Relying on Threat Actor Behavior Profiles Alone is a Great Way to get an Unwelcomed Outcome...
Over the past year, the buzz around tracking threat actors has been growing and in my opinion hitting the height of the hype cycle. I have had many conversations and debates with friends, colleagues and customers around what the industry is trying to accomplish by associating activity back to a specific cyber threat actor or actor group. I will share these thoughts and perspectives, but prior let us look at where the use of “threat actors” with reference to cyber originated.
While not a documented, historical, milestone by my knowledge, I am comfortable making the claim that it originated from the Government, specifically, Intelligence, Defense and Law Enforcement organizations and communities. At first, these actors were only referred to behind closed doors, but eventually common names began to surface. These names surfaced and became a vernacular through commercial and research organization’s gaining actor knowledge through first hand dealings with the aftermath of these actors, and through the public-private partnership initiatives driven by the Government. It became a way to get everyone on the same page with a shared and common taxonomy and more importantly motives, capabilities and tactics. This is not too far from how the Counter Terrorism world tracks and communicates the direct and indirect affiliations of organizations like Al Qaeda, their area of operations, influence, capabilities, command structure, financing, etc. However, terrorist organization names aren’t typically as whimsical and security software companies don’t seem as eager to create products and host webinars to talk about actors known to prefer a kinetic attack.
Separating value from hype
So let me share my perspective on separating the value from the hype and what I believe to be the dangers in over rotating on “threat actors.” From my vantage point I would say that the number one value point is placing a name on a faceless entity for communicating the threat and risk to senior management (i.e. non-technical and non-cyber versed individuals). I completely understand the value this has in helping security operations, threat intelligence analysts and others communicate current and potential situations up the management chain of command. Using the threat actor name helps convey the scope, intent, capability and risk to the business that before was essentially faceless. It helps management understand whether the threat is criminal, nation state or hacktivism. It helps management understand the actors’ motives, what they have been able to achieve in the past and the potential impact on the business should it be targeted.
Discerning the threat actor also helps us establish a baseline for the individual’s or group’s capabilities and sophistication. This is important as it potentially enables operations to track threat actor resources and identify breaches in a more effective and efficient means. However, this specific benefit is where I believe organizations can, and to some degree are, over rotating. There is beginning to be an over reliance on established information. In essence, the adversary can leverage our profiling of their behavior against us. In fact they may already be doing this by conditioning us into believing we understand how they operate and their motives. Unlike a traditional terrorist operation, the ability to adapt by spinning up new capabilities and standing up new groups is much easier. This is because cyber threat actors do not have the same physical reliance that conventional terrorist organizations have. One cyber threat actor or actor group can have a dozen virtual identities all with different targets and capabilities.
We must also realize that the actors know their own common names and what we know; therefore, they can change their tools, techniques and procedures to keep ahead of our understanding and to use diversionary techniques based on known and worse, expected, historical behavior. The ability for actors and actor groups to impersonate each other is also a strong possibility. I can think of numerous perversions in how to leverage our current fixation of profiling cyber threat actors to our disadvantage.
I am not advocating ignoring our current and developing knowledge of threat actors and groups, but I am suggesting to temper the focus appropriately. At the end of the day security operations and threat intelligence teams’ objectives are to detect, prevent and constantly prepare the organization against cyber threats. This has to happen regardless of any whimsical name or behavior profile. If we were to compare the lessons learned from combatting terrorism, it would be that profiling is easily defeated and any new actor can arise, unexpectedly and with great effect. Leverage all of your intelligence sources to expand context and to better position your organization. Relying on behavior profiles alone is a great way to get an unwelcomed outcome.