APT and cybercrime gangs: the benefits of name matching by manufacturers

Security software manufacturers are cooperating to clearly identify threat actors despite different names. What does this mean in practice?


(Image: Sergey Nivens/Shutterstock.com)


"Brass Typhoon" is "Wicked Panda", and "Ghost Blizzard" corresponds to "Berserk Bear": these and other unique name assignments of APT and cybercrime groups are the first visible result of a newly launched collaboration between Microsoft and CrowdStrike.

The aim of these efforts is to achieve a complete taxonomy comparison between the two manufacturers that is as up-to-date as possible with regard to new threats. According to Microsoft's announcement, Google's Mandiant team and Palo Alto's Unit 42 also want to participate in the collaboration in the future.

So much for the plan. But what does the comparison actually achieve in practice, and what can security managers actually do with the resulting taxonomy mappings? We take a look at current developments, the interim status of name matching to date and how useful it has been so far.

First of all, it should be noted that the collaboration between Microsoft and CrowdStrike is only aimed at systematic name matching; the different names given to cybercrime actors by the companies will not change in the future.

Nevertheless, the fact that two manufacturers are joining forces to make clear assignments based on collected threat information represents real progress in untangling the cybercrime name chaos. Until now, mappings of manufacturer names have primarily been carried out "from outside", for example by the BSI or as part of the MITRE ATT&CK knowledge database. The mappings have not been officially approved by the companies concerned. Their cooperation and direct exchange now gives hope for more reliable – and, above all, binding – name assignments.

Such binding mappings can help save valuable time in the event of a security incident. An example: a company affected by an APT attack wants to warn business partners who may also be exposed. Those partners may be using different security software – and they benefit from knowing the reliable alternative vendor names for the threat in question.

Another added value of taxonomy matching is that it improves the accessibility of information on the respective APT or cybercrime groups. This is because if cooperating vendor teams recognize differently named groups as identical, the threat data assigned to them is logically also transferable.

This helps with information research. If, for example, the company's internal CrowdStrike protection suddenly warns of "Vanguard Panda", an additional online search for Microsoft's equivalent "Volt Typhoon" can provide further information on suitable defense, clean-up or preventive measures.

Typical Indicators of Compromise (IoCs) that Microsoft attributes to a specific cybercrime group also apply to its CrowdStrike counterpart and can therefore be used directly, for example as input for a system scan with the Thor Lite IoC scanner. The same applies to existing YARA rules and threat intelligence feeds. Security managers thus do not have to constantly reinvent the wheel.


If Vanguard Panda turns up in your environment as described, you naturally want to retrieve the results of the name comparison as quickly as possible.

However, this is not really possible yet. The current interim status of the manufacturers' efforts – a little over 80 mappings of CrowdStrike's group names to Microsoft's – is currently only available on the CrowdStrike website as a zipped Excel table (!). In the event of a threat, you would first have to download and unpack it, then search the document manually and eventually come across Volt Typhoon at the bottom. There is no online search interface or anything similar (at least not yet).

Informative, but cumbersome: CrowdStrike's Excel document with name assignments.

(Image: Screenshot)

Microsoft, on the other hand, has published a version in JSON format on GitHub in addition to an online table with assignments that can only be searched manually. In a blog entry, the company also refers to the possibility of retrieving name information from Sentinel, Microsoft 365 Defender and Azure Data Explorer, among others, using a special query.

A look at the taxonomy mapping: In addition to CrowdStrike aliases, Microsoft lists unsorted designations from other manufacturers for some groups.

(Image: Screenshot / microsoft.com)

Here, too, it is clear that simple, fast search options look different from this. Another confusing aspect of Microsoft's table is that, in addition to CrowdStrike's group aliases, the names used by other manufacturers also appear in it, without any clear assignment of these names to specific companies. It also remains unclear whether this additional information is the result of a direct exchange of content with other security teams or whether it is based solely on Microsoft's own assessment. For example, Microsoft lists the nickname "Laundry Bear" (raccoon?) coined by the Dutch intelligence services, which does not appear in CrowdStrike's data.
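Since neither vendor offers a search interface yet, the small alias index below shows what an internal lookup over such a mapping could look like. It is an added example, not code from Microsoft, CrowdStrike or the article; the record layout and all values are constructed from the names quoted above (Microsoft's real JSON schema is not reproduced), and it deliberately distinguishes vendor-attributed names from the unsorted third-party aliases that make Microsoft's table confusing.

```python
import re
from collections import defaultdict

VENDORS = ("microsoft", "crowdstrike")

# Constructed sample records (not the published schema). "unattributed" holds aliases
# that appear in a table without a named vendor, as the article describes.
MAPPING = [
    {"microsoft": "Brass Typhoon", "crowdstrike": "Wicked Panda", "unattributed": []},
    {"microsoft": "Ghost Blizzard", "crowdstrike": "Berserk Bear", "unattributed": []},
    {"microsoft": "Volt Typhoon", "crowdstrike": "Vanguard Panda", "unattributed": []},
    # Placeholder record: an alias listed without a vendor and with no CrowdStrike
    # counterpart, mirroring the "Laundry Bear" case; the Microsoft name is a placeholder.
    {"microsoft": "PLACEHOLDER Blizzard", "crowdstrike": None,
     "unattributed": ["Laundry Bear"]},
]

def normalize(name: str) -> str:
    """Case- and whitespace-insensitive key so 'volt  typhoon' matches 'Volt Typhoon'."""
    return re.sub(r"\s+", " ", name.strip()).lower()

def build_index(records):
    """Map every alias (attributed or not) to the numbers of the records carrying it."""
    index = defaultdict(list)
    for i, rec in enumerate(records):
        names = [rec[v] for v in VENDORS if rec.get(v)] + rec.get("unattributed", [])
        for n in names:
            index[normalize(n)].append(i)
    return index

def resolve(name, records=MAPPING, index=None):
    """Return matching records plus flags for ambiguity and vendor-less aliases."""
    index = index or build_index(records)
    key = normalize(name)
    hits = [records[i] for i in index.get(key, [])]
    attributed = [key in {normalize(h[v]) for v in VENDORS if h.get(v)} for h in hits]
    return {"matches": hits, "ambiguous": len(hits) > 1,
            "unattributed_only": bool(hits) and not any(attributed)}

def attributed_aliases(name, records=MAPPING):
    """Vendor-attributed names for an unambiguous alias; None per vendor if missing."""
    res = resolve(name, records)
    if res["ambiguous"] or not res["matches"]:
        return None
    return {v: res["matches"][0].get(v) for v in VENDORS}

if __name__ == "__main__":
    print(attributed_aliases("Vanguard Panda"))   # the article's Volt Typhoon case
    print(resolve("Laundry Bear")["unattributed_only"])
```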

Our examples show that the name matching initiated by Microsoft and CrowdStrike is a worthwhile project in many respects. However, the public accessibility and searchability of the information still leave much room for improvement, especially because the taxonomy mappings are to be continuously maintained and expanded in the future.

It is also to be hoped that more companies will take part in the comparisons in the future, so that the informative value and content benefits continue to increase. And that those involved proceed carefully and conscientiously when exchanging information with each other. After all, as good as the idea of collaboration is, incorrect categorization could also have the potential to cause great damage.

A post by CrowdStrike reveals that preparations are underway for further collaborations: the aim is to start with a "small, focused group of contributors", led by Microsoft and CrowdStrike. However, the companies named by Microsoft, Google/Mandiant and Palo Alto, have not yet commented themselves. Until then, the spreadsheet "APT Groups and Operations", maintained by security researcher Florian Roth among others, remains a very comprehensive and popular reference in the security community for mapping group names. (ju)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.