“All the world’s a stage/ And all the men and women merely players”; Shakespeare’s famous line makes us consider each person an ‘actor’ in their own right, with their own individual role to play. And when looking across the cyber threat landscape, this rings especially true – each actor has their own motivations and distinct part to play.
When the proverbial hits the fan, it’s typical for the victim – a business or government entity – to focus on the indicators of compromise (IoC) rather than what led to the attack in the first place.
Looking at IoCs is an essential part of a cyber defence strategy and can help victims identify who is targeting them. But it’s a reactive approach, which doesn’t help once your organisation has been breached.
>See also: How common is insider misuse?
This rear-facing view is also reflected in the cyber sensationalist news narrative. The media tend to focus on the number of attacks – a vanity metric – but rarely on its complexity, length, or who was behind it, and what their motivations were for attacking the organisation in the first place.
IoCs tend to change very quickly, the actor behind does not, nor their objectives and tactics, techniques and procedures (TTPs). For example, US-CERT’s release of the Grizzly Steppe malicious Russian activity was complex in that many of the IoCs that were provided were false positives or TOR exit nodes, making it difficult for companies to make sense of them and ingest.
As such, it’s vital that organisations look to understand the actor – their motive, opportunity and means – and not merely read into the IoCs if they are to protect themselves from potential attack.
Threat intelligence highlights IoCs around an attack, such as that the actor was using cheap outsourced labour to perpetuate the attack, was using a particular hosting platform, or shared infrastructure.
IP addresses and domain names change very quickly, but the adversary’s motive does not. Knowing this is the first step towards changing an organisations’ security stance to mitigate the threat, identifying the indicators of attack (IoAs) rather than just the IoCs. Without intelligence, this would be impossible.
Whatever the intent, understanding the business model or motive of the actor can provide an organisation with enough insight to not only influence it, but stop it altogether and be ready for similar attacks in the future.
Intelligence plays a key in providing an effective defence here. By disrupting the business model, you disrupt the attacker, and their pyramid of pain is compromised.
Pinpointing the actor’s motivation
The type of malicious actor organisations must deal with will differ. Some may be state-sponsored, for example, carrying out cyber espionage on behalf of a nation. Others may be hacktivists, looking to incite political change, or cyber criminals looking to make a profit.
Understanding the bigger picture beyond the impact of the attack itself is critical if the good guys are going to triumph over the bad. Intelligence plays a key role in getting to the core of that bad apple.
STIX, the standardised language to represent structured information about cyber threats, helps to store and share information on actors and TTPs. It has become the de facto standard for information sharing in cyber threat intelligence as it facilitates automation and human assisted analysis.
Intelligence: part of a wider story
However, it’s worth remembering that intelligence is not a silver bullet. It’s a part of a wider puzzle that enterprises need to put together in order to give themselves the best chance of defence against cyber attack.
Security needs to be seen as an architecture, embedded in the foundation of an organisation. Hygiene factors such as ongoing patch management and end-user training also need to be considered.
>See also: Inside the mind of a state-sponsored hacker
The human element behind an attack is often forgotten. However, analysts can create a ‘big picture’ of the lifecycle and ecosystem of hackers by adding in the more specific details.
Chinese groups are well known for this, especially in the manufacturing or agricultural sectors, where analysts look at research such as social media interactions to find out about a company and its employees in order to paint a more accurate picture of the attack in question.
Enterprises and governments are under a constant barrage of cyber attacks. With the threat landscape evolving and attacks becoming ever-more sophisticated, having time to stop and think about the actor behind the malicious intent may seem like a luxury.
However, businesses need to start looking at cyberattacks from the adversary’s perspective to understand what is most attractive to an attacker. Without this understanding, the problem will persist and the next newspaper headline will feature their name.
Sourced by Joep Gommers, CEO, EclecticIQ