APT Rosetta Stone or A Plea To The Industry For Shared Names

Last night one of my CTI sharing groups was discussing a report from FireEye regarding APT29 and domain fronting (https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html) when we all realized we had no clue who APT29 is in our own internal systems. 

One member finally shared this mess:

Nobody can agree on names. Even to the untrained eye it's obvious that there's a communication issue present here. The most amazing thing is how simple it would be to fix all of this, but none of these vendors have because #branding #sorrynotsorry #aptlolwut. The excuse "but we'd have to rename everything" is silly, because if you want to present the image of being a quality threat intelligence organization, then you should have a quality intelligence management system where this should be no more difficult than updating a single entry in a database somewhere.

So please, CTI vendors, stop giving things ridiculous names. And CloudStrike, please stop using your regional prefixes? If you haven't already made a attribution mistake, then one day you surely will, and then you're going to be in trouble.


Popular posts from this blog

Yara and Rich Headers are full of win

Operation Cloud Hopper

"WannaCry Is North Korea!" or "Rich Headers Win Again!"