In the first phase of the framework, the attacker determines the target and defines initial mission objectives. On the defenders’ side, analysts can take steps to safeguard the assets attackers are likely to target, such as determining what and where their most valuable data is and whether threat actors have been or may currently be interested in the organization and its assets, intellectual property, customers or proprietary data.
Security teams should also integrate threat intelligence into the organization’s cybersecurity program. By building a threat profile of the adversaries most likely to target the company, security teams can focus on the most relevant threat groups instead of spreading generic coverage across the entire pool of active cyber threat actors. This strategy is also in line with the best practices suggested by the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity.
Threat profiles help provide the contextual background for these malicious actors, such as their capabilities and tactics, which defenders can use to prioritize cyber events and defense.
To establish a threat profile, security analysts must answer the following questions:
Have Threat Actors Targeted the Organization?
Have threat actors breached the network in the past? If not, are there any indications that they may be interested in your company?
For example, has senior management received any spear-phishing emails? These clues can provide valuable insight into the type of actors that may be targeting the organization. Unusual network traffic on the company’s internet-facing ports is another clue. For example, large amounts of traffic originating from countries that your company doesn’t operate in could indicate potentially malicious activity.
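The traffic clue above (large volumes on internet-facing ports from countries the company does not operate in) can be turned into a simple triage check. The script below is an added example and is not code from the original article; it assumes a flow-log format of timestamp, source IP, GeoIP country code, destination port and byte count, a hypothetical OPERATING_COUNTRIES set describing where the company does business, and a byte threshold chosen to keep single stray connections out of the findings. The sample records are constructed and use documentation IP ranges.

```python
from collections import defaultdict

# Assumption: the countries in which the organization operates or expects customers.
OPERATING_COUNTRIES = {"US", "CA"}

# Constructed sample flow records for an internet-facing host (not real data).
# Fields: timestamp, source IP (documentation ranges), GeoIP country, dst port, bytes.
SAMPLE_LOGS = """\
2024-05-01T08:00:01Z 203.0.113.10 US 443 1200
2024-05-01T08:00:05Z 203.0.113.11 US 443 900
2024-05-01T08:01:10Z 198.51.100.7 CA 443 1500
2024-05-01T08:02:00Z 192.0.2.44 BR 22 50000
2024-05-01T08:02:03Z 192.0.2.44 BR 22 48000
2024-05-01T08:02:07Z 192.0.2.45 BR 3389 62000
2024-05-01T08:03:00Z 192.0.2.90 DE 443 700
this line is malformed and should be skipped
"""


def parse_line(line):
    """Parse one flow record; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src_ip, country, port, nbytes = parts
    try:
        return {
            "ts": ts,
            "src_ip": src_ip,
            "country": country.upper(),
            "port": int(port),
            "bytes": int(nbytes),
        }
    except ValueError:
        return None


def aggregate_by_country(lines):
    """Sum bytes, count connections and collect ports/sources per source country.

    Returns (stats, skipped) where skipped counts non-blank lines that did not parse,
    so an analyst notices when a log format change silently hides traffic."""
    stats = defaultdict(lambda: {"bytes": 0, "connections": 0, "ports": set(), "sources": set()})
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                skipped += 1
            continue
        s = stats[rec["country"]]
        s["bytes"] += rec["bytes"]
        s["connections"] += 1
        s["ports"].add(rec["port"])
        s["sources"].add(rec["src_ip"])
    return dict(stats), skipped


def flag_unexpected_countries(lines, operating_countries, byte_threshold=10_000):
    """Return findings for source countries outside the operating set whose inbound
    volume exceeds byte_threshold, highest volume first. Unresolved GeoIP codes
    (for example "ZZ") fall through the same path, since they are not in the set."""
    stats, _skipped = aggregate_by_country(lines)
    total = sum(s["bytes"] for s in stats.values()) or 1
    findings = []
    for country, s in stats.items():
        if country in operating_countries:
            continue
        if s["bytes"] <= byte_threshold:
            continue  # below threshold: a single stray connection is not a finding
        findings.append({
            "country": country,
            "bytes": s["bytes"],
            "share": round(100 * s["bytes"] / total, 1),  # percent of all inbound bytes
            "connections": s["connections"],
            "ports": sorted(s["ports"]),
            "sources": sorted(s["sources"]),
        })
    findings.sort(key=lambda f: f["bytes"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in flag_unexpected_countries(SAMPLE_LOGS.splitlines(), OPERATING_COUNTRIES):
        print(f"{f['country']}: {f['bytes']} bytes ({f['share']}%), "
              f"{f['connections']} connections, ports {f['ports']}, sources {f['sources']}")
```

On the constructed sample, the two US and one Canadian connections are ignored, the single small German connection stays below the threshold, and the Brazilian sources stand out with roughly 97% of inbound bytes concentrated on ports 22 and 3389. The threshold and the operating-country set are the two knobs an analyst tunes; the ports and source list in each finding are what they would pivot on next.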
What Type of Attacker Would Be Interested in Your Organization?
By understanding past attacks against companies in the same industry, security teams can assess which types of threat actors are likely to target the organization and profile their known capabilities and modus operandi.
For example, do these threat groups have the means and technical knowledge to perform an advanced intrusion? Do they typically compromise networks by exploiting known vulnerabilities? Anticipating the adversary’s likely entry path can help prioritize the most impactful areas for security investments.
Where Are These Threat Groups Located?
Security teams can gain insight into threat actors’ motives, mission and tactics by understanding contextual information about them, such as where they are located. This data can help analysts identify the attack vectors where added vigilance and controls would most improve protection.
What Are the Attackers’ Goals?
Understanding what threat groups are after can help organizations protect digital assets and data. Attackers target a variety of data — from financial information, which can be sold on the darknet, to intellectual property, which can be sold for profit or used in corporate espionage. Some threat actors may seek to destroy data or harm critical infrastructure.
Understanding the organization’s key assets and predicting which ones are most appealing to threat actors can help security teams determine governance, controls and best practices to help protect and secure their digital environments.