Defining Adversaries as Threats

Several aspects are important when studying and attempting to understand adversarial behavior. First, be careful in assuming you understand their objective. False flag or 5th column activities can muddy what appears to be a straightforward attack. Threat objectives are ultimately one of the hardest topics on which to achieve clarity. Continuing to understand adversaries would include knowledge of their capabilities. I would refer the reader back again to Fig. 14.1: DoD Cyber Adversary Tiers. Understanding that not all threats are equal, not all threat actors have similar skills, resources or abilities will help enable a more nuanced study and observation of this aspect of cyber security research. Contextualizing adversaries into whatever modalities you prefer (DoD tiers) common label (hacktivist, organized crime, nation-state, etc.) will all add more precision and fidelity that the overloaded, often inaccurate “hacker” label.

Dig Deeper: False Flags and 5th columns

False flags is a term from spycraft when one actor will plant or leave, indicators and evidence that they are associated with a different organization or country. This could be as simple as wearing a uniform of another country, or as complex as mimicking TTP, language, and stylistic details of another cyber actor. Similarly, the 5th column is a hidden element within an organization or contrary that covertly works to subvert the objectives of the host. This is akin to an organization or a group of insider threats.

In addition to understanding capabilities, adversary Tactics, Techniques, and Procedures can be studied to better understand how they operate, what their intentions are, and perhaps even attribute them to a specific organization. This line of inquiry requires, often, considerable information to be collected from the various IT systems throughout the adversary campaign. Models such as the Cyber Kill Chain, conceptualized by Lockheed Martin, can be used to collect information (some of which will be outside the victim network, and very hard to get) and the rest (inside) might be tampered on unavailable. Alternative approaches would include lurking on various criminal and semi criminal message boards, website, and darknet forums. Open source information is often provided to the public free of charge from commercial organizations and other researchers. Often the raw information is missing, but the information can be a reasonable starting point. Organizations with an appropriate risk tolerance can actually set up a Honeypot or Honeynet.²² This can be a very hard system to set up and integrate, but it can be an invaluable source of information. The key challenges are to ensure that the honeypot is of sufficient quality and realism so that sophisticated threats do not realize that they are not on a real system. However, you also do not want to allow any vital resources to be compromised or worse your systems to be used to compromise some other organization. Similarly, the integration of the honeynet into your operations network can be a technical challenge. For more details on Honeypots refer to Chapter 13, Instrumentation.

Research Methods for Cyber Security