Counterintelligence for Cyber Defence

Intelligence analysis enables better defences against threat actors

Counter intelligence analysis provides a framework both for understanding threat actors and also for conceptualising cyber defence. The fundamentals of counterintelligence threat analysis are familiar from law enforcement themed media (cop shows):

Means, motive, and opportunity

In intelligence parlance the terms used are:

  • Capability
  • Intent
  • Opportunity

These are the foundational characteristics of a threat actor that a counterintelligence analyst considers when developing a defence. They’re valid for cyber security threats of course, but where things get interesting is using the framework to model defence techniques. That is, how does a given defence technique impact the threat actor’s fundamentals? For example, hardening systems (such as ASLR) are essentially a “capability” defence, and those rapidly devolve into an arms race. An “air gap” is an “opportunity” based defence, which can be extremely robust due to the offence costs imposed on the threat actor.

Cybersecurity – same thing

These fundamental aspects of threat actors provide paradigms through which cyber defence techniques can be assessed.

  • What element of a threat actor does this defence address?
  • How will they respond?
  • Does it provide a good ratio of defender investment to reduced threat actor capacity?

Conducting this type of intelligence analysis can reveal attacker weaknesses that defenders can, and should, exploit.

There are three potential vectors on which to battle an adversary in cyberspace:

  • Opportunity reduce attack surface, segment and air gap networks
  • Capability build secure systems, engage in an arms race
  • Intent reduce the value of compromising the target for an attacker

Countering the reason for the attack — the motivation driving the threat actor — is a powerful defence with a better chance of success than engaging in an expensive arms races against attackers’ capabilities.

The intent of the threat actor is the primary factor which generates intrinsic vulnerabilities. Attackers are all attempting to achieve mission success (exfiltrating data, monetizing access, defacing a website etc.) without getting caught, and as quickly and quietly as possible. Mission success occurs as soon as the the threat actor achieves their intent. Defeat their intent and they are denied the ability to achieve mission success.

Threat Actors are Motivated and Constrained

Considering cybersecurity it is worth remembering a couple important points: a) adversaries have resource constraints, and b) they have motives.

Cyberattacks, more accurately — Cyber Operations

Cyber operations are conducted by threat actors. They are limited by their resources (e.g. nation state vs individual). They conduct operations which are enabled, and restricted, by their technical sophistication. The operation may be part of a wider campaign, or an isolated incident. Operations can have purpose or be aimless and opportunistic. Consequently, victims can be targeted or unlucky (opportunistic).

Operations all have an operational cycle (made up of a series of phases). Since cyberattacks are operations, they obviously have a sequence of stages the threat actor operators progress through. Here’s one division of operational stages for a cyberattack:

  1. Planning
  2. Preparation
  3. Execution (pun very much intended)
  4. Evasion
  5. Exploitation

The threat actor selects a target and prepares their attack. This may be inverted (“I have a capability for SoftwareProduct v1.0 — v1.24, who’s vulnerable?”). The planning and preparation are entirely dependent on the type of threat actor. If the execution of their attack was successful they will typically attempt to cleanup traces and hide their activities. And they will attempt to exploit their success in some way, possibly exfiltrating data or monetising their access. This final stage, the post-exploitation exploitation, is where the attacker’s intent is most relevant.

Post Exploitation Exploitation reveals intent

It can be most beneficial to understand cyber operators in terms of the final stage of the operational cycle — exploitation. How the threat actor (or their superiors) expect to benefit from the operation reveals their intent…the goal of the operation is to effect that exploitation, which means the best defence strategies will mitigate against that exploitability.

  • Hacktivists want to draw attention to their agenda
  • Criminals seek a reliable (and hopefully swift) means of making money
  • Penetration testers seek a reliable repeatable means of making money
  • Spooks want data

Properly implementing cybersecurity defences requires threat models that factor in opportunity, understand capabilities, but which minimise, neutralise, or counter attack the threat actor’s intent. Battling threat actors capabilities is an arms race. Defences based on reducing opportunity (“air gapped systems”) require discipline to maintain and have limited utility. But remove the point of even compromising the system at all, that is winning before the battle begins.

Denial and Deception

Once threats have been modelled based on there capability, intent, and opportunity the counterintelligence approach to developing a defence plan is to apply strategies of denial and deception. This also maps over really well into the cyber domain.


The majority of cybersecurity products on the market are focused on attacker capabilities (“stops 0days and malware!”). This is an arms race and it is one where the attacker has a distinct advantage because they have a reliable feedback loop — they know when something works: #!

