Threat Actors

What is a threat actor?

Security Researchers give 'code names' to clustered cyber activity they are tracking. If they see multiple events with the same tradecraft (they call that Tools, Techniques and Procedures, or TTPs), they cluster those events together and start thinking of them as a threat cluster, an intrusion set, or a threat actor. This doesn't necessarily mean those threat actors are groups, or even people (although they could be, and often are); it is simply similar cyber activity clustered together for the purpose of analysis and defense.

Security Organizations all have their own 'naming conventions' for Threat Actors. Mandiant uses APT (for advanced persistent threat), FIN (for financial) or UNC (for uncategorized) followed by a number. CrowdStrike uses animals, like 'Fancy Bear' and 'Voodoo Panda', while Microsoft names things after weather types, like 'Volt Typhoon' and 'Mango Sandstorm'.

Clustering activity into Threat Actor Groups is useful because it helps us focus on the Threats that matter. A threat actor will have a certain motivation and capability, which makes it more or less relevant for us, as a potential target organization, to track.

How to create a threat actor

There are a few really easy ways to create (and with that, track) Threat Actors in Liberty91.

Creating Threat Actors in the sidebar

  1. Go to the Workbench in the sidebar

  2. Scroll down to 'Threat Actors'

  3. Type in the name of the Threat Actor you want to create, click on 'create'

  4. Wait a minute or two: Liberty91 is looking for relevant reporting and generating a custom description for your new Threat Actor

  5. Don't forget to tune its criticality

Creating Threat Actors in the Workbench is easy

Creating a Threat Actor in the Threat Actor Overview

  1. Go to 'Threat Actors' under your Threat Library in the sidebar. You may have to scroll down a bit.

  2. The top-left card is green, and shows a plus-sign. Type in the name of your new threat actor and click 'create'.

  3. Wait a minute or two: Liberty91 is looking for relevant reporting and generating a custom description for your new Threat Actor

  4. Don't forget to tune its criticality

Create a new threat actor in the green card in the top-left

Creating a Threat Actor based on a Suggestion

Sometimes, Liberty91 will suggest new Threat Actors, Malware or Vulnerabilities for your Threat Library. These suggestions are based on events in your dashboards. When you see one that you'd like to keep tracking, just click on it and Liberty91 will collect the relevant reporting and generate a relevant and accurate description for you.

  1. Find the 'Suggested Threat Actors' in an Event Card. They are on the side, under the Analysis and the Threat Library Links that already exist.

  2. Click on the Threat Actor you want to create a card for and track

  3. Wait a minute or two: Liberty91 is looking for relevant reporting and generating a custom description for your new Threat Actor

  4. Don't forget to tune its criticality

Clicking on 'Unfading Sea Haze' (for example) would create a new Threat Actor Card in your Threat Library

Aliases

Because every security company uses a different naming convention, they often use different names for the same Threat Actor. For example: 'Sandworm' is the same team as 'APT44'. You don't want to create separate Threat Actor cards for the same group, so this is where 'aliases' come in handy. If you have a group called 'Sandworm', you can easily add 'APT44' as an alias, and Liberty91 will capture all mentions under the same Threat Card in your Library.

Cozy Bear has a lot of aliases
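The alias mechanism described above (several vendor names resolving to one Threat Actor card) and the criticality filter described further down are easy to reason about in code. The following is an added example, not Liberty91's own implementation: a small in-memory library that normalises names such as 'APT 44' and 'apt44' to one key, refuses an alias that already belongs to another card, finds mentions in free text whatever alias a vendor used, and filters report titles by card criticality. The card names, alias 'APT29', criticality scale and report titles are constructed for the example.

```python
import re
from dataclasses import dataclass, field

def _norm(s: str) -> str:
    """Canonical key: lowercase alphanumerics only, so 'APT 44' == 'apt44'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())

def _pattern(name: str) -> re.Pattern:
    # Allow punctuation/whitespace between characters, but require a boundary on
    # both sides so 'Sandworm' is not found inside 'sandworms'.
    body = r"[^A-Za-z0-9]*".join(re.escape(c) for c in _norm(name))
    return re.compile(rf"(?<![A-Za-z0-9]){body}(?![A-Za-z0-9])", re.IGNORECASE)

@dataclass
class ThreatActorCard:
    name: str
    criticality: int = 1                      # hypothetical 1 (low) .. 5 (high) scale
    aliases: set = field(default_factory=set)

class ThreatLibrary:
    def __init__(self):
        self.cards: dict[str, ThreatActorCard] = {}
        self._index: dict[str, str] = {}      # normalised name/alias -> card name

    def add_card(self, name, criticality=1, aliases=()):
        self.cards[name] = ThreatActorCard(name, criticality)
        self._claim(name, name)
        for alias in aliases:
            self.add_alias(name, alias)
        return self.cards[name]

    def add_alias(self, name, alias):
        self._claim(alias, name)              # raises if another card owns it
        self.cards[name].aliases.add(alias)

    def _claim(self, label, owner):
        key = _norm(label)
        if key in self._index and self._index[key] != owner:
            raise ValueError(f"{label!r} already belongs to {self._index[key]!r}")
        self._index[key] = owner

    def resolve(self, mention):
        """Card for a single name or alias, or None if it is unknown."""
        return self.cards.get(self._index.get(_norm(mention)))

    def mentions_in(self, text):
        """Card names mentioned in free text, whichever alias the report used."""
        return {owner for key, owner in self._index.items() if _pattern(key).search(text)}

    def critical_mentions(self, reports, threshold):
        """Reports mentioning at least one card at or above the criticality threshold."""
        return [r for r in reports
                if any(self.cards[n].criticality >= threshold for n in self.mentions_in(r))]

# Constructed sample library and report titles (not real reporting).
LIB = ThreatLibrary()
LIB.add_card("Sandworm", criticality=5, aliases=["APT44"])
LIB.add_card("Cozy Bear", criticality=3, aliases=["APT29"])
REPORTS = ["APT 44 linked to new wiper against energy sector",
           "Sandworm activity observed in Q3",
           "Fancy Bear phishing campaign resurfaces",
           "apt29 spearphishing wave hits think tanks"]
```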

What is on a threat actor card?

A Threat Actor Card for Cozy Bear
  1. The origin of the Threat Actor (this is provided by yourself when you edit the card)

  2. The 'Update Description' button. This is an extremely useful feature. Liberty91 will read all the recent reports and events associated with your Threat Actor and provide an up-to-date, relevant-to-your-organization description of this Threat Actor. In the example above, the description is fairly limited and not tailored to our organization at all. The below screenshot shows a new description, after clicking the Update Description Button:

    Updating the Description provides a much richer, customized and up-to-date description of the threat
  3. The Criticality of the Threat Actor. This lets you set how much you 'care' about this particular threat. Liberty91 uses it at analysis time to make sure the right events are displayed on your Critical Threats Dashboard. Set it high enough and you will also receive Instant Alerts as soon as new events occur.

  4. The Top Threat option lets you mark this Threat Actor as a Top Threat. It will then show up on the Top Threat Dashboard and receive additional analysis.

  5. The Edit Button. This lets you edit the description and Library Links manually. You will hardly ever need this feature.

  6. The Aliases of this Threat Actor. You can add more by typing on the '+ add alias' line, or remove them by clicking on the 'x' next to their name.

  7. Threat Library Links. Here you can see, add and remove links to other entities in your Threat Library.
