It’s time to stop thinking of threat groups as supervillains, experts say
Blackwired is committed to the study of threat actors and their tools: it’s a necessary part of the operation to protect users from cyberattacks. However, it can be easy for the uninitiated, and even the experts, to be daunted by threat actors, especially the ones working on the largest scales. Analysts give these groups flashy names, such as Scattered Spider, Fancy Bear, or Midnight Blizzard. At last year’s RSA conference, CrowdStrike put up a statue dedicated to one such threat actor, tracked as Wizard Spider, and this year at Black Hat in Las Vegas, CrowdStrike gave the same treatment to Scattered Spider. This certainly has its benefits, since it helps end users be more aware of the threats facing them, but multiple experts now consider that this kind of behavior might be counterproductive.
According to Andy Piazza, senior director of threat intel at Palo Alto Networks Unit 42, some defenders spend too much time tracking the activity of threat groups. He believes their time would be better spent focusing on developing internal capabilities to respond to malicious tactics, techniques and procedures, regardless of who specifically employs them. Jen Easterly, director of CISA, sounded a similar note during her keynote speech at Black Hat, suggesting that too many resources are spent tracking threat actors when most of them are just making use of the same old vulnerabilities and the same old tactics.
Here at Blackwired, we try to strike a middle ground between admiration and contempt. While the vast majority of threat actors make use of common tools and common vulnerabilities, they do so because they work. Fresh changes to the same old tools can defeat detection, which is why we provide up-to-the-minute intelligence and training data. And even if most threat actors are simple script jockeys, it’s the rare few that go beyond this that can cause the most damage. We should not romanticize them, true, but being cautious is still essential.