adversary group naming (noun) [Word Notes]

A

You're listening to the CyberWire network.

B

Powered by N2K.

A

The word is adversary Group naming spelled adversary as in a cyber threat actor group as in a unit of people working together and naming as in a label that pins a collection of activity to a simple word or phrase definition A cyber threat Intelligence best practice of assigning arbitrary labels to collections of hacker activity across the intrusion kill chain Example sentence Adversary group names are an inescapable consequence of threat research. Origin and context 1998 was a banner year for adversary group naming, and the US Government gets credit for being first to adopt the practice. In February, tensions were high between the United States and Iraq when President Saddam Hussein expelled UN weapons inspectors out of his country, and international pundits believed that President Clinton would bomb Iraq in retaliation. At the same moment, Defense Department security systems discovered a hack at Andrews Air Force Base and over the next two weeks detected similar attacks across the country directed at military, commercial, and academic networks. The prevailing assumption was that Iraq was behind it. Richard Clark, the national coordinator for security infrastructure protection and counterterrorism at the time, said, for days, critical days, as we were trying to get forces to the Gulf, we didn't know who was doing it. We assumed, therefore, it was Iraq. It turns out that it wasn't Iraq at all, but a couple of teenagers from Cloverdale, California, who the FBI promptly scooped up and arrested. But before that, the US Government classified all of the activity around the hacks to with a cool codename, Solar Sunrise, because the hackers exploited a vulnerability in the Sun Solaris operating system. One month later, the US Government discovered a separate hacker attack not associated with Solar Sunrise, targeting the Pentagon, NASA, and the Department of Energy, and classified it with a codename Moonlight Maze. Many researchers attributed the attack to Russia, but the evidence was and is mostly circumstantial. But the die had been cast. From then on, cyber threat intelligence analysts would attach some arbitrary name to most hacker activity. The practice evolved significantly 10 years later, with three major developments. Lockheed Martin published their white paper Intelligence Driven Computer Network Defense, Informed by Analysis of Adversary Campaigns and Intrusion kill chains. In 2010, Mandian published their white paper, APT1, exposing one of China's cyber espionage units in 2013. Finally, MITRE released their first version of the attack framework, also in 2013. With these three milestones, adversary group naming evolved away from cool codenames to labels associated with hacker attack sequences across the intrusion kill chain. In other words, intelligence analysts would observe an attack pattern in the wild, a hacker's sequence of steps. See it repeated on multiple victims and give it a unique name as sort of a shorthand to discuss the issue. Instead of saying to a colleague, remember the attack with the Bumblebee malware and the Star Trek exploit kit that connected to the Tajikistan command and control server? You would just say, remember the Wicked Panda attack sequence? It's a lot easier. About the same time, security vendors started publishing intelligence reports on hacker activity as thought leadership marketing opportunities, and they all had their own naming schemes. Mandiant is famous for the apt number moniker, as in apt1, apt3, apt5, etc. CrowdStrike associates animals with hacker activity, bears for Russia, kittens for Iran, buffaloes for Vietnam, spiders for crime, and jackals for hacktivism. Microsoft uses elements from the periodic table. Needless to say, this just led to massive confusion. Unless you were paying very close attention, the average security professional wouldn't know that The Lazarus group, Apt 37, Hidden Cobra, and about 19 other colorful names all refer to the same adversary group activity. Adding more confusion to the mix is a typical pattern for many security vendor threat intelligence teams. When the vendor established a name for an adversary group that they had witnessed repeating their attack sequence on multiple victims, which they have high confidence in. Since their products collect that intelligence from their customer networks, some then take the next step of associating that activity with a nation state like China, Russia or Iran, which at best is mostly circumstantial and induced from what other vendors have attributed with their circumstantial evidence. I'm just saying take nation state attribution from security vendors with a grain of salt and for most practitioners it's not necessary anyway. All you need is the attack sequence from a known adversary group. With that information you can develop prevention and detection controls for that sequence at every phase of the intrusion kill chain. It doesn't matter that Deep Panda is from China or that charming kitten is from Iran. Just block them and let the governments of the world with their vast capabilities of intelligence collection, worry about nation state attribution. One last thing, if you're in the business of naming adversary groups, take these two pieces of advice. Don't name the group after the tools they use in their attack. It just causes confusion. In other words, don't name the adversary group the Bumblebee group because they use the Bumblebee malware in the attack sequence. You will just muddy the waters for anybody reading your report later and choose easy to read and easy to spell names. For example, instead of the Winnti umbrella group, use instead Wicked Panda. It just makes everything more understandable. Nerd reference Thomas Ridd, author of Rise of the Machine, a book about many things but also documents the Moonlight Maze story, spoke at the Kaspersky Cyber Conference in Russia in 2017 about the attribution evidence that pins the Russian government to Moonlight Maze. A brazen move considering the audience.

B

It's a true honor to be speaking in front of this audience, especially given the subject of my talk. I will be speaking about a vintage apt, the first big apt that we've seen called Moonlight Maze. I worked on this for more than two years. Multiple Freedom of Information requests in the United States and the United Kingdom. I think we're looking at this point at around 50 interviews and conversations, countless dinners and drinking sessions to build trust. You know how it is. On 7 October 1996, at a small lab in Colorado outside Golden Jefferson county, at a school at the Colorado School of Mines, a system administrator discovered some funny activity one night and filed a report with the Navy. Because that school had a Navy contract at the time and what he found is a root kit that got into a Sun OS 4 system, he was unable to connect the dots. And the Navy at the time also was unable to connect any dots. So only in hindsight we know of this case, but we know that the intrusions that the Navy experienced throughout 1997 coming openly from IP addresses in Moscow, the ISP involved was cityline.ru.

A

Wordnotes is written by Naila Genoe, executive produced by Peter Kilpe and edited by John Pettrick and me, Rick Howard. The mix, sound design and original music have all been crafted by the ridiculously talented Elliot Peltzman. Thanks for listening.