Building a translation guide, not a standard

The collaboration is analyst-driven, focusing on harmonizing known adversary profiles through direct cooperation between the companies’ threat research teams. Already, the effort has led to alignment on more than 80 threat actors, confirming connections that had previously been uncertain.

The companies describe their effort as creating a “Rosetta Stone” for cyber threat intelligence: a reference guide that translates threat actor names across naming systems without forcing anyone to adopt a single industry standard.

Microsoft’s weather-themed taxonomy categorizes actors into five groups: nation-state actors, financially motivated actors, private sector offensive actors, influence operations, and groups in development. Each weather family indicates either country attribution (Typhoon for China, Blizzard for Russia) or motivation (Tempest for financially motivated actors).

The collaboration validates specific connections, such as confirming that CrowdStrike’s Vanguard Panda and Microsoft’s Volt Typhoon both represent the same China-nexus threat group. Similarly, Secret Blizzard and Venomous Bear have been identified as aliases for a known Russian state-affiliated actor.

“This effort is not about creating a single naming standard,” Vasu Jakkal, corporate vice president at Microsoft Security, said in the statement. “Rather, it’s meant to help our customers and the broader security community align intelligence more easily, respond faster, and stay ahead of threat actors.”

“While advisory names could have effectively been used for correlations, the lack of standard naming was a big challenge,” said Sunil Varkey, advisor at Beagle Security. “Correlations were mainly happening through TTP-based correlation, IoC, or other methods, which gave only fragmented views, leading to delayed responses, analyst fatigue, and inconsistencies.”
Challenges ahead

Despite the promise, experts identify several potential hurdles that could complicate implementation. Singh notes that different security companies might have varying levels of certainty about who is behind an attack, making it complicated to agree on a single name when confidence levels differ.

“Cyber attacker groups don’t stay static. They might split up or join forces with others, making it hard to keep naming consistent over time,” Singh explained. He warns that attackers targeting specific regions could be overlooked: “Attackers specifically targeting India, such as ‘SideWinder’ or ‘Transparent Tribe,’ might not be as well-known globally and could be overlooked in a global naming system.”

Singh emphasized the broader implications for developing regions: “When new attacks or attacker groups appear, updating the shared naming system might take time, meaning the information could be slightly behind the real-time threat landscape.”

Avijit pointed out that every time a vendor introduces a fresh label (Microsoft renaming “Strontium” to “Forest Blizzard”, or CrowdStrike coining “Kryptonite Panda”), the mapping registry needs updating. “Failing to promptly incorporate these changes risks reintroducing the confusion the initiative seeks to solve,” he said.

A good analogy is the cyclone naming system, which evolved through decades of international coordination to solve confusion during weather emergencies, much like what the cybersecurity world is now attempting, Varkey said.
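As an added illustration (not code from Microsoft, CrowdStrike or the article), the following Python sketch shows what a “Rosetta Stone” registry of this kind has to handle: it links vendor labels into clusters, keeps a retired label such as Strontium resolvable after its rename to Forest Blizzard (the staleness problem Avijit raises), and reads the attribution a Microsoft weather family implies. Only the equivalences the article states are loaded; the class, function names and the deprecated-label flag are my own constructions.

```python
# Microsoft weather-family meanings stated in the article; nothing else is assumed.
FAMILY_MEANING = {"Typhoon": "China", "Blizzard": "Russia",
                  "Tempest": "financially motivated"}


class AliasRegistry:
    """Union-find over (vendor, name) pairs so aliases survive vendor renames."""

    def __init__(self):
        self._parent = {}
        self._deprecated = set()  # labels a vendor has retired via rename()

    def _find(self, key):
        self._parent.setdefault(key, key)
        while self._parent[key] != key:
            self._parent[key] = self._parent[self._parent[key]]  # path halving
            key = self._parent[key]
        return key

    def link(self, vendor_a, name_a, vendor_b, name_b):
        """Record that two vendor labels refer to the same cluster."""
        ra, rb = self._find((vendor_a, name_a)), self._find((vendor_b, name_b))
        if ra != rb:
            self._parent[ra] = rb

    def rename(self, vendor, old, new):
        """Vendor retires `old` for `new`: keep `old` resolvable but flag it."""
        self.link(vendor, old, vendor, new)
        self._deprecated.add((vendor, old))

    def resolve(self, name, include_deprecated=False):
        """Every (vendor, label) in the cluster(s) of any label spelled `name`."""
        roots = {self._find(k) for k in list(self._parent) if k[1] == name}
        return sorted(k for k in list(self._parent) if self._find(k) in roots
                      and (include_deprecated or k not in self._deprecated))


def microsoft_family(name):
    """Attribution or motive implied by a Microsoft weather-family suffix."""
    return FAMILY_MEANING.get(name.split()[-1], "unknown family")


def build_registry_from_article():
    """Only the equivalences the article states; Kryptonite Panda is left unmapped."""
    reg = AliasRegistry()
    reg.link("CrowdStrike", "Vanguard Panda", "Microsoft", "Volt Typhoon")
    reg.link("CrowdStrike", "Venomous Bear", "Microsoft", "Secret Blizzard")
    reg.rename("Microsoft", "Strontium", "Forest Blizzard")
    return reg
```

A label the registry has never seen (Kryptonite Panda here) resolves to an empty list rather than a guessed cluster, which is the honest answer until an analyst records the mapping.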
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4000860/one-hacker-many-names-industry-collaboration-aims-to-fix-cyber-threat-label-chaos.html