I always loved Halloween as a kid; not because I was particularly into the scary theme, but because I enjoyed looking at how all the scary devices and displays worked. It always fascinated me that the zombie, or whatever it may be, could sense you walking up, pop out through a mechanism and try to scare you. While all my friends were busy either being scared or laughing at it, I would get up close to see how it worked. How did it detect you? What mechanism made it pop out so quickly? Real life of the party, I know. But when it comes to cybersecurity, there is real benefit in having a childlike curiosity about what we are up against. Just like the ghouls and ghosts that may come after you this Halloween, we will be exploring what these threats look like in the cyber realm and how understanding them can give you a better chance and quell the scary ambiguity they hold.
When we think about adversaries, we usually think of people such as criminals acting alone or groups that come together with like minds, usually identified by an acronym. Terrorist organizations and the like are labeled in the same way. In cyberspace, we identify threat actors the same way. Using the open, publicly available MITRE ATT&CK knowledge base, we can view a catalog of adversaries along with whom they target, how they go about exploiting them, and much more. The database serves to make understanding threat actors and the tactics and techniques they use simpler by describing them in a common language. Envision yourself in the zombie apocalypse, with your community trying to protect itself from the monsters outside. From this almanac of information, you learn that the monsters likely to target your community can fly, and often find open windows an alluring way in. Knowing this, you equip your homestead with reinforced roofs and barricaded windows. While this example may seem a bit funny, you actually just performed an analysis of your threats, identified the tactics and techniques they can use against you, and took preventive measures against them to the best of your ability; that is the goal of the MITRE ATT&CK framework. Let’s take our example to the real world and see which adversaries we can identify that may be targeting our organization based on the industry it is a part of.
Starting with the website, when we navigate to it we find a host of information about tactics and techniques that are currently in use. Since we are approaching this at a high level, we are only going to focus on finding specific adversaries that may be targeting us. Using the search bar, we can input the industry we operate in – healthcare, for example – and view a list of adversaries that have that industry in their sights. Once we’ve identified an actor we would like to learn more about, we can select their name to open the page with the known information about them. First we see the name they are identified by, along with which groups they are commonly associated with, their country of origin, and what their motives may be.
Scrolling down, we find the techniques they employ to exploit an organization. As a business owner, much of this may not make sense, and that is ok. Simply scan through some of the techniques and look for technical terms you may already be familiar with, such as PowerShell, and make a mental note of whether that tool is used in your organization often. Along with this, look through some of the tactics they use to gain a foothold, such as compromising users' social media accounts or using deceptive emails to launch spearphishing attacks.
Moving down the page some more, we can look at the software section to see which applications they use to further their operations. These applications map to the tactics and techniques used and can be excellent indicators that something fishy may be happening if they are detected. Again, while this may not be immediately useful if the organization doesn’t have a way to control which applications run, simply understanding that there is a list of malicious software associated with attacks on your industry is the goal here.
After reviewing our threat actor, it is wise to search for a couple more adversaries to see if there are common ties among them. For example, if our organization is in the healthcare space, we might see more ransomware-based attacks, as the information on the systems may be less desirable to exfiltrate compared to the massive payout a successful ransomware attack against a hospital may bring. Conversely, if the organization is in the military space, a ransomware attack may be less likely than exfiltration of potentially classified information.
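The same four steps (search groups by industry, list a group's techniques, list its software, find the techniques shared across groups) can be run against the ATT&CK data itself, which MITRE publishes as STIX JSON bundles. The example below is added here and is not code from the original post or from MITRE: it builds a miniature bundle inline with made-up group and software IDs (the technique IDs are real ATT&CK IDs for the PowerShell, spearphishing and ransomware techniques the post mentions), and assumes the object shapes of the public bundle (intrusion-set, attack-pattern, tool, and "uses" relationships).

```python
# Added example, not code from the original post. A constructed miniature of the
# MITRE ATT&CK STIX bundle and the lookups the post performs by hand on the site.
# Object shapes follow the public bundle; every group/tool value here is made up.

def obj(kind, key, name, ext_id, desc=""):
    return {"type": kind, "id": f"{kind}--{key}", "name": name, "description": desc,
            "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}]}

def uses(src, dst):  # STIX relationship: a group "uses" a technique or piece of software
    return {"type": "relationship", "relationship_type": "uses",
            "source_ref": src, "target_ref": dst}

SAMPLE_BUNDLE = {"type": "bundle", "objects": [  # constructed sample data
    obj("intrusion-set", "a", "Sample Group A", "G-SAMPLE-A",
        "Has targeted healthcare and pharmaceutical organizations."),
    obj("intrusion-set", "b", "Sample Group B", "G-SAMPLE-B",
        "Financially motivated; deploys ransomware against healthcare providers."),
    obj("intrusion-set", "c", "Sample Group C", "G-SAMPLE-C",
        "Espionage against defense contractors."),
    obj("attack-pattern", "t1", "Spearphishing Attachment", "T1566.001"),
    obj("attack-pattern", "t2", "PowerShell", "T1059.001"),
    obj("attack-pattern", "t3", "Data Encrypted for Impact", "T1486"),
    obj("tool", "s1", "SampleTool", "S-SAMPLE-1"),
    uses("intrusion-set--a", "attack-pattern--t1"), uses("intrusion-set--a", "attack-pattern--t2"),
    uses("intrusion-set--b", "attack-pattern--t1"), uses("intrusion-set--b", "attack-pattern--t3"),
    uses("intrusion-set--b", "tool--s1"), uses("intrusion-set--c", "attack-pattern--t2"),
]}

def attack_id(o):  # the G/T/S identifier shown on the website for a STIX object
    return next(r["external_id"] for r in o["external_references"]
                if r["source_name"] == "mitre-attack")

def groups_targeting(bundle, keyword):
    """Step 1: search group descriptions for an industry keyword (like the site's search bar)."""
    return sorted(attack_id(o) for o in bundle["objects"] if o["type"] == "intrusion-set"
                  and keyword.lower() in o["description"].lower())

def used_by(bundle, group_attack_id, kinds=("attack-pattern",)):
    """Steps 2-3: follow a group's 'uses' relationships to techniques (or tools/malware)."""
    by_id = {o["id"]: o for o in bundle["objects"] if "id" in o}
    group = next(o for o in by_id.values()
                 if o["type"] == "intrusion-set" and attack_id(o) == group_attack_id)
    return sorted(attack_id(by_id[r["target_ref"]]) for r in bundle["objects"]
                  if r["type"] == "relationship" and r["relationship_type"] == "uses"
                  and r["source_ref"] == group["id"] and by_id[r["target_ref"]]["type"] in kinds)

def common_techniques(bundle, keyword):
    """Step 4: techniques every group mentioning the industry shares; a good place to start defending."""
    sets = [set(used_by(bundle, g)) for g in groups_targeting(bundle, keyword)]
    return sorted(set.intersection(*sets)) if sets else []
```

Pointing the same functions at the full enterprise bundle turns the manual browsing above into a repeatable query, for instance `used_by(bundle, "G-SAMPLE-B", kinds=("tool", "malware"))` for the software section.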
After using this database, hopefully you can see the value in how simply searching for our sector, healthcare, led us to identify groups targeting us and the tactics and techniques they may use, and how combining the common threads across several groups helps determine the ways in which our organization may be targeted. Even if no action is taken after looking through the items, it is still insightful to learn what kind of target your organization may have on its back, and to take a step back and analyze whether your systems could withstand one of these adversaries' attacks. We hope none of those ghouls or ghosts end up pursuing you, but if you ever have the feeling somebody’s watching you, now you know a place to start looking.