Threat Profiling and Adversary Attribution

Recently I was part of a Twitter conversation that started with excellent points on profiling and managing threats that led to some good comments on the value of “who-based” attribution. If you’ve followed this blog and my related works, you will know that I already have strong feelings on the concept of threat profiling and really enjoy discussing the subject – to the point where I’m building a two-day class on the idea applied to strategic cyber defense. Thus one of John Hultquist’s comments in the referenced conversation above was interesting from a profiling perspective:

“The difference between a Chilean and an Iranian intrusion could come down to their willingness to disrupt. And that decision may be unique to the victim. I’d hate to be a Gulf O&G left without the information necessary to do risk management, even if incomplete.”

This statement pushes against the “how”-centric focus of attribution I’ve advocated strongly for in favor of the “who”-based conception typically followed in the cyber security and threat intelligence industries. To paraphrase and conceptualize my understanding of John’s and WylieNewmark’s arguments within the Twitter thread: “who”-focused attribution is vital from a threat profiling perspective as this provides a means to determine which threats you face, what their likely intentions will be, and how they may operate.

First, I will start with what some may consider a surprising statement: I do not disagree with this argument (at least as I understand it). You will notice that is a weaker statement than saying “I agree”, and the reason is the following: when you can actually, successfully, and consistently perform this type of attribution, significant value may result. The issue is: the ability, resources, and access to information required for organizations to successfully perform this type of attribution are distressingly large. Even for large organizations such as CrowdStrike or FireEye (or even Dragos, albeit more focused and not as large) that can combine internal technical analysis, dedicated threat intelligence collection, and incident response data, each organization still retains a “defender-centric” view of the situation – and one that is particular to the resources each entity has access to.

Contrast this with spooky intelligence services that can combine a defender-centric view (“what happened to us” or “what happened to our client”) with an adversary-focused view: information captured via signals or human intelligence providing internal insight as to the adversary’s planning, methodology, and intentions. These items can be inferred from observations of adversary actions – but they cannot be decisively proven. To borrow an image of Kantian metaphysics: defenders typically only get an image of an adversary as we can observe it from available information and observation methods, and not a picture of the adversary as the “thing-in-itself”. Or to instead borrow from Plato: what defenders see are merely the shadows cast upon the wall by the adversary based on what we can see and sense, but never the adversary itself.

Thus what I’m primarily arguing against is not the value necessarily of “who”-centric attribution (that will come later) – rather I call into question the ability to accurately perform this work. Based on this epistemic limitation, as threat researchers we do ourselves (and those we serve) good service by recognizing the capabilities and limitations of what we know (and what we can know) and focus efforts on what we are most able to achieve. So rather than try to achieve something that may not be possible, threat intelligence should focus instead on what can be accurately observed and analyzed – how an intrusion took place and what was done.

But this is a digression as one may still justifiably make the argument: “Yes, your fancy philosophical references make for fine trivia, but you have only shown that doing who-based attribution is hard – not that it lacks value.” Again, I don’t think such attribution lacks all value – but difficulties (if not impossibilities, depending on your organization) aside, I also question the value inherent in this sort of work, or at the very least its popular perception, compared to behavior-based approaches. Take John’s point: “The difference between a Chilean and an Iranian intrusion could come down to their willingness to disrupt.”

The meaning behind this statement is that accurate attribution allows one to prepare defenses against types of attack: Entity A focuses on disruption while Entity B does not; if I assess I am a target of Entity B instead of Entity A, I can therefore prioritize resources away from disruptive attacks as I am not a target of disruptive entities. There is a nice, neat little logic to this, but the underlying fallacy is that this takes an attacker-centric view of why an intrusion would take place (goals and mission) which is hard to (consistently and accurately) discern.

