Cyber Threat Intelligence: Comparing the incident-centric and actor-centric approaches

By Mark Arena, CEO of Intel 471.

When it comes to cyber threat intelligence, the security industry mostly appears to take the view that indicators of compromise (IOCs) are the best approach to initiate/drive the intelligence process. If we take a step back and look at traditional intelligence concepts, we will find the following definition of intelligence:

“Simply defined, intelligence is information that has been analyzed and refined so that it is useful to policymakers in making decisions — specifically, decisions about potential threats to our national security.”

Consumers of indicators of compromise within an enterprise are typically on the ground network defenders yet the definition above shows intelligence defined as being useful to policymakers or executives. Based on this definition, we will make the case that an actor-centric approach to cyber threat intelligence enables predictive analysis and hence is useful to executives within your organization. I’ll preface this blog post by saying that while Intel 471 provides actor-centric cyber threat intelligence collection and information, we are not favoring one approach over the other. Additionally, we are not implying these are the only approaches to building a threat intelligence program. Rather, we believe that any threat intelligence program should include both an incident-centric and actor-centric approach.

Brian Krebs recently wrote an article that illustrated the fact there is real value in adversary or actor-centric intelligence collection when assessing cyber threats and the risk posed by them. The article also highlighted there are efficiency gains to be had through understanding threat actor and groups. Brian sums it up nicely with the following quote from ThreatConnect:

“Now if we consider for a moment the man hours and ad hoc reprioritization for many security teams globally who were queried or tasked to determine if their organization was at risk to Rombertik — had the organizations also had adversary intelligence of Ogundokun’s rudimentary technical and operational sophistication, they would have seen a clearer comparison of the functional capabilities of the Rombertik/Carbon Grabber contrasted against the operator’s (Ogundokun) intent, and could have more effectively determined the level of risk.”

An incident-centric approach

The incident-centric (or IOC-centric) approach typically begins with the detection of an event such as reconnaissance, or compromise. Really we’re operating in an incident-centric approach anytime the intelligence process is initiated and/or driven from IOCs (Indicators of Compromise). For example, a response effort might identify the following that kicks off the intelligence process:

• Files (filenames, hashes, etc) that are dropped onto the system;
• Registry keys added/changed;
• Command and control (C2) server information (domains, URI paths, IP addresses, etc).

Using these IOCs we want to build out an understanding of the tactics, techniques and procedures (TTPs) and the higher-level campaign associated with this event. We are effectively trying to understand:

• How did the malicious files end up on the compromised computer?

An exploit kit from an innocent user browsing websites?

A targeted spear-phish that was sent to the compromised user?

What exploits/exploit method was used to compromise the system?

• What malware family was dropped on to the compromised system and what was its functionality?
• What would the malware and associated access have allowed the threat actor to do on the system or network?

Pros of the incident-centric approach:

• Direct relevance is established, as the intelligence effort dovetails from an incident response that has already impacted your organization;
• Potentially allows identification of the threat actors and groups that are targeting your organization;
• Provides IOCs that can be used to aid in the identification of compromise from the same threat actor, campaign and incidents across an organization.

Cons of the incident-centric approach:

• Reactive approach initiated after your organization has already been impacted to some degree;
• Focuses primarily on the attack surface and doesn’t reflect the process that the threat actor needs to go through to impact your organization. For example it doesn’t cover a threat actor seeking:

Exploits to purchase;

Malware to purchase;

Hosting.

• Difficult to be predictive.

An actor-centric approach

There is continuous debate in the information security community about the usefulness of attribution of threat actors and groups, but we believe that attribution to various levels (person, group, nation-state, etc.) provides valuable insights that support decision-making at all levels.

The actor-centric approach starts with threat actors or groups, which is the reverse of the incident-centric approach. It should be noted that by solely focusing on threat actors that have mentioned your organization, you will lose the ability to be proactive. Brand monitoring can serve a valuable purpose, but we do not believe that it’s effective approach in isolation to collect proactively against threat actors. There are a number of threat actors that are attempting to impact your organization, but you may not observe them mentioning your organization by name. Therefore we believe it is best to focus on all actors, to include enabling actors, that might impact your sector/vertical.

Starting with the threat actors themselves, we want to understand:

• Who are they?
• What are their associations with enabling actors and partners?
• What are their motivations?
• What are their technical skills and abilities?
• What are their TTPs?

Once we understand this actor-centric information, we want to fuse this information through analysis and correlation with other intelligence information. Ideally we could then tie their TTPs and campaigns to specific IOCs as well.

Pros of the actor-centric approach:

• Enables your organization to be proactive and predictive;
• Provides context around an actor’s motivations and their abilities before an incident occurs;
• Focused on adversary’s business process rather than just the elements that (could) impact an organization’s attack surface.

Cons of the actor-centric approach:

• Relevance to your organization might not be readily apparent;
• It is challenging to gain and maintain accesses where threat actors and groups operate;
• Requires analytical effort to fuse with your other sources of information;
• Requires regularly updated prioritization of threat actors to focus on;
• May be missing IOCs to look for within your organization.

Conclusion

The incident-centric approach is a required aspect of any mature threat intelligence program. On its own, it’s effectively the equivalent of the United States government monitoring Russia’s missile program solely by watching Russian soldiers firing missiles at and inside Ukraine, which they almost certainly are. In that example, you can be sure that the US government monitors Russian defense contractors, enablers and developers of Russian’s missile program at the direct person and organizational level.

With regards to the actor-centric approach, one could argue whether it is actionable or not. On its own and in isolation it probably isn’t, but when fused, stored and correlated with your own organization’s data/information and other sources of information it can be both predictive and actionable. Feeds of IOCs are frequently incorrectly referred to as actionable cyber threat intelligence within the security industry when this is simply raw data and another source of information.

If your organization simply takes external feeds of IOCs and automatically blocks them, you do not have an intelligence program. If you analyze (with a person) multiple sources of information in order to produce an output that is timely, relevant to your organization, and based on predetermined requirements, then you have an intelligence program.