CrowdStrike, Microsoft aim to eliminate confusion in threat group attribution

CrowdStrike and Microsoft announced an agreement Monday to formally connect the different names each company uses for the same threat groups in their attribution analysis. The companies said the effort will clarify inconsistencies across the industry’s naming taxonomies and acknowledge when both companies identify the same threat groups.
The alliance between the longstanding competitors doesn’t call for a universal naming standard or change the frameworks CrowdStrike and Microsoft use to name threat groups. It does, however, remove confusion about overlap in groups that have been assigned multiple names by different companies.
Threat group naming conventions stir up vigorous debates among threat intelligence professionals. Cybersecurity vendors that practice attribution want to put their stamp of ownership on the groups they track, yet this routinely creates confusion and makes it harder for defenders to cross-reference information.
“We understand there’s a challenge. We understand that our isolation in this area has created a bigger challenge for those customers trying to stop these threats,” Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, told CyberScoop.
“We’re going to put all that to the side, and we’re going to spend some of our analytic resources from both companies to try to demystify this and clarify this for the customers so that this is an easier thing for them to understand,” he said.
Open invite for CTI collaboration
The effort to formally recognize known threat group attribution links across vendors kicked off with coordinated announcements from both CrowdStrike and Microsoft, but the companies envision other competitors participating as time passes.
Meyers hopes this alliance will become an independent resource into which CrowdStrike, Microsoft and other companies can feed analysis, producing a consistently updated, authoritative guide to threat groups. While CrowdStrike and Microsoft have also discussed offering this information through an API, he said, for now it will be available in their blog posts and in their products.
“We’re going to work with other big vendors out there that are also involved in attribution in order to pull this together so that we can all work off the same sheet of music,” Meyers said.
Google’s Mandiant and Palo Alto Networks’ Unit 42 told CyberScoop they’re already working with CrowdStrike and Microsoft on the initiative.
“Aligning on naming conventions isn’t just a nice-to-have, but a game-changer for defenders trying to act fast. A shared baseline for threat actor names means faster attribution, improved cyberattack response, and fewer blind spots,” Michael Sikorski, CTO and head of threat intelligence at Unit 42, said in an email.
“Inconsistent naming can create confusion and potentially disrupt coordinated response efforts across the cybersecurity community,” he said. “With shared threat intelligence and increased collaboration, we can disrupt their advantage before they strike.”
In practice, this means CrowdStrike, Mandiant, Microsoft and Unit 42 formally recognize that Midnight Blizzard, Cozy Bear, APT29 and UNC2452 are all the same group. Links like this aren’t a surprise to threat intelligence professionals, but it’s not always clear in publicly available threat reports.
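The kind of cross-referencing defenders do with such a mapping, as an added example (not code from CrowdStrike, Microsoft or the article): vendors only ever publish pairwise equivalences ("our X is their Y"), so the consumer has to compute the transitive closure itself, and because each agreement is negotiated separately, a mapping assembled from several of them can contradict itself. The only real aliases the block carries are the four names the article gives; "ExampleVendor", its group name and the report titles are constructed placeholders for this example.

```python
"""Cross-vendor threat-group alias resolution (added example, not vendor code)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Actor = Tuple[str, str]  # (vendor, vendor-specific name)


class AliasResolver:
    """Union-find over vendor-qualified actor names.

    Positive statements ("same group") are merged transitively; negative
    statements ("not the same group") are kept separately so the merged
    result can be checked for contradictions between agreements.
    """

    def __init__(self) -> None:
        self._parent: Dict[Actor, Actor] = {}
        self._distinct: List[Tuple[Actor, Actor]] = []

    def _find(self, a: Actor) -> Actor:
        self._parent.setdefault(a, a)
        root = a
        while self._parent[root] != root:
            root = self._parent[root]
        while self._parent[a] != root:  # path compression
            nxt = self._parent[a]
            self._parent[a] = root
            a = nxt
        return root

    def add_alias(self, a: Actor, b: Actor) -> None:
        """Record a published statement that a and b are the same group."""
        ra, rb = self._find(a), self._find(b)
        if ra != rb:
            self._parent[rb] = ra

    def add_distinct(self, a: Actor, b: Actor) -> None:
        """Record a published statement that a and b are NOT the same group."""
        self._find(a)
        self._find(b)
        self._distinct.append((a, b))

    def same_group(self, a: Actor, b: Actor) -> bool:
        return self._find(a) == self._find(b)

    def cluster(self, a: Actor) -> Set[Actor]:
        root = self._find(a)
        return {x for x in list(self._parent) if self._find(x) == root}

    def conflicts(self) -> List[Tuple[Actor, Actor]]:
        """Pairs asserted distinct that the alias closure nevertheless merges."""
        return [(a, b) for a, b in self._distinct if self.same_group(a, b)]

    def multi_labelled(self) -> Dict[Actor, Dict[str, List[str]]]:
        """Clusters where one vendor contributes more than one name.

        Not an error by itself: a vendor may have merged two of its own
        designations, or may track the group at finer granularity than
        its peers. Flagged so an analyst can decide which it is.
        """
        per_root: Dict[Actor, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
        for vendor, name in list(self._parent):
            per_root[self._find((vendor, name))][vendor].append(name)
        return {
            root: {v: sorted(ns) for v, ns in by_vendor.items() if len(ns) > 1}
            for root, by_vendor in per_root.items()
            if any(len(ns) > 1 for ns in by_vendor.values())
        }


def build_from_article() -> AliasResolver:
    """The one equivalence the article spells out, as vendor-qualified names."""
    r = AliasResolver()
    r.add_alias(("Microsoft", "Midnight Blizzard"), ("CrowdStrike", "Cozy Bear"))
    r.add_alias(("CrowdStrike", "Cozy Bear"), ("Mandiant", "APT29"))
    r.add_alias(("Mandiant", "APT29"), ("Mandiant", "UNC2452"))
    return r


def correlate(resolver: AliasResolver,
              reports: List[Tuple[str, str, str]]) -> Dict[Tuple[Actor, ...], List[str]]:
    """Group (vendor, actor name, report title) triples by resolved cluster."""
    groups: Dict[Tuple[Actor, ...], List[str]] = defaultdict(list)
    for vendor, name, title in reports:
        key = tuple(sorted(resolver.cluster((vendor, name))))
        groups[key].append(title)
    return dict(groups)


# Constructed sample reports; vendor "ExampleVendor" and all titles are made up.
SAMPLE_REPORTS = [
    ("Microsoft", "Midnight Blizzard", "constructed report A"),
    ("Mandiant", "UNC2452", "constructed report B"),
    ("CrowdStrike", "Cozy Bear", "constructed report C"),
    ("ExampleVendor", "HYPOTHETICAL-GROUP-1", "constructed report D"),  # unmapped
]

if __name__ == "__main__":
    r = build_from_article()
    for names, titles in correlate(r, SAMPLE_REPORTS).items():
        print([f"{v}:{n}" for v, n in names], "->", titles)
    # Hypothetical contradiction between two one-off agreements: one maps
    # ExampleVendor's name onto Cozy Bear, while ExampleVendor itself says
    # that name is not APT29. The closure merges them; conflicts() reports it.
    r.add_alias(("ExampleVendor", "HYPOTHETICAL-GROUP-1"), ("CrowdStrike", "Cozy Bear"))
    r.add_distinct(("ExampleVendor", "HYPOTHETICAL-GROUP-1"), ("Mandiant", "APT29"))
    print("conflicts:", r.conflicts())
```

Names are keyed by (vendor, name) rather than by bare string so that two vendors reusing the same label stay distinct, and `multi_labelled()` surfaces the Mandiant APT29/UNC2452 case as a granularity question for an analyst rather than silently treating it as a mistake.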
In private discussions, threat analysts working across different companies come to pretty good agreements on what they’re seeing and basing attributions on, but those points of overlap often drop by the wayside and are masked or filtered out in published research reports, said Joe Slowik, director of cybersecurity alerting strategy at Dataminr.
Current naming conventions “add friction that doesn’t need to be there,” Slowik said. “In an ecosystem where I think that we already have a lot to do, it adds up one more layer of things, and so it’s reducing efficiency and effectiveness, I think, more than anything else.”
Onset of impacts
CrowdStrike and Microsoft published a list of more than 80 threat groups they’ve aligned with the corresponding names assigned by other security vendors. The reference guide aims to improve confidence in threat group identification, simplify correlation across platforms and reports, and speed up defender action, Vasu Jakkal, corporate vice president at Microsoft Security, said in a blog post.
Delays as short as seconds can prevent organizations from stopping a cyberattack, Jakkal said in the blog post. “One major cause of delayed response is understanding threat actor attribution, which is often slowed by inaccurate or incomplete data as well as inconsistencies in naming across platforms.”
CrowdStrike and Microsoft are creating primary source credibility by jointly mapping threat groups and their various vendor-provided aliases together in a more formalized manner, according to Slowik.
“That’s not useless, but it’s not revolutionary either,” he said.
“This is movement in a direction toward potential solutions. It is not a solution,” Slowik added. “If nothing else, it just highlights more of what the problem actually is, that we have to have these sort of one-off agreements between different companies to say, ‘OK, we’ll work through our lists and figure out where things are equal to each other.’”
Myriad factors narrow scope
The CrowdStrike- and Microsoft-led initiative doesn’t remove silos in threat intelligence; rather, it focuses narrowly on finding common ground where vendors can publicly agree that they see obvious overlap in threat group attribution.
The joint mapping exercise is a step toward taking the onus off practitioners, who have had to do this legwork themselves, Meyers said.
Business interests, marketing opportunities and different data sources will continue to create conflicts and some level of doubt in threat intelligence.
“While it would be nice for industry to all come together mutually and agree on a way to do this, I don’t think it’s ever going to work,” Slowik said. “Organizations will continue to maintain their own naming and classification schema for the foreseeable future. I do not see that going away, irrespective of this effort and collaboration.”
Those obstacles to a threat group naming standard notwithstanding, the most important goal is to ensure defenders understand when threat intelligence firms are talking about the same group with defined boundaries, Meyers said.
Naming conventions are distinct across vendors, in part because threat researchers need systems that allow for flexibility, he said.
“This thing is not perfect. We understand that this is as much art as science when it comes to doing attribution, and so we’re not going to get it right 100% of the time,” Meyers added.
“This allows everybody to not be forced to adopt the other organization’s analytic judgment,” he said. “We can make our own analytic judgments and support them and defend them.”