13 tweets, 2 min read
It’s time for another episode of:

“OMGee why do security companies all use different names for the same malware / adversaries / campaigns?”! (1/n)
Okay so imagine you have three security companies. Let’s call them Taco, Italian Beef, and Hoagie. They track bad guy shiz. They all work with a few different customers. The usual.
So Bad Guy 1 starts a big campaign against companies in your country. They are pretty resourced and have a few gigs running: let’s say ransomware $$$ against small biz, and targeted espionage against a few industry verticals. Their teams share some info and TTPs, but diverge.
There’s also Bad Guy 2 who is attacking some of the same verticals and some others, trying to gain some footholds for nation states that pay them money to do that kinda thing.
Now, remember that Taco, Hoagie, and Italian Beef Fyne Security Corps have different customers and therefore different visibility to what Bad Guys 1 & 2 are doing. Hoagie has kind of a niche DFIR industry vertical. Taco is all over the place but they mostly do network detection.
Each company sees a different snapshot of Bad Guy 1 & 2 behavior, targets, and TTPs. Hoagie only sees Bad Guy 1 stealing crap from their vertical. Taco sees their ransomware campaign all over. Italian Beef sees web shells that look similar from Bad Guy 1 & 2 - they use similar code.
It’s like asking witnesses of a crime to describe the assailant. Some people notice eyes. Another person was only at an angle to see jackets. Someone else is fighting a bias about red haired people and thinks they had red hair. Each one describes a different criminal.
So Taco defines Bad Guy 1 and 2. Hoagie only identifies Bad Guy 1 in one vertical. Italian Beef thinks they’re the same adversary except for the team at Bad Guy 1 that does ransomware. They all have different metadata, even though a lot overlaps.
Team Taco reads Italian Beef’s report and they’re pretty sure they are talking about the same Bad Guy. They’re competitors though, so they don’t have complete trust in their findings or sharing. None of the security companies has actual operatives on the ground to be certain.
So instead of just like, assuming the mayhem I’ve just described is all the same thing for sure, Taco, Italian Beef, and Hoagie all release their own adversary names and descriptions. Over time, they may be more and more sure where the lines and connections are.
Of course, there’s certainly an element of wanting to define an adversary better than their competitors. Italian Beef is really sure they released a great profile. Team Taco reads the report and sees they’re missing some key info and background, and knows they can do it better.
Is capitalism annoying for analysts? Perhaps. Is it worse if they all made assumptions and the adversaries were defined and detected wrong? Likely. Will this always be a problem? Yes, as long as cybersecurity / AV companies see different slices with different eyes and expertise.
I’ve simplified the problem a bit, but suffice to say there are different models in use to define campaigns, malware families, and adversaries. Security companies are each good at different things, and not a one has overarching, omniscient knowledge or visibility. (~FIN~)
Author: Lesley Carhart