Hurricanes get names (Harvey, Irma, Jose, Maria…) assigned alphabetically by the National Oceanic and Atmospheric Service (NOAA). Biologists name new species in peer-reviewed journals. Astronomers suggest names for stars and moons, but the International Astronomical Union (IAU) must approve them.
The information security profession is less mature, although vulnerabilities in software and hardware products do get numeric identifiers. For example, a vulnerability announced this week in Intel processors was designated CVE-2017-5708. These Common Vulnerabilities and Exposures (CVE) identifiers are assigned by a trusted community and fed into the US National Vulnerability Database (NVD).
Numeric identifiers aren’t very useful to humans. Using them in ordinary conversation would be akin to calling our outermost former planet “134340” instead of “Pluto”. No one (including astronomers) does that. Scientists give common names to things in addition to numeric identifiers.
Even worse, CVE identifiers apply only to vulnerabilities. Security professionals need to talk to each other (and the general public) about other things too, including threats and incidents.
Like planets, security threats are generally named by those who discover them. A recent example is the Key Reinstallation Attack (KRACK) to decrypt certain wi-fi transmissions. The KRACK name was chosen by a Belgian post-doctoral student who devised it. Another recent example is the Don't Use Hard Coded Keys Attack (DUHK), also named by academicians. KRACK and DUHK have dedicated web sites and cute logos.
In other cases, a threat is named by its perpetrator, not its discoverer. The recent Bad Rabbit ransomware attacks, for example, were named by the attackers themselves. Bad Rabbit has no web site or cute logo, but the “Bad Rabbit” brand name does appear on infected computers.
Perhaps the most memorable “bug branding” was Heartbleed. Its press release came with a slick web site and logo, designed by the security firm that discovered the OpenSSL bug. The site provides useful information to researchers and the public, but it also links visitors to the firm’s commercial site and products. Some researchers wondered if the Heartbleed announcement was delayed to create a marketing campaign, even while active exploits were underway.
Threat actors are usually named by security firms too. Unfortunately, they seldom use the same names. For example, a Russia-linked hacking group behind the 2016 DNC hack is called Fancy Bear, APT28, Pawn Storm, Sofacy Group, Sednit, or Strontium, depending on which security researcher is talking about it.
All this confuses the general public and press, at a time when we need them to understand cyber threats more than ever before.
The Solution
We need a trusted authority to name and catalog newly discovered threats, vulnerabilities, incidents, and actors. A respected global cybersecurity association, such as (ISC)2 or ISSA, should step in and end the chaos.
We also need ethics rules for researchers who propose names, requiring them to share their methods and data fully for free, without product promotion or other conflicts of interest.
We can follow the model that astronomers have used successfully for a century:
Establish naming conventions
Researchers propose names
Members vote
Publish results
We can also rate incidents on a simple scale, similar to the way NOAA rates hurricanes from category 1 to 5. Hurricanes are rated based on wind speed. Cyber incidents can be rated based on dollars and data lost. This would give the public and press a way to compare events and understand severity.
Cyber storms blow through the world nowadays more frequently than hurricanes. Let’s name and rate them in a consistent, understandable way so we can talk about them with each other and the public.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.