Tales from the SOC: False innovation and invented minutiae | S1 Ep009


Paul Ducklin
02/14/2025

LISTEN NOW

Join Paul Ducklin and SolCyber CTO David Emerson as they talk about the human element in cybersecurity in our podcast TALES FROM THE SOC.

In this episode: Why dramatic threat names and cybersecurity FUD serve marketing but not society, and what we can do about it.

Co-hosts Duck and David offer their usual thoughtful mix of humor and sound advice to help you navigate the self-serving wordiness that blights the cybersecurity industry.



LISTEN IN YOUR FAVORITE APP

Find TALES FROM THE SOC on Apple Podcasts, Audible, Spotify, Podbean, or via our RSS feed if you use your own audio app.

Or download this episode as an MP3 file and listen offline in any audio or video player.


READ THE TRANSCRIPT

[FX: PHONE DIALS]

[FX: PHONE RINGS, PICKS UP]

ETHEREAL VOICE.  Hello, caller.

Get ready for “Tales from the SOC.”

[FX: DRAMATIC CHORD]


DUCK.   Hello everybody.

Welcome back to “Tales from the SOC.”

I am Paul Ducklin, joined as usual by David Emerson, CTO and Head of Operations at SolCyber.

David, hello!


DAVID.   Hey there.

Happy… what is this, Tuesday?

Happy Tuesday.


DUCK.   Happy *Patch* Tuesday.


DAVID.   Patch Tuesday?

Oh, boy. [LAUGHS]


DUCK.   Four zero-days from Microsoft patched this month.

Better than six, I suppose.

And better patched than ignored.

David, I’d like to use the SolCyber blog as the vehicle for picking a topic.

Subtitled “A rose by any other name would smell as sweet,” the article series is “What’s in a name? How attacks and attackers get their tags.”


In there, I tried to discuss how things like threats (say, individual malware samples), how scamming types, how bug classes, and even how threat actor groups get their names, and why they often end up with so many different names that are very confusing.

When it comes to threat naming as an industry, how well do you think we do it, and how could we do it differently if we’re not doing it well?


DAVID.   Probably the thing that we could do differently is to admit that we are sub-dividing a frontier in a way that is counterproductive to its ultimate settlement.

I think every novel context in which humans operate, whether it’s for work, or whether it’s for profit, or whether it’s just for life in general, has to be named something.

So the naming of things is important because it allows us to ultimately translate the immediate objects or trends that we see into higher-order thought and analysis.

So it’s natural to have a confusion of names.

I think what is unnatural about the cybersecurity landscape is that so much of it is a “landscape of frontier” which is claimed under intellectual property, under marketing, under various ventures…

And for various purposes that really are not aligned with the constructive, orderly analysis of the trends and themes and objects that are in that landscape.

And so I think the thing we could do better is to admit that.

And maybe begin naming things in a slightly more consistent manner that doesn’t necessarily have an eye toward gerrymandering them for the purposes of intellectual property.


DUCK.   Yes, if it’s not intellectual property, it’s marketing supremacy, isn’t it?


DAVID.   Yes.


DUCK.   A classic example, going back many years now…

The Conficker virus, which was a real serious problem in early 2008.

It was spreading like crazy, and it was a bot, or zombie.

It was ready to download something, and no one knew what it was going to be, on April the First.


Apparently it got its name because that’s just a rude way of referring to it that some frustrated German analysts came up with, but in English it doesn’t sound rude, so the name stuck.

But there were other products that insisted on calling it Downadup.

So, if people were using different products at different parts of their network, did they have one dangerous virus that went by two names?

Or did they have two *different*, fully dangerous threats?

And it seems that that was more of a marketing or a PR decision than anything.

And that’s a bit of a pity, isn’t it?


DAVID.   It is.

Actually, when we were talking at a high level about what we were even going to discuss today, one of the things that came to mind was, “Good reasons to change a name.”

And among the good reasons to change a name…

If anyone has read Finnegans Wake, it’s James Joyce’s largely inscrutable text.

It’s wonderful; it is a wonderful book.

