Which Witch is Which – Navigating the Complicated World of Threat Actor Taxonomy

OVERVIEW

Navigating the vast landscape of threat intelligence can be overwhelming, particularly when an organization is trying to determine who may be targeting them. If an intelligence team suspects the ransomware group Akira is behind suspicious activity, it’s crucial to understand their Tactics, Techniques, and Procedures (TTPs). However, Akira may be referenced under different aliases depending on the vendor, making it difficult to form a full picture of the threat actor. This inconsistency often stems in part from the commercialization of Threat Research Programs (TRPs), which led to fragmented naming and attribution across the industry. Establishing a “perfect” taxonomy for Threat Actors (TAs) is no easy task – technical aliases like “APT63” are precise but forgettable, while names like “WARLOCK DUST” are memorable but provide the TA with super-villain notoriety. Further complicating matters, threat actor groups frequently evolve, merge, rebrand, or reappear, making identification even more challenging. This presentation will unpack how these confusing naming conventions developed and share actionable ways to gather intelligence from multiple sources to better understand and respond to threat actors.

Presented By

JEFFREY BELL

Senior Information Security Analyst and CTI Lead, Norstella