Jeffrey Bell
My name is Jeffrey Bell, and I am a Senior InfoSec Analyst and Threat Intelligence Lead at Norstella. I graduated from UNC-Charlotte with a B.S. in Computer Science specializing in Cybersecurity. When not working, I write for my blog catchingphish.com and enjoy skiing!
Session
It is overwhelming to navigate the vast amount of threat intelligence available to understand who is targeting an organization. If our intel team suspects that Akira is targeting the organization, it's vital to understand their Tactics, Techniques, and Procedures (TTPs). However, Akira has different aliases depending on which vendor published the findings, making rapid response challenging. We might be missing information from another vendor tracking Akira in a different format. One reason for the wide variety of threat actor (TA) naming is the commercialization of threat research programs (TRPs), which leads to disparities in intelligence from different sources about the same TA. Developing a naming taxonomy for TAs is not easy, as a name that is too technical, like "APT643," is unlikely to be memorable or recognizable. On the other hand, a name like "WARLOCK DUST" evokes a sense of super-villain notoriety. Because TA groups evolve, combine, and re-emerge, it takes combined intelligence to create tangible actions. To address this, I propose a single aggregate tracker where vendors, academia, and researchers can share and enrich information about tracked entities.