Today, the Secureworks® Counter Threat Unit™ (CTU) research team began publishing Threat Group profiles on the Secureworks website. The profiles include a summary of the groups, their objectives, other aliases by which the groups are known, and the malware they use. Both criminal and government-sponsored Threat Groups are included.
Why publish these records, given that they are not full actor profiles and contain no infrastructure indicators? You might be asking yourself whether this is just a marketing exercise. I assure you that it isn’t. Yes, we want to make the names available to those who care about them. But the decision was driven by a desire to help establish a shared language for discussing these groups. We often receive requests for a unified “Rosetta Stone” that relates our Threat Groups to the names other organisations use. Others in the industry have done great work in that area, but we wanted to complement their work and also provide a dynamic feed of our mappings. As aficionados of “master data management” know, documents are problematic: a document exported from a single data source is stale as soon as it is created. To address this, the website will continuously synchronise with our Threat Intelligence Management System so that it always conveys the most current information.
A word about attribution. In Secureworks parlance, Threat Groups are “intrusion sets” or “clusters of observed activity”; they exist in cyberspace, and we see them attempting to cause harm to our customers or see reports of them causing harm to others. In contrast, Threat Actors are real-world people and organisations, with real-world locations. Clearly, Threat Groups map to Threat Actors, but the mapping is not necessarily one-to-one. A sub-contractor might acquire a new contract, different groups might share infrastructure, or a single foreign intelligence service might operate multiple teams that have the same objective but look and feel very different in terms of their targeting, techniques, and infrastructure.
Understanding Threat Groups helps us determine which customers might be at risk from which Threat Actors and identify the applicable playbooks. The information can also help a target or victim understand the ‘who’, which could lead to the ‘how’ and the ‘why’. Those insights can drive security investment, training, and controls. If the worst happens, they can also drive the focus, speed, and scale of the response.
Understanding Threat Actors is also important because it might allow for a better assessment of the ‘why’ beyond what can be inferred from observed activity. However, this analysis can cost significant time and effort. It can also be difficult unless the Threat Actors make gross operational security errors or there is credible, verifiable reporting from government agencies or law enforcement. Clustering activity based on common characteristics (i.e., into Threat Groups) is significantly more tractable. It is still fraught with overlaps and error, but it is definitely achievable; many organisations do it.
In effect, we are publishing “a” Rosetta Stone but not “the” Rosetta Stone. Most cybersecurity organisations have their own view of how activities cluster into different Threat Groups. An organisation’s “aperture”, market focus, intelligence collection, sources, and telemetry can influence how it characterizes activity. Views from different organisations rarely entirely overlap and sometimes fundamentally disagree. That is perfectly fine and understandable, indeed expected. The nature of the aperture does not make the effort to understand threat activity any less valid. The cybersecurity industry is dominated by professionals who are “driven to do the right thing,” and few, if any, knowingly publish incorrect information.
The Secureworks aperture is significant but nuanced. We monitor the networks of over 4,000 customers operating in many market sectors, including numerous non-governmental organisations (NGOs) and financial services, energy, and manufacturing companies. Our incident response teams conducted over 1,000 reactive incident response engagements in 2019. The CTU™ research team centralizes all of this data and fuses it with original research and other data feeds to build and maintain an understanding of the threat landscape. It’s a broad view for sure, but not perfect or without bias.
Members of the security community may disagree with some of our characterizations. One area where our approach differs from others is the clustering of cybercrime threats. One example is the group that Proofpoint and other researchers track as TA505. CTU researchers view TA505 as an umbrella group comprising multiple Threat Groups, each with its own toolset and operations. We recognize the shared genealogy of those groups and are open to the idea that they might all roll up to the same group, but we found it more useful to break them out as discrete Threat Groups based on our observations of their operations.
We expect and welcome differences of opinion and constructive debate. Diversity in this regard is a strength. If you feel we have made errors or omissions, or that we have misunderstood or misrepresented data generated by you or your organisation, please contact us at [email protected]