One of the interesting things about it is it did get translated into a few other languages, and I am not sure…

If you ever read the book, you’ll understand why I’m not certain how you would translate this book.

It’s already written in a bit of a mashup of languages.


DUCK.   [LAUGHS]


DAVID.   But one of the translations is famous, because Joyce was involved – he was still alive, and he was also sufficiently familiar with the language, which was Italian.

And in the Italian translation he insisted on changing the names of the rivers.

Throughout Finnegans Wake, you know, the River Liffey is a character, and there are a number of other rivers nobody’s ever heard of.

The Cheb, and the Futt, and the Bann, and the Duck, and whatever else.

So he renamed them.

He renamed them the Po, and the Serchio, and the Piave, and things that an Italian crowd could look up on their own maps.

That’s a good reason to change a name, because it’s relatable to the individual, because it’s relatable to the context in which they’ll consume something.

You know what is a really bad reason?

Because you’re looking for SEO.

Because you want to corner the market in using some term that nobody else has ever heard of and can’t relate to.

So I actually think the naming of Conficker…

I didn’t know that story, but that meant something to someone; it was an inside joke; now it’s a thing.

There’s no profit in that.

It’s just what we call that thing now; it’s fine; it’s harmless.

It is not harmless to then subsequently name it something else, because you don’t like the fact that someone else uttered “Conficker” first.

That’s silly.


DUCK.   Another fascinating example, of course, is Code Red.

I always assumed, when it came out… 2001, it was the first fileless network worm that really went totally global.

And I assumed someone was being dramatic, and it was “red alert.”

Apparently, it’s a very high-caffeine, high-sugar flavor of Mountain Dew, which they drank while they were analysing it. [LAUGHS]


DAVID.   You know, we had this problem with animals too.

This is another book reference, but if you ever have read The Infinity of Lists, it’s an excellent book.

It’s an excellent, poetic, artistic exploration of human listing and ordering.


DUCK.   Is that a Borges book?


DAVID.   No, no.

This one is Umberto Eco.


DUCK.   Ah, right.


DAVID.   It’s really good.

Prior to having any kind of taxonomies of animals, you know, people were trying to name a fish.

And this fish is two species, and yet neither of those species.

It’s not yet a salmon and neither is it a trout.

And it’s no longer a cod, and whatever.

I mean, at some point, you just need to settle down and build a taxonomy, and we did that as humans.

And that’s actually fairly universal.

We now have, at least in the western world, and I think now, because of the diffusion of the scientific method, broader than that… we have a pretty decent way of naming a new creature.

We’re still honoring, perhaps, the person that discovered it, or whatever they wanted to name it.

I could see something like that evolving eventually, if you’re really talking about the malware itself.

But I see the problem as wider spread than that.

I see the problem as even down to methodology.

You know, “What is an advanced persistent threat?”

“Does your tool stop advanced persistent threats?”

“What is persistence?”

It’s ridiculous, perhaps, that we can’t agree on these things, but I think a lot of the reasons we can, the extent that we can… it’s for marketing reasons.


DUCK.   Absolutely.

Because my definition of Advanced Persistent Threat [APT] is that “advanced” simply means, “Well, it got past our defenses.”

“Persistent” loosely means, “We tried rebooting… damn thing was still there.”

And “Threat” means “threat.”

So an APT is actually… might as well just call it a Threat.


DAVID.   Yes.


DUCK.   But it sounds dramatic, and I guess if you’re doing a bug report, or if you’re doing a breach disclosure, then the terminology can be used deliberately to be a little bit misleading.


DAVID.   Frameworks can go some ways to solving this, but at the end of the day, the incentive is just not there to co-operate.

Because, if you can market your product as satisfying all of these various checklists that don’t actually cross reference each other, then how is someone to analyze the purchase of your product?

That helps you, because you can then enter this realm of, “Nothing actually has meaning. Let me tell you something with pretty words.”


DUCK.   So, what about threat classifications or identifications – taxonomies, if you like, or as you say, frameworks – that are quite useful when you’re learning about all the different ways that a particular class of threat might emerge?

Like MITRE’s ATT&CK framework.

The problem I do have with ATT&CK is that it’s absolutely massive.

