Naming Adversaries and Why It Matters to Your Security Team

This blog was originally published by CrowdStrike here.

Written by Bart Lenaerts-Bergmans, CrowdStrike.

What is it with these funny adversary names such as FANCY BEAR, WIZARD SPIDER and DEADEYE JACKAL? You read about them in the media and see them referenced by MITRE in the ATT&CK framework.

Why are they so important to cyber defenders? How is an adversary born?

You may think you have a problem with ransomware, bots or distributed denial of service (DDoS) attacks, but you would be wrong. Because humans are behind every cyberattack, what you really have is an adversary problem. Understanding the adversaries most likely to target your business is critical because it helps you focus your resources and better prepare your defenses to defeat them.

Let’s dive into the world of adversaries and understand why attribution and an adversary-focused approach to cybersecurity is crucial to defending against modern cyberattacks.

Attribution 101: What’s in a name?

Every adversary is motivated by a specific objective whether it is financial, espionage or political gain. CrowdStrike uses a two-part cryptonym so adversaries can be easily identified based on these three critical motivating factors:

• SPIDERs are cybercriminals motivated by monetary gain
• Nation-states perform espionage and are identified by their country of origins’ national animal such as BEAR (Russia) or PANDA (China)
• Hacktivists, looking to create political disruption, are JACKALS

The honor of providing the name used for the first part of the cryptonym goes to the CrowdStrike threat intelligence analyst or team who attributed the activity to a specific threat actor or group. While this part of the name may be arbitrary, CrowdStrike analysts are typically influenced by prominent tools and techniques they have observed being used by the actor.

Identifying Activity Clusters

As you have probably guessed, observing related activity or “activity clusters” is a crucial aspect of threat research that helps determine attribution.

The first step in identifying an activity cluster is to collect the right data in order to expose illicit actions. Collect raw intelligence from several sources including incident response engagements, millions of malware samples processed per day, the deep and dark webs, underground communities, social media, open source and much more.

The second step is analyzing this data using machine-based analytics as well as human intelligence analysts.

Activity clusters are typically based on one or more related technical attack techniques, tools or infrastructure that are leveraged by the adversary. For nation-state sponsored adversaries, intelligence analysts can overlay an understanding of the geopolitical-nexus of all observed activities to raise the confidence level from a cluster to a named state-sponsored adversary. The process is slightly different for cybercrime, where intel analysts focus on adversarial tooling, tradecraft and infrastructure, with careful emphasis on actor threat operations such as usage of “as-a-service” frameworks, shared infrastructure or inclusion of public commodity tooling during the attack steps.

Maintaining Rigorous Naming Standards

Make sure to define rigid analytic integrity standards that are routinely reinforced among the analytic cadre. All intelligence analysts should be trained to ensure proper use of estimative language, bias awareness and elimination, and on using analytic tools such as “alternative competing hypotheses.”

Throughout the attribution process, integrity is maintained through an extended judicious review among the different teams holding threat expertise. Only after a series of rigid analytic steps will an actor be given a name and added to the list of named adversaries.

How Defenders Benefit from an Adversary-Focused Approach

Adversary attribution enables defenders to understand the “who, how and why” behind the cyberattacks targeting their business. By understanding their adversaries’ motivation, tools and tactics, defenders can apply proactive and preventative actions.

For instance, targeted attacks may be driven by espionage, which indicates the threat will most likely be persistent and comprise multiple sophisticated attacks that can be expected to attempt to gain access to your sensitive company data. Knowing this about the espionage-motivated adversary provides guidance on where to place defensive “shields-up” measures and how you can best prepare. This could include proactively patching vulnerabilities or blocking file hashes or IP addresses at the perimeter, defensive tactics based upon attack vendors the adversary is known to have used in the past. Attribution enables security teams to understand their true risk posture by defining who could come after them and how, and preemptively adjust their security strategy.

Adversary attribution also enables security teams to reduce noise by filtering an overload of security data to focus on specific tactics. A good place to start is to filter security data according to adversaries’ preferred targets, typically by industry and geographic region. Security analysts can focus on this much smaller subset instead of focusing on lower-risk, commodity attacks that are blocked by the security controls they have in place.

In addition, once a known, sophisticated adversary has been spotted inside your organization’s infrastructure, alert levels can be raised, shields-up declared, and the available intel on the adversary can drive the threat hunting process to find and expel the adversary. Without this knowledge, security operations center (SOC) analysts waste time and resources, playing “whack a mole” in chasing every commodity attack or being blind to adversary activity that may be seen as normal activity without the context provided by threat intelligence.

While attribution provides the information that helps security teams prepare, there is additional intrinsic value in taking an adversary-focused approach to security. Attribution enables the entire team — proactive and reactive defenders alike — to orient their actions toward specific actors that target the organization, create their behaviors and tools, and begin to communicate across all teams with a common language including the adversary’s name, attack steps and point of view. This approach helps teams step away from tool- or process-heavy tactics and build strategies to increase the effectiveness of their security efforts.

In addition, security organizations are often split into operational silos, with each silo focusing on specific detection or protective tools. This structure with attention to “tools in use” and “small-team objectives” is not always advantageous. Focusing instead at a higher level — fighting the adversaries that are trying to breach your defenses — changes the dynamics for the entire team and starts with knowing the adversary, which benefits the individual security practitioner as well as the entire organization.