Security Intelligence Handbook Chapter 7: Understand Your Adversaries
January 26, 2021 • The Recorded Future Team
Editor’s Note: We’re sharing excerpts from the third edition of our popular book, “The Security Intelligence Handbook: How to Disrupt Adversaries and Reduce Risk with Security Intelligence.” Here, we’re looking at chapter seven, “Threat Intelligence Part 1: Understanding Attackers.” To read the entire section, download your free copy of the handbook.
Hollywood dramas like The Godfather or the award-winning TV show The Sopranos offer a glimpse into the large, complicated web of leaders, gangsters, rivals, and family members that can make up organized criminal groups. In these fictional stories, law enforcement works for years, even decades, to uncover intelligence on these groups and understand each member's methods and motivations so they can methodically take down the larger operation.
Today’s threat analysts can relate to this challenging task, as they hunt down new threats, work to uncover elusive cyber villains, and sometimes, hit frustrating dead ends. To stay a step ahead, threat analysts need to be able to understand and unmask their adversaries before they attack. This means thinking outside of the box — and outside the walls of their organization — to gather intelligence on the dark web communities, criminal gangs, and state-sponsored hacking groups most likely to target them.
Yet the criminal underground is vast and organized into many distinct communities — making it impossible for even the most seasoned threat analyst to connect all the dots on their own.
That’s why many organizations are expanding their threat intelligence programs with precision security intelligence to eliminate manual research, provide external context on the criminal groups attacking them, threat actors’ motivations and capabilities, and indicators of compromise to look for in their systems. With this “big picture view” of risk, threat analysts are empowered with the advanced warning and actionable facts needed to proactively disrupt adversaries.
Explore the role of threat analysts and see how conversations in underground communities present opportunities to gather valuable security intelligence in “The Security Intelligence Handbook, Third Edition: How to Disrupt Adversaries and Reduce Risk With Security Intelligence.” In this excerpt, which has been edited and condensed, we’ll examine three real-world use cases for applying intelligence about attackers to security activities to amplify impact:
A key function of threat analysts is to model risks and empower managers to make informed decisions about reducing risk. Risk modeling offers a way to objectively assess current risks, and to estimate clear and quantifiable financial returns from investments in cybersecurity.
However, many cyber risk models suffer from either:
- Vague, non-quantified output, often in the form of “stoplight charts” that show green, yellow, and red threat levels
- Estimates about threat probabilities and costs that are hastily compiled, based on partial information, and riddled with unfounded assumptions
Non-quantified output is not very actionable, while models based on faulty input result in “garbage in, garbage out” scenarios with outputs that appear to be precise, but are actually misleading. To avoid these problems, organizations need a well-designed risk model and plenty of valid, current information — including security intelligence.
Cybersecurity risk assessments should not be based only on criteria defined to prove compliance with regulations. With those criteria, assessing risk usually becomes an exercise in checking boxes against cybersecurity controls like firewalls and encryption. Counting the number of boxes checked results in a very misleading picture of actual risk.
The FAIR Risk Model
The equation at the core of any risk model is simple:
“Likelihood of occurrence times impact equals expected cost”
But, clearly, the devil is in the details. Fortunately, some very smart people have developed effective risk models and methodologies that you can use and adapt to your own needs. One that we like is the Factor Analysis of Information Risk (FAIR) model from the FAIR Institute. Figure 8-1 shows the framework of this model.
The FAIR framework is useful for creating a quantitative risk assessment model that contains specific probabilities for loss from specific kinds of threats.
Learn more about FAIR at the FAIR Institute website. This quantitative model for information security and operational risk is focused on understanding, analyzing, and quantifying information risk in real financial terms.
Measurements and transparency are key
The FAIR framework (and others like it) enables you to create risk models that:
- Make defined measurements of risk
- Are transparent about assumptions, variables, and outcomes
- Show specific loss probabilities in financial terms
Measurements, formulas, assumptions, variables, and outcomes need to be made transparent in order to be discussed, defended, and changed. Because much of the FAIR model is defined in business and financial terms, executives, line of business managers, and other stakeholders can learn to speak the same language to classify assets, threats, and vulnerabilities in the same way.
Whenever possible, incorporate specific probabilities about future losses in your risk model. Specific probabilities enable risk managers and senior executives to discuss the model and potential ways to improve it, after which their confidence in the model and the recommendations that come out of it will increase.
Security Intelligence and Threat Probabilities
As shown in the left side of Figure 8-1, a major part of building the risk model is estimating how often attacks succeed (the "loss event frequency" in the language of the FAIR framework, which FAIR derives from the frequency of attempts against the organization and the probability that an attempt succeeds).
The first step is to create a list of threat categories that might affect the business. This list typically includes malware, phishing attacks, exploit kits, zero-day attacks, web application exploits, DDoS attacks, ransomware, and many other threats. The next step is much more difficult: to estimate the probabilities that the attacks will happen, and that they will succeed (i.e., the odds that the organization contains vulnerabilities related to the attacks and that existing controls are not sufficient to stop them).
Avoid the following scenario: A GRC (governance, risk, and compliance) team member asks a security analyst, “What is the likelihood of our facing this particular attack?” The security analyst (who really can’t win) thinks for 30 seconds about past experience and current security controls and makes a wild guess: “I dunno, maybe 20 percent.”
To avoid appearing clueless, your security team needs answers that are better informed than that. Security intelligence, and specifically threat intelligence, makes it possible to answer questions such as:
- Which threat actors are using this attack, and do they target our industry?
- How often has this specific attack been observed recently by organizations like ours?
- Is the trend up or down?
- Which vulnerabilities does this attack exploit, and are those vulnerabilities present in our organization?
- What kind of damage, technical and financial, has this attack caused in organizations like ours?
Threat analysts still need to know a great deal about the organization and its security defenses, but threat intelligence enriches their knowledge of attacks, the actors behind them, and their targets. It also provides hard data on the prevalence of the attacks.
Figures 8-2 and 8-3 show some of the forms the intelligence might take. Figure 8-2 lists the kinds of questions about a malware sample that a security intelligence solution answers for analysts.
Figure 8-3 shows trends in the proliferation of ransomware families. The trend line to the right of each ransomware family indicates increasing or decreasing references across a huge range of threat data sources such as code repositories, paste sites, security research blogs, underground forums, and .onion (Tor accessible) forums. Additional information might be available about how the ransomware families connect to threat actors, targets, and exploit kits.
Security Intelligence and the Financial Cost of Attacks
The other major component of the formulas in our model is the probable cost of successful attacks (the "loss magnitude" in FAIR terminology). Most of the data for estimating cost is likely to come from inside the organization. However, security intelligence provides useful reference points on topics like:
- The cost of similar attacks on organizations of the same size and in the same industry
- The systems that need to be remediated after an attack, and the type of remediation they require
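A worked version of the calculation this section describes (likelihood times impact, decomposed the FAIR way into threat event frequency, vulnerability, and loss magnitude), as an added example that is not part of the handbook or of the FAIR Institute's own materials. The phishing scenario, its three-point ranges, and the assumed effect of a phishing-resistant MFA control are constructed illustrations, not data from the book or from any real incident. The Monte Carlo simulation shows two things the text argues for: why a single "most likely" figure understates expected loss when the inputs are skewed, and how the same transparent model prices a control in financial terms so the investment can be defended to executives.

```python
"""FAIR-style quantitative risk model with a Monte Carlo simulation.

Added example for this article; not code from the handbook or the FAIR
Institute. All scenario numbers are constructed illustrations.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """Three-point estimate (min, most likely, max), sampled from a modified
    PERT (scaled beta) distribution so the 'most likely' value carries more
    weight than the extremes. lam=4 is the conventional PERT shape."""
    low: float
    likely: float
    high: float
    lam: float = 4.0

    def mean(self) -> float:
        return (self.low + self.lam * self.likely + self.high) / (self.lam + 2)

    def sample(self, rng: random.Random) -> float:
        width = self.high - self.low
        if width <= 0:
            return self.low
        a = 1 + self.lam * (self.likely - self.low) / width
        b = 1 + self.lam * (self.high - self.likely) / width
        return self.low + rng.betavariate(a, b) * width


@dataclass(frozen=True)
class Scenario:
    """One row of a risk register: every input is a documented range that
    stakeholders can challenge and revise, which is the transparency point."""
    name: str
    threat_event_frequency: Pert  # TEF: attempts per year
    vulnerability: Pert           # probability an attempt becomes a loss event
    primary_loss: Pert            # USD per loss event (response, replacement)
    secondary_loss: Pert          # USD per loss event (fines, legal, churn)

    def loss_event_frequency_mean(self) -> float:
        return self.threat_event_frequency.mean() * self.vulnerability.mean()  # LEF = TEF x Vuln


def point_estimate(s: Scenario) -> float:
    """'Likelihood times impact' using only the most-likely values: the
    hurried single number this section warns about."""
    return (s.threat_event_frequency.likely * s.vulnerability.likely
            * (s.primary_loss.likely + s.secondary_loss.likely))


def analytic_expected_annual_loss(s: Scenario) -> float:
    """Expected annual loss from the distribution means (inputs assumed independent)."""
    return s.loss_event_frequency_mean() * (s.primary_loss.mean() + s.secondary_loss.mean())


def _poisson(mean: float, rng: random.Random) -> int:
    """Number of loss events in one simulated year given that year's LEF."""
    if mean > 50:  # Knuth's method underflows for large means; normal approximation instead
        return max(0, round(rng.gauss(mean, math.sqrt(mean))))
    threshold, k, p = math.exp(-mean), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_loss(s: Scenario, years: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo: draw a fresh TEF, vulnerability and per-event losses for
    each simulated year and summarise the resulting loss distribution."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        lef = s.threat_event_frequency.sample(rng) * s.vulnerability.sample(rng)
        losses.append(sum(s.primary_loss.sample(rng) + s.secondary_loss.sample(rng)
                          for _ in range(_poisson(lef, rng))))
    losses.sort()
    return {
        "expected_annual_loss": statistics.fmean(losses),
        "median": losses[len(losses) // 2],
        "p90": losses[int(0.9 * len(losses))],
        "p_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


def control_value(before: Scenario, after: Scenario, years: int = 10_000) -> float:
    """Expected annual loss avoided by a control: the figure to set against
    the control's cost when justifying the investment."""
    return (simulate_annual_loss(before, years)["expected_annual_loss"]
            - simulate_annual_loss(after, years)["expected_annual_loss"])


# Constructed scenario: phishing of finance staff leading to payment fraud.
# In practice the frequency ranges come from threat intelligence (campaigns
# observed against the industry) and the loss ranges from internal cost data.
PHISHING = Scenario(
    name="phishing -> credential theft -> fraudulent payment",
    threat_event_frequency=Pert(4, 12, 30),
    vulnerability=Pert(0.05, 0.20, 0.40),
    primary_loss=Pert(5_000, 25_000, 120_000),
    secondary_loss=Pert(0, 10_000, 250_000),
)
# Same scenario after phishing-resistant MFA; the reduced vulnerability is an assumption.
PHISHING_WITH_MFA = Scenario(
    name=PHISHING.name + " (with phishing-resistant MFA)",
    threat_event_frequency=PHISHING.threat_event_frequency,
    vulnerability=Pert(0.01, 0.04, 0.10),
    primary_loss=PHISHING.primary_loss,
    secondary_loss=PHISHING.secondary_loss,
)

if __name__ == "__main__":
    res = simulate_annual_loss(PHISHING)
    print(f"point estimate (most-likely values): ${point_estimate(PHISHING):,.0f}")
    print(f"simulated expected annual loss:      ${res['expected_annual_loss']:,.0f}")
    print(f"median / p90 annual loss:            ${res['median']:,.0f} / ${res['p90']:,.0f}")
    print(f"probability of at least one loss:    {res['p_any_loss']:.0%}")
    print(f"annual loss avoided by MFA:          ${control_value(PHISHING, PHISHING_WITH_MFA):,.0f}")
```

Running it shows the most-likely-values product (around $84,000 a year) sitting well below the simulated mean, because the loss ranges have long right tails; the p90 figure is what a board member should hear alongside the mean. The seed is fixed so reviewers can reproduce every number, and each input is a named range that can be argued over and changed without touching the model, which is the transparency property the section asks for.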
Get ‘The Security Intelligence Handbook’
This chapter is one of many in our new book that demonstrates how to disrupt adversaries and measurably reduce risk with security intelligence at the center of your security program. Subsequent chapters explore different use cases, including the benefits of security intelligence for brand protection, third-party risk management, security leadership, and more.