If you’re trying to build your own SOC because you’ve decided you want to do it yourself, don’t you think you end up getting lost in the details?


DAVID.   I think that might be a consistency-of-use issue, an exposure issue.

And I think that we see that because the industry is so churny, and there’s so much marketing noise.

We don’t feel that way about taxonomies that we have for naming animals and plants because we’ve actually settled on it.

Absent something like that, a neutral incentive system, right?

One that people participate in because it is good for the industry and because it is good for their practice, rather than because it is good for their profit.

Without that, you’re going to have an attack framework that is adopted by people who use it for six months and dispose of it, or use it in their product but not in a competitor’s product, and therefore it’s intractable for someone who has to buy both of those products as a practitioner.


DUCK.   Are you saying that because you think marketing people will want to go off in a different direction once everyone starts to agree and call things the same?

“How are you going to differentiate,” that sort of problem?


DAVID.   Yes.

Innovation, whether it’s false innovation that is marketing, or…


DUCK.   [LOUD LAUGHTER]


DAVID.   Well…


DUCK.   [MORE LAUGHTER]


DAVID.   [LAUGHS] So, there will be an innovation which will disrupt it for reasons that are not its unsuitability.

To the extent that it is unsuitable, if it is unsuitable, *that* won’t be the reason where the framework fails.

It’ll be because something else comes along that someone has enough money to promote, that we then are compelled to acknowledge for the period that it’s flashing in the pan.

I just think this is really a very churny place.

And it isn’t churny for reasons that are optimizing the practice of cybersecurity.

It’s churny for reasons that are optimizing the profits of the participants.


DUCK.   So, what about something which is comparatively new, compared to, say, naming individual malware samples, or naming the style of a scam, like an investment scam or a phishing scam…

And that is the naming of so-called threat groups, because that seems to be going off in all sorts of directions.

I mean, MITRE and ATT&CK – they have a list of group names.

When you go through there, there are absolutely loads of them, but there are names that I would expect to see there, contemporary ransomware gangs, for example, that have done some pretty big and devious attacks, that aren’t in the list.

And there are malware operators who haven’t really been active for 10 years who are still on the list (as I suppose they should be), as though they’re still important.

And then Microsoft have come along and said, “Oh no, we’ve got a whole new way of naming this, based on weather patterns.”

So it’s Typhoon if you’re from China, and if you’re a new threat group they don’t know about, then you’re just Storm.

So that’s like a family name.

Then you get Flax Typhoon, Salt Typhoon, Volt Typhoon, and they don’t give a description of how they choose the given name.

That seems to be pseudo-random, and in some cases, kind of implies that there’s some common motivation, or common operational style, when threat groups have the same family name, yet they’re all doing completely different things, and it’s just quite arbitrary.

So where do you think that will lead us?

And is it helpful, again, having all these names?

Or is it all just for marketing excitement, so you can make it sound as though you know a bit more about who’s really doing this than you probably do?


DAVID.   I think that naming convention probably isn’t so bad.

It isn’t a lot different than making a pronounceable hash.

A new way of naming something that is extensible is actually useful to us, and so to that extent it doesn’t serve me in a way that structures my thoughts.

It does serve me in a way that allows me to communicate, so it could be helpful.

But I don’t think it necessarily structures thoughts, and that’s unfortunately one of the functions of naming things.


DUCK.   Or at least that the name provides some inkling of what you’re actually dealing with.


DAVID.   Right.


DUCK.   What’s the difference with Volt Typhoon, Salt Typhoon, and Flax Typhoon?

The names don’t convey that.

It doesn’t tell me, “Well, one lot of them are focusing on *this* kind of attack against *that* kind of stuff.”

So, David, what about the names – the high-level names that could be quite useful, but sometimes end up being confusing – for classes of scam, or classes of attack?

Another example that we wrote about recently on solcyber.com/blog is the scam known as pig butchering.


That’s just a name that apparently comes from how the scammers think of their victims: they’re going to take them as hard as they can, for as much money as they can.

And Interpol recently said, “Oh, we don’t like that name, it’s victim blaming,” and I understand that.

