In a significant move to enhance cybersecurity intelligence, Microsoft and CrowdStrike have announced a partnership aimed at standardizing the identification of cyber threat actors. This collaboration seeks to address the longstanding issue of inconsistent naming conventions across the cybersecurity industry, which has often led to confusion and inefficiencies in threat response.
The Challenge of Inconsistent Naming
Traditionally, different cybersecurity firms have assigned their own unique names to the same threat actors. For instance, the group Microsoft tracks as Midnight Blizzard is referred to as Cozy Bear, APT29, or UNC2452 by other vendors. This lack of uniformity forces security professionals to spend additional time cross-referencing and correlating threat intelligence, potentially delaying critical responses to cyber incidents.
Adam Meyers, Head of Counter Adversary Operations at CrowdStrike, highlighted the issue: "Adversaries hide behind both technology and the confusion created by inconsistent naming. As defenders, it's our job to stay ahead and to give security teams clarity on who is targeting them and how to respond."
Introducing a Unified Mapping System
To combat this problem, Microsoft and CrowdStrike have developed a comprehensive mapping system, often referred to as a Rosetta Stone for cyber threat intelligence. This system links adversary identifiers across different vendor ecosystems without imposing a single naming standard. By doing so, it preserves each company’s analytical methodologies while providing essential translation capabilities for defenders.
Vasu Jakkal, Microsoft's Corporate Vice President, emphasized the importance of this initiative: "In the face of an increasingly complex and fast-evolving threat landscape, even seconds of delay can be critical, making it crucial that we rethink how we address security risks."
Early Successes and Industry Collaboration
The partnership has already yielded tangible results. Through direct analyst-led cooperation, Microsoft and CrowdStrike have reconciled over 80 threat actor identifiers. For example, they confirmed that Microsoft’s Volt Typhoon and CrowdStrike’s VANGUARD PANDA refer to the same Chinese state-sponsored group, while Secret Blizzard and VENOMOUS BEAR designate the same Russia-linked adversary.
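The "Rosetta Stone" described above is a translation layer rather than a new master list: each vendor keeps its own name, and analysts record pairwise equivalences that accumulate into clusters. The following is an added illustration of how a defender's team might implement such a lookup locally (it is not Microsoft's or CrowdStrike's code, and the real mapping resource is not published in this form). It uses only the names the article mentions; the vendor attributions for APT29 and UNC2452 are an assumption, and the `AliasRegistry`, `register`, `link`, `resolve` and `vendor_collisions` names are hypothetical. A union-find structure lets partial confirmations (Microsoft to CrowdStrike today, CrowdStrike to a third vendor later) merge without choosing a canonical name, and the collision check surfaces clusters where a single vendor contributes two names, which is the usual symptom of a bad link that an analyst should review.

```python
"""Cross-vendor threat-actor alias resolver (illustrative example, not the
Microsoft/CrowdStrike mapping itself).

Each vendor keeps its own name; only equivalences are recorded, and any
name resolves to the full set of aliases across vendors.
"""
from collections import defaultdict


def normalize(name: str) -> str:
    """Case- and whitespace-insensitive key so 'Cozy Bear' and 'COZY BEAR' match."""
    return " ".join(name.split()).casefold()


class AliasRegistry:
    def __init__(self):
        self._parent = {}   # normalized name -> parent key (union-find forest)
        self._display = {}  # normalized name -> the vendor's own spelling
        self._vendor = {}   # normalized name -> vendor that uses the name

    def register(self, vendor: str, name: str) -> str:
        """Add a vendor-specific name; a name belongs to exactly one vendor."""
        key = normalize(name)
        if key not in self._parent:
            self._parent[key] = key
            self._display[key] = name
            self._vendor[key] = vendor
        elif self._vendor[key] != vendor:
            raise ValueError(f"{name!r} is already registered to {self._vendor[key]}")
        return key

    def _find(self, key: str) -> str:
        # Path halving keeps lookups near-constant as clusters grow.
        while self._parent[key] != key:
            self._parent[key] = self._parent[self._parent[key]]
            key = self._parent[key]
        return key

    def link(self, name_a: str, name_b: str) -> None:
        """Record an analyst confirmation that two registered names are one actor."""
        root_a = self._find(normalize(name_a))
        root_b = self._find(normalize(name_b))
        if root_a != root_b:
            self._parent[root_b] = root_a

    def resolve(self, name: str):
        """Return sorted (vendor, name) pairs for every alias, or None if unknown."""
        key = normalize(name)
        if key not in self._parent:
            return None
        root = self._find(key)
        return sorted((self._vendor[k], self._display[k])
                      for k in list(self._parent) if self._find(k) == root)

    def vendor_collisions(self):
        """Clusters in which one vendor contributes more than one name.

        Usually this means two distinct actors were merged by a bad link, or
        a vendor has its own legacy/renamed identifier; either way an analyst
        should review the cluster rather than trust it blindly.
        """
        by_cluster = defaultdict(lambda: defaultdict(list))
        for k in list(self._parent):
            by_cluster[self._find(k)][self._vendor[k]].append(self._display[k])
        return [(vendor, sorted(names))
                for cluster in by_cluster.values()
                for vendor, names in cluster.items() if len(names) > 1]


def build_sample_registry() -> AliasRegistry:
    """Constructed sample using only names from the article.

    Assumption: Cozy Bear is CrowdStrike's name and APT29/UNC2452 are
    Mandiant's; the article names the aliases but not which vendor uses which.
    """
    reg = AliasRegistry()
    for vendor, name in [
        ("Microsoft", "Midnight Blizzard"), ("CrowdStrike", "COZY BEAR"),
        ("Mandiant", "APT29"), ("Mandiant", "UNC2452"),
        ("Microsoft", "Volt Typhoon"), ("CrowdStrike", "VANGUARD PANDA"),
        ("Microsoft", "Secret Blizzard"), ("CrowdStrike", "VENOMOUS BEAR"),
    ]:
        reg.register(vendor, name)
    # Pairwise analyst-led confirmations, as the article describes.
    reg.link("Midnight Blizzard", "COZY BEAR")
    reg.link("COZY BEAR", "APT29")
    reg.link("APT29", "UNC2452")
    reg.link("Volt Typhoon", "VANGUARD PANDA")
    reg.link("Secret Blizzard", "VENOMOUS BEAR")
    return reg


if __name__ == "__main__":
    registry = build_sample_registry()
    print(registry.resolve("cozy bear"))
    print(registry.resolve("Volt Typhoon"))
    print("review:", registry.vendor_collisions())
```

Because `resolve` never invents a canonical name, each team can keep reading reports in the vocabulary it already uses; the `vendor_collisions` output is the review queue an analyst would work through before trusting a merged cluster.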
This mapping initiative encompasses the industry’s standard five threat actor categories:
1. Nation-State Actors: Groups sponsored by governments to conduct espionage or cyber warfare.
2. Financially Motivated Actors: Cybercriminals seeking monetary gain through activities like ransomware or fraud.
3. Private Sector Offensive Actors: Commercial entities offering offensive cyber capabilities.
4. Influence Operations: Efforts aimed at manipulating public opinion or political outcomes.
5. Groups in Development: Emerging threat actors not yet fully operational.
The initiative has garnered support beyond the initial partnership. Google’s Mandiant and Palo Alto Networks’ Unit 42 have committed to contributing to the effort, with plans to invite additional cybersecurity firms to join the collaborative mapping resource.
A Collaborative Approach to Cybersecurity
This effort underscores the importance of collaboration in the cybersecurity community. By sharing information and standardizing threat actor identification, organizations can respond more swiftly and effectively to cyber threats. As Jakkal noted, "Security is a team sport. When defenders can share and react to information faster, it makes a difference in how we protect the world."
The companies emphasize that this initiative is not about creating a universal naming standard but rather about providing translation capabilities that enable faster, more confident decision-making in threat response. As the cyber threat landscape continues to evolve, with Microsoft now tracking over 1,500 threat actors compared to 300 last year, such collaborative intelligence sharing becomes increasingly critical for global cybersecurity.