This is a market for lemons and silver bullets. Vendors have an idea of the capability of their systems, but their customers don’t. Defenders are trapped in a battle between vendors where they’re unable to tell a good product from bad. Attackers know when an attack works, they have only to “get lucky” once, while defenders are stuck in a market for lemons. Worse, they are battling attackers on the “capability” vector, which reduces to an arms race where the offence has the advantage (a working, instantaneous, unmistakable, accurate feedback loop).

Fundamentally for defenders, the truly effective techniques, the ones that work, are the same ones that have always worked (and still are so seldom implemented): network segmentation, patching, asset management, credential management, minimising trust relationships, least privilege, vigilant monitoring of long tail rare events, etc. etc.

The important things are always simple; the simple things are always hard .
The easy way is always mined. — Murphy’s Laws of War

Capability centric cybersecurity defences rapidly become arms races, and those are expensive. Worse for defenders, attackers have natural advantages (such as more rapid and accurate feedback loops). While the fundamentals are certainly necessary to raise attacker costs, capability centric cybersecurity approaches are heavily tilted in the attacker’s favour.


There is some security gained by engaging in a contest to limit a threat actor’s opportunity to attack — such as air gapped networks — however, that is not as reliable a solution as many hope.

If you make it impossible for the enemy to get in then you can’t get out. — Murphy’s Laws of War

Not only are perfect air gapped networks generally of limited utility, but they are also extremely expensive and hard to maintain over long periods of time. It gets worse when the size of the network and number of users is large, because then the security is not insurmountable, rather just a higher cost to adversary resources — primarily time. Creating an air gapped networks is easy. Maintaining one, and preserving the integrity of the gap, that is difficult.

Regardless, for most businesses it simply isn’t a viable option. Without Internet connectivity they don’t have a competitive business. Granted, this is not true for all part of a company — for example industrial control systems should not be on the Internet — however it is true for the functioning of many day to day business needs.

Although I include reducing attack surface in this category (i.e. an attacker can’t compromise a system, or service, that doesn’t exist) that methodology is also hard to implement. Finding unnecessary systems and removing them is hard and thankless, and not especially a great career move – not many people get promoted for decommissioning systems. There isn’t a lot of management recognition for successfully not deploying a system. “Great job not growing your teams’ assets, roles, and responsibilities! Here’s more budget and a raise.”

The high cost of maintaining systems which effectively limit attacker opportunity mean that few businesses even bother to try. Vendors are not about jump into the space and make it easier for companies either, since much of what preserves an air gap is process, not technology. Threat actors have the opportunity to attack everything on the Internet, and they do.


The role of motivation and intent in driving threat actor actions is not a hot topic of analysis — not compared to the sexiness that is 😱day. As a defence it can be very simple to implement. For example, to reduce the attractiveness of a database for attack, simply don’t store PII data. This risk reduction approach can be extremely effective in dissuading an attacker from even investing resources in the attack as they're guaranteed to be wasted. Remove the ROI, and the attack is no longer worth the hassle.

Attackers that are motivated by financial gain, or information, can be disincentivized by not storing the data which attracts their interest. But pure denial based techniques aren’t the only approach for this cyber defence vector. There are even more interesting options, particularly around deception operations.

Threat actors that operate on a network are in constant danger of discovery, so by laying traps and tripwires it is possible to deceive them into committing mistakes. An example of this is the old joke of leaving a Bitcoin wallet.dat on servers and then watching for the movement of those BTC. More sophisticated examples are the use of products such as a canary which creates a honey pot to lure attacks into revealing themselves. The trick with this approach is the targeting of intent behind attacker actions.

The key insight then, is that we shouldn’t deploy boxes that look vulnerable on the network, we should deploy boxes that look valuable instead! — Haroon Meer

By understanding the intent of the threat actor, knowing their motivation, it becomes possible to manipulate their actions in ways that increase their vulnerability to defenders. And make no mistake, attackers are very vulnerable, its just that they’re mostly operating in environments where their vulnerabilities are never exploited.

A popular truism is “defenders have to find and mitigate every security problem, but attackers only need to find one.” This is only half true, because as soon as the attacker has breached the target, the tables turn. From then on, “attackers must never leave a trace of their activities, but defenders only need to find one.”

Before the breach, any security flaw could be the entry point. After the breach, any action could be the one that alerts defenders. The more accurate aphorism is one that’s applicable to both sides:

Anything you do can get you killed, including doing nothing. — Murphy’s Laws of War

Support more content like this.