How Mandiant Graduates Threat Actors

Following the introduction of Mandiant Advantage, which gives every security professional insight into the world of Mandiant consultants, behaviours of uncategorized (UNC) actors is getting more attention. Faster exposure to these details can lead not just to a deeper understanding of threat actors but also help reduce the impact of newly discovered malicious UNC activities.


The Latest Threat Actor Webinars >

Behind every attack is an actor, and understanding their detailed activities start with fragments of evidence that are gradually pieced together over time to form a clear identity, complete with commonly used tactics, techniques and procedures (TTPs) which help defenders minimize a security breach. These initial fragments of evidence are also classified in activity characteristics and when they are consistently identified over a number of incidents, they form an activity cluster.

As more information around the activity cluster is gathered and analyzed, a defined set of characteristics are assigned. This “graduation” process continues until sufficient intelligence on the activity cluster is amassed to classify it as an uncategorized actor entity (UNC). In the early stages of investigation, the relationship between activity and intention may be unclear, but as further evidence is reported and analyzed, Mandiant is better able to associate specific traits and personality to each UNC actor.

Looking at a screen

Mandiant has identified over 2,000 UNC actors and many still exist today. Others have been merged and combined over time based on emerging evidence. Now, for the first time, the threat intelligence Mandiant experts rely on is also available to any user of the new Mandiant Advantage platform. Mandiant Advantage users can now track threats before they graduate into fully defined threat groups and are publicly announced APT or FIN groups.

UNC diagram

It takes time and a lot of evidence before an UNC actor becomes an APT or FIN group. When one or more potentially related UNC actors reach a level of significance, the resulting entity is classified as a TEMP group. As these TEMP groups become more analytically complete with a sufficiently high level of confidence in the TTPs attributed to them, they may graduate to an APT or FIN group and be announced publicly.

UNC actors may change significantly over time as new evidence is revealed. Their name (UNC or unclassified) is their nature, reflecting the raw, maturing stages of the attribution process. It can take years of detailed research for an UNC to graduate to an APT or FIN group. Given the uncertainty around the details of an UNC actor, you would be forgiven for questioning their origin or intentions. However even in their early stages, UNC actor details can equip teams with powerful intelligence and value.

Table 1: Intelligence value of attribution at various stages

Table 1: Intelligence value of attribution at various stages

Mandiant recently reported on a widespread campaign tracked as UNC2452, purported to be the actors behind the SUNBURST backdoor. UNC2452 is highly sophisticated and has gained access to a number of global private and public organizations via trojanized updates to SolarWind’s Orion IT monitoring and management software. By releasing known intelligence on UNC2452 through Mandiant Advantage, security defenders are equipped with source materials and raw analysis to shore up defenses in their own environments before an APT or FIN group is announced.

Releasing free UNC actor information on Mandiant Advantage may seem counter intuitive as a commercial proposition, but Mandiant is committed to supporting security teams in the fight to protect their organizations. While technologies continue to evolve and attackers become more aggressive, quicker access to latest discovered intelligence has clear benefits: defenders can become increasingly empowered and reduce the risk of breaches.