
Knowing When to Quit: A Framework for Managing the Deprecation of Threat Actor Aliases

Knowing When to Quit: A Framework for Managing the Deprecation of Threat Actor Aliases (PDF, 7.31MB)
Last updated: 27 Jan, 2026
Presented by:
Nicholas Vidal

Most of us are familiar with the seemingly endless variety of threat actor naming conventions used by vendors to describe distinct clusters of adversary activity. Serious discussion is merited regarding several aspects of this industrywide practice, including the methods different researchers use to cluster activity, the inferences that should be drawn from observed indicator overlap, and the degree to which greater taxonomical harmonization is possible given data transparency constraints; nevertheless, there is broad consensus across the CTI community that clustering helps analysts more effectively catalog, describe, and correlate observed activity and thus mitigate uncertainty when faced with an incomplete picture of existing threats.

Where this process faces challenges is the dimension of time. For a variety of reasons, naming conventions used to describe historical threat activity may lose relevance as years pass. This often occurs when the availability of new information calls into question earlier judgements, but it may also stem from other factors, such as assessed changes in the composition of the threat clusters themselves (e.g. operator retirement, reassignment, or arrest) or industry evolutions such as companies' deprioritization of their CTI research functions, paywalling of future publications, or liquidation of existing teams.

Referencing case studies of threat activity groups that demonstrate varying degrees of assessed continuity (APT28, APT17), this presentation seeks to highlight the analytic pitfalls of engaging in weakly substantiated attribution and proposes a set of best practices for evaluating the continued relevance of historical threat intelligence research. In doing so, this talk seeks to build on the work of earlier SANS CTI Summit speakers concerning the challenges we as a community continue to face when seeking to attribute adversary activity.

SANS Cyber Threat Intelligence Summit 2026