Instead, as I have focused in most of my previous work on threat profiling, organizations are better served by “flipping” this script: “What items of value – either intrinsic or as ‘means-to-an-end’ – do I possess that are vital to my organization, and how might they be compromised or degraded?” This view takes a defender-, own-organization-centric viewpoint by looking at what it is about me that I require to maintain the operations and value of my organization and how these nodes or sources of value might be degraded, disrupted, stolen, or compromised. From this perspective, who is attempting to undermine these value sources is irrelevant from the perspective of preserving value – all that is important is how such nodes might be impacted. Or, what behaviors and prerequisites are necessary to ensure successful compromise, degradation, etc., of key value sources.

In this fashion, threat profiling focuses not on “likely threats” in the typical sense of “who are my likely enemies” but rather shifts to the perspective of “for any potential adversary, what are the important parts of my network that require attention and how might they be threatened?” The answers to these questions will vary depending on organization, and responses will also be tailored to risk and operations. Furthermore, this approach allows an organization to determine what are vital and non-vital resources – an important step in performing threat modeling and profiling as this allows the organization to make strategic decisions as to what resources require aggressive defense, and which are acceptable losses.

To paraphrase Frederick the Great, “in trying to defend everything, he defended nothing.”* Thus Tim’s machine in accounting may be valuable in the sense that sensitive information may reside there (maybe think of secure ways for Tim to access this information on a remote host with higher levels of security than a personal desktop?) – but if compromised can be wiped, rebuilt, and put back into production without too significant a loss (excepting sensitive data exfiltration). Meanwhile, the corporate active directory servers are not just vital to continuing operations across the network, but an infection means you cannot simply take these devices down, wipe them, and put them back on the network – a completely different defense and remediation plan is required along with a far different allocation of resources. Namely, identify how different types of intrusion – and their goals – impact the organization, and outline defenses, responses, and recovery plans accordingly to ensure the continued ability of the organization to create or preserve business value.

More importantly, by adopting this approach an organization does not merely defend against an adversary but instead against attacks and behaviors. Thus to John’s point earlier, at present the Iranians may focus or be prone to disruptive events while the Chileans “play nice” – and our organization currently is only targeted by Chileans. But in evaluating our business and network requirements disruption (or specific types of disruption) are identified as attacks on vital sources of value to the entity – thus the organization will adopt plans and defenses against such attacks because it is important and thus be prepared whether the Chileans have a change of heart or we now find ourselves as Iranian targets. The focus here isn’t on who might attack us – as this would lead to a deprioritization of disruptive events – but rather on what would truly impact the organization based on the organization’s own values and operations.

This goes to another, vital point in defense, at least in this sphere: you cannot really choose who your adversaries are or who decides your network is a target, whether for theft, disruption, or destruction. So instead of building defense around items outside of your own control, I strongly advocate focusing resources on the internally-driven, value-based analysis of defense requirements followed by taking the generic adversary image of what behaviors are required to subvert these values. In this approach an organization defends itself against important attacks instead of focusing intently on a single entity – which may very well change over time, either in interest, tradecraft, or intentions.

To draw this to a close before we go on too long, a summary of the points made thus far:

1. “Who”-based attribution may be valuable, but consistently and accurately achieving this is at best difficult and at worst impossible for most organizations.
2. Instead of relying on imperfect information on adversaries – or letting adversaries completely dictate your defense and response – a value-centric approach identifying targets and required behaviors to compromise targets defends against classes of attack focused on vital aspects of the organization.
3. Focusing on the required behaviors for compromising, disrupting, or destroying sources of value ensures the organizations is prepared for and can treat as irrelevant changes in adversary intention and focus.

There is much to be said on this subject, and this is but a brief overview of some ideas central to the concepts of adversary attribution and threat profiling. As always, I’m happy to discuss these items and hope this has at least spurred some thought on the subject or different ways to approach the topic.

* To be honest, I’ve never actually seen this quote directly – in German or translation. HOWEVER this is the general point of Frederick the Great’s “field instructions” and guidance to his commanders and is the thrust of Article VIII. “Of Camps” when discussing fixed defenses and similar arrangements.