Cybersecurity professionals read about adversaries like Cozy Bear and Fancy Bear all the time, but many haven’t realized the importance of understanding the adversaries that are most likely to target your business.
Security teams are facing industry-wide skills and staffing shortages, a lack of automation to connect a complex mix of data and tools, a lack of threat visibility and the prevalence of a “silo mentality” within a security organization. As a result, security teams are looking for new methods outside the traditional toolkit to become more effective in fighting cybercrime. The most popular is understanding the adversaries that may target your industry or geography.
Adversary attribution enables security professionals to understand the “who, how and why” behind the cyberattacks targeting potentially their business.
There are five key use cases where an adversary-focused approach provides value.
1. Fill the forensics gaps to improve remediation
When an attack or critical event is detected, security operations center (SOC) analysts run forensics, gathering all artifacts during the attack (i.e. network traffic, sources, assets, files touched, commands run, etc.) so that incident response (IR) teams can eradicate all threat activity. Chances are low that forensics evidence will be complete because the amount of data — and volatility within the data — can be too overwhelming to analyze.
If indicators of compromise (IoCs) point to an actor (or multiple), SOC analysts and IR teams can use known actor behaviors as a guide to eradicating related threat activity. One of the best examples are the more complex and targeted attacks. If, for instance, a compromise of a low-priority asset points to a state-sponsored actor leveraging a software supply chain attack, SOC analysts and IR teams know where to look and can expand their mitigation efforts. Knowing all the actors’ tactics will help close out the incident and eradicate all related activities within an IT infrastructure, even assets or tools sourced from trusted parties.
2. Improve detection and hunting
Detection is an art and involves many moving parts. While standard security analytic tools like SIEM can execute simple “IF — THEN” rules (i.e., if traffic originates from location X create an alert) and even perform baselining or trending analysis, threat actors have learned how to bypass these standard detection rules by living off the land and hiding under legitimate activities. By knowing individual actor behaviors and attack techniques, security engineering teams can set up more targeted detection or better execute threat hunting practices.
3. Prioritize vulnerability remediation
Vulnerability lists are always too long, and standard risk scoring, like the Common Vulnerability Scoring System (CVSS), is usually too static. By shortlisting actors that apply to your environment and understanding which vulnerabilities are leveraged, risk teams can better prioritize where to focus and concentrate their efforts. Having the latest information on which actors use which exploits can save vulnerability remediation teams a lot of time and preemptively reduce threat risks.
4. Plan your security strategy
Attribution enables security teams to understand their true risk posture by defining who could come after them and how and preemptively adjust their security strategy. For instance, targeted attacks may be driven by cyber espionage, which indicates the threat will most likely be persistent and comprise multiple sophisticated attacks that can be expected to attempt to gain access to your sensitive company data.
Knowing this about the espionage-motivated adversary provides guidance on where to place defensive “shields-up” measures and how you can best prepare. This could include decisions on where to implement new controls, new training needs or prepare with more targeted red and blue team exercises.
5. Break down silos
Security organizations are often split into operational silos, with each silo focusing on specific detection or protective tools. This structure, with attention to “tools in use” and “small-team objectives,” is not always advantageous. Focusing instead at a higher level — knowing the adversaries that are trying to breach your defenses — changes the dynamic, which benefits the individual security professional as well as the entire security organization.
Once a known, sophisticated adversary has been spotted inside your organization’s infrastructure, alert levels can be raised, shields-up declared, and the available intel on the adversary can drive the threat hunting process to find and expel the adversary. Without this knowledge, SOC analysts waste time and resources, playing “whack a mole” in chasing every commodity attack or being blind to adversary activity that may be seen as normal activity without the context provided by threat intelligence.
While attribution provides the information that helps security teams prepare, there is additional intrinsic value in taking an adversary-focused approach to security. Attribution enables the entire security organization — proactive and reactive defenders alike — to orient their actions toward specific actors that target their business and begin to communicate across all teams with a common language, including the adversary’s name, attack steps and point of view. This approach helps security teams step away from tool- or process-heavy tactics and build strategies to increase the effectiveness of their security efforts.