The 2016 US Government report detailing Russian malicious cyber activity listed 40 separate names for Russian state-aligned cyber threats, drawn from security vendor marketing and research. The advisory also came with its own moniker, ‘Grizzly Steppe’, bringing the names involved to 41 (plus suspected civilian groups). Despite this apparent proliferation, Russian state-aligned cyber activity is suspected to be directed by just three main bodies: the GRU, the FSB and potentially the SVR.
Russia currently sits at the top of the geopolitical agenda and has a corresponding focus from the security industry, but still, something here doesn’t add up. Scratch beneath the surface and it becomes clear that in several cases each security vendor had simply assigned the exact same threat group a different name.
Clearly, this adds significant confusion to an already complex problem, as demonstrated here. While we don’t know for sure which state bodies are involved, each column represents a single cyber threat actor, with the different names below it assigned by different vendors.
The question is: why, as an industry, do we default to over-complicating the threat? Surely it is hard enough to deal with without adding artificial layers of obfuscation? And what can we do about it?
How did we get here?
It’s no secret that Mandiant’s APT1 report in 2013 helped propel what was a fairly niche business into a global incident response and consulting powerhouse. By evidencing attacks on Western organizations by a Chinese state-aligned cyber group (APT1), Mandiant became headline news and was able to set the security agenda.
Mandiant’s (now FireEye’s) naming convention was and is fairly simple: APT is the prefix given to nation-state groups (e.g. APT1, APT10, APT28), while FIN is the prefix given to financially motivated criminal groups (e.g. FIN1, FIN7). The problem is that unless you work in the industry it’s hard to remember who’s who, and as a CISO, if you tell your CEO that based on your threat profile you need budget to defend against APT10, you may get a blank stare in return. Still, it’s only one set of names to remember, and there’s always Google.
However, this is where things take a turn for the worse. The cyber security industry noted Mandiant’s success in setting the narrative and, crucially, realised that it was Mandiant’s naming convention that was dominating the boardroom, regardless of which vendor was in the room.
With significant budgets allocated to R&D and threat research, vendors simply could not risk their work, IP and reputation being referenced in a framework drawn up by Mandiant. In a highly competitive space, it was akin to admitting defeat before the battle for budgets had even begun.
There was only one thing for it: in the struggle for influence and thought leadership, each vendor would adopt its own naming convention in order to protect its research and brand investments, and if that meant confusing the customer, then so be it.
The naming arms-race
Let’s use a well-known threat group as an example: the Russian GRU, whose remit is foreign military and political intelligence, manifesting itself in alleged cyber attacks on NATO, Eastern European governments, a French TV station, the White House, foreign democratic processes and the Olympic Games.
Speak to FireEye and they’ll tell you that you need to defend against ‘APT28’. Get CrowdStrike in the room and it’s all about ‘Fancy Bear’, with ‘Bear’ being their suffix for Russian groups. Trend Micro will ask ‘what about Pawn Storm, did you consider that?’. Yet this is the same threat actor in each case.
Indeed, it doesn’t stop there. Going one level deeper, security vendors also love to name the tooling and techniques used by threat groups. For example, in 2015, APT29 used a backdoor that FireEye called ‘HammerToss’, while F-Secure named it ‘HammerDuke’ in line with their own Russian naming convention of ‘TheDukes’.
Faced with this level of naming complexity, it becomes difficult to prioritise actual security activities and remediation, let alone communicate what is actually important to the wider business.
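One practical way to cope with the layered aliasing described above, as an added example that is not code from the original article or from any vendor named in it: a small Python script that collapses vendor names to one canonical actor per cluster, so a feed of mixed-vendor reports can be counted and prioritised by actor rather than by name. The alias table is built from the names quoted in the text (APT28 / Fancy Bear / Pawn Storm, APT29 / The Dukes, HammerToss / HammerDuke, Grizzly Steppe); the choice of the FireEye name as the canonical key, the extra aliases Sofacy, Sednit and Cozy Bear (taken from public vendor reporting, not from this page) and the sample reports are assumptions made for the example. Grizzly Steppe is treated as an umbrella that fans out to both actors rather than as a third one.

```python
"""Reconcile vendor-specific threat actor names to one canonical actor.

Added example for this article; not the author's tooling. The alias table is
built from names quoted in the text plus a few widely published aliases
(Sofacy, Sednit, Cozy Bear) that are an assumption here, as is the choice of
the FireEye name as the canonical key.
"""
import re
from collections import defaultdict

# canonical actor key -> aliases used by other vendors
ALIASES = {
    "APT28": ["Fancy Bear", "Pawn Storm", "Sofacy", "Sednit"],
    "APT29": ["Cozy Bear", "The Dukes"],
}

# Tooling is a second layer of aliasing: one backdoor, two vendor names.
TOOL_ALIASES = {
    "HAMMERTOSS": ["HammerDuke"],
}

# Grizzly Steppe is a government umbrella name covering more than one actor,
# so it deliberately does NOT map to a single canonical key.
UMBRELLA = {"Grizzly Steppe": ["APT28", "APT29"]}


def _norm(name: str) -> str:
    """Case-, whitespace- and punctuation-insensitive key for lookups."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def _build_index(table):
    """Invert canonical -> aliases into normalised alias -> canonical.

    Refuses to build if one alias would point at two different actors,
    which is exactly the kind of silent error an alias table must not have.
    """
    index = {}
    for canonical, aliases in table.items():
        for alias in [canonical, *aliases]:
            key = _norm(alias)
            if key in index and index[key] != canonical:
                raise ValueError(f"alias {alias!r} maps to both {index[key]} and {canonical}")
            index[key] = canonical
    return index


ACTOR_INDEX = _build_index(ALIASES)
TOOL_INDEX = _build_index(TOOL_ALIASES)
UMBRELLA_INDEX = {_norm(k): v for k, v in UMBRELLA.items()}


def resolve_actor(name):
    """Return ('actor', canonical), ('umbrella', [canonicals]) or ('unknown', name)."""
    key = _norm(name)
    if key in ACTOR_INDEX:
        return "actor", ACTOR_INDEX[key]
    if key in UMBRELLA_INDEX:
        return "umbrella", UMBRELLA_INDEX[key]
    return "unknown", name


def resolve_tool(name):
    """Canonical tool name, or the original name if it is not in the table."""
    return TOOL_INDEX.get(_norm(name), name)


def reconcile(reports):
    """Group vendor reports by canonical actor.

    reports: iterable of dicts with 'vendor', 'actor' and optional 'tool'.
    Returns {canonical: [(vendor, original actor name, canonical tool), ...]}.
    Umbrella names fan out to every actor they cover; unknown names are kept
    under their own key so nothing silently disappears from the feed.
    """
    grouped = defaultdict(list)
    for r in reports:
        kind, value = resolve_actor(r["actor"])
        tool = resolve_tool(r["tool"]) if r.get("tool") else None
        targets = value if kind == "umbrella" else [value]
        for canon in targets:
            grouped[canon].append((r["vendor"], r["actor"], tool))
    return dict(grouped)


# Constructed sample feed (not real vendor data): six reports carrying six
# different actor names that describe only two actors.
SAMPLE_REPORTS = [
    {"vendor": "FireEye",       "actor": "APT28"},
    {"vendor": "CrowdStrike",   "actor": "FANCY BEAR"},
    {"vendor": "Trend Micro",   "actor": "Pawn Storm"},
    {"vendor": "FireEye",       "actor": "APT29", "tool": "HAMMERTOSS"},
    {"vendor": "F-Secure",      "actor": "The Dukes", "tool": "HammerDuke"},
    {"vendor": "US Government", "actor": "Grizzly Steppe"},
]


def summary(reports=SAMPLE_REPORTS):
    """Return (distinct raw names, distinct canonical actors, grouped reports)."""
    raw = {_norm(r["actor"]) for r in reports}
    grouped = reconcile(reports)
    return len(raw), len(grouped), grouped


if __name__ == "__main__":
    raw, canon, grouped = summary()
    print(f"{raw} vendor names -> {canon} actors")
    for actor, rows in grouped.items():
        print(actor, rows)
```

Two design choices are worth keeping if you adapt this: the original vendor name travels alongside the canonical key, because vendors draw cluster boundaries differently and two names are not always a perfect one-to-one match; and the index builder rejects an alias that points at two actors rather than letting the last entry win. In practice the table itself should be maintained from a public alias list rather than hand-typed.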
So what’s the answer?
With so much money riding on percentage points of marketing influence, it’s unlikely that the cyber security industry is ready to give up its complex system of multiple naming conventions just yet. The research -> name -> publish -> market -> sell model is simply too entrenched, and while at a technical level the industry can be extremely collaborative, at a marketing and sales level it is not yet there (there are exceptions).
In addition, and in fairness to the industry, the threat landscape is moving quickly. Several security firms track the same threats concurrently and publish at similar times, each from its own telemetry. The boundaries they draw around an activity cluster do not always line up exactly, so two vendor names are not always a perfect one-to-one alias for each other, which is one more reason the mapping cannot simply be read off a table.
One solution? There may be arguments for a government body such as the DHS or the NCSC to maintain and arbitrate a centralised naming convention, but there are clear counter-arguments that this could make naming political and potentially biased, even to the point of discouraging research, which in the face of the threat as it stands is the last thing we need.
For the time being, firms should continue to ask the question ‘based on what it is we do, who is it we need to defend against?’, while looking beyond vendor marketing to the motivations that underpin what remains a genuine threat. In the current naming arms race, though, that’s easier said than done.