Ransomware, Security Strategy, Plan, Budget

Why ransomware group names don’t matter for defense


COMMENTARY: Walk into any cybersecurity conference today, and you'll hear ransomware group names everywhere. But here's the truth — the cybersecurity industry's preoccupation with naming ransomware groups distracts from its ability to defend against them.

Make no mistake, attribution has its place and value. It gives us a common taxonomy to understand who we’re talking about. But somewhere along the way, we let the allure of branding groups take the lead.

It’s time to refocus on what truly keeps an organization safe. 

As a CISO, knowing whether an attack came from "DragonForce" or "BianLian" won’t make my environment more secure.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

The group names are a distraction. Instead of focusing on the latest attack group, I focus on the most common tactics, techniques, and procedures (TTPs) used in the attacks — initial access, lateral movement, and how they deploy the ransomware payload. These become the inputs for finding my gaps and form the core of my risk mitigation strategies.

We need to shift our focus from sensationalized group names to actionable intelligence about attack methodologies. This change in perspective helps us better prepare our defenses, implement targeted countermeasures, and focus our resources where they'll have the greatest impact.

How group behavior, not branding, informs defense

There's no real way to stop ransomware evolution. The landscape has transformed from independent groups to a Ransomware-as-a-Service (RaaS) model where central groups sell specialized services to affiliates.

These affiliates are "free agents" who work with any group. 

This affiliate model means we’re no longer defending against a single, identifiable group: we’re defending against a wider population of bad actors with wide variation in their tools and techniques. The attention needs to be on these affiliates and their methods, not on the product or the ransomware “brand name.”

Let’s take Scattered Spider, one of the most widely talked-about groups right now, given the broad scope of attacks they’ve claimed, from MGM Resorts in 2023 to Marks and Spencer. History has shown that these types of groups target different industries and then hit multiple companies in a batched approach. Knowing just that is not enough to build an effective defense.

When leadership asks: “Are we protected against Scattered Spider?” we must know the group's TTPs to confidently answer. Digging into their TTPs reveals expertise in social engineering, particularly targeting help desks to reset credentials and assign MFA to devices they operate. That's actionable intelligence we can immediately use to bolster our defenses.
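The help-desk reset followed by MFA enrollment sequence described above is exactly the kind of TTP a detection can key on, regardless of which group or affiliate runs it. The following correlation rule is an added example, not code from the column or from Expel; the log format and field names (timestamp, event, user, actor, detail) are an assumption, and the sample events are constructed.

```python
"""Flag MFA device enrollments that closely follow a help-desk credential reset.

Added example: correlates two identity events for the same account within a
short window. Log layout and event names are assumptions, not a vendor format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "timestamp|event|user|actor|detail"
SAMPLE_LOG = """\
2024-05-01T09:00:12Z|helpdesk_password_reset|alice|helpdesk_bob|ticket=1001
2024-05-01T09:07:45Z|mfa_device_enrolled|alice|alice|device=new-phone
2024-05-01T10:15:00Z|helpdesk_password_reset|carol|helpdesk_bob|ticket=1002
2024-05-01T16:40:00Z|mfa_device_enrolled|carol|carol|device=laptop-auth
2024-05-01T11:00:00Z|mfa_device_enrolled|dave|dave|device=yubikey
"""

# Enrollment within this long after a reset is treated as suspicious.
WINDOW = timedelta(minutes=30)


def parse_events(text):
    """Parse pipe-delimited lines into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, actor, detail = line.split("|", 4)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "event": event, "user": user,
                       "actor": actor, "detail": detail})
    return events


def find_reset_then_mfa(events, window=WINDOW):
    """Return (user, reset_ts, enroll_ts) for every MFA enrollment that
    occurs within `window` after a help-desk reset of the same account."""
    resets = defaultdict(list)
    for e in events:
        if e["event"] == "helpdesk_password_reset":
            resets[e["user"]].append(e["ts"])
    hits = []
    for e in events:
        if e["event"] != "mfa_device_enrolled":
            continue
        for reset_ts in resets.get(e["user"], []):
            if timedelta(0) <= e["ts"] - reset_ts <= window:
                hits.append((e["user"], reset_ts, e["ts"]))
    return hits


if __name__ == "__main__":
    for user, reset_ts, enroll_ts in find_reset_then_mfa(parse_events(SAMPLE_LOG)):
        print(f"ALERT {user}: reset {reset_ts:%H:%M} -> new MFA device {enroll_ts:%H:%M}")
```

In the constructed data only alice trips the rule; carol's enrollment lands hours after her reset and dave has no reset at all, so a ticketed, verified reset plus a delayed enrollment stays quiet while the compressed sequence is surfaced.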

A call to action for cybersecurity leaders

Ultimately, effective cybersecurity isn't about tracking criminal brands. It's about understanding and disrupting the underlying techniques that make any attack successful, regardless of who is behind it.

So, what should we focus on instead? Here are some approaches I advise:

  • Prioritize actionable intelligence: Shift threat intelligence consumption from high-level "state-of-the-ransomware" reports toward detailed, technical TTP breakdowns. What are common initial access vectors? How do they perform privilege escalation? What command-and-control infrastructure do they use? These questions help build more resilient security programs.
  • Understand existing attacker TTPs: Look broadly to understand the current and emerging TTPs that threat actors use. Map those techniques to the organization’s infrastructure and identify where the team is well-positioned to defend against them and where they are not.
  • Prioritize the most likely gaps: Once we identify our gaps, categorize them based on risk. Some gaps may remain as accepted risks, while others that are more critical and more likely to be exploited need to be prioritized by the team. This includes foundational security measures like multi-factor authentication (MFA), robust endpoint detection and response (EDR), and network segmentation. These are the tools that will stop the “how” of the attack, not just the “who.”
  • Enhance visibility: To defend against these evolving threats, we must have complete visibility across the network, cloud, and endpoints. The affiliates are skilled at bypassing security tooling, especially EDRs, so a comprehensive view is essential to spot their varied techniques.
  • Focus on mitigation and response: Because these "free agents" are constantly changing their TTPs and collaborating with different groups, the team must prepare to mitigate and respond to a variety of attack patterns. This means having well-defined incident response playbooks and the ability to execute them quickly. Build the response capabilities around TTPs, not threat actor names.

We can't completely move away from using names for threat actors — we need some way to talk about them. But I recommend we change the conversation so we go deeper. We must stop idolizing ransomware groups with catchy names and start focusing on the actionable intelligence that protects our organizations.

Jason Rebholz, Advisory CISO, Expel
