You named it.

Persian last names

Persians didn’t have last names until the 20th century, when in 1925 Reza Shah mandated them. My full last name, Mashhadi Ghadiri, falls into two of the 7 categories of Persian last names and nods to both power and pilgrimage. The first part, Mashhadi, refers to someone who has made the pilgrimage to Mashhad, one of the holiest cities in Iran in the Islamic faith. Ghadiri comes from ‘Qadir,’ meaning capable. It’s a name about choosing the path with intention.

Naming cybersecurity incidents

Cybersecurity incidents are typically named using one of several conventions to aid tracking, communication, and analysis. Common methods include using the date of occurrence (e.g., “Incident-20250425”), the affected entity (e.g., “M365-Incident”), or the threat actor or campaign involved (e.g., “APT29-LateralMove”). Other approaches focus on the attack technique (e.g., “RDP-BruteForce”), the targeted asset (e.g., “ProdAPI-SQLInjection”), the malware or tool used (e.g., “Emotet-Infection”), or a combination of severity and category (e.g., “Critical-DataExfil”). These naming structures help standardize incident reporting and streamline response across teams, but they can often make it harder to share information or understand similar attacks across entities or organizations.
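As an added illustration (not part of the original post), the Python sketch below assumes a composite name layout, `YYYYMMDD-Severity-Asset-Technique`, and a four-level severity scale; both are assumptions made here. It parses such names into fields for trend counts and sets aside single-convention names like those quoted above, which carry too few fields to compare.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime

SEVERITIES = ("Low", "Medium", "High", "Critical")  # assumed scale
# Assumed composite layout: YYYYMMDD-Severity-Asset-Technique
NAME_RE = re.compile(
    r"(?P<day>\d{8})-(?P<severity>[A-Za-z]+)-"
    r"(?P<asset>[A-Za-z0-9]+)-(?P<technique>[A-Za-z0-9]+)"
)

@dataclass(frozen=True)
class IncidentName:
    day: date
    severity: str
    asset: str
    technique: str

    def __str__(self):
        return f"{self.day:%Y%m%d}-{self.severity}-{self.asset}-{self.technique}"

def parse_name(name):
    """Return an IncidentName, or None if a field is missing or invalid."""
    m = NAME_RE.fullmatch(name)
    if not m or m["severity"] not in SEVERITIES:
        return None
    try:
        day = datetime.strptime(m["day"], "%Y%m%d").date()
    except ValueError:  # eight digits that are not a calendar date
        return None
    return IncidentName(day, m["severity"], m["asset"], m["technique"])

def summarize(names):
    """Count techniques among parseable names; collect the rest for review."""
    by_technique, rejected = Counter(), []
    for n in names:
        parsed = parse_name(n)
        if parsed:
            by_technique[parsed.technique] += 1
        else:
            rejected.append(n)
    return by_technique, rejected

# Constructed sample: composite names plus single-convention names from the text
SAMPLE = [
    "20250425-Critical-ProdAPI-SQLInjection",
    "20250502-High-M365-TokenTheft",
    "20250511-High-ProdAPI-SQLInjection",
    "Incident-20250425", "APT29-LateralMove", "Critical-DataExfil",
]
```

Calling `summarize(SAMPLE)` returns the per-technique counts together with the names that could not be placed, so the unparseable ones go to a person for renaming.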

So what?

Both systems are designed to convey identity, origin, and context in a compact, recognizable form. Both systems reflect a deep cultural or operational need: to encode meaning, history, and relationship into something short enough to be remembered—but rich enough to be understood.

The convention you choose for naming a cybersecurity incident, just like the choice of a surname, shapes how it’s perceived, tracked, and responded to. Here’s why it matters:

1. Clarity and Communication

  • A well-chosen name instantly signals what happened and to whom.
    • “TokenTheft-SessionHijack” is more actionable than “Incident-0425”.
    • Similarly, Shirazi gives cultural/geographic context in a way Reza alone does not.

2. Attribution and Analysis

  • Names tied to threat actors (APT29), techniques (RDP-BruteForce), or tools (CobaltStrike) allow teams to connect dots across incidents.
    • Just like Mashhadi tells you someone made pilgrimage to Mashhad, Mimikatz-Use implies credential dumping.

3. Triage and Prioritization

  • Including severity or asset class in a name helps with prioritization.
    • Critical-DataExfil is clearly urgent.
    • In Persian names, Qadir (capable) implies rank or responsibility, signaling social weight.

4. Long-Term Tracking and Reporting

  • Incident names become part of historical data and intelligence feeds.
    • Consistent naming enables automation, dashboards, and trend analysis.
    • Attacks follow histories and societal changes across ‘generations’ just the same.

5. Cultural and Strategic Implications

  • Names reflect what the organization values or fears—whether it’s data loss, nation-state actors, or internal misuse.
    • Just as Persian surnames once signaled social class or religious devotion, incident names can shape an org’s security posture narrative for this incident and future ones.

In short: Choosing the right naming convention isn’t just administrative—it’s strategic. It defines how people talk about the threat, understand its origin, and decide what to do next.
