Microsoft and CrowdStrike are significantly teaming up to align their distinct threat actor taxonomies by publishing a new joint mapping guide. This important initiative primarily aims to provide security professionals with the crucial ability to connect diverse insights much faster and act decisively. The ongoing collaboration also seeks to untangle the confusing variety of nicknames that private cybersecurity vendors often assign to various global hacking groups. For instance, Microsoft’s notorious Midnight Blizzard, formerly Nobelium, is also widely known by many other names like APT29 and Cozy Bear. Similarly, the group Forest Blizzard, previously Strontium, is identified by numerous other monikers such as Fancy Bear and the Sednit hacking group.
The core idea behind aligning these diverse naming systems across different vendors is to make tracking overlapping threat actor activity much easier. This concerted cooperative effort will also help avoid unwanted confusion regarding complex threat actor attribution, which can often reduce defender confidence. It is very important to note that this particular collaboration does not aim to create a single, universal naming standard for all actors. Google, its Mandiant subsidiary, and Palo Alto Networks Unit 42 are also expected to contribute their valuable information to this effort soon. Microsoft has already updated its comprehensive threat actor reference guide with a detailed list of common hacking groups mapped across both systems.
CrowdStrike announced this new alignment has already led to successfully deconflicting more than eighty distinct adversary groups through their collaborative work.
This ongoing important alliance specifically aims to better correlate various threat actor aliases without strictly adhering to just one single naming scheme. CrowdStrike has notably called this new shared glossary a “Rosetta Stone” for the field of cybersecurity threat intelligence and its practical application. Adam Meyers from CrowdStrike stated that where telemetry data from different sources complements each other, there is a clear opportunity to extend attribution. This beneficial collaboration will help to build a richer, more accurate view of adversary campaigns, ultimately benefiting the entire global security community.
This naming taxonomy mapping effort currently represents the crucial initial step towards simplifying the complex tracking of overlapping threat actor activity.
As more prominent security firms eventually join this important alliance and begin actively sharing their extensive telemetry data, the initiative will bring greater clarity. It will make it significantly simpler for all network defenders worldwide to accurately translate various complex naming systems much more effectively. This greatly enhanced clarity will allow them to build a far more accurate and comprehensive operational view of sophisticated ongoing malicious campaigns. CrowdStrike and Microsoft are very proud to take this important first step but emphasize it must be a community-led initiative.
Reference:
