In the rapidly evolving realm of cybersecurity, the ability to swiftly and accurately identify threat actors is paramount. However, the proliferation of disparate naming conventions across the industry has often led to confusion and delayed responses. Recognizing this challenge, Microsoft and CrowdStrike have announced a strategic collaboration aimed at harmonizing threat actor nomenclature, thereby enhancing clarity and coordination among security professionals.

The Challenge of Divergent Naming Conventions

Traditionally, cybersecurity firms have developed their own systems for naming threat actors, leading to a landscape where a single adversary might be known by multiple aliases. For instance, the Russian state-sponsored group responsible for various cyberattacks has been referred to as "Cozy Bear," "APT29," "Midnight Blizzard," and "UNC2452" by different organizations. This fragmentation complicates threat intelligence sharing and can impede timely defensive actions.
The National Institute of Standards and Technology (NIST) has highlighted the importance of standardized threat information sharing. In its guidance, NIST emphasizes that aligning descriptions and categorizations of cyber threats can significantly improve understanding, coordination, and overall security posture.

Microsoft's Weather-Themed Taxonomy

In April 2023, Microsoft introduced a weather-themed taxonomy to categorize threat actors. This system assigns specific weather events to denote the origin or motivation of threat groups. For example:
  • Blizzard: Russia
  • Typhoon: China
  • Sandstorm: Iran
  • Sleet: North Korea
  • Tempest: Financially motivated actors
Within each category, adjectives are used to distinguish between different groups. For instance, "Midnight Blizzard" refers to a specific Russian threat actor. This approach aims to provide a more organized and memorable framework for identifying adversaries.

CrowdStrike's Cryptonym-Based System

CrowdStrike employs a two-part cryptonym system that conveys both the adversary's origin and their specific characteristics. The second part of the name indicates the actor's country of origin or motivation:
  • Bear: Russia
  • Panda: China
  • Spider: Cybercriminals motivated by monetary gain
  • Jackal: Hacktivists
The first part of the cryptonym often reflects prominent tools, techniques, or other distinguishing features of the actor. For example, "Fancy Bear" is a well-known Russian state-sponsored group.

The Collaborative Initiative

The collaboration between Microsoft and CrowdStrike seeks to map their respective threat actor taxonomies, creating a reference guide that aligns common actors across both systems. This guide includes:
  • A list of common actors tracked by both companies, mapped to their respective taxonomies
  • Corresponding aliases from each group's taxonomy
By providing this cross-referenced information, the initiative aims to:
  • Improve Confidence: Enhance the accuracy of threat actor identification
  • Streamline Correlation: Facilitate the correlation of threat intelligence across different platforms and reports
  • Accelerate Response: Enable faster and more effective responses to active cyber threats
This effort is not about creating a single naming standard but rather about helping customers and the broader security community align intelligence more easily, respond faster, and stay ahead of threat actors.
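As an added illustration (not code from Microsoft, CrowdStrike or the announcement), the following Python sketch shows how the two taxonomies described above can be parsed and how a cross-reference guide lets names from different reports be correlated. The suffix tables come from the categories listed on this page; the alias cluster is constructed from the page's single example (Cozy Bear / APT29 / Midnight Blizzard / UNC2452), and the consistency flag is a sanity check I added to catch mappings whose vendor-inferred attributions disagree.

```python
# Suffix -> attribution for each vendor taxonomy, taken from the categories
# listed on this page (Microsoft weather terms, CrowdStrike animal cryptonyms).
MICROSOFT_SUFFIXES = {
    "blizzard": "Russia", "typhoon": "China", "sandstorm": "Iran",
    "sleet": "North Korea", "tempest": "financially motivated",
}
CROWDSTRIKE_SUFFIXES = {
    "bear": "Russia", "panda": "China",
    "spider": "financially motivated", "jackal": "hacktivist",
}

# Constructed cross-reference built from the one mapping the page gives;
# a real reference guide would carry many such rows.
ALIAS_CLUSTERS = [
    {"Midnight Blizzard", "Cozy Bear", "APT29", "UNC2452"},
]

def classify(name):
    """Return (vendor, attribution) inferred from the name's suffix, or None."""
    parts = name.strip().lower().split()
    if len(parts) != 2:
        return None  # APT29 / UNC2452 style ids carry no attribution in the name
    suffix = parts[1]
    if suffix in MICROSOFT_SUFFIXES:
        return ("Microsoft", MICROSOFT_SUFFIXES[suffix])
    if suffix in CROWDSTRIKE_SUFFIXES:
        return ("CrowdStrike", CROWDSTRIKE_SUFFIXES[suffix])
    return None

def aliases_for(name):
    """All known aliases of `name` (including itself), matched case-insensitively."""
    key = name.strip().lower()
    for cluster in ALIAS_CLUSTERS:
        if key in {a.lower() for a in cluster}:
            return sorted(cluster)
    return [name.strip()]

def correlate(report_names):
    """Group names seen across several reports into alias clusters and flag
    any cluster whose suffix-derived attributions disagree."""
    groups = {}
    for n in report_names:
        groups.setdefault(tuple(aliases_for(n)), set()).add(n.strip())
    result = []
    for canon, seen in groups.items():
        attributions = {c[1] for c in (classify(n) for n in seen) if c}
        result.append({"aliases": list(canon), "seen": sorted(seen),
                       "consistent": len(attributions) <= 1})
    return result
```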

Industry-Wide Implications

The initiative has garnered support from other major cybersecurity firms, including Google/Mandiant and Palo Alto Networks' Unit 42, who have expressed interest in contributing to this effort. The collaboration represents a significant step toward unifying threat naming conventions, thereby streamlining the identification and tracking of cyber adversaries.
However, some experts remain skeptical, citing a culture of information hoarding in the cybersecurity sector. They argue that unless there is a fundamental shift toward greater information sharing, such initiatives may have limited impact.

Looking Ahead

As the cyber threat landscape continues to evolve, initiatives like this collaboration between Microsoft and CrowdStrike are crucial for enhancing the effectiveness of threat intelligence sharing. By providing a clearer and more consistent framework for identifying threat actors, security professionals can make more informed decisions and respond more swiftly to emerging threats.
The success of this initiative will depend on the willingness of the broader cybersecurity community to adopt and contribute to the shared taxonomy. As more organizations align their threat actor naming conventions, the collective ability to defend against cyber threats will be significantly strengthened.
In conclusion, the strategic collaboration between Microsoft and CrowdStrike marks a pivotal moment in the quest for greater clarity and coordination in the cybersecurity industry. By bridging the gap between different naming conventions, this initiative has the potential to enhance the speed and effectiveness of threat response efforts, ultimately contributing to a more secure digital environment.

Source: Microsoft, "Announcing a new strategic collaboration to bring clarity to threat actor naming", Microsoft Security Blog