Byline: Know Your Enemy: Understanding Threat Actors

This is Part II of a series. Read Part I here.

Sun Tzu wrote in his famous book, The Art of War, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

In my previous article, “Are you Aware of Your Cyber Situation,” I discussed how important it is for you to understand your business as it relates to your digital environment. This includes knowing what data you produce, how and where it is used, and where it is stored, and what devices are on your network. Understanding your internal processes, location and vulnerabilities of your essential digital resources is half the battle.

The other half is to know your enemy. Preparing to defend your organization against a known antagonist is significantly easier and more effective than trying to defend yourself against the unknown. 

Threat Actors

 It is important to know who means you harm, what they want, and how they plan to get it. While there are many threat actors out there today, most of them fit into the following categories.

Government Sponsored: These groups are well funded and often build sophisticated, targeted attacks. They are typically motivated by political, economic, technical, or military agendas. They are often looking for competitive information, resources or users that can be exploited for espionage purposes.

Organized Crime: Most often, these cybercriminals engage in targeted attacks driven by profits. They are typically either looking for the personally identifiable information (PII) of your customers or employees, such as social security numbers, health records, credit cards, and banking information, or to hijack and ransom critical digital resources.

Hacktivists: These attackers have a political agenda. Their goal is to either create high-profile attacks that help them distribute propaganda, or to cause damage to organizations they are opposed to. The ultimate goal is to find a way to benefit their cause or gain awareness for their issue.

Insider Threat: Attackers operating inside your organization are typically disgruntled employees or ex-employees either looking for revenge or some type of financial gain. They sometimes collaborate with other threat actors, such as organized crime or government sponsored hackers, out of a sense of loyalty, or in exchange for money or prestige.

Opportunistic: These attackers are usually amateur criminals, often referred to as script kiddies, who are driven by the desire for notoriety. Sometimes, however, they can legitimate security researchers trying to help organizations find and close security vulnerabilities, or even professional hackers (sometimes known as gray hat hackers) looking to profit from finding and exposing flaws and exploits in network systems and devices.

Internal User Error: Users making mistakes with configurations are actually the largest threat organizations face. These threat actors exist largely due to failing to design flaws out of the network, or by providing privileges to individuals who should not have them. Internal user errors have been known to bring down critical resources such as firewalls, routers, and servers, causing widespread or departmental company outages.

Of course, listing all possible threat actors isn’t enough. You need to evaluate your organization so you can determine which of these threat actors you are most likely to encounter so you can prioritize your defense and response preparations.

Types of Threat Intelligence

Once you know your potential threat actors, you need to ensure that your network is able to provide you with the intelligence you need to identify when you are under surveillance or attack by them.

Threat Intelligence (TI) is any external information about a threat that an organization can consume and integrate into its defensive decision-making process that results in something actionable, such as a new policy, configuration, or design, or leads to the selection and deployment of a new device. This intelligence can be Strategic, Tactical, or Operational.

Here is more information about each type of TI.

Strategic: This type of TI is usually provided in the form of printed or online reports that focus on threat actors, their intentions, motivations, capabilities, and their plans – now and in the future.

This information is usually used by CISOs and IT management to determine what types of additional administrative, physical, or technology controls may need to be budgeted for.

Tactical: This type of TI focuses on understanding the Tactics, Techniques, and Procedures of threat actors. It asks the question, “How are they accomplishing their cyber mission?”

Security and Network Operations teams use this intelligence to understand and prioritize vulnerabilities, establish alert escalations, and inform design considerations and configuration changes in order to design flaws and vulnerabilities out of the network itself.

Operational: This type of TI is usually consumed by a SIEM or Threat intelligence platform where it is cross-referenced with network logs and other collected data to determine if a threat actor is planning to engage your organization, or has already breached your defenses.

This sort of intelligence often includes Indicators of Compromise (IOC) that can help an organization know if they are under attack, or if they have particular vulnerabilities that they need to address. This information is usually used by an Incident Response team or forensics analysts to determine the scope of a breach, as well as for “hunting” for threat actors. 

Where Do You Start?

The security resources at companies are simply not mature enough to fully leverage all types of threat intelligence. So as a first step, we recommend that companies focus on Tactical TI. This will provide some insight as to how the threat actors are accomplishing their goals, which will in turn help you focus when selecting security controls.

To further take advantage of this type of TI, organizations can use it to map the anatomy of an attack – more commonly known as the “Kill Chain,” a term coined by Lockheed Martin a few years back.

While there are many variations of these attack steps, nearly all attacks use most or all of them. Knowing how a threat actor operates, and the specific tactics they use to achieve their goals, will help your organization more effectively plan and deploy countermeasures.

This was orginally posted on CSO here.