Prioritizing Threats with Real-Time Threat Intelligence
Editor’s Note: The following blog post is a partial summary of our customer webinar featuring Greg Reith, threat intelligence analyst at T-Mobile.
- The role of threat intelligence is to reduce operational, strategic, and tactical surprise.
- Threat actors can be divided into six tiers. At one end of the scale we find a high number of unsophisticated threats, and at the other we find a tiny number of highly sophisticated threats.
- With a deep knowledge of your physical and intellectual assets, you can map a known threat straight to its likely target(s), and identify the controls needed to defend against it.
- If you can develop a strategy based on threat targeting and categorization, you’ll identify gaps that might have been missed if you had simply extrapolated from historical data.
Not all threats are created equal. Some are concerning. Some are merely a nuisance. And some threaten your organization’s continued existence.
The most destructive threats share three vital components: speed of execution, intensity, and surprise.
Speed and intensity are technical advantages, for which technical solutions can be found. If you have optimal security controls in place, even the fastest, most aggressive attacks can be deflected. But no amount of security will help if an attack takes you completely by surprise.
Enter Greg Reith, threat intelligence analyst at T-Mobile, who recently hosted a webinar for Recorded Future. According to Reith, the element of surprise is the key ingredient that prevents organizations from effectively responding to incoming attacks. Threat intelligence helps us level the playing field. In his own words, “The role of threat intelligence is to reduce operational, strategic, and tactical surprise.”
Threat intelligence helps organizations understand where and why they are targeted, the capability of threat actors involved, and what it means to the organization over time.
Broadly speaking threat actors can be divided into six tiers, explains Reith. At one end of the scale we find a large number of unsophisticated threats, such as “script kiddies” and non-malicious actors. These lower-tier threat actors possess limited skill and very little funding, and can usually be classified as “nuisance” threats.
At the other end of the scale we find a comparatively tiny number of extremely sophisticated threats, such as state-sponsored APT (advanced persistent threat) groups. These threat actors are highly trained, well resourced, and have the time and motivation to attack with extreme intensity.
Understanding threat categorization is vital, Reith asserts, because it dictates what countermeasures are necessary to secure an organization. But, as Sun Tzu would point out, knowing your enemy is only half the battle.
Mapping Threats to Your Business
A deep understanding of your own organization and line of business is also essential, including a detailed knowledge of your physical and intellectual assets. If you have this information, you can map a known threat straight to its likely target(s), and identify the controls needed to defend against that threat.
Naturally, Reith points out, an understanding of threat actor targeting and motivation is necessary here. Tier five and six threat actors, for instance, are typically concerned with espionage, massive disruption, and geopolitical advantage. Tier three and four actors are mainly in it for financial gain, with the occasional hacktivist thrown in for good measure. Tier one and two actors have a wide range of motivations, sometimes financial but often simply denial of service or small-scale disruption.
If, for instance, your organization stores healthcare data, you’d map threat actors known to target this type of data directly to the relevant storage location. Healthcare data is highly valuable, but not usually politically sensitive, and as a result you’d be primarily concerned about attacks from tier three and four actors. Knowing this, and their favored attack vectors, you can prepare accordingly.
Threat Actor Targeting
For security planning, Reith’s message is simple. Threat drives everything, and targeting drives threat. Understanding threat actor targeting gives you a huge planning advantage, and it’s not as hard as you might think. Below are some of the components that can drive targeting at each tier of threat actors.
Tiers 1 – 2
- Customer Satisfaction: The less satisfied your customers are, the more low-level threats you’ll see.
- Employee Satisfaction: A dissatisfied workforce leads to an increase in insider threats.
- Economic Indicators: Poor economic conditions motivate lone wolves and unsophisticated criminals.
Tiers 3 – 4
- POS/Retail Footprint: A high footprint makes an attractive target for organized crime groups.
- Lines of Business: Certain lines of business attract cyber mercenaries and threats focused on R&D.
- Economic Indicators: Crime groups with legitimate fronts need to make up for losses in hard times.
- Public Views: Controversial political or environmental views can attract idealistic attacks.
Tiers 5 – 6
- Lines of Business: Global product lines and competitive global industries are attractive targets.
- Critical Infrastructure: Always targeted by nation-state attackers.
- Geopolitical Factors: Impacts nation-state focus and targeting.
- Access and Placement: Third parties with access to nation-state targets become targets.
Surveying the Future Threat Landscape
The categorization and target mapping process culminates in a forward-looking document that details where you expect your threat landscape to go in the coming years. In this, Reith stresses the importance of a methodology that doesn’t rely exclusively on historical data. He explains:
The document helps us develop and validate a strategy, identify gaps, prioritize deployments, and set budgets. We’re really aiming for a reduction of strategic surprise across the organization. If we can develop a strategy based on threat targeting and categorization, we’ll identify gaps that might have been missed if we had simply extrapolated from historical data.
To achieve this, an understanding of threat actor planning is essential. Where organized crime groups might plan a year or two ahead, and lesser actors not at all, nation states operate on the basis of five-year plans.
2016 marked the start of a new five-year plan for a number of nation states, including Russia, China, Iran, North Korea, and Israel. Reith points out that you can historically correlate each nation’s five-year plans with cyberattacks, strategies, and targeting known to have been carried out by state-sponsored groups.
China’s current plan, for example, has a much heavier focus on communications than the previous plan. This is borne out by intelligence gathered through Recorded Future, which found that a particular Chinese threat actor who had never worked on telecoms before had started to focus on reconnaissance in the telecommunications industry, and subsequently picked up some telecom-specific tools from a related threat actor group.
As you might imagine, the vital ingredient for this stage is data gathering. In this, Recorded Future excels. Reith explains:
We use Recorded Future queries and alerts to identify hard-to-find documents. Things like obscure think tank studies, national plans, research, crime statistics, idealistic manifestos, and so on. Recorded Future searches across approximately 800,000 sources, and allows us to do a temporal analysis of that data. We find things a lot faster than we would if the process was manual. Just in finding and analysis, Recorded Future cuts the workload by around 400–500 percent.
Timing It Right
Knowing which types of attack are likely to arise and what they’ll target is a game changer. But, Reith explains, it’s not the whole story.
Recall that surprise isn’t just about how an attack happens, it’s also about when the attack comes. Once again, this is where Recorded Future comes in.
Reith uses queries to identify past and present activity from each tier of threat actors in a specific industry space. He notes that, while it might initially look like a bunch of data, it’s actually a highly valuable resource.
The single biggest influx of activity he discovered in the tier one and two space is right around the end of the financial year. Every year at that time there’s a great deal of tier two activity, and it centers around stealing tax returns.
Life in the tier three and four space is a bit more interesting, but it’s spread out across the year. There is a lot of activity around holiday seasons, when lots of people are using credit cards. This is when you’ll see many instances of POS compromise, and other attacks on retail outfits.
Tier six activity tends to focus around the beginning and middle of the year. That’s consistent with the Chinese operational cycle, and many other nation states work in a similar way.
The value of this information is clear. You already know which actors will target your organization, what their motivations are, and how they’ll attack. With this additional context, you can start to identify the most likely periods during which you’ll be attacked.
@Credits: Recorded Future