|
It makes me cringe when I hear operators or security practitioners say, “I don’t care who the attacker is, I just want them to stop.” I would like to believe that we have matured past this idea as a security community, but I still find this line of thinking prevalent across many organizations—regardless of their cyber threat operation’s maturity level.
Attribution is important, and we as Cyber Threat Intelligence (CTI) professionals, need to do a better job explaining across all lines of business and security operations how the pursuit of attribution, manifesting itself in adversary analysis, can be employed to improve an organization’s resource allocation and security posture.
Performing adversary analysis can benefit organizations in the following ways:
It is true that definitive attribution is very difficult to achieve, but most threat action leaves behind tangible elements; after all, cyber-attacks ultimately stem from a person or persons. They have motivations, develop code, abide by operational procedures or styles, have egos, attend university, have jobs, receive tasking, maintain blogs, administer forums, leverage social media, conduct security research, register infrastructure, and use tools.
A few basic examples of questions I’ve found useful in the past in conducting this type of analysis are:
CTI professionals should work to create internally developed questions (read Six Approaches to Creating an Enterprise Cyber Intelligence Program) to drive research, collection and analysis across all of the aforementioned facets in order to provide a holistic view of the threat at the tactical, operational and strategic levels. The ultimate goal of adversary analysis should be to provide our stakeholders with intelligence that supports a security control, maps threat intent to organizational high-value programs/targets, changes an organization’s behavior, creates a course of action and supports the case for proper security resource allocation. These are just a few reasons to care.
To learn more about cyber intelligence, visit iDefense Security Intelligence Services.
Sponsored byDNIB.com
Sponsored byVerisign
Sponsored byIPv4.Global
Sponsored byWhoisXML API
Sponsored byCSC
Sponsored byVerisign
Sponsored byRadix