private Sector Seeks to Minimize Cyber Threat Actor Attribution. Will It Work?

Recently, Microsoft and CrowdStrike began collaborating to streamline the naming conventions for state and nonstate cyber activity, in an effort to resolve the inconsistencies that currently exist across the cybersecurity industry's attribution taxonomies. As anyone involved in cybersecurity knows, vendor reporting on hostile campaigns can be confusing: each company uses its own identifiers to classify campaigns and to distinguish one set of perpetrators from another, even when the activities look similar on the surface. What has emerged is a plethora of catchy naming conventions that network defenders must sift through as reports arrive in droves. Even the "master lists" that have been compiled to get a handle on the volume of tracked hostile cyber activity can themselves be overwhelming.

Therefore, it is evident that such an undertaking has long been needed, and Microsoft and CrowdStrike have released the first iteration of their list. Microsoft places its own naming convention on one side of a table and aligns other companies' aliases to it by correlating the characteristics of the tracked activity or of the threat actors behind it. Given the volume of activity coming from places like China and Russia, the list is extensive and, frankly, still confusing, as the chart is littered with flashy nomenclatures that mimic the code names the U.S. government uses to track and classify such activity. According to recent reporting, other large-name companies are expected to join the effort, with Google/Mandiant and Palo Alto expected to get into the mix, further adding to the existing colorful nomenclature.

And while such an undertaking certainly makes sense, especially given the need to clarify which activity has been attributed to which actor, the effort comes with an assortment of challenges, the biggest of which is agreeing on a single name for each identified cyber threat group. Vendor reports that detail hostile cyber activity and make attributions based on analysis are not only a public service provided by a company; they also serve as a way for the organization to promote its offerings to a wider, global clientele. To say that the threat intelligence market is competitive is an understatement. According to one report, the threat intelligence market is projected to reach USD 43 billion by 2033, astronomic growth spurred by the need for companies to deliver proactive cybersecurity solutions. Indeed, one private-company threat analyst acknowledged that "historically, security companies have certainly wanted to have their own naming schemes for marketing purposes," underscoring how important it is for a company to differentiate itself from competitors.

Another challenge facing this endeavor is how companies arrive at attribution. How a company makes such a determination is not always clear, and it is generally not done the same way, or against the same criteria and standards, across the industry writ large. Furthermore, companies may not want to share how they do it, especially if proprietary technology is used in the process. Companies also have different visibility into the threat space, what is termed "telemetry." Because companies gather information from different sources (e.g., networks, applications, cloud, etc.), the determinations they make may agree with one another or differ, which raises the question of consistency in attribution. For example, one company may consider a body of activity the work of a single threat actor, while another company may break it down into two or more distinct threat groups. This does not add attribution clarity for network defenders. And while it can be argued that the same offending state may be the orchestrator of a campaign, what if two different state and/or nonstate threat groups are collaborating? This may be why Microsoft indicates that the current venture is not designed to replace existing threat actor naming taxonomies, nor will it change Microsoft's own approach, per one online cybersecurity news site.

Deconfliction is imperative if such an initiative is to be beneficial down the line. While the current landscape of state-driven advanced persistent threat activity has largely been characterized by the tactics, techniques, and procedures (TTPs) and the targets of these operations, that may not be the case in the future. With adversarial governments like China, Iran, North Korea, and Russia, among others, increasing their cybersecurity ties, there is a risk that some may conduct joint or even collaborative cyber efforts in the future. This ultimately raises the question: what would such a partnership look like?

They may elect to use never-before-seen infrastructure, tactics, and tools, or perhaps leverage the TTPs of other groups that have already been published and socialized, as a means of further obfuscating the threat actors behind the attacks. Moreover, such a partnership could raise the stakes for attribution efforts by using different malware, operating out of third-party countries, purposefully attacking benign targets to mislead analytic efforts, and using tools like different-language keyboards to further veil their identities. This type of collaboration may be closer to fruition than many think. If North Korea is willing to commit military forces to the Ukraine conflict, joint participation in cyber espionage or other types of cyber attacks does not seem so far-fetched, and it is something that needs to be considered now rather than after it has already happened.

Still, this initiative deserves to be recognized as a good first step and a necessary evolution, and finding overlapping data points among cybersecurity company stakeholders certainly supports a more confident determination from a network defender's position. How this will work as new threat actor groups and hostile cyber activity emerge remains uncertain, but hopefully successes with retrospective grouping can create a viable path forward. As more companies join the initiative, it would also be good to guard against progress succumbing to conformity bias, or against the input of smaller companies being muted by larger, better-resourced organizations. It may be advantageous to showcase where a company has differed from the majority, much as a formal intelligence product would highlight a dissenting view for its readership. No one expects any company to get it right 100% of the time, which makes such voices important: they provide alternative views, can uncover blind spots not previously seen, and can ultimately improve the outcome. And in a threat environment that expands daily, this is exactly what inundated network defenders need.

Emilio Iasiello

About the Author

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.