The new collaboration aims to streamline the response to threats by aligning the taxonomies of actors known as APT29, Cozy Bear, or Midnight Blizzard.
In a digital landscape where cyberattacks are multiplying and every second counts, confusion in the naming of attacking groups can make the difference between stopping an attack in time and becoming a victim of ransomware. To address this issue, Microsoft and CrowdStrike have announced a strategic collaboration to align their threat actor naming taxonomies, thereby facilitating rapid identification and response by cybersecurity teams.
One attacker, multiple names
One of the biggest challenges faced by security professionals is that the same attacking group can be known by multiple names depending on the provider. For example, Microsoft uses the name “Midnight Blizzard” for an actor that other firms identify as Cozy Bear, APT29, or UNC2452. This disparity complicates analysis, reduces trust, and slows down critical decision-making.
“Names help us make sense of the threat landscape and organize knowledge around known or likely attacker behaviors,” explains Vasu Jakkal, corporate vice president of security at Microsoft.
A collaborative reference guide
As a first step in this initiative, both companies have published a joint reference guide that maps common actors tracked by Microsoft and CrowdStrike along with their equivalent names. This tool does not aim to establish a single standard but rather to translate between different naming systems, providing network defenders with a quicker and clearer way to correlate information.
The goals are threefold:
- Increase confidence in identifying threat actors.
- Streamline information correlation across platforms.
- Accelerate response capabilities to active cyberattacks.
The initial guide is already available and serves as a starting point for improving interoperability among different security environments that combine intelligence from multiple providers.
Not a standard, but practical cooperation
Microsoft has made it clear that this effort does not seek to impose a universal nomenclature, but rather to enable security professionals to operate more effectively in complex, multi-layered environments.
“It’s about improving intelligence alignment so that our customers and the community can respond faster and with more clarity,” Jakkal asserts.
This practical approach aligns with recommendations from the U.S. National Institute of Standards and Technology (NIST), which emphasizes in its SP 800-150 document on threat sharing the importance of consistent descriptions to improve coordination and security posture.
Next steps: industry joins in
While the initial alliance is between Microsoft and CrowdStrike, other companies are already joining in. Google/Mandiant and Palo Alto Networks (Unit 42) have announced their intention to participate in this collaboration on threat actor mapping, which could solidify a broader industry effort for the benefit of the global cybersecurity ecosystem.
This initiative represents a further step toward a coordinated and transparent cyber defense, where various sector players work together to reduce friction, avoid attribution errors, and shorten response times.
via: Microsoft