Defining Your Cyber Battlespace With Threat Intelligence
October 4, 2018 • Daniel Kropp
A Conceptual Framework for Threat Intelligence
An intelligence preparation of the battlefield (IPB) is a method for defining and understanding a specific operating environment in all battlespaces — a conceptual framework to better understand how to apply your threat intelligence. It has been a staple tool for helping military leadership make decisions, and when the same methodology is applied to the cyber realm, the benefits can be tremendous. By providing a broad overview for cybersecurity decision makers to aid in strategy development, it helps answer the basic question, “What is my current state of security?”
It can also provide a tactical understanding that helps decision makers implement more effective mitigating controls. Everyone in cybersecurity constantly seeks “actionable” threat intelligence, but it’s critical to realize that what is considered actionable depends on the role of the person asking the question. A well developed IPB provides a level of understanding that benefits everyone from the C-suite to the Tier 1 SOC analyst.
In its simplest form, an IPB can be broken down into three steps:
- What does my operating environment look like?
- What does my enemy look like?
- What are my actions on objective? In other words, what are the likely courses of action where those two parts intersect?
We’ll take a closer look at how these three steps are developed to see why following the IPB method is an advantageous undertaking for any security organization, helping determine exactly what the objectives should be for any cycle of threat intelligence development, what steps to take when improving your security posture, and what future investment decisions to make.
What Does My Operating Environment Look Like?
The first step in developing the IPB is understanding your organization’s own operating environment, which encompasses not only IT relationships but other critical relationships as well. Oftentimes cybersecurity organizations are siloed in their approach, remaining laser focused on just the technology aspects of their business and ignoring other critical relationships in a way that creates opportunities for adversaries to exploit.
Having a clear picture of your IT security posture is still an essential aspect of defining your operating environment, but it’s just one step in the process. Basic threat intelligence programs often begin with gaining a better operational awareness of their own environments — running internal network data through SIEMs, subscribing to a few open source threat feeds, and so on — but actionable threat intelligence encompasses far more than just a few feeds and alerts.
Taking a close look at all the relationships in your operating environment allows you to uncover potentially unknown connections that raise concerns, and it also allows for changes in the environment to happen without disrupting the overview being developed.
From an IT perspective, for example, this means stepping back from a network map and focusing on the workflow. Given a particular user, you can ask the following questions to develop a clearer sense of their place within your organization:
- What applications do they use?
- What data do those applications process, and how is that data marked?
- What infrastructure supports those applications, and where is that data being stored?
Defining these relationships agnostic of the specific technologies in play creates an abstract conceptual framework that allows you to substitute different particulars without a loss of understanding.
Specific details around the individual entities can then be added to provide more granular context, such as:
- Vulnerability scan history of the applications and infrastructure
- Data tags of data being processed and stored
- Shared infrastructure between applications, business units, data types, and so on
The accuracy and comprehensiveness of the data sources being used to build out this view are the major limiting factors to how informative these details can be. This can be the difference between knowing there may be around 2,000 machines within your environment vulnerable to a newly reported exploit in the wild, and being able to state there are exactly X machines across four business lines, 10 percent of which are business critical and need to be patched immediately.
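The relationship model described above (user to applications to data tags and hosts to business line), as an added example that is not part of the original article: a constructed inventory with three queries, one for the data a user can reach, one for shared infrastructure, and one that turns a vague "about 2,000 machines" into an exact, prioritised count. The product name "widgetd", its versions and every host, user and tag are made up for the example.

```python
from collections import defaultdict

# Constructed sample inventory (not from the article). Relationships follow the
# chain the text describes: user -> applications -> data tags / hosts -> business line.
USERS = {"alice": ["billing", "hr-portal"], "bob": ["cad-vault"]}
APPS = {
    "billing":   {"data_tags": {"PCI"}, "hosts": ["web-01", "db-01"]},
    "hr-portal": {"data_tags": {"PII"}, "hosts": ["web-02", "db-01"]},
    "cad-vault": {"data_tags": {"IP"},  "hosts": ["file-01"]},
}
# "widgetd" is a placeholder product; the version strings are made up.
HOSTS = {
    "web-01":  {"business_line": "retail",      "critical": True,  "software": {"widgetd": "2.3"}},
    "web-02":  {"business_line": "corporate",   "critical": False, "software": {"widgetd": "2.3"}},
    "db-01":   {"business_line": "retail",      "critical": True,  "software": {"widgetd": "2.4"}},
    "file-01": {"business_line": "engineering", "critical": True,  "software": {"widgetd": "2.3"}},
    "lab-01":  {"business_line": "engineering", "critical": False, "software": {"widgetd": "2.3"}},
}

def data_tags_for_user(user):
    """Every data classification a user can reach through the applications they use."""
    return set().union(*(APPS[a]["data_tags"] for a in USERS.get(user, [])))

def shared_hosts():
    """Infrastructure supporting more than one application (shared blast radius)."""
    apps_on = defaultdict(list)
    for app, rec in APPS.items():
        for host in rec["hosts"]:
            apps_on[host].append(app)
    return {h: sorted(a) for h, a in apps_on.items() if len(a) > 1}

def exposure(product, vulnerable_versions):
    """Exact count of affected hosts, grouped by business line, critical ones first."""
    affected = [h for h, r in HOSTS.items() if r["software"].get(product) in vulnerable_versions]
    by_line = defaultdict(list)
    for host in affected:
        by_line[HOSTS[host]["business_line"]].append(host)
    critical = sorted(h for h in affected if HOSTS[h]["critical"])
    pct = round(100 * len(critical) / len(affected)) if affected else 0
    return {"total": len(affected), "business_lines": dict(by_line),
            "patch_first": critical, "critical_pct": pct}
```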
From a business perspective, we can also start from the user and work our way out. Given a user, what lines of business or products do they support? Looking at a product, who are the suppliers? Where are those suppliers located, and who are the parent organizations? Is that owner a country or organization that would benefit from my intellectual property?
If the answer is “yes,” now there is a lead to start an investigation into the specifics around those relationships, like contract language, access and authentication methods, network segmentation, and so on.
The larger the organization, the more beneficial this becomes, making prioritization key to successfully reducing risk — the threat landscape simply becomes far too large to protect all attack vectors, from all threats, at all times. Because relationships with suppliers, vendors, and partners are a necessary part of running any business, taking time to evaluate the risks associated with those connections can pay big dividends in reducing the threat from downstream attack vectors.
This may sound like a daunting task, but there is one starting point available to every organization to kick-start the process: taking the time to define the aspects of the organization that are most critical to success and focusing on them first. While intellectual property sounds like a logical starting point since no one wants to lose the crown jewel, forgetting to include business continuity and disaster recovery can leave big gaps in risk management plans.
What Threat Actors Are Targeting Me?
The first step to understanding your enemy is defining who they are. Is this a persistent nation-state attacker? Is your organization a target of opportunity? Is bad press emboldening hacktivists to react to recent events? Threats from these groups are not mutually exclusive, but the distinction is an important aspect of how risk is calculated.
Once you identify your attacker, you can align the risks they represent more closely with the vulnerabilities you previously identified in your operating environment during the first step of developing an IPB. Here are three specific examples of risk:
- Financial risk — through the theft of resources via illegal money transfers or the use of computing power from cryptomining
- Operational risk — by the disruption of manufacturing using ransomware that halts production
- Strategic risk — through the theft of your organization’s market differentiators or intellectual property
The motivations of an adversary can also be used to determine their objectives. Placing yourself in the mindset of an attacker helps develop a fuller picture of what you need to defend. Listing out your adversary’s most likely targets and aligning them with your critical business assets, for example, helps make the intersection of adversary intention and business impact clearer.
Understanding the motivations and objectives of your adversaries should be done not only at a strategic level, but at a tactical one. Document the actual tactics, techniques, and procedures (TTPs) being used by known adversaries to develop a complete profile. This is a framework suitable for understanding adversaries of any size, from nation-state threat actors down to individual hackers.
Documenting tactics also serves to gauge the capacity of an adversary to act on their motivations. If you determine that a specific threat actor has displayed the motivation and capacity to target your organization, prioritizing their TTPs for mitigation and sweeping the network for known indicators is yet another way to quantify risk reduction.
The ultimate goal is to be able to go through the following chain of reasoning with some confidence:
- Is this adversary motivated to target my organization?
- If so, what are their objectives? What assets in my organization would they target?
- Do they possess the technical acumen to achieve those objectives?
Action on Objective
Now that the operating environment and the adversary have been defined, examining the intersection of these two components allows for defenders to begin to formulate mitigations that are both proactive and predictive. Taking proactive steps means asking yourself, “Based on what we currently know, are we doing everything we need to defend ourselves?” And taking predictive steps means asking, “Based on my understanding of the operating environment, can I decipher the most likely courses of action for my adversary in order to mitigate events before they have occurred?”
For most organizations, the starting point is proactive — after identifying adversaries, their objectives, and their TTPs, they take immediate steps to resolve any vulnerabilities present in their environment. The ability to take immediate, concrete steps is key for threat intelligence — if it isn’t contextual and actionable, it isn’t true threat intelligence.
After that step, it’s time to start thinking about how to be predictive. In the case of a persistent threat, we know that as old TTPs are discovered and shut down, new tactics will be developed so the adversary can continue pursuing the targets on its collection requirements.
Since these objectives have already been defined in the second step of developing an IPB, the defender is now a step ahead of the adversary. Taking predictive steps to mitigate these threats means asking yourself which courses of action your adversary is most likely to take, and then identifying ways to proactively monitor for new tactics or increase your controls to prescriptively mitigate these threats.
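The intersection of the two earlier steps, worked through as an added example that is not from the original article: the three-question chain (is the adversary motivated against us, what would they target, do they have the TTPs to do it) is evaluated against a constructed asset list and the controls already in front of each asset, producing the courses of action with the largest uncovered gap first and the controls that would close each gap. All actor names, TTP labels and the control-to-TTP mapping are illustrative placeholders.

```python
# Constructed sample data (not from the article): what we hold, which controls
# already protect it, and who has shown interest in it plus the TTPs they use.
ASSETS = {
    "cad-vault": {"data_tags": {"IP"},  "controls": {"mfa", "edr"}},
    "billing":   {"data_tags": {"PCI"}, "controls": {"edr"}},
    "mfg-plc":   {"data_tags": {"OT"},  "controls": set()},
}
ADVERSARIES = [
    {"name": "actor-A", "risk": "strategic",   "seeks": {"IP"},  "ttps": {"phishing", "credential-theft", "dns-exfil"}},
    {"name": "actor-B", "risk": "financial",   "seeks": {"PCI"}, "ttps": {"phishing", "web-shell"}},
    {"name": "actor-C", "risk": "operational", "seeks": {"OT"},  "ttps": {"ransomware"}},
    {"name": "actor-D", "risk": "financial",   "seeks": {"PHI"}, "ttps": {"phishing"}},  # holds nothing they want
]
# Illustrative mapping of which TTPs each control is assumed to mitigate.
MITIGATES = {"mfa": {"credential-theft"}, "edr": {"ransomware", "web-shell"},
             "email-filter": {"phishing"}, "dns-monitoring": {"dns-exfil"}}

def motivated_against(asset):
    """Question 1: adversaries whose collection requirements overlap this asset."""
    return [a for a in ADVERSARIES if a["seeks"] & ASSETS[asset]["data_tags"]]

def uncovered_ttps(asset, adversary):
    """Questions 2 and 3: TTPs the adversary uses that no deployed control mitigates."""
    covered = set().union(*(MITIGATES[c] for c in ASSETS[asset]["controls"]))
    return adversary["ttps"] - covered

def recommend_controls(ttps):
    """Proactive step: controls that would close the remaining gap."""
    return sorted(c for c, mitigated in MITIGATES.items() if mitigated & ttps)

def courses_of_action():
    """Environment/adversary intersection, most exposed pairing first."""
    rows = []
    for asset in ASSETS:
        for adv in motivated_against(asset):
            gap = uncovered_ttps(asset, adv)
            rows.append({"asset": asset, "adversary": adv["name"], "risk": adv["risk"],
                         "uncovered": sorted(gap), "add_controls": recommend_controls(gap)})
    return sorted(rows, key=lambda r: -len(r["uncovered"]))
```

Adversaries whose interests do not overlap anything in the environment (actor-D here) drop out of the list, which is the prioritisation the text argues for.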
Taking Action on Threat Intelligence
If an organization can position itself this way and develop a comprehensive IPB, it can significantly decrease the advantage attackers have in the cyber realm. A strong grasp of the operating environment can allow for defensive actions such as manipulating what terrain the adversary encounters so that the defender can dictate their movement within the network.
This also opens other possibilities for creative approaches to testing network defenses. Red-team activities can now be enriched by focusing on the same collection requirements as the adversary. Newly discovered TTPs can be simulated for effectiveness against current network configurations and security controls. As mentioned in the beginning, the development of an IPB has been standard practice in the military to understand how terrain and environmental elements impact how engagements could play out in a specific operating environment. Cyber should be looked at with the same level of strategic understanding — but with one big advantage over any of the other defined battlespaces.
This battlespace is digital and manmade, providing the ability to shift the landscape as the engagement occurs. Security professionals who are able to gain the insights and understanding discussed above will put themselves in a position to finally get off their heels, flip the advantage in favor of the defender, and take full control over the systems they are tasked to defend.