# Threat Actors

* [**go to my threat actors**](https://platform.liberty91.com/disco/threatactors)

## What is a threat actor?

Security Researchers give 'code names' to clustered cyber activity they are tracking. If they see multiple events with the same tradecraft (they call that Tools, Techniques and Procedures, or TTPs), they cluster those events together and start thinking of that as a threat cluster, an intrusion set, or a **threat actor**. This doesn't necessarily mean those threat actors are groups, or even people (although they could be, and often are) - it is simply similar cyber activity clustered together for the purpose of analysis and defense.

Security Organizations all have their own 'naming conventions' for Threat Actors. Mandiant uses APT (for advanced persistent threat) or FIN (for financial) or UNC (for Uncategorized) followed by a number. CrowdStrike uses animals, like 'Fancy Bear' and 'Voodoo Panda', while Microsoft calls things after weather types, like 'Volt Typhoon' and 'Mango Sandstorm'.

Clustering activity into Threat Actor Groups is useful because it helps us focus on Threats that matter. A threat actor will have a certain motivation and capability, making it more or less relevant for us to track as a potential target organization.

## How to create a threat actor

There are a few really easy ways to create (and with that, track) Threat Actors in Liberty91.

#### Creating Threat Actors in the sidebar

1. Go to the Workbench in the sidebar ([go there now with this link](https://platform.liberty91.com/disco/workbench))
2. Scroll down to 'Threat Actors'
3. Type in the name of the Threat Actor you want to create, click on 'create'
4. Wait a minute or two: Liberty91 is looking for relevant reporting and generating a custom description for your new Threat Actor
5. Don't forget to tune its [criticality](/what-is-liberty91/key-concepts.md#criticality)

<figure><img src="/files/FJsBDxb2u1zlIcFR0fNn" alt="" width="375"><figcaption><p>Creating Threat Actors in the Workbench is easy</p></figcaption></figure>

#### Creating a Threat Actor in the Threat Actor Overview

1. Go to 'Threat Actors' under your Threat Library in the sidebar. You may have to scroll down a bit.
2. The top-left card is green, and shows a plus-sign. Type in the name of your new threat actor and click 'create'.
3. Wait a minute or two: Liberty91 is looking for relevant reporting and generating a custom description for your new Threat Actor
4. Don't forget to tune its [criticality](/what-is-liberty91/key-concepts.md#criticality)

<figure><img src="/files/gHp6WEXBoM9KrQsRuxPu" alt="" width="563"><figcaption><p>Create a new threat actor in the green card in the top-left</p></figcaption></figure>

#### Creating a Threat Actor based on a Suggestion

Sometimes, Liberty91 will suggest new Threat Actors, Malware or Vulnerabilities for your Threat Library. These are based on events in your dashboards. When you see one that you'd like to keep tracking, just click on it and Liberty91 will collect the relevant reporting and generate a relevant and accurate description for you.

1. Find the 'Suggested Threat Actors' in an Event Card. They are on the side, under the Analysis and the Threat Library Links that already exist.
2. Click on the Threat Actor you want to create a card for and track
3. Wait a minute or two: Liberty91 is looking for relevant reporting and generating a custom description for your new Threat Actor
4. Don't forget to tune its [criticality](/what-is-liberty91/key-concepts.md#criticality)

<figure><img src="/files/iEbsaUDO8qAqWonE2q8h" alt="" width="323"><figcaption><p>Clicking on 'Unfading Sea Haze' (for example) would create a new Threat Actor Card in your Threat Library</p></figcaption></figure>

## Aliases

Because every security company uses a [different naming convention](https://www.infosecurityeurope.com/en-gb/blog/threat-vectors/understanding-threat-actor-naming-conventions.html), they often use different names for the same Threat Actor. For example: 'Sandworm' is the same team as 'APT44'. You don't want to create separate Threat Actor cards for the same group, so this is where 'aliases' come in handy. If you have a group called 'Sandworm', you can easily add 'APT44' as an alias, and Liberty91 will capture all mentions under the same Threat Card in your Library.

<figure><img src="/files/rjo6YvoUg8a9Zeh14fta" alt=""><figcaption><p>Cozy Bear has a lot of aliases</p></figcaption></figure>
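The consolidation that aliases provide can be sketched in a few lines. This is an added example, not Liberty91's code or API: the `AliasIndex` class and the report snippets are constructed for illustration, and only the Sandworm/APT44 pair comes from this page. It counts reports per actor under any of its names and refuses a name that already belongs to another card.

```python
import re
from collections import Counter


def _tokens(name):
    # Letter and digit runs only, so "APT44", "apt-44" and "APT 44" are one name.
    return re.findall(r"[A-Za-z]+|\d+", name)


class AliasIndex:
    """Hypothetical helper: maps every known name of an actor to one card."""

    def __init__(self):
        self._owner = {}     # normalized name -> canonical actor
        self._patterns = []  # (compiled regex, canonical actor)

    def add(self, actor, *aliases):
        for name in (actor, *aliases):
            toks = _tokens(name)
            if not toks:
                raise ValueError(f"unusable name: {name!r}")
            key = "".join(toks).casefold()
            owner = self._owner.setdefault(key, actor)
            if owner != actor:
                # One name on two cards would split an actor's reporting.
                raise ValueError(f"{name!r} already belongs to {owner!r}")
            pat = r"\b" + r"[\s_-]*".join(toks) + r"\b"
            self._patterns.append((re.compile(pat, re.IGNORECASE), actor))

    def resolve(self, name):
        return self._owner.get("".join(_tokens(name)).casefold())

    def count_reports(self, texts):
        """Number of reports that mention each actor under any of its names."""
        counts = Counter()
        for text in texts:
            counts.update({a for pat, a in self._patterns if pat.search(text)})
        return counts


def demo():
    idx = AliasIndex()
    idx.add("Sandworm", "APT44")  # alias pair given on this page
    idx.add("Volt Typhoon")
    reports = [  # constructed sample text, not real reporting
        "Vendor A attributes the wiper activity to Sandworm.",
        "Follow-up report: apt-44 reused the same infrastructure.",
        "Volt Typhoon activity observed; no overlap with APT 44 or Sandworm.",
    ]
    return idx, idx.count_reports(reports)
```
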

## What is on a threat actor card?

<figure><img src="/files/DuQGKhHqdZavDcoRYxBZ" alt=""><figcaption><p>A Threat Actor Card for Cozy Bear</p></figcaption></figure>

1. The **origin** of the Threat Actor (this is provided by yourself when you edit the card)
2. The **'Update Description'** button. This is **an extremely useful feature**. Liberty91 will read all the recent reports and events associated with your Threat Actor and provide an up-to-date, relevant-to-your-organization description of this Threat Actor. In the example above, the description is fairly limited and not tailored to our organization at all. The below screenshot shows a new description, after clicking the Update Description Button:

   <figure><img src="/files/sGheTqUdbIDPaDlkP5B1" alt="" width="375"><figcaption><p>Updating the Description provides a much richer, customized and up-to-date description of the threat</p></figcaption></figure>
3. The [**Criticality**](/what-is-liberty91/key-concepts.md#criticality) of the Threat Actor. This lets you set how much you 'care' about this particular threat. Liberty91 uses it at analysis time to make sure the right events are displayed on your [Critical Threats Dashboard](/dashboards/critical-threats-dashboard.md). Set it high enough, and you will also receive [Instant Alerts](/what-is-liberty91/key-concepts.md#alerts) as soon as new events occur.
4. The **Top Threat** lets you select a Threat as a Top Threat. This will make it show up on the [Top Threat Dashboard](/dashboards/top-threats-dashboard.md) and receive additional analysis.
5. The **Edit** Button. This lets you edit the description and Library Links manually. You will hardly ever need this feature.
6. The [**Aliases**](#aliases) of this Threat Actor. You can add more by typing on the '+ add alias' line, or remove them by clicking on the 'x' next to their name.
7. **Threat Library Links**. Here you can see, add and remove links to other entities in your [Threat Library](/the-threat-library/getting-started-with-the-threat-library.md).


