Threat Actor Naming Taxonomies: the never-ending debate
A few days ago Microsoft announced they are moving away from their previous naming convention for threat actors, which was based on chemical elements from the periodic table, to a new one aligned to the theme of weather. [1][2]
As expected, this caused an avalanche of comments and takes on it (and this is yet another one :) ), but surprisingly I found a lot of superficial criticism without an actual critical look at what this change means and the reasoning behind it.
TL;DR
I applaud Microsoft’s decision to 1) move away from a sub-optimal naming taxonomy to a more mnemonic and flexible one, and 2) document and share their decision and process publicly.
However, I do agree that some of the specific names chosen are a bit questionable, just because of the confusion they may generate, either with previous names (e.g. Sandstorm is the new name of all Iran-sponsored groups, while the good old Sandworm refers to the well-known Russian APT group we all came to “love”) or because of how common the word and/or adjective associated with them is. And yes, I believe there could have been less common names than weather themes.
The only one I really disagree with is moving the unknown/in-development cluster naming from DEV-#### to Storm-####: this does not help towards more mnemonic names (a 4-digit code is still a 4-digit code) and the word Storm is just too common, while DEV actually makes more sense for an “in development” cluster.
But let’s dive a bit deeper into why I believe some naming conventions are sub-optimal and what a good one may look like, imho.
A deeper look: why the previous taxonomy wasn’t a great choice
A good naming taxonomy should help the intel consumer to quickly remember, identify and associate the threat group they are referring to, and it should not limit the intel organization in terms of how many groups it can track.
The previous Microsoft taxonomy based on chemical elements of the periodic table, as well as a few (similar?) others from other vendors, didn’t meet those criteria for a few reasons:
- Difficult to pronounce, spell and remember. Because most science-related names have Latin or Greek roots, they may not all be easy to spell or understand when pronounced, leading to confusion and errors. Also, those are not really mnemonic: sure, better than a number with a few digits, but still not easy to remember who is who.
- Clustering. If you want to cluster groups, e.g. espionage vs financially motivated, or by state-sponsored type of attribution, you cannot easily cluster that way. You would need a (theme) name for the cluster and another, usually an adjective, for the specific group within that cluster. This way the association of the group to a specific cluster is immediate, regardless of whether you already know anything about the group or not (the question of whether one should do attribution at all, whether it matters, the risks of naming directly based on the attributed state, etc., is a whole different Pandora’s box which probably deserves a separate post).
- Finite number of options. Even though the elements are many, it’s still a very finite set of names. Indeed Microsoft exceeded it with the number of groups tracked.
- If you go “scientific” with another domain, make sure your people know it well or you list all possible names in an internal document first. You don’t want your analysts having to go Googling for a new name when the time comes (like if you decide on the chemical elements of the periodic table but then pick another chemical element, e.g. a synthetic one, outside of the periodic table because, well, chemistry wasn’t your strength in high school? ¯\_(ツ)_/¯ )
Therefore, a good naming taxonomy should have mnemonic names: the human brain has a hard time remembering numbers. As much as I love the APT/TA/Somethingelse-### style, mostly for romantic reasons as APT1 is when it all started in the modern, commercial, private intel space, I do have a hard time remembering which number is who, outside of the super famous ones or the specific one I may be working on at the moment.
Does the new taxonomy make sense or not?
There is probably no perfect taxonomy, but as long as it works for you and your customers, you are consistent in using it and you document how you define it, it works. Even so, you should really try to follow the above principles to get close to an ideal one.
Among the several complaints about the new taxonomy, I feel these two summarize a big chunk of them:
Complaint #1: why can’t we all have the same naming convention?
This is a recurring complaint in general; I would say this is THE complaint. An evergreen, and I’m not sure it will ever end. The answer is simple and it’s still the same: no, we cannot.
Why? Although there is some overlap, sometimes even a lot, among some groups, especially the big ones, we cannot and we should not have the same naming convention because:
- Every organization has very different (and limited, except probably Google and Microsoft) visibility
- Every organization defines threat groups (slightly?) differently
This means that the way organization A sees and tracks actor BADWEATHER will be different from, and may change over time relative to, how organization B sees it. So, even if there is some overlap, it is not wise for organization B to fully rely on BADWEATHER; it should keep tracking the actor as CLUBSANDWICH. This is also a good reminder on Rosetta Stones: there are many, for obvious reasons, they are very useful and you should look at them. HOWEVER, be mindful that they are not and should not be intended as a 1:1 mapping, rather as a reference of similar groups that share some/many TTPs and characteristics. (If you don’t know what a Rosetta Stone is, have a look at the public Google Spreadsheet “APT Groups and Operations”[4] started years ago by Florian Roth as an example.)
Complaint #2: the previous MSTIC scheme was already a brand and well accepted, with cool names, why change?
True, it was. But as we have seen above, ideally we want the naming to be useful rather than just cool. They were cool, still better than many others, but had lots of limitations.
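To make the “overlap, not 1:1” point concrete, here is an added example (not from the original post) of a tiny Rosetta Stone that scores how much two vendors’ clusters share instead of equating their names. BADWEATHER and CLUBSANDWICH are the post’s own placeholder names; the vendor labels, GALEFORCE and the TTP tags are constructed sample data.

```python
from itertools import combinations

# Constructed sample data (not from the post): each vendor-qualified cluster
# name maps to the set of behaviours that vendor has observed for it.
CLUSTERS = {
    "OrgA:BADWEATHER":   {"spearphish", "webshell", "cred-dump", "rdp-lateral"},
    "OrgB:CLUBSANDWICH": {"spearphish", "webshell", "cred-dump", "custom-rat"},
    "OrgC:GALEFORCE":    {"custom-rat", "dns-tunnel", "wiper"},
}


def jaccard(a, b):
    """Share of the combined behaviour set that both clusters exhibit."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def rosetta(clusters, threshold=0.3):
    """Pairwise 'similar to' table. An entry records overlap, never identity."""
    table = {}
    for (n1, s1), (n2, s2) in combinations(sorted(clusters.items()), 2):
        score = jaccard(s1, s2)
        if score >= threshold:
            table[(n1, n2)] = round(score, 2)
    return table


def lookup(name, clusters):
    """For one vendor's name, list every other cluster with any overlap,
    keeping the unshared behaviours visible so the gap stays obvious."""
    mine = clusters[name]
    hits = []
    for other, theirs in clusters.items():
        if other == name or not (mine & theirs):
            continue
        hits.append({
            "name": other,
            "score": round(jaccard(mine, theirs), 2),
            "shared": sorted(mine & theirs),
            "unshared_here": sorted(mine - theirs),    # seen only by `name`
            "unshared_there": sorted(theirs - mine),   # seen only by `other`
        })
    return sorted(hits, key=lambda h: h["score"], reverse=True)


if __name__ == "__main__":
    print(rosetta(CLUSTERS))
    for hit in lookup("OrgB:CLUBSANDWICH", CLUSTERS):
        print(hit)
    # A overlaps B and B overlaps C, yet A and C share nothing: chaining names
    # across vendors is not transitive, which is why a 1:1 mapping misleads.
    print(jaccard(CLUSTERS["OrgA:BADWEATHER"], CLUSTERS["OrgC:GALEFORCE"]))
```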
Further readings and discussions
Too strict a naming convention and analysis model may not be the best option in general because they are, indeed, strict descriptors for the dynamic nature of the threat. For example, while the Diamond Model may be helpful for the initial clustering of a group’s characteristics, I find it not to be a good fit to track the evolution of threat groups in the long term.
I plan to write more about current models and also on the pros and cons of naming conventions that are tied to an attribution. But in the meantime, if the topic is of interest to you I would strongly suggest the following readings by some smart folks in our industry:
“Draw Me Like One of Your French APTs - Expanding Our Descriptive Palette for Cyber Threat Actors” by JAGS
- https://www.youtube.com/watch?v=t5xd5drCPT0
- https://www.epicturla.com/previous-works/vb2018
- https://twitter.com/juanandres_gs/status/1648447291647479809
“The Newcomer’s Guide to Cyber Threat Actor Naming” by Florian Roth
“Conceptualizing a Continuum of Cyber Threat Attribution” by Joe Slowik
I would be happy to hear your view as well; you can find me on Twitter or Mastodon.
References
- https://twitter.com/JohnLaTwC/status/1648371963751174144
- https://twitter.com/MsftSecIntel/status/1648342286160257027
- Microsoft threat group names mapping
- Rosetta Stone by Florian Roth and other contributors; “APT Groups and Operations”; https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/edit#gid=1864660085