And they said, “No, what we want to call the scam is romance baiting,” because traditionally they used dating sites as a way to meet people that they weren’t interested in having a relationship with, but just wanted to start talking to so they could lure them into the scam.

Why don’t we just call them investment scams?

When talk turns to money online, and someone’s asking you to give them money, you need to stop and think!

It doesn’t matter whether it was romance-related, or whether they think that they’re butchering you, or any of that stuff.

What matters is the background to the scam and why you should be suspicious.


DAVID.   Well, to my earlier point, we don’t get stuck with the name forever because in 10 minutes we’ll be calling “pig butchering” something else.


DUCK.   [LAUGHS]


DAVID.   And that’s part of the problem.

Pretty soon, words will adopt meaning that transcends contemporaneous concern.

I just don’t think we’re ever going to get there, because I think it will be disrupted by some other incentive in the market.


DUCK.   So, to finish up, David…

As you pointed out, naming things, whether you’re doing it for a taxonomy, or you’re doing it just to have some way of talking about things, or just to be human-friendly, is difficult.

Do we need to worry about this?

Do you think it’s distracting for people who need cybersecurity in their business and think they have to learn all this stuff before they can do the basics?


DAVID.   I think that if we could get to the level where those basics don’t roll up into something that can be influenced by marketing, then those basics will be of a fundamentally earnest nature.

People will have named things *in order to track them to use in their practice*, not in order to have cornered a market on words.


DUCK.   Would it help if those of us who are doing threat research made sure we stuck to the jargon only when we’re talking to other threat researchers, and that we all make a strong effort just to talk in plain English when we’re trying to bring people along?

Or do you think that’s unavoidable because people want fancy names?

Like, they want a virus they can call [DRAMATIC VOICE] Friday the Thirteenth because it sounds more exciting than 1813.


DAVID.   The problem is, again, that the tooling is owned and manipulated by people who don’t have incentives aligned with actually using that tooling effectively.

And so there’s no need for product A to share product B’s naming taxonomy.


DUCK.   At the end of the day, do you think what we should really worry about is just how well a product or a service provider meshes with our culture and our attitude and our business, and not worry about whether *they* got 97.2% on this test and *that lot* got 97.1%?


DAVID.   Yes!

I think it comes to defining what’s important to you to stop.

And, from a professional services perspective, if you’re hiring a vendor, or someone like SolCyber…

One of the benefits of hiring a normalized, functioning cybersecurity team of experts is that they have this problem, but they don’t want anything to do with this problem.

We at SolCyber don’t buy tools because they have fancy naming conventions.

We buy tools to augment our existing capabilities, and we integrate them.

So, to the extent that those systems disagree or have different ways of solving a problem, and then to the extent that those different ways of solving a problem are not actually differentials for the purposes of effectiveness, but differentials for the purposes of cornering markets?

We can overcome that.

We, as SolCyber, can smooth that over.

Because our incentive is to provide a service to our customers not to corner the market with intellectual property and dubious naming distinctions.

And if you can make that happen in-house, that’s fine.

Some companies absolutely can.

The reason we exist is a lot of companies look at the bills for doing something like that, culturally and logistically, and decide that they can’t afford it.



DUCK.   Maybe, if we just get back to basics, then all this will become irrelevant?


DAVID.   I think so.

I think, to the extent that practitioners can demand that, and customers can demand results rather than literature that focuses on minutiae, invented minutiae, at that…

…I think the industry will become more satisfied with the results.


DUCK.   David, I’m conscious of time.

So, thank you so much for your thoughtfulness today.

[LAUGHS] I know you’re a Joyce fan, so I was expecting that.

I wasn’t expecting Umberto Eco to come into things!

If you would like to know more about “What’s in a name?”; if you’d like to know about pig butchering and what it really means; and what investment scams are and how you can get on top of them, please head to solcyber.com/blog.

Cybersecurity in plain English.

Thanks for listening, and until next time, stay secure.


Catch up now, or subscribe to find out about new episodes as soon as they come out. Find us on Apple Podcasts, Audible, Spotify, Podbean, or via our RSS feed if you use your own audio app.
