Threat Actors
Last updated
Security Researchers give 'code names' to clustered cyber activity they are tracking. If they see multiple events with the same tradecraft (they call that Tactics, Techniques and Procedures, or TTPs), they cluster those events together and start thinking of that as a threat cluster, an intrusion set, or a threat actor. This doesn't necessarily mean those threat actors are groups, or even people (although they could be, and often are) - it is simply similar cyber activity clustered together for the purpose of analysis and defense.
Security Organizations all have their own 'naming conventions' for Threat Actors. Mandiant uses APT (for advanced persistent threat) or FIN (for financial) or UNC (for Uncategorized) followed by a number. CrowdStrike uses animals, like 'Fancy Bear' and 'Voodoo Panda', while Microsoft calls things after weather types, like 'Volt Typhoon' and 'Mango Sandstorm'.
Clustering activity into Threat Actor Groups is useful because it helps us focus on Threats that matter. A threat actor will have a certain motivation and capability, making it more or less relevant for us, as a potential target organization, to track.
There are a few really easy ways to create (and with that, track) Threat Actors in Liberty91.
Go to the in the sidebar (go there now with this link)
Scroll down to 'Threat Actors'
Type in the name of the Threat Actor you want to create, click on 'create'
Wait a minute or two: Liberty91 is looking for relevant reporting and generating a custom description for your new Threat Actor
Don't forget to tune its
The top-left card is green, and shows a plus-sign. Type in the name of your new threat actor and click 'create'.
Wait a minute or two: Liberty91 is looking for relevant reporting and generating a custom description for your new Threat Actor
Sometimes, Liberty91 will suggest new Threat Actors, Malware or Vulnerabilities for your Threat Library. These are based on events in your dashboards. When you see one that you'd like to keep tracking, just click on it and Liberty91 will collect the relevant reporting and generate a relevant and accurate description for you.
Find the 'Suggested Threat Actors' in an Event Card. They are on the side, under the Analysis and the Threat Library Links that already exist.
Click on the Threat Actor you want to create a card for and track
Wait a minute or two: Liberty91 is looking for relevant reporting and generating a custom description for your new Threat Actor
Because every security company uses a different naming convention, they often use different names for the same Threat Actor. For example: 'Sandworm' is the same team as 'APT44'. You don't want to create separate Threat Actor cards for the same group, so this is where 'aliases' come in handy. If you have a group called 'Sandworm', you can easily add 'APT44' as an alias, and Liberty91 will capture all mentions under the same Threat Card in your Library.
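As an added illustration (not Liberty91's own code), here is a toy model of how aliases fold mentions under one card: reports that only say 'APT44' are counted under 'Sandworm' once the alias is added, and an alias cannot belong to two cards. The class, method names and report lines are all constructed assumptions.

```python
import re

class ThreatLibrary:
    """Toy model of Threat Actor cards with aliases (illustration, assumed design)."""

    def __init__(self):
        self.cards = {}          # canonical name -> set of lowercased aliases
        self._alias_index = {}   # lowercased alias -> canonical name

    def create_actor(self, name):
        self.cards[name] = {name.lower()}
        self._alias_index[name.lower()] = name

    def add_alias(self, name, alias):
        # An alias may map to only one card; refuse to silently re-point it.
        key = alias.lower()
        if key in self._alias_index and self._alias_index[key] != name:
            raise ValueError(f"{alias!r} already belongs to {self._alias_index[key]!r}")
        self.cards[name].add(key)
        self._alias_index[key] = name

    def resolve(self, mention):
        """Return the canonical card name for a mention, or None if unknown."""
        return self._alias_index.get(mention.lower())

    def count_mentions(self, reports):
        """Return {canonical name: number of reports mentioning any of its aliases}."""
        counts = {name: 0 for name in self.cards}
        for text in reports:
            hit = set()
            for alias, name in self._alias_index.items():
                # Whole-word, case-insensitive match so 'apt44' and 'APT44' both count.
                if re.search(r"\b" + re.escape(alias) + r"\b", text, re.IGNORECASE):
                    hit.add(name)
            for name in hit:
                counts[name] += 1
        return counts

# Constructed sample report snippets (not real reporting).
REPORTS = [
    "APT44 deployed wiper malware against energy sector targets.",
    "Sandworm activity continues; new infrastructure observed.",
    "Researchers link Fancy Bear phishing to a new campaign.",
    "The group tracked as apt44 reused tooling from earlier operations.",
]

def demo():
    lib = ThreatLibrary()
    lib.create_actor("Sandworm")
    lib.create_actor("Fancy Bear")
    before = lib.count_mentions(REPORTS)   # APT44 reports are not attributed yet
    lib.add_alias("Sandworm", "APT44")
    after = lib.count_mentions(REPORTS)    # now all three land on the Sandworm card
    return before, after
```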
The origin of the Threat Actor (this is provided by yourself when you edit the card)
The 'Update Description' button. This is an extremely useful feature. Liberty91 will read all the recent reports and events associated with your Threat Actor and provide an up-to-date, relevant-to-your-organization description of this Threat Actor. In the example above, the description is fairly limited and not tailored to our organization at all. The below screenshot shows a new description, after clicking the Update Description Button:
The Edit Button. This lets you edit the description and Library Links manually. You will hardly ever need this feature.
The Aliases of this Threat Actor. You can add more by typing on the '+ add alias' line, or remove them by clicking on the 'x' next to their name.
Threat Library Links. Here you can see, add and remove links to other entities in your Threat Library.
Go to 'Threat Actors' under your Threat Library in the . You may have to scroll down a bit.
Don't forget to tune its
The of the Threat Actor. This lets you set how much you 'care' about this particular threat. It also helps Liberty91 at analysis time: it will make sure the right events are displayed on your . Set it high enough, and you will receive as well, as soon as new events occur.
The Top Threat lets you select a Threat as a Top Threat. This will make it show up on the and receive additional analysis.