Hesperus is Phosphorus: Mapping Threat Actor Naming Taxonomies at Scale
Gonzalo Roa, Manuel Suarez-Roman, Juan Tapiador

TL;DR
This paper introduces HiP, a methodology for normalizing and clustering Threat Actor names across multiple sources, revealing insights into naming inconsistencies, evolution, and challenges in standardization within cyber threat intelligence.
Contribution
The paper presents HiP, a novel scalable approach for mapping and analyzing threat actor naming conventions across diverse CTI sources, addressing a key challenge in cybersecurity research.
Findings
Aliases are concentrated on a small subset of TAs
Threat actor names evolve significantly over time
Mapping errors and methodological pitfalls affect clustering accuracy
Abstract
This paper studies the problem of Threat Actor (TA) naming convention inconsistency across leading Cyber Threat Intelligence (CTI) vendors. The current decentralized and proprietary nomenclature creates confusion and significant obstacles for researchers, including difficulties in integrating and correlating disparate CTI reports and TA profiles. This paper introduces HiP (Hesperus is Phosphorus, a reference to the classic question about the Morning and the Evening Star), a methodology for normalizing, integrating, and clustering TA names presumably corresponding to the same entity. Using HiP, we analyze a large dataset collected from 15 sources and spanning 13,371 CTI reports, 17 vendor taxonomies, 3,287 TA names, and 8 mappings between them. Our analysis of the resulting name graph provides insights on key features of the problem, such as the concentration of aliases on a relatively…
Taxonomy
Topics: Cybercrime and Law Enforcement Studies · Intelligence, Security, War Strategy · Spam and Phishing Detection
