Attribution and Threat Modeling
Netflix Information Security Team Halloween 2017

Thank you for joining us on article two of our series about the Future of Threat Intelligence at Netflix.

Early in my career I liked to imagine myself locked in a battle of wits with a Karla of some sort. The reality is less literary archrival and more a diverse set of ne'er-do-wells, but equally challenging. Absent a specific villain, what is the role of attribution in a corporate threat intelligence program? As with most things, it turns on the business value delivered: if knowing the name of the person targeting your systems helps reduce risk for your organization, then discovering that information should be a goal of your intelligence program. In practice, though, this is seldom relevant to business risk reduction outside the rare cases where one might cooperate with law enforcement to target a particularly problematic fraud actor, or, as we will discuss later, in the world of physical and information security convergence. While law enforcement needs individual attribution, corporate security programs can most often work at a coarser granularity without losing impact. The goal is to better understand the intent and capabilities that comprise a threat.

Attribution is valuable during an incident inasmuch as it provides leads on how to scope the intrusion or detect the attacker. If attribution provides actionable information on capabilities, such as TTPs (or even IOCs) that can be used to find other signs of intrusion, then it is a worthwhile exercise. If a malicious third-party integration is discovered in a user's G Suite account, and this matches the TTPs/IOCs of a threat actor also known to set up forwarding rules in mailboxes, that knowledge can be used in cleanup efforts and to hunt for other compromised accounts in the environment. Whether this actor was APT28 or APT29, or the GRU versus the SVR, has little bearing, but the basic class of attacker (state actor; I will avoid the redundant 'nation state') reveals much about the broad capabilities one could expect.
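To make that hunt concrete, here is an added example (not Netflix code, and not the author's) that applies a known-actor profile to a constructed batch of G Suite-style audit events. The event field names (`actor`, `event`, `client_id`, `forward_to`), the OAuth client id, the forwarding domain, the three-day window and the sample accounts are all assumptions, not the real Google Workspace audit schema or any real indicator. It matches on the hard IOCs first, then on the behaviour (an app authorization followed shortly by a forwarding rule to an external domain), which also surfaces accounts the indicators alone would miss:

```python
"""Hunt for accounts matching a known actor's IOCs and TTPs.

Added example, not Netflix code. Event shape, indicators and accounts are
constructed for illustration; the field names are assumptions, not the
real Google Workspace audit schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

OUR_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Constructed sample audit events, already flattened to one dict each.
EVENTS = [
    {"ts": "2017-10-20T09:12:00", "actor": "alice@example.com",
     "event": "authorize", "app_name": "Mail Sync Pro", "client_id": "1111.apps"},
    {"ts": "2017-10-20T09:15:00", "actor": "alice@example.com",
     "event": "email_forwarding_change", "forward_to": "archive@mail-relay.example.net"},
    {"ts": "2017-10-21T14:02:00", "actor": "bob@example.com",
     "event": "authorize", "app_name": "Calendar Helper", "client_id": "2222.apps"},
    {"ts": "2017-10-25T08:40:00", "actor": "carol@example.com",
     "event": "email_forwarding_change", "forward_to": "carol.personal@example.net"},
    {"ts": "2017-10-26T11:00:00", "actor": "dave@example.com",
     "event": "authorize", "app_name": "Mail Sync Pro", "client_id": "1111.apps"},
    {"ts": "2017-10-27T11:30:00", "actor": "dave@example.com",
     "event": "email_forwarding_change", "forward_to": "backup@mail-relay.example.net"},
]

# Actor profile derived from the first confirmed compromise (alice): two hard
# IOCs plus the forwarding-rule TTP. Constructed; the label is a class, not
# a real-world identity, which is all the hunt needs.
KNOWN_ACTOR = {
    "name": "actor-X",
    "client_ids": {"1111.apps"},
    "forward_domains": {"mail-relay.example.net"},
}
WINDOW = timedelta(days=3)  # assumed: how soon after the app grant the rule appears


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def per_account(events):
    """Group events by account, oldest first (ISO timestamps sort as strings)."""
    grouped = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        grouped[event["actor"]].append(event)
    return grouped


def hunt(events, profile=KNOWN_ACTOR, window=WINDOW):
    """Return {account: [reasons]} for accounts matching the profile.

    IOC matches are exact (client id, forwarding domain). The TTP match is
    the behaviour itself: any app authorization followed within `window`
    by a forwarding rule to a domain other than our own.
    """
    hits = {}
    for account, evs in per_account(events).items():
        reasons = []
        auths = [e for e in evs if e["event"] == "authorize"]
        fwds = [e for e in evs if e["event"] == "email_forwarding_change"]
        for a in auths:
            if a["client_id"] in profile["client_ids"]:
                reasons.append(f"IOC: app {a['client_id']}")
        for f in fwds:
            domain = f["forward_to"].split("@", 1)[1]
            if domain in profile["forward_domains"]:
                reasons.append(f"IOC: forward domain {domain}")
            for a in auths:
                gap = parse_ts(f["ts"]) - parse_ts(a["ts"])
                if timedelta(0) <= gap <= window and domain != OUR_DOMAIN:
                    reasons.append(f"TTP: app grant then external forward to {domain} after {gap}")
        if reasons:
            hits[account] = reasons
    return hits


if __name__ == "__main__":
    for account, why in hunt(EVENTS).items():
        print(account)
        for reason in why:
            print("   ", reason)
```

Run it directly to print the flagged accounts and the reason for each. The TTP match is deliberately broader than the IOC match: once the actor rotates the OAuth client id or the forwarding domain, the indicator hits stop but the behavioural pair still fires, which is the point of working at the TTP level of granularity.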

Attribution to a specific international actor might reveal something more about intent, and could inform the defender about the goals of the attackers or the level of effort they are willing to exert. Taking a different example: if you observe malicious scanning activity, is this an in-the-wild Struts scanner that is hitting everyone, or a targeted scan of just our ranges? If the former, it is likely a commodity payload and I have high confidence our OS-level controls will thwart it, or, if it lands, it will do something annoying like mine coins rather than something awful like steal customer data. If the latter, it warrants closer monitoring and possibly manual intervention to quarantine and observe the attack as it tries to evolve. Further efforts at attribution can be tantalizing, but if the information is not driving decision making then it is not adding business value.
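As an added example (not Netflix code), the following applies that commodity-versus-targeted distinction to a constructed set of border-sensor records. It assumes a sensor that logs every connection attempt into our address space and, where the connection completed, the HTTP Host header and path; the address ranges, live-host list, hostnames, the `.action` probe heuristic and the thresholds are all assumptions for illustration. The idea is that a commodity sweep hits dark addresses and addresses the target by IP literal, while a targeted probe lands only on live hosts and names them by their real hostnames:

```python
"""Triage a scan source as a commodity sweep or a targeted probe.

Added example, not Netflix code. The sensor records, live-host list,
hostnames and thresholds are constructed or assumed for illustration.
"""
import ipaddress
from collections import defaultdict

# Assumptions about our environment (constructed).
OUR_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
LIVE_HOSTS = {"203.0.113.2", "203.0.113.4", "203.0.113.10", "203.0.113.20"}
OUR_HOSTNAMES = {"www.example.com", "api.example.com"}

# Assumed sensor format: src dst http_host path, with "-" where the TCP
# connection never completed (nothing answers on a dark address). Constructed.
SENSOR_LOG = """\
198.51.100.7 203.0.113.1 - -
198.51.100.7 203.0.113.2 203.0.113.2 /index.action
198.51.100.7 203.0.113.3 - -
198.51.100.7 203.0.113.4 203.0.113.4 /index.action
198.51.100.7 203.0.113.5 - -
198.51.100.7 203.0.113.6 - -
198.51.100.9 203.0.113.10 www.example.com /index.action
198.51.100.9 203.0.113.10 www.example.com /login.action
198.51.100.9 203.0.113.20 api.example.com /api/v1/accounts/export
198.51.100.9 203.0.113.20 api.example.com /api/v1/accounts/export
"""


def is_generic_probe(path):
    """Assumed heuristic: a top-level Struts-style '.action' URL with no
    application-specific path is what an in-the-wild scanner sprays."""
    return path.endswith(".action") and path.count("/") == 1


def in_our_ranges(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_RANGES)


def parse(log):
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        src, dst, host, path = line.split()
        records.append({"src": src, "dst": dst,
                        "host": None if host == "-" else host,
                        "path": None if path == "-" else path})
    return records


def triage(log, dark_max=0.1, named_min=0.5):
    """Per source: share of targets that are dark addresses in our space,
    share of completed requests that carry one of our real hostnames, and
    share of requests that go beyond a generic probe. Thresholds are assumed.
    """
    by_src = defaultdict(list)
    for rec in parse(log):
        if in_our_ranges(rec["dst"]):
            by_src[rec["src"]].append(rec)
    result = {}
    for src, recs in by_src.items():
        targets = {r["dst"] for r in recs}
        dark = sum(1 for t in targets if t not in LIVE_HOSTS) / len(targets)
        http = [r for r in recs if r["host"]]
        named = (sum(1 for r in http if r["host"] in OUR_HOSTNAMES) / len(http)) if http else 0.0
        tailored = (sum(1 for r in http if not is_generic_probe(r["path"])) / len(http)) if http else 0.0
        targeted = dark <= dark_max and named >= named_min
        result[src] = {"targets": len(targets),
                       "dark_fraction": dark,
                       "named_host_fraction": named,
                       "tailored_path_fraction": tailored,
                       "label": "targeted" if targeted else "commodity"}
    return result


if __name__ == "__main__":
    for src, metrics in triage(SENSOR_LOG).items():
        print(src, metrics["label"], metrics)
```

Neither signal is conclusive on its own (a targeted attacker who first sweeps your ranges looks commodity until they come back), so the function returns the metrics alongside the label rather than only the verdict, and the thresholds are parameters you would tune against your own sensor history.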

I see threat modeling as a closely related function: essentially attribution of potential attacks. A model in this case is a representation of an idea used to describe and explain phenomena that cannot be experienced directly. One could debate what it means to experience a threat directly (it feels pretty direct during an incident), but we seldom have complete information on the attack, particularly ahead of time, so I think the definition holds. A threat is an entity with the intent and capability to do you harm, so modeling threats is all about the attackers. Oddly, many definitions of threat modeling pull in vulnerability identification, attack surface definition, and asset cataloguing as part of threat modeling. To me that is a harmful expansion of scope that loses focus on the relevant aspects of an adversary-focused exercise. There is absolutely a need for asset inventory and vulnerability identification and tracking as part of an enterprise risk model; however, to conflate those with threat modeling dilutes the purpose, though risk management functions should be a primary consumer of threat intelligence.

For me, threat modeling should start with a comprehensive listing of threat actors. This is difficult to create, at least in a highly granular fashion, so again we reach for abstraction and start out with broad categories of folks who want to do your business harm. For many applications these comprehensive categories are granular enough, but it can also be helpful to break them down further, and perhaps choose some exemplars from the various buckets to get more specific in modeling capabilities against specific controls (detection and prevention). I wasn't able to find a standard taxonomy for threat actor classes, but government, criminal, hacktivist, and explorer seem to appear in several places. I like these as they speak to intent rather than position. For example, you could use insider as a top-level threat category, but insiders may have criminal or hacktivist (disgruntled) or even government-derived (spy!) intent. Within these top-level intent-based classes you could further dissect based on capabilities, organized crime group versus individual fraud actor for example. You continue to refine this model until the distinctions you draw stop changing decisions on investments; then stop!
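An added example (not Netflix code) of that stopping rule as a small algorithm: the taxonomy is a tree whose top level is intent and whose leaves are capability-based sub-classes, each mapped to the controls it would drive. Sibling leaves that drive identical control decisions are collapsed, because the distinction between them is not changing any investment. The classes and control sets are constructed for illustration, not a recommended set:

```python
"""Refine an intent-based threat-actor taxonomy only as far as it changes
investment decisions.

Added example, not Netflix code; classes and control sets are constructed.
"""

# Top level = intent. Leaves = capability-based sub-classes, each mapped to
# the controls (detection and prevention investments) that class justifies.
TAXONOMY = {
    "government": {
        "state actor A": {"mfa", "edr", "egress-monitoring", "hardware-attestation"},
        "state actor B": {"mfa", "edr", "egress-monitoring", "hardware-attestation"},
    },
    "criminal": {
        "organized crime group": {"mfa", "edr", "egress-monitoring", "fraud-velocity-checks"},
        "individual fraud actor": {"mfa", "fraud-velocity-checks"},
    },
    "hacktivist": {
        "disgruntled insider": {"mfa", "dlp", "least-privilege"},
        "external collective": {"ddos-mitigation", "waf"},
    },
    "explorer": {
        "hobbyist": {"waf", "patching"},
    },
}


def decisions(node):
    """Union of every control any class in the subtree would drive."""
    if isinstance(node, set):
        return set(node)
    out = set()
    for child in node.values():
        out |= decisions(child)
    return out


def prune(node):
    """Merge sibling leaf classes whose control sets are identical.

    That distinction would not change what you invest in, so refinement
    stops there. Returns (pruned_tree, merged_names).
    """
    if isinstance(node, set):
        return set(node), []
    merges = []
    first_with = {}   # frozenset(controls) -> name of the surviving sibling
    out = {}
    for name, child in node.items():
        sub, sub_merges = prune(child)
        merges.extend(sub_merges)
        if isinstance(sub, set):
            key = frozenset(sub)
            if key in first_with:
                survivor = first_with[key]
                merged = f"{survivor} / {name}"
                out[merged] = out.pop(survivor)
                first_with[key] = merged
                merges.append(merged)
                continue
            first_with[key] = name
        out[name] = sub
    return out, merges


if __name__ == "__main__":
    tree, merged = prune(TAXONOMY)
    print("collapsed:", merged)
    for intent, classes in tree.items():
        print(intent, "->", sorted(classes))
```

The union of controls before and after pruning is unchanged, which is what makes the collapse safe; what it buys you is fewer exemplars to model, table-top and red-team against.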

Within each of your chosen classes it is then helpful to define intent and capabilities. This feeds into scenario-based training using tabletops and/or red team exercises, which help sharpen the fangs between actual engagements, as well as measure current investments and increase confidence in your risk forecasts. The output (learning) of these simulations informs the enterprise risk and planning processes of your security program; see A Learning Security Organization.

Overall, attribution has a role to play in a modern threat intelligence program, but you need to carefully align the level of investment and specificity with what your particular business needs, and not chase attribution for curiosity's sake. Threat modeling is related to attribution and plays an important role in planning investments and testing assumptions. I would be curious to hear more from folks who have successfully integrated their threat intelligence with simulation as well as investment planning activities.

Stay tuned for our next post coming soon!

Comment from Beau Gonzales, CISSP, GCFE (Passionate Cybersecurity Professional), 6 years ago:

Determining the threat actor really only helps when determining what target our threat actor is likely after, what means they may have to help them succeed, and the TTPs for gaining access to your data. Identifying those TTPs either helps you attribute the threat actor, or helps you in further determining what the next step of an attributed event might be. It is extremely important to determine if these attempts to access your data have been observed by personnel within your network previously and, if so, what the progressive steps might be going forward. Keeping up to date with those actors in your space, whether APT or hacktivist and the like, helps in determining if you've witnessed similar actions previously on your network and possible mitigation strategies going forward. Scanning and attack progression, along with other TTPs post-infection, are often characteristic of a particular threat actor and give both credence to the activities implemented to mitigate them and help the team bolster their defensive strategies going forward. Every correlated and attributed event helps the defender put things into perspective, allowing them to make better business decisions to keep the network safe, the overall goal of every threat program. Providing the name of the actor likely only provides value to those directly tied to the event and for historical tracking (TTPs) purposes.


More articles by Alex Maestretti

  • New Year. New Job? Remitly security roles!
  • Netflix and beyond
  • Netflix Incident Response in LA
  • Threat Intelligence for Vulnerability Management
  • The Evolution of IOCs
  • The Future of Threat Intelligence at Netflix
  • A Learning Security Organization
  • A SOCless Detection Team at Netflix
  • On Call Developers
  • Memory Forensics in Clouds and Containers