Understanding Cyber Adversaries is a Critical Necessity
In the ever-evolving landscape of cyber security, understanding adversaries is more crucial than ever. Threat actors, driven by motivations such as espionage, disruption, financial gain, and activism, pose significant risks to organizations worldwide. By comprehending what drives these attackers, organizations can anticipate likely targets and attack scenarios, and defend against them more effectively.
Furthermore, awareness of the technical acumen, skills, and resources of these adversaries enables organizations to gauge the level of threat they pose, and thus to implement appropriate controls that mitigate risk effectively. Leveraging existing frameworks like the Lockheed Martin Cyber Kill Chain and MITRE ATT&CK, together with a plain understanding of attacker tradecraft, makes deploying new and updated security controls far more pragmatic.
Motivations Behind Threat Actors
The first area to cover when learning about adversaries is their motivations. A thorough understanding of why an adversary attacks makes it far easier to proactively implement mitigating controls, and to gain visibility into the areas of the network that are traditional blind spots.
We largely break down threat actor types into three major categories:
Nation State. These are groups operating either directly for a government, or on behalf of one as a contractor or through some other official relationship. The actual personnel may be uniformed military officers and enlisted personnel, government civil servants, or contractors. Nation state adversaries primarily engage in espionage, generally stealing political documentation, but they are also well known for pilfering intellectual property.
eCrime. The threat actors that make the news on what feels like an almost daily basis are those conducting ransomware and/or extortion campaigns. eCrime adversaries are the cyber equivalent of organized crime, primarily interested in financial gain through their illicit activities. Interestingly, many of the eCrime groups operating today are highly complex, operating almost as if they were legitimate businesses. There is a myriad of criminal offerings available to eCrime threat actors, an area we call the eCrime Ecosystem, which we will dive deep into at some point. Tools like banking trojans, commodity information stealers, and various other pre- and post-exploitation tools are developed and sold by criminals to other criminals in this dark economy.
Hacktivism. Just like their real-world activist counterparts, hacktivists' entire goal is to spread an ideological or political message. Hacktivism generally manifests as either web page defacements or distributed denial of service (DDoS) attacks. The Russia-Ukraine war and the Israel-Hamas conflict have seen a major uptick in hacktivist activity focused on disruption and the spreading of propaganda. Hacktivists are generally loose-knit groups of people sharing the same ideology, and are rarely overly sophisticated in their capabilities.
Now that we have covered the basic three threat actor types, we can move on to dive a bit deeper into adversary motivations. Understanding the motivations is fundamental to predicting behavior and potential targets.
Espionage. Nation state adversaries engage in cyber espionage to gain strategic advantages, whether political or industrial. These actors target government agencies, defense contractors, critical infrastructure, and organizations with high-value intellectual property in order to steal sensitive information, disrupt operations, or gain geopolitical leverage. Their attacks are generally more sophisticated than those of any other threat actor type, persistent, and meticulously planned, making them among the most formidable adversaries. In some cases, nation state adversaries have lived undetected inside government or enterprise networks for years, regularly stealing data without anyone being the wiser.
Disruption. Certain adversaries, including hacktivists and some nation states, aim to disrupt services or cause chaos. Their targets often include public services, financial institutions, and critical infrastructure such as the electrical grid. Disruption attacks range from distributed denial-of-service (DDoS) attacks to more sophisticated operations like cutting off power to entire cities. The well-known attacks against the Ukrainian power grid two years in a row, perpetrated by Russian nation state adversaries, are a prime example of the effect disruption can have on critical infrastructure. Similarly, targeted disruption like Stuxnet can inflict major lasting setbacks on its victims, potentially erasing years of progress.
Financial Gain. Cyber criminals driven by financial incentives are ubiquitous. These actors employ tactics such as phishing, ransomware, and online fraud to extort money from individuals and organizations, with far more focus on the latter in what is generally referred to as Big Game Hunting. Their targets vary widely, including financial institutions, healthcare, telecommunications, retail companies, and even small businesses; they exploit any vulnerability that promises a monetary reward.
Activism. Hacktivists, motivated by ideological beliefs, seek to promote their cause by compromising organizations they view as adversaries to their mission. Their attacks are often publicized to garner attention and support for the cause. These actors target organizations whose actions or policies they oppose, employing defacement, data leaks, and DDoS attacks as their primary methods.
There is a lot to consider in the beginning stages of understanding threat actors. Recognizing these basic ideas is key to understanding the technical capabilities and resources each threat actor group may be able to leverage.
Technical Acumen, Skills, and Resources
Assessing the technical capabilities and resources of threat actors is crucial in determining the level of threat they pose. This understanding informs the development of stout cyber defense strategies tailored to counter the specific adversary profiles identified as most likely to target the organization.
Technical Acumen. The technical expertise of threat actors varies significantly. Nation state adversaries typically possess advanced technical skills, utilizing zero-day vulnerabilities, custom malware, and sophisticated tactics. While the more sophisticated eCrime adversaries operating today have access to many of the same capabilities, they rarely have the same advanced skills witnessed from nation states. In contrast, lower-level cyber criminals often rely on readily available tools and known vulnerabilities. Organizations must recognize this spectrum of technical capability in order to deploy defenses proportionate to the threat.
Skills. The skillsets of attackers range from novice to highly skilled professional. Novice attackers, generally referred to as script kiddies, often use automated tools and scripts, making their attacks substantively less sophisticated but potentially numerous. At the other end, skilled professionals develop custom exploits, engage in complex social engineering, and are capable of evading even the best cyber defense detection technologies in use today. Understanding these differences helps in crafting layered security approaches that address both ends of this skill spectrum.
Resources. The resources available to threat actors, including financial backing, infrastructure, and personnel, significantly influence their capabilities. Nation state actors and well-funded eCrime groups can afford to purchase zero-day exploits, employ teams of skilled hackers, and sustain prolonged campaigns lasting weeks, months, or even years. Conversely, hacktivist groups and individual hackers operate with limited resources, relying on freely available tools and volunteer support. By evaluating the resources at an adversary's disposal, organizations can better anticipate the scale and persistence of potential attacks.
Predicting Potential Targets and Attack Scenarios
One of the important aspects of cyber threat intelligence is leveraging adversary behavior to accurately predict potential targets and to better understand real-world attack scenarios. Predicting which targets and scenarios a threat actor will pursue hinges entirely on a deep understanding of their motivations and capabilities.
Target Selection. Motivations drive target selection. For instance, nation state adversaries intent on intellectual property theft will prioritize targets holding valuable data that helps advance their regime's interests. Financially motivated criminals target entities that are low-hanging fruit from an exploitation perspective, have access to vast sums of money to facilitate large ransom demands, or have a mission-critical availability requirement, such as healthcare. By mapping these motivations to their own assets, organizations can identify and prioritize the protection of high-risk targets.
Attack Scenarios. Understanding the typical tradecraft, meaning the tactics, techniques, and procedures (TTPs), of adversaries allows for the anticipation of a limited number of highly likely attack scenarios. For example, ransomware groups commonly use harvested credentials purchased from the criminal underground, or phishing, as an initial access vector, followed by lateral movement using living-off-the-land techniques within the network to maximize impact. Knowing these patterns enables organizations to implement specific defenses such as employee awareness education, email and web filtering, dark web monitoring, identity threat protection, and much more to decrease the effectiveness of these attacks.
Employing the Right Controls
A nuanced understanding of adversaries through cyber threat intelligence and adversary profiling is instrumental in identifying security control gaps and determining necessary technological investments to prevent breaches. By leveraging these insights, organizations can refine their security strategies to be more proactive and resilient against the aforementioned sophisticated cyber threats.
The first key to this equation is identifying the security control gaps adversaries love to live in.
Cyber threat intelligence provides detailed information on the TTPs employed by various adversaries. By mapping these TTPs against existing security controls, organizations can conduct a thorough gap analysis. There are many ways to conduct a gap analysis, and the method chosen is really a byproduct of how the organization operates today.
One way, and my favorite in particular, is to identify all the threat actors likely to target the organization, build an aggregated heat map of the MITRE ATT&CK techniques those adversaries use in the course of their attacks, and focus on the "reddest of the red" in the output: the techniques shared by the most adversaries.
This process highlights areas where current defenses are likely insufficient, such as a missing or misconfigured endpoint security control, inadequate email filtering to counter phishing attacks, or insufficient visibility across the network.
Another approach is to leverage the same list of adversaries to identify the vulnerabilities they exploit when conducting offensive cyber operations. By using this list in conjunction with strong communication with the Vulnerability Management Team, organizations can readily prioritize which vulnerabilities need to be patched first. Not all CVEs carry the same criticality, and a higher CVSS score does not automatically make a vulnerability more important than a lower-scored one that likely adversaries are actively exploiting.
Employing cyber threat intelligence to inform senior leadership and the Vulnerability Management Team about which vulnerabilities need patching first is a vital step in decreasing risk.
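As an added example (not code from the original post or from Praeryx), the following Python sketch does both of the steps just described: it aggregates the ATT&CK techniques of the actors judged likely to target the organization into a heat map and pulls out the "reddest of the red", then ranks open CVEs by how many of those actors exploit them rather than by CVSS alone. The four actors, their technique and CVE mappings, the CVE identifiers (which deliberately use an invalid 0000 year) and the vulnerability inventory are all constructed for the example; only the technique IDs are real MITRE ATT&CK identifiers.

```python
from collections import Counter

# Constructed sample data for this example. Technique IDs are real MITRE
# ATT&CK identifiers; the four adversaries are hypothetical placeholders,
# and which actor uses which technique or CVE, as well as the CVE IDs
# themselves (invalid 0000 year on purpose), is made up to show the method.
ADVERSARY_PROFILES = {
    "ACTOR-1 (eCrime, ransomware operator)": {
        "techniques": {"T1566", "T1078", "T1059", "T1021", "T1003", "T1486"},
        "cves": {"CVE-0000-1001", "CVE-0000-1003"},
    },
    "ACTOR-2 (eCrime, initial access broker)": {
        "techniques": {"T1566", "T1078", "T1190", "T1059", "T1003"},
        "cves": {"CVE-0000-1001", "CVE-0000-1002"},
    },
    "ACTOR-3 (nation state, espionage)": {
        "techniques": {"T1190", "T1078", "T1059", "T1021", "T1003", "T1041"},
        "cves": {"CVE-0000-1001"},
    },
    "ACTOR-4 (hacktivist)": {
        "techniques": {"T1498", "T1491", "T1190"},
        "cves": set(),
    },
}

TECHNIQUE_NAMES = {
    "T1003": "OS Credential Dumping",
    "T1021": "Remote Services",
    "T1041": "Exfiltration Over C2 Channel",
    "T1059": "Command and Scripting Interpreter",
    "T1078": "Valid Accounts",
    "T1190": "Exploit Public-Facing Application",
    "T1486": "Data Encrypted for Impact",
    "T1491": "Defacement",
    "T1498": "Network Denial of Service",
    "T1566": "Phishing",
}

# Constructed open-vulnerability inventory, as a Vulnerability Management
# team might export it: CVSS base score plus whether the host is internet-facing.
OPEN_VULNERABILITIES = {
    "CVE-0000-1001": {"cvss": 7.2, "internet_exposed": True},
    "CVE-0000-1002": {"cvss": 8.1, "internet_exposed": True},
    "CVE-0000-1003": {"cvss": 6.5, "internet_exposed": False},
    "CVE-0000-1004": {"cvss": 9.8, "internet_exposed": False},  # critical score, no known adversary use
}


def technique_heat_map(profiles):
    """Count how many of the likely adversaries use each ATT&CK technique.

    Returns (technique_id, adversary_count) pairs, hottest first; ties are
    broken by technique ID so the output is stable.
    """
    counts = Counter()
    for profile in profiles.values():
        counts.update(profile["techniques"])
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


def reddest_of_the_red(profiles):
    """Return every technique tied for the highest adversary count.

    Returning the whole top tier rather than a fixed top-N avoids arbitrarily
    dropping techniques used by just as many adversaries as the first one.
    """
    heat = technique_heat_map(profiles)
    if not heat:
        return []
    hottest = heat[0][1]
    return [tech for tech, count in heat if count == hottest]


def prioritize_vulnerabilities(profiles, vulns):
    """Rank open CVEs for patching by adversary use before CVSS.

    Sort key, most important first: number of likely adversaries known to
    exploit the CVE, then internet exposure, then CVSS as a tie-breaker.
    A CVSS 9.8 no likely adversary uses lands below a 7.2 that three do.
    """
    adversaries_per_cve = Counter()
    for profile in profiles.values():
        adversaries_per_cve.update(profile["cves"])

    def sort_key(cve):
        info = vulns[cve]
        return (-adversaries_per_cve[cve], -int(info["internet_exposed"]), -info["cvss"], cve)

    return [
        (cve, adversaries_per_cve[cve], vulns[cve]["cvss"])
        for cve in sorted(vulns, key=sort_key)
    ]


if __name__ == "__main__":
    print("ATT&CK technique heat map (adversaries using each technique):")
    for tech, count in technique_heat_map(ADVERSARY_PROFILES):
        print(f"  {tech} {TECHNIQUE_NAMES[tech]:<36} {'#' * count} ({count})")
    print("Reddest of the red:", ", ".join(reddest_of_the_red(ADVERSARY_PROFILES)))
    print("Patch order (CVE, adversaries using it, CVSS):")
    for row in prioritize_vulnerabilities(ADVERSARY_PROFILES, OPEN_VULNERABILITIES):
        print("  ", row)
```

In practice the profiles would come from a threat intelligence platform export or ATT&CK Navigator layers, and the inventory from the vulnerability scanner. The ranking logic is the part that matters: adversary use first, exposure second, CVSS only as a tie-breaker, which is exactly why the CVSS 9.8 finding ends up last in this sample.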
Technological Investments
The same insights from cyber threat intelligence may indicate the need for additional advanced detection technologies. For example, intelligence over the last few years suggests a major rise in the use of sophisticated malware. If the organization is still relying on legacy security technologies, that intelligence signals a crucial need to consider investing in next-generation antivirus (NGAV) solutions and endpoint detection and response (EDR) tools.
Adversary profiling often reveals patterns of behavior that can only be detected through behavioral analytics. By investing in user and entity behavior analytics (UEBA) solutions, organizations can identify deviations from normal behavior that may indicate an insider threat or an ongoing attack. This proactive approach helps in early detection and mitigation of potential breaches.
Here are some additional technologies to consider:
Identity Protection. Adversary profiling frequently underscores the need for a zero-trust approach to security, where no entity, inside or outside the network, is inherently trusted. Investments in technologies that support zero trust, such as identity and access management (IAM) solutions, network micro-segmentation, and continuous authentication mechanisms, can significantly enhance security posture.
Cloud Security Solutions. With digital transformation and the increasing shift to cloud-based environments, adversaries have been focusing on developing advanced strategies for attacking cloud-based infrastructure. Organizations may need to invest in cloud-native security solutions, such as cloud security posture management (CSPM) and cloud workload protection platforms (CWPPs). These technologies help secure cloud assets and provide much-needed visibility into what is a huge blind spot in most networks.
Automation and Orchestration. Given the speed and sophistication of modern cyber attacks, manual response efforts are often inadequate. Cyber threat intelligence has repeatedly highlighted the necessity for automated response systems, such as Security Orchestration, Automation, and Response (SOAR) platforms. These systems streamline and automate incident response processes, reducing the time to contain and remediate threats.
Threat Intelligence Platforms. To aggregate and analyze threat data efficiently, investing in a threat intelligence platform (TIP) is essential. These platforms enable organizations to centralize threat intelligence feeds, correlate data from multiple sources, and gain actionable insights. This makes informed decision-making on security control enhancements and investment priorities much easier.
Enhancing Strategic Defense
Everything discussed thus far likely paints a highly bleak outlook. However, nothing could be further from the truth. It is relatively easy to substantively decrease the risk of a successful cyber attack by paying close attention to cyber threat intelligence. There are some additional points to consider outside of just intelligence, which if employed, will dramatically change the picture.
Threat Hunting Programs. Cyber threat intelligence and adversary profiling reveal sophisticated attack patterns where certain adversaries are highly capable of evading traditional defenses. Layering 24/7/365 human-based threat hunting on top of the technology is an imperative. Establishing a proactive threat hunting program allows organizations to actively search for patterns that current technology has difficulty identifying. This continuous vigilance helps in early detection and neutralization of threats.
Security Training and Awareness. Never underestimate the power of training, and cultivating a culture of cyber security hygiene. Human error remains a significant vulnerability, often referred to as the weakest link in the chain. Understanding adversaries' social engineering tactics emphasizes the need for robust security training and awareness programs. Investing in regular, comprehensive training sessions helps employees recognize and respond appropriately to phishing attempts and other social engineering attacks.
Incident Response Readiness. Knowing the potential severity and methods of attacks informs the development of robust incident response plans. Organizations should invest in regular incident response drills and simulations based on realistic attack scenarios derived from threat intelligence. This preparation ensures that the team is well-equipped to handle actual incidents efficiently. One vital item to remember here: the absolute worst time to practice your incident response capabilities is in the face of an attack. It cannot be said with enough emphasis: preparation is key, and regular drilling is vital to building that necessary muscle memory.
Collaboration and Information Sharing. Cyber threat intelligence often highlights the benefits of collaboration and information sharing among organizations. Participating in industry-specific threat intelligence sharing communities, and collaborating with industry partners like Praeryx, helps provide early warning of emerging threats and supports collective defense strategies.
By incorporating cyber threat intelligence and adversary profiling into security strategies, organizations can identify existing control gaps and make informed decisions about new technological investments. This approach not only enhances the ability to prevent breaches, but also ensures a stout, dynamic, and adaptive defense posture in the face of these evolving cyber threats.
Conclusion
Understanding adversaries is a critical component of any modern cyber security strategy. By recognizing the diverse motivations driving threat actors, assessing their technical capabilities, and predicting potential targets and attack scenarios, organizations can develop robust defense mechanisms tailored to the specific threats they face.
Employing the right controls, both preventive and responsive, ensures a comprehensive security posture capable of mitigating risks posed by a wide array of adversaries. In an era where cyber threats are increasingly sophisticated and pervasive, the necessity of understanding adversaries cannot be overstated. It is a fundamental practice empowering organizations to stay ahead of potential threats and effectively safeguard mission critical assets.