Cybersecurity Threat Naming: A Complicated Landscape
Understanding Labels: A Deep Dive into the Nicknames Assigned to Assailants and Assaults (Continuation from Part 1)
The naming of cybersecurity threats, particularly malware, is a complex process that combines automated detection, analytical insights, and industry conventions. Security vendors, researchers, and organizations often assign a name to a new threat based on its method, payload, detection signatures, attribution, or file naming conventions [1].
In the early days, when new viruses were still rare, the names for malware were somewhat informative, providing at least some indication about the threat. However, as cyber attacks have grown more frequent and sophisticated, threat names have become increasingly unrelated to the actual threat [1].
For instance, the notorious Code Red worm of 2001, which infected millions of computers, was named after the Mountain Dew soft drink due to a quirky anecdote involving its discovery [1]. Similarly, the Conficker virus appears to be named after a German-speaking analyst's frustration during analysis [1].
These uninformative names can cause confusion among users, as was the case with Conficker, which was also known as Downadup, leading to misunderstandings about the presence of multiple malware infections [1].
Nowadays, with hundreds of thousands of new threat samples appearing daily, it is impractical to provide a meaningful name for each one [1]. Many mainstream threat detection products do not even bother to find a relevant name, instead relying on uninformative identifiers such as 'Sample #' [1].
The vagueness is not confined to the names. Modern malware often acts as a conduit to fetch further malware, so the ultimate outcome of an infection is hard to predict, let alone name [1].
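The Conficker/Downadup confusion above is a label-normalisation problem: several vendors describe one family with different names. The following added example (not from the original article) collapses vendor-style detection labels to a canonical family with an illustrative alias table so that one infection is counted once; the labels and the alias table are constructed for the demonstration.

```python
import re
from collections import Counter

# Illustrative alias table (assumption): canonical family -> names vendors use for it.
ALIASES = {
    "conficker": {"conficker", "downadup", "kido"},
}
ALIAS_TO_FAMILY = {alias: fam for fam, names in ALIASES.items() for alias in names}

# Platform/type words that carry no family information and are skipped.
GENERIC = {"win32", "w32", "worm", "net", "trojan", "gen", "generic",
           "virus", "variant", "malware", "sample"}

# Constructed labels in the style of vendor detection names (not real detections).
SAMPLE_LABELS = [
    "Worm:Win32/Conficker.B",
    "W32/Downadup.A",
    "Net-Worm.Win32.Kido.ih",
    "Trojan.Generic.1234567",
]


def canonical_family(label):
    """Heuristic: the first token that is not a platform/type word, a number,
    or a short variant suffix is the family; aliases map to one canonical name.
    Returns None for labels that name no family (the 'Sample #' case)."""
    tokens = [t.lower() for t in re.split(r"[^A-Za-z0-9]+", label) if t]
    for tok in tokens:
        if tok in GENERIC or tok.isdigit() or len(tok) < 3:
            continue
        return ALIAS_TO_FAMILY.get(tok, tok)
    return None


def distinct_families(labels):
    """Count canonical families across labels; aliases collapse into one entry.
    Returns (Counter of family -> label count, number of generic/unnamed labels)."""
    families = Counter()
    generic = 0
    for label in labels:
        fam = canonical_family(label)
        if fam is None:
            generic += 1
        else:
            families[fam] += 1
    return families, generic


if __name__ == "__main__":
    fams, unnamed = distinct_families(SAMPLE_LABELS)
    print(dict(fams), "generic labels:", unnamed)  # {'conficker': 3} generic labels: 1
```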
However, in an attempt to simplify the complex world of cyber threats, the "Big Five" terms have emerged. These terms encapsulate the types of attacks that a particular security hole is likely to lead to [1]. The Big Five are:
- Remote Code Execution (RCE): Refers to an attack that tricks a remote computer into running a program, bypassing any warnings that would alert the user [1].
- Elevation of Privilege (EoP): An attack that starts as a less-privileged user and escalates to a more privileged level, often by bypassing passwords or multi-factor authentication [1].
- Security Bypass: A general term for attacks that sidestep the need for more complex exploits, such as backdoor passwords or obscure URLs [1].
- Information Disclosure: Occurs when applications or operating system components unintentionally reveal sensitive information [1].
- Denial of Service (DoS): An attack that crashes or disrupts a server or service, often causing costly outages [1].
These terms help to identify the type of attack that individual bugs or configuration errors could potentially enable [1]. They also aid in predicting the symptoms of an attack and choosing the most appropriate proactive cybersecurity precautions.
There are, of course, more categories and techniques than the Big Five. The US non-profit MITRE's ATT&CK framework maintains a comprehensive taxonomy for classifying cyber threats, attacks, and attack groups [1]. For those getting started in cybersecurity, this framework can help in understanding the terminology used in technical reports [1].
Despite the vast array of technical terms, building a human-centric cybersecurity culture does not require mastering the jargon [1]. Choosing a human-focused security partner that communicates in plain English can make managing cybersecurity challenges easier [1]. Precise identification of threats is often not possible, and getting the basics right is more crucial for effective protection [1].
References:
[1] MITRE, ATT&CK, https://attack.mitre.org/
[2] Microsoft, Hacking APTs: An Evolution in Focus, https://www.microsoft.com/security/blog/2015/05/26/hacking-apt-evolution-focus/
[3] Fortinet, Threat Intelligence Report, https://www.fortinet.com/content/dam/fortinet/global/Documents/FortiGuard-Labs/KnowledgeBase/Threat-Intelligence-Report-Q3-2020.pdf
In cybersecurity, the terms 'Remote Code Execution (RCE)', 'Elevation of Privilege (EoP)', 'Security Bypass', 'Information Disclosure', and 'Denial of Service (DoS)' are collectively known as the "Big Five". They simplify the description of complex threats: knowing which of the five a bug or configuration error may invite helps predict the attack, identify its symptoms, and choose effective proactive measures [1]. For individuals new to cybersecurity, the technical terminology can still be challenging; engaging a human-focused security partner who communicates in clear, straightforward language makes cybersecurity challenges easier to manage [1]. Amid the abundance of technical terms, a comprehensible approach that prioritizes the fundamentals over intricate language remains essential for effective protection [1].