Word Notes 3.8.22
Ep 90 | 3.8.22

adversary group naming (noun)


Rick Howard: The word is: adversary group naming. 

Rick Howard: Spelled: adversary as in a cyber threat actor, group as in a unit of people working together, and naming as in a label that pins a collection of activity to a simple word or phrase. 

Rick Howard: Definition: A cyber threat intelligence best practice of assigning arbitrary labels to collections of hacker activity across the intrusion kill chain. 

Rick Howard: Example sentence: Adversary group names are an inescapable consequence of threat research. 

Rick Howard: Origin and context: 1998 was a banner year for adversary group naming, and the U.S. government gets credit for being first to adopt the practice. In February, tensions were high between the United States and Iraq when President Saddam Hussein expelled UN weapons inspectors from his country, and international pundits believed that President Clinton would bomb Iraq in retaliation. 

Rick Howard: At the same moment, Defense Department security systems discovered a hack at Andrews Air Force Base, and over the next two weeks detected similar attacks across the country directed at military, commercial, and academic networks. The prevailing assumption was that Iraq was behind it. 

Rick Howard: Richard Clarke, the national coordinator for security, infrastructure protection, and counterterrorism at the time, said, "For days, critical days, as we were trying to get forces to the Gulf, we didn't know who was doing it. We assumed, therefore, it was Iraq."  

Rick Howard: It turns out that it wasn't Iraq at all, but a couple of teenagers from Cloverdale, California, whom the FBI promptly scooped up and arrested. But before that, the U.S. government classified all of the activity around the hacks with a cool code name, Solar Sunrise, because the hackers exploited a vulnerability in the Sun Solaris operating system. 

Rick Howard: One month later, the U.S. government discovered a separate hacker attack, not associated with Solar Sunrise, targeting the Pentagon, NASA, and the Department of Energy, and classified it with a code name, Moonlight Maze. Many researchers attributed the attack to Russia, but the evidence was, and is, mostly circumstantial. But the die had been cast. From then on, cyber threat intelligence analysts would attach some arbitrary name to most hacker activity. That practice evolved significantly 10 years later, with three major developments.  

Rick Howard: Lockheed Martin published their white paper "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" in 2010.  

Rick Howard: Mandiant published their white paper “APT1: Exposing One of China’s Cyber Espionage Units" in 2013. 

Rick Howard: Finally, MITRE released the first version of the ATT&CK framework, also in 2013.  

Rick Howard: With these three milestones, adversary group naming evolved away from cool code names to labels associated with hacker attack sequences across the intrusion kill chain. In other words, intelligence analysts would observe an attack pattern in the wild, the hacker's sequence of steps, see it repeated on multiple victims, and give it a unique name as a sort of shorthand to discuss the issues. 

Rick Howard: Instead of saying to a colleague, "Remember the attack with the bumblebee malware and the Star Trek exploit kit that connected to the Tajikistan command and control server?" you would just say, "Remember the Wicked Panda attack sequence?" It's a lot easier.  

Rick Howard: About the same time, security vendors started publishing intelligence reports on hacker activity as thought leadership and marketing opportunities, and they all had their own naming schemes.  

Rick Howard: Mandiant is famous for the "APT Number" moniker, as in APT1, APT3, APT5, etc. CrowdStrike associates animals with hacker activity: Bears for Russia, Kittens for Iran, Buffaloes for Vietnam, Spiders for crime, and Jackals for hacktivism. Microsoft uses elements from the periodic table. Needless to say, this just led to massive confusion. Unless you were paying very close attention, the average security professional wouldn't know that the Lazarus Group, APT37, Hidden Cobra, and about 19 other colorful names all referred to the same adversary group activity.

Rick Howard: Adding more confusion to the mix is a typical pattern for many security vendor threat intelligence teams. When a vendor has established a name for an adversary group that it has witnessed repeating its attack sequence on multiple victims (which it has high confidence in, since its products collected intelligence from its customer networks), some then take the next step of associating that activity with a nation state like China, Russia, or Iran (which at best is mostly circumstantial and induced from what other vendors have attributed with their own circumstantial evidence). I'm just saying, take nation state attribution from security vendors with a grain of salt.  

Rick Howard: And, for most practitioners, it's not necessary anyway. All you need is the attack sequence from a known adversary group. With that information you can develop prevention and detection controls for that sequence at every phase of the intrusion kill chain. It doesn't matter that Deep Panda is from China, or that Charming Kitten is from Iran. Just block them, and let the governments of the world, with their vast capabilities of intelligence collection, worry about nation state attribution.  

Rick Howard: One last thing: if you're in the business of naming adversary groups, take these two pieces of advice. Don't name the group after the tools they use in their attack. It just causes confusion. In other words, don't name the adversary group the Bumblebee group because they use the Bumblebee malware in the attack sequence. You will just muddy the waters for anybody reading your report later. And choose easy-to-read and easy-to-spell names. For example, instead of the Winnti Umbrella group, use Wicked Panda. It just makes everything more understandable.  

Rick Howard: Nerd reference: Thomas Rid, author of "Rise of the Machines," a book about many things that also documents the Moonlight Maze story, spoke at the Kaspersky Cyber Conference in Russia in 2017 about the attribution evidence that pins the Russian government to Moonlight Maze, a brazen move considering the audience. 

Thomas Rid: It's a true honor to be speaking in front of this audience, especially given the subject of my talk. I will be speaking about a vintage APT, the first big APT that we've seen, called Moonlight Maze. I worked on this for more than two years: multiple freedom of information requests in the United States and the United Kingdom. I think we're looking at this point at around 50 interviews and conversations, countless dinners and drinking sessions to build trust, you know how it is. 

Thomas Rid: On the 7th of October, 1996, at a small lab in Colorado, outside Golden, Jefferson County, at a school, the Colorado School of Mines, a system administrator just discovered some funny activity one night and filed a report with the Navy, because that school had a Navy contract at the time. And what he found is the rootkit that got into a SunOS 4 system.  

Thomas Rid: He was unable to connect the dots, and the Navy at the time also was unable to connect any dots. So it's only in hindsight we know of this case.  

Thomas Rid: We know that the intrusions that the Navy experienced throughout 1997 came openly from IP addresses in Moscow. The ISP involved was cityline.ru. 

Rick Howard: Word Notes is written by Nyla Gennaoui, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.