With limited time and resources for a SOC to prioritize threats for additional research, Mars CISO Andrew Stanley gives several important factors when considering adversarial context with regard to the “who, how, and why” of attribution.
Chasing After Ransomware is a Waste
For large retailers who are constant targets of e-criminals, chasing after ransomware actors is often a fool's errand unless it's a totally new strain. Take these steps instead:
- Log instances of discovery
- Take corrective actions to prevent recurrence over time
- Prioritize remediations with security engineers, using hypotheses derived from penetration testing and incident response
- Share with threat intelligence partners
- Move on to tackle larger burning issues
When volume and TTPs change, or a possibility of insider threat is apparent, then a SOC should take greater interest in looking outside the firewall.
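The triage loop described above, written out as an added Python example (this is not code from the article or from Mars): every sighting of a known strain is logged and routed to remediation, and the SOC escalates only on the three signals the text names, a never-before-seen strain, a new TTP for a known strain, or a jump in volume. The family names, hosts and dates are constructed sample data; the volume thresholds (`window_days`, `spike_factor`, `min_count`) are illustrative parameters, not values from the article.

```python
"""Log-and-move-on triage for ransomware sightings, escalating only on change."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample detections: (day, ransomware family, ATT&CK technique, host).
# T1486 = Data Encrypted for Impact, T1078 = Valid Accounts.
SIGHTINGS = [
    ("2024-03-01", "LockerA", "T1486", "ws-011"),
    ("2024-03-08", "LockerA", "T1486", "ws-014"),
    ("2024-03-15", "LockerA", "T1486", "ws-020"),
    ("2024-03-15", "LockerA", "T1486", "ws-021"),
    ("2024-03-15", "LockerA", "T1486", "ws-022"),
    ("2024-03-15", "LockerA", "T1486", "ws-023"),
    ("2024-03-15", "LockerA", "T1486", "ws-024"),
    ("2024-03-16", "LockerA", "T1078", "srv-02"),   # known family, technique not seen before
    ("2024-03-17", "CryptoB", "T1486", "ws-040"),   # family never seen before
]

# Baseline of strains the SOC already handles routinely: family -> techniques observed.
BASELINE = {"LockerA": {"T1486"}}


def triage(sightings, baseline, window_days=7, spike_factor=3.0, min_count=5):
    """Log every sighting; return (log_lines, escalations).

    Escalation reasons, raised at most once per (family, reason):
      * "new strain"      - family absent from the baseline
      * "new TTP <id>"    - technique not previously seen for that family
      * "volume spike"    - sightings in the trailing window are at least
                            spike_factor x the window before it, and >= min_count
    """
    known = {fam: set(ttps) for fam, ttps in baseline.items()}
    history = defaultdict(list)            # family -> dates of every sighting
    log_lines, escalations, raised = [], [], set()

    def escalate(day, family, reason, key):
        if (family, key) not in raised:
            raised.add((family, key))
            escalations.append((day.isoformat(), family, reason))

    for day_str, family, ttp, host in sightings:
        day = date.fromisoformat(day_str)
        history[family].append(day)
        log_lines.append(f"{day_str} {family} {ttp} {host} logged; routed to remediation")

        if family not in known:
            known[family] = {ttp}
            escalate(day, family, "new strain", "strain")
            continue                       # no history yet to compare volume or TTPs against

        if ttp not in known[family]:
            known[family].add(ttp)
            escalate(day, family, f"new TTP {ttp}", f"ttp:{ttp}")

        window = timedelta(days=window_days)
        current = sum(1 for d in history[family] if day - window < d <= day)
        prior = sum(1 for d in history[family] if day - 2 * window < d <= day - window)
        if current >= min_count and current >= spike_factor * max(prior, 1):
            escalate(day, family,
                     f"volume spike: {current} in last {window_days} days vs {prior} before",
                     "volume")

    return log_lines, escalations


if __name__ == "__main__":
    log, esc = triage(SIGHTINGS, BASELINE)
    print("\n".join(log))
    for day, family, reason in esc:
        print(f"ESCALATE {day} {family}: {reason}")
```

Running the script on the constructed data produces nine log lines and three escalations: the volume spike on 2024-03-15, the new TTP on 2024-03-16, and the new strain on 2024-03-17. Everything else is logged and handed to remediation without further research, which is the point of the section.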
Determining Intent is Important
Attributing attacks is resource-intensive and expensive, and the operational result of an investigation is not always worth the time and effort. When an attack occurs, identifying intent is critical to deciding how many resources should be dedicated to next steps.
The “Why” is far more important than the “Who.”
Intentions of state actors, criminals, and social activists are important factors to consider through threat intelligence. For example, determining why a certain system was accessed or targeted for data exfiltration that could implicate a larger geo-political concern would potentially be worth further research and attribution.
Answers to the following questions give further context:
- What is the breadth of the actor or the behavior?
- Has this actor or malicious code been seen by peers?
- Is this targeting certain select industries or competitors?
- Has this been seen by threat intelligence partners?
Technical Evolution Adds Additional Context
The next pivot should be to determine what information is available about similar attacks. For example, in the manufacturing space, if an actor appeared to be targeting a certain type of voltage switch, it's worthwhile to learn about other incidents that have occurred against those same switches. If a new technical TTP is discovered, this can provide critical context when paired with the type of information that was targeted or stolen. Many manufacturing environments still run outdated software and operating systems. If an attack exploited a fully patched, current version of Windows but then reverted to older techniques targeting previous OS configurations, there is likely a reason for this, potentially including the type of geopolitically inspired nation-state activity that could have broader business implications.
Business Implications are the Ultimate Priority
Ultimately, it's important to focus on what needs to be protected in the enterprise, not necessarily on who is conducting the attack. After determining what needs to be protected, companies can focus on prioritizing the specific vulnerabilities that are likely to be exploited, because the threats themselves may never go away. Once the security team understands what needs to be protected and which vulnerabilities matter under a defensive strategy based on the class of attacker targeting the business (state sponsor, criminals, social activists), it can categorize the metrics and hypotheses that show remediation being ranked and prioritized according to business criticality. With this baseline established, a security team can go further and research more technically nuanced threats, starting the cycle over and deepening the context with which its business can make security-relevant decisions.