LAS VEGAS — In any pernicious act, people often reflexively want to know who did it and why. But that’s of little consequence for enterprises confronting cyberattacks.
When defenders place undue emphasis on the threat groups and criminals targeting organizations, they unintentionally undercut strategic priorities that could more effectively drive down risk.
The vast majority of organizations don’t have the time or resources to keep up with the chaos of tracking cybercriminal groups, Andy Piazza, senior director of threat intel at Palo Alto Networks Unit 42, said in an interview at Black Hat.
“You as a defender shouldn’t care about that,” Piazza said. Defenders can better serve their organizations by developing capabilities to detect and respond to malicious tactics, techniques and procedures, Piazza said.
It’s hard to ignore the drama when groups are given names like Scattered Spider, Midnight Blizzard and Fancy Bear, but mythologizing the criminals responsible for cyberattacks can diminish defenders' ability to detect and thwart malicious activity.
Many cybersecurity vendors and threat intelligence teams follow unique naming conventions for threat groups.
IBM Security X-Force and Mandiant use numbers in their naming schemes, but CrowdStrike, Microsoft and Unit 42 create names. Microsoft even has a naming taxonomy that dictates what weather system or color it assigns to threat groups.
The most memorable names are often the ones that stick in industrywide conversations, but there is concern that flashy names can embellish capabilities.
“The villains are hooded strangers operating mysteriously in the shadows. They’re demons from hell, biblical beasts. We give them names that imply power and charisma,” Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said last week in a Black Hat keynote.
“We don’t unfortunately call them scrawny nuisance or weak weasel or feeble ferret or, my personal favorite, doofus dingo. We talk about them almost in hushed tones and awe,” Easterly said. “They are advanced persistent threats. They use sophisticated exploits or the dreaded zero days.”
Threat groups constantly revamp structure
The makeup and links between threat groups are in constant flux. Unit 42 tracked 53 active ransomware groups in the first half of 2024, and six of those groups accounted for more than half of all alleged attacks.
The techniques and ransomware variants groups use to attack businesses are usually repetitive and rarely overhauled.
“While some do invest resources in developing novel exploits, most of the time they are using the same old vulnerabilities, and sometimes they just get lucky,” Easterly said. “These villains do not have superpowers. We should not treat them like they do, but you know, we do glamorize them.”
But it’s not uncommon for security companies to create myths of threat groups and the individuals carrying out cyberattacks. For the past couple of years at major cybersecurity conferences, CrowdStrike has personified threat groups in super-sized statue form.
At last year’s RSA Conference, CrowdStrike exhibited a statue of a threat group it calls Wizard Spider.
At Black Hat last week, through the main doors and sitting in prime real estate at the entrance to the exhibition hall, CrowdStrike gave the same super-sized treatment to Scattered Spider, the group responsible for major attacks against MGM Resorts, Caesars Entertainment and Clorox.
For CrowdStrike, the depictions are symbolic. “They are a symbol of CrowdStrike's mission: to stop breaches by understanding and outmaneuvering the enemy,” a CrowdStrike spokesperson told Cybersecurity Dive via email. “They are not glamorizing the adversary but are designed to personify their mal-intent and elevate cybersecurity conversations to the mainstream.”
“The adversaries remind the cyber community that at the heart of every cyberattack there is a human behind the keyboard,” the spokesperson said.
Instead of going deep into the weeds of who is behind cyberattacks, experts say organizations and defenders should prioritize the most practical ways to reduce risk, including vulnerability and patch management, network perimeter and endpoint security and multifactor authentication.
Incident responders and the law enforcement community “should be worried about the who and the how, and defenders need to be worried about how to implement that how into their defenses,” Piazza said. “Let us worry about all the different groups.”
Disclosure: Black Hat and Cybersecurity Dive are both owned by Informa. Black Hat has no influence over Cybersecurity Dive’s coverage.