It’s 5am on a Saturday morning and you’re soundly sleeping after a hectic week as CISO of a large organization. Suddenly the phone rings and wakes you up. The voice on the line says one of the most dreaded phrases: “You need to get to the office right away. We’ve suffered a breach.” As you drive to the office, you run through scenarios of how this could have happened. In at least one of them, an Advanced Persistent Threat (APT) actor is responsible. You begin to think it must be a sophisticated APT, because your security controls are robust and you’ve taken every precaution. The board will want to know which APT is behind this. You get on the phone with your head of Threat Intelligence (TI) and instruct, “You need to find out who is behind this. Right now it’s the only thing that matters.”
When a cyber incident strikes, we often romanticize the cause of the situation, even while we hate that it’s happening. We can’t help but love the idea that it was some APT (insert number here) or Fancy/Angry (insert animal here), or another famous threat actor with nation-state capabilities. But something we hate even more than being targeted is the realization that our adversaries are not the ones we hear about in the news, but rather someone we could have identified by doing our own internal research.
In most cases, the actors that target and eventually breach us are not the well-researched APTs we read about in security vendor reports and blog posts. The amount of research that goes into those publications is truly incredible, and it is done by some of the most skilled cyber threat analysts. We rely on their work for a view of the general threat landscape, usually filtered by the industry, vertical, or geographic location we find ourselves in. But we need to apply the same analytical techniques to our own internal detections.
Our controls are constantly gathering signals for us, small pieces of the bigger puzzle we need to understand: historical WHOIS records, TLS certificate details, and similar infrastructure artefacts. These pieces of evidence are left behind by threat actors who are just as human and error-prone as we are. Every detection by our security controls tells a story, from the noisy background activity of the internet, such as perimeter scans and brute-force attempts, all the way down to malware on endpoints beaconing out of our networks. To an intelligence analyst, these are the needles in a stack of needles that we use to track our adversaries.
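One way to do the pivoting described above in code, as an added example that is not part of the original post: detections from several controls are linked wherever they share an infrastructure attribute (IP address, certificate fingerprint, WHOIS registrant address) and the resulting clusters are summarized as candidate actor profiles. Every record, fingerprint, address and the privacy-proxy exclusion list below is constructed for illustration.

```python
"""Pivot internal detections on shared infrastructure attributes.

Added example for this post (not the author's or Anomali's code). Every
record below is constructed for illustration: the domains, IP addresses,
certificate fingerprints and registrant addresses are invented.
"""
from collections import defaultdict

# Constructed certificate fingerprints (not real certificates).
CERT_A = "ab" * 32
CERT_B = "cd" * 32
CERT_C = "ef" * 32

# Constructed detections, one per alert from an internal control.
DETECTIONS = [
    {"id": "det-1", "source": "proxy", "domain": "update-cdn.example",
     "ip": "203.0.113.10", "cert_sha256": CERT_A, "whois_email": "reg1@mail.example"},
    {"id": "det-2", "source": "edr-beacon", "domain": "sync-service.example",
     "ip": "203.0.113.25", "cert_sha256": CERT_A, "whois_email": "privacy@proxy.example"},
    {"id": "det-3", "source": "ids", "domain": "login-portal.example",
     "ip": "198.51.100.7", "cert_sha256": CERT_B, "whois_email": "reg1@mail.example"},
    {"id": "det-4", "source": "perimeter-scan", "domain": None,
     "ip": "192.0.2.44", "cert_sha256": None, "whois_email": None},
    {"id": "det-5", "source": "proxy", "domain": "docs-share.example",
     "ip": "192.0.2.99", "cert_sha256": CERT_C, "whois_email": "privacy@proxy.example"},
]

# Attributes worth pivoting on: a shared value links two detections.
PIVOT_KEYS = ("ip", "cert_sha256", "whois_email")

# Values shared by unrelated infrastructure must never act as a pivot, or the
# whole data set collapses into one "actor". A WHOIS privacy-proxy address is
# the classic case; a shared-hosting IP or CDN edge would belong here too.
NOISY_VALUES = {("whois_email", "privacy@proxy.example")}


def pivot_index(detections, pivot_keys=PIVOT_KEYS, noisy=NOISY_VALUES):
    """Map each (attribute, value) pair to the ids of detections carrying it."""
    index = defaultdict(list)
    for det in detections:
        for key in pivot_keys:
            value = det.get(key)
            if value and (key, value) not in noisy:
                index[(key, value)].append(det["id"])
    return index


def cluster_detections(detections, pivot_keys=PIVOT_KEYS, noisy=NOISY_VALUES):
    """Group detections transitively: any shared pivot value joins two clusters.

    Plain union-find; returns clusters as sorted lists of detection ids.
    """
    parent = {det["id"]: det["id"] for det in detections}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        root_a, root_b = find(a), find(b)
        if root_a != root_b:
            parent[root_b] = root_a

    for ids in pivot_index(detections, pivot_keys, noisy).values():
        for other in ids[1:]:
            union(ids[0], other)

    groups = defaultdict(list)
    for det in detections:
        groups[find(det["id"])].append(det["id"])
    return sorted(sorted(members) for members in groups.values())


def profile(cluster_ids, detections, pivot_keys=PIVOT_KEYS, noisy=NOISY_VALUES):
    """Summarize one cluster: its indicators and the attributes that tie it together."""
    wanted = set(cluster_ids)
    members = [det for det in detections if det["id"] in wanted]
    links = {kv: ids for kv, ids in pivot_index(members, pivot_keys, noisy).items()
             if len(ids) > 1}
    return {
        "detections": sorted(cluster_ids),
        "sources": sorted({det["source"] for det in members}),
        "domains": sorted(det["domain"] for det in members if det.get("domain")),
        "ips": sorted(det["ip"] for det in members if det.get("ip")),
        "links": links,
    }


if __name__ == "__main__":
    for cluster in cluster_detections(DETECTIONS):
        summary = profile(cluster, DETECTIONS)
        print(summary["detections"], summary["sources"])
        for (key, value), ids in summary["links"].items():
            print(f"  linked by {key}={value[:16]}...: {ids}")
```

On the constructed data, a proxy block, an EDR beacon and an IDS hit collapse into one profile because the first two share a certificate and the first and third share a registrant address; the perimeter scan stays alone. The exclusion list is the practitioner's caveat: without it, the privacy-proxy registrant address would pull the unrelated fifth detection into the same cluster, which is exactly how an over-eager pivot manufactures a phantom APT.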
With a full-fledged threat intelligence program, the CISO’s post-breach conversation with the security team might go something like this:
Actor profiling and attribution are not always an exact science. Each security team can make this art more of a science by collecting IOCs, those little pieces of the overall puzzle. Cyber threat intelligence programs are critical for gathering and analyzing this evidence to determine who our real adversaries are. By practicing adversary profiling on internal detections we sharpen our skills as analysts, expand our catalogue of known bad actors, and help prevent those frantic 5am phone calls.
Find out how cyber threat intelligence is evolving: get the SANS 2019 Cyber Threat Intelligence (CTI) Survey results.
Andrew de Lange is a solutions consultant for Anomali. Andrew has over 15 years of experience in cyber security, with the bulk of that time spent in financial services and banking. He is an evangelist for Cyber Threat Intelligence collaboration initiatives and community-driven defence.