

This webcast has been archived. Slides for this webcast are not available for download.

Threat Intelligence Naming Conventions: Threat Actors, Activity Groups, and Other Ways of Tracking Threats

  • Tuesday, June 26, 2018 at 3:30 PM EDT (2018-06-26 19:30:00 UTC)
  • Robert M. Lee




Cyber Threat Intelligence (CTI) analysts must have ways of clustering adversary intrusions to find patterns and make meaningful recommendations to defenders. Incident responders and security personnel must be able to interpret those recommendations simply and turn them into action. And yet the ways the community clusters activity and assigns names to it can be extremely confusing and seem inconsistent. Is APT A the same group as FANCY SQUIRREL? If not, why not? And does it matter? What is a Threat Group? How is that different from an Activity Group? Or a Campaign?

This webcast presents concepts to consider when clustering intrusions and making assessments on adversary activity. It will also highlight some unanswered questions in CTI for future exploration and some potentially problematic areas for analysts.

Speaker Bio

Robert M. Lee

Rob is a recognized pioneer in the industrial security incident response and threat intelligence community. He started in security as a U.S. Air Force Cyber Warfare Operations Officer tasked to the National Security Agency, where he built a first-of-its-kind mission identifying and analyzing national threats to industrial infrastructure. He went on to build the industrial community’s first dedicated monitoring and incident response class at the SANS Institute (ICS515) and the industry-recognized cyber threat intelligence course (FOR578).

Forbes named Robert to its 30 Under 30 (2016) list as one of the “brightest entrepreneurs, breakout talents, and change agents” in Enterprise Technology. He is a business leader but also a technical practitioner. Robert helped lead the investigation into the 2015 cyber attack on Ukraine’s power grid. He and his team at Dragos helped identify and analyze the CRASHOVERRIDE malware that attacked Ukraine’s grid in 2016 and the TRISIS malware deployed against an industrial safety system in the Middle East in 2017.
