Do you know your APT28 from your Fancy Bear? Your Pawn Storm from your Swallowtail? Your IRON TWILIGHT from your SNAKEMACKEREL? If you said yes, GTFO because they're all allegedly the same thing.
And therein lies the problem with the cybersecurity industry's naming conventions – they're shit. Companies investigating the same threat group will come up with different, though equally silly, names, and then it's a whole thing when researchers realize, "Ohhh, your guys are also my guys! Everything makes sense now!"
Microsoft does its share of "threat intelligence" too, don't you know, and reckons it can make all this confusion go away if only people adopt its brand spanking new methods.
And what does it propose? To name the various groups after weather conditions.
You know that xkcd comic where the guy is complaining that there are 14 competing standards so we need one universal standard?
Yeah. There are now 15 competing standards.
"The complexity, scale, and volume of threats is increasing, driving the need to reimagine not only how Microsoft talks about threats but also how we enable customers to understand those threats quickly and with clarity," lamented the software biz in a statement.
"With the new taxonomy, we intend to bring better context to customers and security researchers that are already confronted with an overwhelming amount of threat intelligence data. It will offer a more organized, memorable, and easy way to reference adversary groups so that organizations can better prioritize threats and protect themselves. Simply put, security professionals will instantly have an idea of the type of threat actor they are up against, just by reading the name."
That, at least, is the idea. So prepare to memorize that Blizzard means the threat group is believed to be from Russia! Sleet means North Korea! Typhoon means China! Sandstorm means Iran!
There are also weather warnings for severity, target, and modus operandi, like Storm for groups in development, Tempest if the group is financially motivated, Tsunami if primarily focused on the private sector, and Flood for "influence operations."
But Microsoft, we hear you cry, there are loads of threat groups from Russia and they all have different agendas and infrastructure and operating procedures! What do we do now?
Aha, let us complicate it for you further, says Microsoft.
When distinguishing one Russian threat group from another, they then become Midnight Blizzard, Forest Blizzard or perhaps even Aqua Blizzard. Clear who we're talking about? In Iran, we have Mint Sandstorm, Gray Sandstorm, and Hazel Sandstorm. For groups in development, we have temporary designations like Storm-0257 or Storm-0539.
Microsoft used the example of Mint Sandstorm, aka Phosphorus, aka Charming Kitten, aka Ajax Security, aka NewsBeef, aka TA453, aka APT35, aka APT42 – you know, the group aligned with Iran's Islamic Revolutionary Guard Corps that targets academics of interest to the state – to roll out its new taxonomy.
To be fair to Redmond, Mint Sandstorm does neatly illustrate how chaotic tracking just one threat group has become, but whipping up yet another naming system will only really help if everyone's on board. And what benefit in clarity does Storm-XXXX have over APTXX?
Microsoft justifies its stance thus:
So what you'll have to do is keep Microsoft's data handy, then cross-reference it with Mitre's equivalent or what have you, and maybe, just maybe, you'll have an idea of what you're up against.
Let us know what you think in the comments and if you have any clues about how it could be improved. For our part, we're disappointed that Sharknado and the Oncoming Storm (à la Doctor Who) are not currently included in the nomenclature. ®
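As an added illustration of the cross-referencing chore described above (example code written for this piece, not anything Microsoft or Mitre ships): a small decoder for the weather-themed naming scheme plus an alias index that maps the vendor names listed for Mint Sandstorm back to the Microsoft name. The family-to-meaning table follows the scheme as laid out here, and the alias list is constructed only from the names quoted in this article.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Family-name suffix -> what the taxonomy says it signals (as described in this piece).
FAMILY_MEANING = {
    "Blizzard": "nation-state: Russia",
    "Sleet": "nation-state: North Korea",
    "Typhoon": "nation-state: China",
    "Sandstorm": "nation-state: Iran",
    "Tempest": "financially motivated",
    "Tsunami": "private-sector offensive actor",
    "Flood": "influence operations",
    "Storm": "group in development (temporary designation)",
}

@dataclass(frozen=True)
class ActorName:
    raw: str
    family: str
    adjective: Optional[str]   # "Mint" in "Mint Sandstorm"; None for Storm-0539
    number: Optional[str]      # "0539" in "Storm-0539"; None for named groups
    meaning: str

_STORM = re.compile(r"^Storm-(\d{4})$")
_NAMED = re.compile(r"^([A-Z][a-z]+) ([A-Z][a-z]+)$")

def parse_actor(name: str) -> ActorName:
    """Decode a Microsoft-style actor name into family, adjective/number and meaning."""
    name = " ".join(name.split())
    if m := _STORM.match(name):
        return ActorName(name, "Storm", None, m.group(1), FAMILY_MEANING["Storm"])
    if (m := _NAMED.match(name)) and m.group(2) in FAMILY_MEANING:
        return ActorName(name, m.group(2), m.group(1), None, FAMILY_MEANING[m.group(2)])
    raise ValueError(f"not a recognised Microsoft actor name: {name!r}")

# Constructed alias index, built only from the Mint Sandstorm aliases quoted in the article.
ALIASES = {
    "Mint Sandstorm": ["Phosphorus", "Charming Kitten", "Ajax Security",
                       "NewsBeef", "TA453", "APT35", "APT42"],
}

def _norm(s: str) -> str:
    # Vendors differ in case, spacing and hyphens ("APT35" vs "apt-35"), so strip all of it.
    return re.sub(r"[^a-z0-9]", "", s.lower())

_INDEX = {_norm(a): ms for ms, al in ALIASES.items() for a in al + [ms]}

def resolve(vendor_name: str) -> Optional[ActorName]:
    """Map any known vendor alias to the parsed Microsoft name, or None if unknown."""
    ms = _INDEX.get(_norm(vendor_name))
    return parse_actor(ms) if ms else None
```

Extend `ALIASES` from your own tracking sheet or Mitre's group pages; anything not in the index deliberately resolves to `None` rather than guessing.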