Any adversary conducts reconnaissance on a potential target with one question in mind: are the time and resources spent on research, development, and exploitation going to be worth the gain? Below are four insights on threat intelligence as seen through the eyes of adversaries.
Attacker Supply Chain Disruption
According to Tyler Robinson of Nisos, “If I am going to build resilient infrastructure, put research and development into initial access, code, customized malware, and exploits, then properly use additional infrastructure to exfiltrate and store that data for those operations, I risk losing all that investment if an organization is going beyond the fundamentals and has a strong team doing investigations and peeling back that information.”
This level of defense-in-depth and preventative measures places a tremendous drain on attackers’ time, money, and resources. Even the best cyber criminals make mistakes while maintaining their infrastructure and deploying tools, and those mistakes give defenders valuable context to disrupt an attacker’s supply chain, increase the cost of an attack, and push the attacker to move on to a new target.
“Proper internal defense-in-depth controls can detect or prevent quick offensive actions, reduce their time to detection and remediation, and investigate all the other indicators of compromise (IoCs) such as command and control infrastructure; that’s costing adversaries money as well. Categorized domains, C2 frameworks, custom code, infrastructure and set-up time all cost money and time, and to constantly set up and burn down is resource-intensive to do it right,” says Robinson.
Threat Intelligence as an Attacker’s Advantage
Given the wealth of information that cyber security companies publish on the various threat actor groups, it is not difficult for attackers to research a group and use publicly available tooling to mimic that actor and misattribute an attack, while building and deploying their own customized tooling that won’t get caught by antivirus or endpoint detection and response (EDR) programs.
According to Robinson, “Adversaries purchase tools and information feeds to have visibility into what security controls companies and governments use, and to signature a kit that is used by another criminal group for misattribution while their kit cannot be signatured by the defenses. While frameworks such as MITRE ATT&CK are useful as overall knowledge bases for developing coverage maps to identify visibility gaps, they aren’t going to matter if the engineering or IT department did not patch a critical external service and reused weak passwords inside the environment. An adversary will blend into the noise too easily.”
Time Deficits in Threat Intelligence
Threat intelligence is a snapshot in time and, depending on the access of the feed or platform, may be relevant to an organization only a fraction of the time. Usually, by the time an attack technique, malware, malicious code, or vulnerability is disseminated and recognized by other organizations, a threat analyst is already days or weeks behind the point where action was possible. That means the organization is either already compromised and has to investigate, or must go through an arduous change management process to get something remediated.
According to Robinson, “Multiply this at scale with numerous attacks coming at an organization on a day-to-day basis. This becomes challenging to effectively defend. It’s important to have a baseline security stack that covers fundamentals including effective policies around fluid ticketing, assignment, change management, and remediation so threat intelligence around appropriate behaviors can be used in an actionable and timely manner.”
The Future State of Threat Intelligence
With COVID-19 and work-from-home policies now in place, Robinson predicts more persistent attacks on consumer devices such as IoT devices and home routers. A foothold on these devices can be pivoted to corporate endpoints, which makes a security team’s ability to integrate threat intelligence quickly into its battle rhythm very important, especially as personnel start returning to offices. Coupled with mergers and acquisitions, it is going to be even more critical for companies to leverage threat intelligence and compromise assessments to ensure that intellectual property is safe and has not already been compromised.