By Mark Arena, CEO of Intel 471.
Following my previous blog post that compared the incident-centric and actor-centric approaches to cyber threat intelligence, this post will detail a number of ways we can potentially observe our adversary. I’ll preface this post by saying that prioritizing and identifying who the adversary is, their motivations, their intentions and goals will drive where you seek to observe them. This could be different depending on the vertical in which your organization sits.
The #1 place to observe your adversary is your own attack surface
The top and hopefully most well known place to observe your adversary is your attack surface. If you’re a financial institution or managed security service provider (MSSP), we could include things touching your customer’s attack surface as being another top place to observe your adversary. Analysis of logs sourced from your security devices is a great way to identify the type of cyber threat activity that is impacting you directly. Although Intel 471 is an intelligence vendor, we still believe that an organization’s #1 source of relevant threat data is their own attack surface. One of the first steps into developing a threat intelligence program should be the identification, consumption, and analysis of all relevant internal sources of information to include attack surface data.
Referencing the incident-centric approach detailed in our previous blog post, our goal is to build off our incident information to identify the TTPs (Tactics, Techniques and Procedures) and associated campaigns then ultimately the actor piece to include the who, motivations, goals and intent.
In most cases the attack surface provides technical information such as:
In addition to identifying potential incidents, analysis of technical data can lead to the identification of TTPs and campaigns:
Was it a targeted spear-phish sent to a specific target?
Was it the result of a user visiting a compromised website that was tied to a specific exploit pack thus not targeted in nature?
What exploit/exploit method was used?
When answering the question of who the actor is, the usefulness of attribution to a specific person often depends on the motivation of the threat actor. For example, knowing the personal identity of a threat actor involved with state sponsored cyber espionage is only truly useful to a very small number of organizations.
However, when it comes to cybercrime and hacktivism knowing the actual person behind the keyboard provides additional options for a victim organization, such as submitting a complaint to law enforcement. There is continuous debate in the information security community about the usefulness of attribution of threat actors and groups, but we believe that attribution to various levels (person, group, nation-state, etc.) provides valuable insights that support decision-making at all levels.
The most value of actor-centric information lies with identifying motivations, goals and intent. This enables analysts to produce predictive intelligence that can drive proactive decision making and action at numerous levels of an organization.
Collaboration with similar organizations and your competitors
Collaboration with similar organizations, even your competitors, is another great way to observe your adversary. We’ve previously written why organizations shouldn’t have tunnel vision by focussing on threats that only mention or impact your organization directly. It’s a given that the same threat actors impacting your competitors or other organizations in the same vertical or sector as you are or will eventually turn their focus to you. The panacea of a threat intelligence program is to be proactive, predictive and ahead of the adversary. Examining this activity will often allow you to proactively block or detect this activity through policy or security control changes among other things however, don’t forget to share back as it’s a two-street. If you don’t, you’ll quickly become the organization that nobody wants to share with. It’s in the business interests of all parties, competitor or not, to establish some type of sharing and collaboration. An Information Sharing and Analysis Center or (ISAC) may also be available for your specific sector which may share information on threat actors impacting or seeking to impact your sector.
The government
Traditionally governments have not been good at sharing and collaborating with the private sector, but with the massive impact of cyber threats impacting the private sector and the private sector effectively running the internet, they’ve been forced to both share and collaborate. They still might not be the fastest to share nor the best at doing it efficiently, but there are certainly elements within various government departments that are fighting the good fight to be able to share threat data with the private sector in a timely and efficient manner. This can be a very valuable resource for your threat intelligence program.
Technical collection
Technical collection can be described in general as legal infrastructure and toolset monitoring. Infrastructure monitoring can involve targeting threat actor’s re-use of things such as:
Toolset monitoring can involve things like:
Places where threat actors plan and collaborate
A final place to observe the adversary is where they communicate, plan, and collaborate. I personally dislike the term deep/dark web but rather like to segment these sources into two types:
Advantages of monitoring open and closed sources where threat actors communicate, plan and collaborate:
Disadvantages of monitoring open and closed sources where threat actors communicate, plan and collaborate:
The Lumma infostealer malware collects highly sensitive data including logins and session tokens. Here's how to conduct a threat hunt leveraging up-to-date tactics, techniques and procedures used by Lumma.
Pro-Russian hacktivism campaigns continued to be directed at countries and entities supporting Ukraine. Here's a briefing about new hacktivist groups and the risks the groups pose.
The leader of the Black Basta ransomware group employed a trusted, experienced cybercrime actor nicknamed Tinker who he relied on for phishing content, call center management and negotiation skills.
Stay informed with our weekly executive update, sending you the latest news and timely data on the threats, risks, and regulations affecting your organization.