Know Thine Enemy
Threat Intelligence: Whodunit, or Who Cares?
A fellow cyber threat intelligence (CTI) colleague and I were sitting at a conference room table waiting for a meeting and discussing who was responsible for the latest rash of ransomware. Was it coming from a few wacky North Koreans, or was it some nefarious plot from the Russian cybercrime network? As we were debating the subtle differences, one of our cyber defense analysts walked into the room and took a seat. After listening to us throw around threat intelligence clichés that I’m a little embarrassed to acknowledge, such as “I don’t know, it just smells like Russia,” he looked up at us with idle curiosity and asked, “Who cares?”
And it got me thinking. Is attribution helpful to network defense? After discussing it with other threat intelligence analysts, incident handlers, senior leaders, Red Team operators, pen-testing friends, cyber faculty members, my boyfriend, the dentist, and a local bartender, the best answer I got was: Well, it depends.
From the incident responder standpoint? Someone like me, working to protect the network? Not to devalue my own work, but damn, maybe he was right. Who cares? If your primary responsibility is to protect the network, find the adversary on it, or be an incident responder, does the attacker’s identity matter?
Increasingly, organizations like mine are adopting the MITRE ATT&CK approach, which recognizes the limitations of a strategy that relies on anti-virus products and domain-blocking to guard against cyber threats. The MITRE ATT&CK framework focuses on catching adversaries once they have infiltrated a network, rather than trying to stop attackers from getting there in the first place. (If you haven’t already, I highly recommend checking out the MITRE ATT&CK knowledge base.) So how can threat intelligence use attribution data in this new security paradigm? (I used the word paradigm. Someone fire me.)
From a CTI perspective, attribution is a crucial part of the adversary analysis process. In order to better anticipate adversary actions, CTI analysts need attribution data to understand the motivations behind malicious operations. For example, a skilled CTI analyst can tell the difference between state-sponsored activity and cybercrimes. The usefulness of the distinction is that it enables analysts like me to determine the value of the assets we’re protecting to the particular type of adversary. I would argue that in terms of defense, knowing who’s targeting your network — and why — gives you an advantage.
With attribution data, CTI analysts can better identify high-value targets and programs based on malicious intent and data collection requirements. Identifying the adversary and sharing threat intelligence allows network defenders to proactively block threat infrastructure, while solid threat intelligence can drive Red Team activity based on known tactics, techniques and procedures (TTPs).
The usefulness of threat intelligence and attribution data lies in how you choose to protect your network. Good network defense combines the two viewpoints: threat intelligence that uses attribution data to prepare for and understand your threat environment, and incident response analysts who know how to use that knowledge to defend the network against its adversaries. In other words, good network defense needs to know what the adversary looks like and how to prioritize protection for the most sought-after data.
As the cybersecurity landscape gets more complex, and threat agents develop more sophisticated modes of attack, cyber hunt operators, Red Team members, incident handlers and intelligence analysts will need to work more closely together than ever to get the big picture of the threat environment. On its own, threat intelligence may not be of much use, but it can be leveraged to…
- Provide adversarial knowledge to enable a Red Team to better mimic an APT
- Identify likely targets in order for defenders to bolster protections
- Supply Cyber Hunt teams with the information they need to perform successful missions
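As an added illustration of what "operationalizing" the three bullets above can look like in practice, here is a small Python script that is not part of the original post. It takes attribution-style intelligence (which actors target our sector, what motivates them, which ATT&CK techniques are attributed to them), combines it with our own asset valuation and detection coverage, and produces a ranked list of techniques to build detections for plus a least-covered-first TTP list for Red Team emulation. Every actor name, sector list, actor-to-technique mapping, asset value and coverage figure is constructed for the example; only the ATT&CK technique IDs themselves are real.

```python
"""Operationalizing attribution: turning "who is targeting us, and why" into
detection priorities and a Red Team emulation plan.

Added example, not code from the original post. Every actor name, sector list,
technique mapping, asset valuation and coverage figure below is constructed for
illustration. The ATT&CK technique IDs are real; which actor uses which
technique is made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Actor:
    name: str
    motivation: str            # "state-sponsored" or "cybercrime"
    targeted_sectors: frozenset
    techniques: frozenset      # ATT&CK technique IDs attributed to this actor


@dataclass(frozen=True)
class OrgProfile:
    sector: str
    assets: dict               # asset -> {motivation: value of the asset to that kind of adversary, 0..1}
    coverage: dict             # technique ID -> detection coverage, 0.0 (none) .. 1.0 (solid)


# Constructed intel feed (placeholder actors, not real attribution)
ACTORS = [
    Actor("ACTOR-A (placeholder)", "state-sponsored", frozenset({"defense", "energy"}),
          frozenset({"T1566", "T1078", "T1003", "T1021", "T1041"})),
    Actor("ACTOR-B (placeholder)", "cybercrime", frozenset({"healthcare", "energy", "retail"}),
          frozenset({"T1566", "T1059", "T1003", "T1486"})),
    Actor("ACTOR-C (placeholder)", "cybercrime", frozenset({"retail"}),
          frozenset({"T1190", "T1567"})),
]

# Constructed self-assessment for a fictional energy-sector organization
ORG = OrgProfile(
    sector="energy",
    assets={
        "grid control designs": {"state-sponsored": 1.0, "cybercrime": 0.2},
        "customer billing records": {"state-sponsored": 0.3, "cybercrime": 0.9},
    },
    coverage={"T1566": 0.8, "T1486": 0.5, "T1003": 0.0, "T1078": 0.2,
              "T1021": 0.0, "T1059": 0.9, "T1041": 0.0},
)


def relevant_actors(actors, org):
    """Attribution step: keep only actors whose known targeting includes our sector."""
    return [a for a in actors if org.sector in a.targeted_sectors]


def actor_weight(actor, org):
    """How much an adversary with this motivation would value our most attractive asset."""
    return max(values.get(actor.motivation, 0.0) for values in org.assets.values())


def technique_priorities(actors, org):
    """Rank techniques by expected use against us, discounted by existing coverage.

    score(t) = sum over relevant actors using t of weight(actor) * (1 - coverage(t))
    Returns (technique, score, [actor names]) sorted from most to least urgent.
    """
    scores, users = {}, {}
    for actor in relevant_actors(actors, org):
        w = actor_weight(actor, org)
        for t in actor.techniques:
            gap = 1.0 - org.coverage.get(t, 0.0)   # a technique we never assessed counts as uncovered
            scores[t] = scores.get(t, 0.0) + w * gap
            users.setdefault(t, []).append(actor.name)
    return sorted(((t, s, users[t]) for t, s in scores.items()),
                  key=lambda row: (-row[1], row[0]))


def emulation_plan(actors, org):
    """Pick the highest-weighted relevant actor and list its TTPs for the Red Team,
    least-covered first, so the exercise tests what detection is most likely to miss."""
    candidates = relevant_actors(actors, org)
    if not candidates:
        return None, []
    top = max(candidates, key=lambda a: (actor_weight(a, org), a.name))
    plan = sorted(top.techniques, key=lambda t: (org.coverage.get(t, 0.0), t))
    return top.name, plan


if __name__ == "__main__":
    print(f"Actors known to target the {ORG.sector} sector:")
    for a in relevant_actors(ACTORS, ORG):
        print(f"  {a.name} [{a.motivation}] weight={actor_weight(a, ORG):.1f}")
    print("\nDetection priorities (technique, score, actors):")
    for t, s, who in technique_priorities(ACTORS, ORG):
        print(f"  {t}  {s:.2f}  {', '.join(who)}")
    name, plan = emulation_plan(ACTORS, ORG)
    print(f"\nRed Team emulation target: {name}; techniques least-covered first: {plan}")
```

The point of the weighting is the one the post makes: attribution tells you which actors are actually interested in your sector and what they are after, and that is what lets you rank a shared technique such as credential dumping (used here by both relevant actors, with no coverage) above a technique that only an irrelevant actor uses. Swap in your own sector, asset valuations and coverage figures to get a ranking for your environment.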
In terms of threat assessment and response, Whodunit? isn’t just a matter of curiosity. Operationalizing CTI and putting attribution data to use can be key to developing more effective cyber security operations.