In last month’s article, “Advanced Cyber Threat Intelligence: A First Principles Approach to Risk Mitigation,” I outlined a method of enhancing cyberthreat intelligence efforts by leveraging foundational security practices. To help protect your department, agency, and/or organization and those it services, we encourage you to map known tactics, techniques, and procedures (TTPs) to frameworks such as the MITRE ATT&CK framework, to discern likely next moves by a suspected or identified attacker.
We also need to protect against the unknown attacker, or one for which we have few, if any, TTPs to go by. In this scenario, rather than starting with the TTPs and known indicators of compromise (IOCs) and relating them to the corporate tech stack, we work backwards, starting with the undesired events that would disrupt the vital business processes. Then, we relate the possible disrupting events to how an adversary could create or facilitate those events within the tech stack. In doing so, we also strengthen the linkage to specific organizational risk and cyber security goals.
At its core, this approach is built on traditional principles of risk management and analysis. We associate negative events with their impact on business processes, then link to the tech stack. Not only does this work to identify risks to business processes, but it helps the analyst develop insight into which known adversary or malicious actors would be interested in those assets. In other words, a cyber threat intelligence (CTI) analyst should also look organizationally inward beyond the tech stack, allowing the team to link the undesired events to a cyber nexus.
As noted by a friend and cyber-colleague following my last article, by identifying the valuable assets and business processes, this method also helps inform the CTI analyst so that he or she can identify which actors are known to be interested in specific assets, and which ones are probably not. Keep in mind that the purpose of a cyber attack could involve an ultimate goal beyond the information technology domain. For example, an adversary may use hacked credentials to gain physical access to a facility, or to provide knowledge to an insider actor on how to disrupt a physical process.
Indeed, it is important to recognize that what is deemed valuable to the organization could be entirely different from what the cyber adversary views as valuable. An organization might consider critical financial or marketing data as most important, whereas an attacker might be seeking to ruin reputation by facilitating physical damage or harm to the public.
Also, consider Company A, which holds design data/information for critical infrastructure at Customer B. The attacker might have no intention of directly harming Company A, but will leverage the intrusion to harm Company B (which could in turn have a blowback effect on the reputation of Company A). Simply put, our strategy should consider what processes are critical for corporate success, and what failures could lead to corporate harm.
Armed with insights from such risk-based assessments, CTI analyses can be further refined to focus on the highest priorities for countermeasure gaps.
By following the Maximus | Attain Enhanced CTI Process, you can help mitigate such scenarios.
In a practical sense, we are expanding the pool of sources and stakeholders within the intelligence cycle. The CTI analyst should start by learning how the organization operates and identifying the vital components. Begin by reviewing high-level corporate mission statements, non-cybersecurity business goals, and business strategies. Examine the organizational structure and staffing to identify likely stakeholders and get to know them. Schedule interviews and meetings to start building a picture of the unwanted events. It is important for your security team to know what matters most to your customer in specific terms. Find out what keeps them up at night and ask informed questions to understand what they do and how they do it. This is where some of that background research helps. It will be readily apparent if you’ve taken the time to learn something about their roles before the conversation.
As the discussion leads into actual work processes (which may involve expanding the stakeholder pool of meetings), the critical points of failure will emerge. From here, unwanted events can be defined in non-cyber terms, similar to defining a problem set. Importantly, avoid presupposing a solution for each problem, as that could lead to eliminating potentially useful alternative solutions from consideration.
It could be argued that the above approach should be the domain of risk assessors, not CTI analysts. There is some validity to that view, and with luck, existing risk assessments that a CTI analyst can draw upon may already be available. However, risk assessments are often done by outside entities and may not be current or specific enough to associate with specific IT assets. Working with a risk assessment team is a terrific way to enhance their cyber vocabulary, and to ensure that assessments are responsive to CTI needs. It is at this point, once unwanted events are identified, that the cyber nexus is determined. Ask how an actor could leverage the IT ecosystem to facilitate or directly bring about the unwanted event. Then, draw up plans and TTPs (from an adversarial viewpoint) to carry out a successful attack. Armed with notional plans and TTPs, more traditional CTI processes are invoked, such as countermeasure gap analysis surrounding the critical assets, identifying the malware needed, mapping TTPs to the MITRE ATT&CK framework, and comparing with actors known to employ those TTPs.
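The steps above, carried through as an added example (not code from the article or from Maximus | Attain): unwanted events are weighted by business impact, linked to the assets an actor could leverage (the cyber nexus), mapped to notional ATT&CK technique IDs, and then compared forwards against actor profiles and against countermeasures already in place. The events, asset names, actor names, actor-technique sets and coverage list are constructed for illustration; only the technique IDs are real ATT&CK identifiers.

```python
from collections import defaultdict

# Constructed sample data: hypothetical events, assets and actors.
UNWANTED_EVENTS = {            # unwanted event (non-cyber terms) -> business impact (1-5)
    "plant line shutdown": 5,
    "customer design data leaked": 4,
    "payroll run delayed": 2,
}
EVENT_TO_ASSETS = {            # cyber nexus: IT assets an actor could leverage per event
    "plant line shutdown": ["vpn-gateway", "engineering-ws"],
    "customer design data leaked": ["vpn-gateway", "cad-fileshare"],
    "payroll run delayed": ["erp-server"],
}
ASSET_TO_TECHNIQUES = {        # notional TTPs per asset, as ATT&CK technique IDs
    "vpn-gateway": {"T1133", "T1078", "T1110"},
    "engineering-ws": {"T1566", "T1486"},
    "cad-fileshare": {"T1039", "T1567"},
    "erp-server": {"T1078", "T1486", "T1490"},
}
ACTOR_TECHNIQUES = {           # illustrative actor profiles, not real intelligence
    "ActorAlpha": {"T1133", "T1078", "T1486", "T1490"},
    "ActorBravo": {"T1566", "T1039", "T1567"},
    "ActorCharlie": {"T1110", "T1078"},
}
COVERED = {"T1566", "T1110"}   # techniques that already have a countermeasure


def technique_priority():
    """Backward view: weight each technique by the impact of every event it could facilitate."""
    score = defaultdict(int)
    for event, impact in UNWANTED_EVENTS.items():
        techniques = set().union(*(ASSET_TO_TECHNIQUES[a] for a in EVENT_TO_ASSETS[event]))
        for technique in techniques:       # count a technique once per event
            score[technique] += impact
    return dict(score)


def rank_actors(priority):
    """Forward view: actors whose known TTPs overlap the prioritised techniques, highest first."""
    ranked = []
    for actor, techniques in ACTOR_TECHNIQUES.items():
        overlap = techniques & priority.keys()
        ranked.append((actor, sum(priority[t] for t in overlap), sorted(overlap)))
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


def countermeasure_gaps(priority, covered=COVERED):
    """Prioritised techniques with no countermeasure in place, most important first."""
    return sorted((t for t in priority if t not in covered), key=lambda t: (-priority[t], t))


if __name__ == "__main__":
    prio = technique_priority()
    print("technique priority:", prio)
    print("actors to watch:", rank_actors(prio))
    print("countermeasure gaps:", countermeasure_gaps(prio))
```

The two rankings are what the article calls validating forwards and backwards: the gap list comes purely from business impact, while the actor list shows which known profiles most overlap it.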
The benefits of this approach, while mentioned in my previous article, are worth repeating: direct linkage to corporate/organizational risk, a deeper and thus more informed knowledge of stakeholder needs, illumination of unknown third-party relationships, and better insight for leveraging geopolitical threat reporting (an emerging trend in CTI products). It may turn out that your normal CTI reporting is spot on, but after following these recommendations, it will be validated both forwards (starting with actor activity threat) and backwards (starting with business process targets). The personal relationships you cultivate when researching business processes will also incubate cyber security proponents. Your stakeholders will view you as having their best interest at heart, and thus improve your credibility and reputation, leading to greater cooperation and trust in threat/incident information sharing.