APT Rosetta Stone or A Plea To The Industry For Shared Names
Last night one of my CTI sharing groups was discussing a report from FireEye regarding APT29 and domain fronting (https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html) when we all realized we had no clue who APT29 is in our own internal systems.
One member finally shared this mess:
Nobody can agree on names. Even to the untrained eye it's obvious that there's a communication issue present here. The most amazing thing is how simple it would be to fix all of this, but none of these vendors have because #branding #sorrynotsorry #aptlolwut. The excuse "but we'd have to rename everything" is silly, because if you want to present the image of being a quality threat intelligence organization, then you should have a quality intelligence management system where this should be no more difficult than updating a single entry in a database somewhere.
So please, CTI vendors, stop giving things ridiculous names. And CrowdStrike, please stop using your regional prefixes. If you haven't already made an attribution mistake, then one day you surely will, and then you're going to be in trouble.