How Threat Actor Profiling Enhances Security Resilience – Part 1
It’s no secret that most security vendors monitor prominent cyber threat actors in one way or another. While the sharing of cyber threat intelligence has come a long way, the profiling and sharing of threat actor data and Indicators of Attack (IoA) is still not common and is challenging to streamline.
When it comes to threat actors capable of carrying out significant cyber-attacks and posing a real threat to your security resilience, there are more differences than similarities. Threat actor profiling remains inefficient as long as it is sporadic and depends on each vendor’s own research and publication of threat intelligence.
ACCURATE KNOWLEDGE – what are the distinctions that make threat actor profiling and clustering so challenging?
The lack of a common naming convention is a challenge in two domains. The first depends on us, the security vendors, as we tend to create our own naming conventions for attack groups, making it difficult to connect the dots between the available pieces of information. The second comes from the threat actors themselves: attack groups present themselves under different names on different platforms and sometimes change names from one campaign to another.
Clustering all the names used by a specific threat actor and all the names given by different security vendors in a single threat actor profile will help identify all its operations and evaluate the risk.
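One way to do this clustering mechanically is to treat every name as a node and merge any two names that appear together in the same report or that normalize to the same key, so that each connected group of names becomes one profile. The script below is an added example, not code from the post or from Thales/Verint; the vendors, group names and aliases it uses are constructed, and the normalization rule (lowercase, alphanumerics only) is an assumption.

```python
from collections import defaultdict

# Constructed sample: three fictional vendors each report on the same groups
# under their own naming scheme; the aliases are names the groups used
# themselves on different platforms. Nothing here refers to a real group.
VENDOR_REPORTS = [
    # (vendor, vendor-assigned name, aliases mentioned in that report)
    ("VendorA", "CRIMSON FOX", {"cf_team", "CrimsonFox"}),
    ("VendorB", "TA-901", {"cf_team"}),
    ("VendorC", "GROUP 17", {"CrimsonFox", "Group17"}),
    ("VendorA", "SILVER HERON", {"heron_ops"}),
    ("VendorB", "TA-455", {"heron_ops", "SilverHeron"}),
    ("VendorC", "GROUP 42", set()),  # shares no alias: stays its own profile
]


def normalize(name):
    """Canonical key so that 'CRIMSON FOX' and 'CrimsonFox' collide (assumed rule)."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


class AliasClusters:
    """Union-find over normalized names; every root is one threat actor profile."""

    def __init__(self):
        self.parent = {}        # normalized key -> parent key
        self.display = {}       # normalized key -> first display form seen
        self.vendor_names = {}  # normalized key -> (vendor, vendor-assigned name)

    def find(self, key):
        self.parent.setdefault(key, key)
        while self.parent[key] != key:
            self.parent[key] = self.parent[self.parent[key]]  # path halving
            key = self.parent[key]
        return key

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

    def add_report(self, vendor, vendor_name, aliases):
        vkey = normalize(vendor_name)
        self.display.setdefault(vkey, vendor_name)
        self.vendor_names[vkey] = (vendor, vendor_name)
        self.find(vkey)
        # Every alias named in the report is merged with the vendor's own name.
        for alias in aliases:
            akey = normalize(alias)
            self.display.setdefault(akey, alias)
            self.union(vkey, akey)

    def profiles(self):
        """One record per cluster: all known names plus who calls it what."""
        groups = defaultdict(lambda: {"names": set(), "vendor_names": {}})
        for key in self.parent:
            root = self.find(key)
            groups[root]["names"].add(self.display[key])
            if key in self.vendor_names:
                vendor, name = self.vendor_names[key]
                groups[root]["vendor_names"][vendor] = name
        out = [{"names": sorted(g["names"]), "vendor_names": g["vendor_names"]}
               for g in groups.values()]
        return sorted(out, key=lambda g: g["names"][0])

    def names_for(self, any_alias):
        """Given one name from any source, return every name in its profile."""
        root = self.find(normalize(any_alias))
        return sorted(self.display[k] for k in self.parent if self.find(k) == root)


def cluster_reports(reports):
    clusters = AliasClusters()
    for vendor, vendor_name, aliases in reports:
        clusters.add_report(vendor, vendor_name, aliases)
    return clusters


if __name__ == "__main__":
    c = cluster_reports(VENDOR_REPORTS)
    for profile in c.profiles():
        print(profile)
    print("TA-901 is also known as:", c.names_for("ta-901"))
```

Because a single shared alias is enough to merge two clusters, a mistaken or deliberately reused alias will over-merge profiles; in practice each merge that joins two previously separate vendor names should be queued for analyst review rather than applied silently.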
Threat actor motivation, objectives and targets
Threat actor groups are formed for various reasons and the motivation for their actions influences their types of activities and levels of operations.
There are four main motivations for cyber-attack groups and each has its own objectives:
- Nation-state – geopolitical and espionage objectives
- Cybercrime – financial gain
- Hacktivism – social and ideological objectives
- Cyber-terrorism – political ideology
Knowledge of the attack group’s motivation can indicate the objectives of the threat actor, its level of sophistication and the industries it targets.
Geographical location and language
Revealing the geographical location of the threat actor helps identify the attack group as well as the possible motivation and targeted industries. The same applies to revealing the geographical location of the target of the attack – this information can indicate who the threat actor is and reveal the group’s motivation and capabilities.
The language used by threat actors in their online digital footprint also plays an important role in identifying the threat actor’s origin, motivation and objectives. By tracing their activities in underground forums, where they exchange exploits, intentions and leaked data, we are able to identify their language and origin.
Budget and technical skills
The budget and technical skills of a threat actor are strongly influenced by the group’s motivation and origin. In some cases we face large-scale operations run by a nation state; in others we face the malicious activity of organized crime. Analyzing the technical skills used in different attacks helps with the profiling and clustering of threat actors.
OPERATIONAL VALUE – Not all profiles are created equal
A single knowledge base with a contextualized analysis of all the major parameters and distinctions that define the threat actors, their motives and objectives, their targets and their modes of operation, and their technical skills, as part of an ongoing profiling process, is an essential tool for any cyber threat intelligence operation.
The threat intelligence teams at Thales and Verint have taken it upon themselves to research the most prominent threat actors operating globally today, analyzing their campaigns to contextually map and accurately score threat actors.
The MITRE ATT&CK framework-based threat actor profiling
Analyzing each threat actor’s methods of operation according to the MITRE ATT&CK framework, and dissecting the threat actor’s Tactics, Techniques and Procedures (TTPs), makes it possible to assess the level of threat each analyzed actor represents and to create an accurate threat actor profile. The analysis of different indicators, such as ease of implementation, the level of control the attacker has on the system, the range of attack techniques used, the agility of the attack and more, is used to build an indicative score for each threat actor.
SECURITY RESILIENCE – The impact of threat actors profiles on threat hunting and investigation processes
Given the knowledge and operational value derived from contextual analysis of threat actors’ activities and context-based profiling, security teams can substantially improve their investigation processes and enhance overall security resilience, with much more accurate threat hunting and risk scoping.
Threat actors profiles improve threat hunting process definition
When threat actor profiles are presented in context and mapped according to the MITRE ATT&CK framework, with their associated malware campaigns, the attack vectors they use and their TTPs, analysts are better able to hunt for threats. Solid, detailed threat actor profiles, with information such as common exploits used, attack techniques, relevancy to sector and more, help in forming a more precise threat hunting hypothesis and let analysts focus on identifying threats according to a relevancy and risk score.
Scoping the threat based on the threat actor profile
When the threat hunting process reveals Indicators of Attack (IoA), the analyst uses the threat actor profile to better understand the attacker’s attributes, operation patterns, specific TTPs and so on, in order to accelerate the investigation and scope the threat more accurately.
There is a path that connects threat intelligence about attack groups with cyber resilience, and it runs through rigorous threat actor profiling and clustering, threat hunting, and accurate scoping of threats and risks.
Look out for the second part of this post, where we provide technical examples of how to utilize threat actor profiling for threat hunting and investigation purposes.
The Ultimate Cyber Threat Handbook
Download the Thales-Verint Ultimate Cyber Threat Actors Handbook – A comprehensive analysis of the 66 most prominent threat actors, based on the MITRE ATT&CK framework.