It makes me cringe when I hear operators or security practitioners say, “I don’t care who the attacker is, I just want them to stop.” I would like to believe that we have matured past this idea as a security community, but I still find this line of thinking prevalent across many organizations—regardless of their cyber threat operation’s maturity level.
Attribution is important, and we, as Cyber Threat Intelligence (CTI) professionals, need to do a better job explaining across all lines of business and security operations how the pursuit of attribution, manifesting itself in adversary analysis, can be employed to improve an organization’s resource allocation and security posture.
Performing adversary analysis can benefit organizations in the following ways:
It is true that definitive attribution is very difficult to achieve, but most threat action leaves behind tangible elements; after all, cyber-attacks ultimately stem from a person or persons. They have motivations, develop code, abide by operational procedures or styles, have egos, attend university, have jobs, receive tasking, maintain blogs, administer forums, leverage social media, conduct security research, register infrastructure, and use tools.
A few basic examples of questions I’ve found useful in the past in conducting this type of analysis are:
CTI professionals should work to create internally developed questions (read Six Approaches to Creating an Enterprise Cyber Intelligence Program) to drive research, collection and analysis across all of the aforementioned facets in order to provide a holistic view of the threat at the tactical, operational and strategic levels. The ultimate goal of adversary analysis should be to provide our stakeholders with intelligence that supports a security control, maps threat intent to organizational high-value programs/targets, changes an organization’s behavior, creates a course of action and supports the case for proper security resource allocation. These are just a few reasons to care.
To learn more about cyber intelligence, visit iDefense Security Intelligence Services.