What is Strategic Threat Intelligence?

January 4, 2018 | Steve Miller

This is the second blog in a series called “What is Threat Intelligence?” The first blog in the series can be found here. Stay tuned for future installments in this series.

Maintaining a strong security posture requires developing and answering many questions specific to the organization. Many of these questions must be answered continually as situations and environments evolve. Will bringing in additional security solutions really provide that much additional protection? Is it worth the cost to update each and every legacy system? Who are my adversaries, and how might they attack me? Many organizations choose to tackle these questions and make more informed decisions with context from threat intelligence. This curated information is generally divided into three subsets:

  • Strategic intelligence - who/why
  • Operational intelligence - how/where
  • Tactical intelligence - what

Strategic intelligence (who/why) is the 100,000-foot view, providing a big-picture look at how threats and attacks are changing over time. Strategic intel may be able to identify historical trends, motivations, or attributions as to who is behind an attack. Who is attacking you and why? Who might attack organizations in your sector? Why are you within scope for an attack? What are the major trends happening? What kinds of things do you need to do to reduce your risk profile? Knowing the who and why of your adversaries also provides clues to their future operations and tactics. This makes strategic intelligence a solid starting point for deciding which defensive measures will be most effective.

Strategic intelligence might include information on the following topic areas:

  • Attribution for intrusions and data breaches
  • Actor group trends
  • Targeting trends for industry sectors and geographies
  • Mapping cyber attacks to geopolitical conflicts and events (South China Sea, Arab Spring, Russia-Ukraine)
  • Global statistics on breaches, malware and information theft
  • Major attacker TTP changes over time

If you are in the education sector, you may wonder which nation states and which groups you should be concerned about. Where do you need to focus your resources to reduce the risk of an intrusion and theft of intellectual property? Or perhaps you already know that you’re in an industry or region frequently targeted by the actor APT29.

Strategic Intelligence for the Education Sector

  • Educational IT infrastructure has a diverse user base and is thus typically composed of a myriad of operating systems, computer types, software, and tons of servers and websites that are publicly accessible from the internet. This makes universities and academic research facilities prime targets for attackers, both as places from which to steal valuable data and as hop points for further intrusion operations.
  • The education industry will continue to see cyber espionage activity in the foreseeable future. We expect threat actors from China, Russia, Iran and other countries to conduct espionage operations for data theft, trade information, economic intelligence and for monitoring of diaspora.
  • Several groups have been observed conducting intrusion operations that have affected academic institutions including universities and research centers:
    • APT10 aka “MenuPass Group”
    • APT22 aka “Barista Team”
    • APT29 aka “The Dukes”

Strategic Intelligence for APT29

  • APT29 is a Russia-based actor that typically engages in cyber espionage with the purpose of data theft.
  • APT29 victims include many global organizations in government, education, high-technology, finance, non-profit, pharma, and the Defense Industrial Base.
  • APT29 is an adaptable, sophisticated group with the ability to develop custom attack tools and convoluted command-and-control infrastructure. Unlike the historical behavior of Russian state-sponsored actors, this group has the audacity to continue to operate long after it has been detected.
  • APT29 has been historically tasked to pursue operations surrounding foreign government policy issues, especially those involving the Russia-Ukraine conflict. Furthermore, the group has targeted several Western national government agencies, defense and government contractors, and academic institutions.

Using Strategic Threat Intelligence

Strategic threat intelligence is built upon a huge body of knowledge and includes expert opinions and insights that are based on aggregating both operational and tactical intelligence from known cyber attacks.

There are many uses for strategic intel including, but not limited to, the following:

  • Inform your executive leadership about high risk threat actors, relevant risk scenarios, and threat exposure in the public-facing technology sphere and criminal underground.
  • Perform a thorough risk analysis and review of your entire technology supply chain.
  • Learn which commercial ventures, vendors, partner companies, and technology products are most likely to increase or decrease risk to your enterprise environment.

Next up - What is Operational Threat Intelligence?

About the Author

Steve Miller

Steve Miller is an incident response professional and a threat intelligence analyst. Steve has ten years of experience in the broader security and IT industries in areas such as computer forensics, communications signals analysis and intelligence program management. Steve has built security operations centers around the world, conducted hundreds of intrusion investigations and, of course, chased down a lot of evil – work that directly led to the discovery of tons of new zero-days, APT malware families, and targeted attack campaigns.