
The Same Answer

  • Writer: RG
  • Sep 3
  • 5 min read

Updated: 2 days ago

42 and Douglas Adams – Numberphile, via YouTube

I suppose it’s not surprising that I’ve mentioned The Hitchhiker’s Guide to the Galaxy before. I’ve even commented on the answer to the ultimate question of life, the universe, and everything.


The answer, of course, is 42. But, even though Douglas Adams used it because he thought it sounded funny, it has other interesting properties.


For example, if you were to take a piece of paper, and were able to fold it 42 times (you can’t, but never mind that), the folded paper would stretch from the Earth past the moon’s orbit. (Assuming a piece of paper is 0.1mm, this would come to ~439,804km, while the distance from the Earth to the moon ranges between ~369,000km and ~406,000km).


It’s also a pronic number -


Like, shrimp?


Not “prawnic”, “pronic”. It means that 42 is the product of two successive integers, 6 and 7.


Ok, so...


Also, the number 42 is represented in binary as 101010.


And?


Also, it’s a primary pseudoperfect number, which means that if you add the inverses of the prime factors to the inverse of the number itself, you get 1. So, 1/2 + 1/3 + 1/7 + 1/42 = 1.


And that means?


Absolutely nothing. Meaningless coincidences, but they can be fun, if you like that sort of thing.


But that brings me to cyber threat actor attribution.


I have discussed cyber threat naming and attribution before, and the degree to which actual attribution is useful. To summarize, it’s extremely useful to identify threat groups and their methods, but actually associating those threat groups with specific nation-states or criminal organizations is of limited value to most organizations (mostly because it will have no meaningful impact on the defence strategy they follow).


Still, it’s important to some, and of great interest to most, which is why I found the recent introduction of Unit 42’s Attribution Framework so interesting.


Unit 42 is the threat intelligence and security consulting team at Palo Alto Networks, which is probably best known for their firewall technology. And yes, the “42” is a direct reference to The Hitchhiker’s Guide to the Galaxy. As their own about page says:


Unit 42 - About Page

I think the release of the framework is a great contribution to the industry, as it provides a rigorous approach that fits well with other tools and frameworks, to provide not only insight into Unit 42’s own research, but also a framework which can be used by others in the industry.


The Attribution Framework is based on the Diamond Model of Intrusion Analysis, which is provided by the US Defence Technical Information Center and is used widely as a means of applying scientific principles and formal processes to intrusion analysis. They also use the Admiralty System, to assess the reliability of their sources and the level of confidence in the validity of the information.


As I read through the announcement regarding the Attribution Framework, the term that came to mind was “Bayesian”. The Framework follows a rigorous and scientific process for gathering, categorizing, and assessing the data in a way which evolves as does the level of data, confidence, and number of sources.


Though they don’t explicitly call it out, isolated events and their associated data could effectively be called “Level 0”, as the requirements for defining an “Activity Cluster” (Level 1) usually include two or more “related” events.


So, if you consider the “Level 0” to be made up of the data gathered from many events, an activity cluster would be defined where links can be made between such events. In this context, links could consist of shared IoC (Indicators of Compromise), similar TTP (Tactics, Techniques, and Procedures), or similar targeting or timing. Another element of this analysis is an assessment of the motivation of the actors – again, something which can be refined over time. The categorizations used include “UNK” (Unknown), “STA” (State-sponsored), “CRI” (Crime-motivated), and “MIX” (Mix of state-sponsored and crime-motivated).


Once a potential activity cluster is identified, further work is done to clearly articulate the rationale and justification for the grouping, and describe the evidence used to support the assessment. The requirements for defining a new activity cluster do NOT include high-confidence attribution, or a complete understanding of the attack life-cycle, so it’s easy to see both the benefits and the limitations of this category of information.


Next comes the “Temporary Threat Group” (Level 2). As more information becomes available over time (generally at least six months), the reliability of that information can be assessed, and the information can be formally mapped using the Diamond Model. This requires time and effort, but allows a more nuanced understanding of the activity from one or more activity clusters, and can lead to insights which allow other data to be added to the overall assessment.


And then, finally, the part that is most useful to a small percentage, and of limited use to the people who seem to be most interested in it... I refer, of course, to the “Named Threat Actor/Country” (Level 3). This is only done after a great deal of work, and includes evidence from multiple reliable sources, trusted partners, and OSINT (Open-source intelligence). Among the various reasons for the high level of rigour here is the fact that threat actors might launch retaliatory attacks in response to an attribution – either because it is false, or because it is true.


There’s a lot more to all of this, of course, but this is an excellent step towards increasing understanding and promoting more discipline in threat group analysis.


And then there’s naming. I’ve discussed this before, but note that naming is actually a very difficult challenge, due mainly to the varying degrees of visibility and access to data from different threat researchers. Unit 42’s strategy for naming threat groups uses a generic descriptor, plus a constellation to distinguish between non-state threat groups:

  • Libra = general cybercrime

  • Orion = BEC (Business Email Compromise)

  • Scorpius = Ransomware

  • Virgo = Hacktivism


... and Nation-state groups:

  • Draco = Pakistan

  • Lynx = Belarus

  • Pisces = North Korea

  • Serpens = Iran

  • Taurus = China

  • Ursa = Russia


The list of named threat groups Unit 42 follows is impressive, and some of the names are familiar to those who follow cybersecurity news. As an example, “Muddled Libra” overlaps with “Octo Tempest” (Microsoft) and “Scattered Spider” (CrowdStrike), as a very active, financially-motivated threat group that has been in the news frequently.
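As an added illustration of the progression from isolated events through Activity Cluster to Temporary Threat Group, and of the constellation naming scheme listed above, the Python below is example code written for this post, not Unit 42's framework or tooling. It groups constructed sample events into activity clusters by shared IoCs or TTPs, promotes a cluster to a temporary threat group once it spans roughly six months with reliable reporting from more than one source, and builds a group name from a descriptor plus constellation. The six-month and Admiralty A-C thresholds, the sample events, and the vendor labels are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from itertools import combinations

NON_STATE = {"cybercrime": "Libra", "BEC": "Orion", "ransomware": "Scorpius", "hacktivism": "Virgo"}
STATE = {"Pakistan": "Draco", "Belarus": "Lynx", "North Korea": "Pisces",
         "Iran": "Serpens", "China": "Taurus", "Russia": "Ursa"}  # suffixes as listed in the post

@dataclass(frozen=True)
class Event:  # one observed intrusion event ("Level 0" in the post's reading)
    id: str
    seen: date
    iocs: frozenset      # indicators of compromise
    ttps: frozenset      # ATT&CK technique ids (constructed sample values below)
    source: str          # reporting source (constructed label)
    reliability: str     # Admiralty source rating, A (reliable) to F (cannot be judged)

# Constructed sample: e1-e2 share an IoC, e2-e3 share a TTP, e4 links to nothing.
SAMPLE = [
    Event("e1", date(2024, 1, 10), frozenset({"203.0.113.7"}), frozenset({"T1566"}), "vendorA", "B"),
    Event("e2", date(2024, 3, 2), frozenset({"203.0.113.7"}), frozenset({"T1078"}), "vendorB", "A"),
    Event("e3", date(2024, 8, 20), frozenset({"c2.example"}), frozenset({"T1078"}), "vendorA", "B"),
    Event("e4", date(2024, 5, 5), frozenset({"198.51.100.9"}), frozenset({"T1190"}), "vendorC", "F"),
]

def activity_clusters(events):
    """Union-find over shared IoC/TTP links; an Activity Cluster (Level 1) needs 2+ events."""
    parent = {e.id: e.id for e in events}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for a, b in combinations(events, 2):
        if a.iocs & b.iocs or a.ttps & b.ttps:
            parent[find(a.id)] = find(b.id)
    groups = {}
    for e in events:
        groups.setdefault(find(e.id), []).append(e)
    return [g for g in groups.values() if len(g) >= 2]

def level(cluster, min_days=182, good=("A", "B", "C")):
    """1 = Activity Cluster; 2 = Temporary Threat Group once activity spans about six
    months and two or more sources rate A-C (thresholds assumed). Level 3 is an analyst call."""
    span = (max(e.seen for e in cluster) - min(e.seen for e in cluster)).days
    reliable = {e.source for e in cluster if e.reliability in good}
    return 2 if span >= min_days and len(reliable) >= 2 else 1

def group_name(descriptor, motivation=None, country=None):
    """Generic descriptor plus constellation; naming a country implies a state group."""
    return f"{descriptor} {STATE[country] if country else NON_STATE[motivation]}"
```

The isolated event e4 never reaches Level 1, and the same three-event cluster only reaches Level 2 once both the time span and the second reliable source are present.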


But where does this leave us?


Well, aside from questions like “what is the answer to the ultimate question of life, the universe, and everything?”, or “how many roads must a man walk down”, we have a new question to which the answer (or at least part of it) appears to be “42”: “What’s the next big step in formalizing cyberthreat assessment and tracking?”


It doesn’t exactly roll off the tongue, but we can work on that...


Cheers!


© 2025 by RG


TIL Technology by RG is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise specified. 

Please feel free to share, but provide attribution.
