Managed Intelligence: Four Factors for Building Adversarial Context

May 26, 2020 | Adversary Research, Blog

With limited time and resources for a SOC to prioritize threats for additional research, Mars CISO Andrew Stanley gives several important factors when considering adversarial context with regard to the “who, how, and why” of attribution.

Chasing After Ransomware is a Waste

For large retailers who are constant targets of e-criminals, chasing after ransomware actors is often a fool's errand unless it's a totally new strain. Take these steps instead:

  • Log instances of discovery
  • Take corrective actions to prevent it over time
  • Prioritize remediations with security engineers through hypotheses derived from penetration testing and incident response
  • Share with threat intelligence partners
  • Move on to tackle larger burning issues

When volume and TTPs change, or a possibility of insider threat is apparent, then a SOC should take greater interest in looking outside the firewall.

Determining Intent is Important

Attributing attacks is resource-intensive and expensive, and an investigation will not always produce an operational result that is worth the time and effort. When an attack occurs, identifying intent is critical when determining how many resources should be dedicated to next steps.

The “Why” is far more important than the “Who.”

Intentions of state actors, criminals, and social activists are important factors to consider through threat intelligence. For example, determining why a certain system was accessed or targeted for data exfiltration that could implicate a larger geo-political concern would potentially be worth further research and attribution.

Answers to the following questions give further context:

  • What is the breadth of the actor or the behavior?
  • Has this actor or malicious code been seen by peers?
  • Is this targeting certain select industries or competitors?
  • Has this been seen by threat intelligence partners?

Technical Evolution Adds Additional Context

The next pivot should be to determine what information is available about similar attacks. For example, in the manufacturing space, if an actor appeared to be targeting a certain type of voltage switch, it's worthwhile to learn about other incidents that have occurred against those same switches. If a new technical TTP is discovered, it can provide critical context when paired with the type of information that was targeted or stolen. Many manufacturing environments still run outdated software and operating systems. If an attack exploited the latest, fully patched version of Windows but then reverted to old techniques targeting previous OS configurations, there is likely a reason for this, potentially including the type of geopolitically inspired nation-state activity that could have broader business implications.

Business Implications are the Ultimate Priority

Ultimately, it's important to focus on what needs to be protected in the enterprise, not necessarily who is conducting the attack. After determining what needs to be protected, companies can focus on prioritizing the specific vulnerabilities that are likely to be exploited, because the threats themselves may never go away. Once the team understands what needs to be protected and which vulnerabilities matter for a defensive strategy based on the class of attacker targeting the business (state sponsor, criminals, social activists), it can define the metrics and hypotheses that show remediation being ranked and prioritized according to business criticality. With this baseline established, a security team can go further and research more technically nuanced threats, starting the cycle over and deepening the context with which its business can make security-relevant decisions.
