Outmaneuvering the Adversary: How to Detect Cyberthreats You Didn’t Know Were There

If you’re concerned about the increased threat of cyberattacks by state-sponsored hackers and hacktivist groups in the current geopolitical atmosphere, you’re certainly justified.

Criminal groups are emerging from the shadows and pledging their allegiance to Russia. They’re conducting reconnaissance attacks and coalescing into the roles they’ll play in the global cyberwar many see on the horizon—one that will likely be coordinated by a central command.

These real threats are driving intense efforts within security organizations across industries, from critical infrastructure and financial markets to government organizations, supply chain and logistics, and many others. The security organization is realizing that it must become better at identifying and ultimately outmaneuvering adversaries.

At the CISO level, we’re seeing an unprecedented focus on gathering information about attackers to better understand what’s at risk and how to mitigate threats. Within the CISO’s team, the imperative is to apply a macro view of attacker motivation to the organization’s understanding of their vulnerability to attack, allowing teams to prepare for and detect unknown cyberthreats.   

Fostering bidirectional communication   

If there’s a silver lining to preparing for imminent of cyberattacks, it’s this: we’re finally starting to achieve the collaborative bidirectional communication between security operations and the threat intelligence team required to quickly detect and respond to attacks.

Instead of the traditional one-way flow of information where the threat intelligence team delivers briefs to the security operations center (SOC) team, we’re seeing teams work together to understand the attacker. The vision of a cyber fusion center is coming to fruition.

Discussions are happening across roles, from the practitioners discovering threats to the security engineer concerned with controls to the CISO weighing the priorities for remediation. In turn, the informed CISO translates the intelligence the team has gathered into business impacts and communicates those to executives.

But communication and intelligence alone are not enough to win the battle. You need to be able to analyze this intelligence and act on it quickly. In other words, you need to operationalize it.

Operationalizing intelligence in three steps  

When CISOs and SOC analysts come to us at Anomali for insight into the adversaries and attacks that they should be prepared for, we help them understand and refine a process for operationalizing intelligence.

Here’s what we’ve seen work effectively in best-in-class security organizations:  

• Step one: Define the security posture

The security organization, including SOC analysts, threat intelligence analysts, and the CISO, work together to define the organization’s defensive security posture and explain it to non-technical executives outside of the CISO’s organization.

• Step two: Extract lessons learned

As incidents happen (both internally and externally), teams move quickly to gather intelligence and identify lessons learned. They work to understand the details of the attack, such as the payload, the method used to propagate it, and other adversary behaviors used in advanced persistent threats. With the nuggets of relevant information about the attack, the team extracts lessons learned and feeds them back into their defensive posture.  

• Step three: Prepare for an attack

The next step is for the red team to emulate the attack within your environment. Similar to war gaming, incident responders then try to identify the attack as it unfolds. Replaying an incident and identifying the details of the techniques being used by an attacker gives teams the insights they need to put the right security controls in place to stop the attack and harden their security posture.

These steps take place in a continuous loop every time new intelligence comes in.

Improving your defense with automation and AI    

The process I just described to operationalize intelligence is predicated on having access to comprehensive threat intelligence. This includes relevant global threat data, including actor, technique, and indicator intelligence. (For more insight into the importance of relevant threat intelligence, check out “How Can You Identify an Attack and Predict the Next Move? It Takes Relevant Threat Intelligence“)

Given what’s at stake for organizations today, CISOs should also consider investing in tools that automate the collection and management of threat intelligence. Automation accelerates detection and investigation while making it easier for different roles and parts of the organization to collaborate.

Another critical tool that supports this process is the MITRE ATT&CK framework, which helps organizations apply intelligence to understand attackers’ tactics, techniques, and procedures (TTPs). You can read more about MITRE ATT&CK and how it can help your team in my ATT&CK blog post “Leveraging MITRE ATT&CK: How Your Team Can Adopt This Essential Framework”.

And finally, there’s an emerging model for understanding the context and relationships between the sequences of techniques attackers use. Called the Attack Flow project, it’s a data format for describing sequences of adversary behavior that the Center for Threat-Informed Defense is developing in collaboration with cybersecurity leaders. The goal is for the format to become a standard leveraged throughout the industry to support threat intelligence use cases—including the three-step process detailed above. You can learn more about the format and see an example of it built from a public intrusion in “Attack Flow—Beyond Atomic Behaviors.”      

Want to learn more about achieving intelligence-driven security operations? I recommend watching the webinar “Climbing the Threat Intelligence Maturity Curve.”

Mark Alba

_{Chief Product Officer at Anomali}

_{Mark Alba is Chief Product Officer at Anomali, joining the company in April 2020. Mark has over 20 years of experience building, managing and marketing disruptive products and services. Throughout his career, Mark has been on the front lines of innovation, leading product efforts in both start-up and large enterprise organizations including Check Point Technologies, Security Focus, Symantec and Hewlett Packard Enterprise.}

_{His proven track record includes bringing to market the security industry’s first fully integrated appliance firewall, leading the integration of global threat intelligence into perimeter security technologies and introducing advanced analytics in support of cyber security operations.}