The rapid growth of the ransomware-as-a-service (RaaS) sector, APT groups, and hacktivist collectives has left no region of the globe untouched by cyber threats. This surge in cybercrime poses considerable risk to small businesses and MSPs in particular, which tend to have less preparedness and thinner security infrastructure. Knowing in advance who the likely attackers are and what motivates them helps predict their actions and build defenses and countermeasures that fit.
This article examines how adversaries select and target your organization, what motivates them, who else they target, and how your organization can profile threat adversaries.
Profiling threat adversaries gives you a comprehensive picture of the most critical and relevant cyber threats to the organization, and of how those threats are likely to develop and damage it. It is a core component of a cyber threat intelligence strategy, which every organization should consider in order to establish a proactive defensive posture against its adversaries.
There are several important questions to answer when defending against adversaries:
Which threat actors are likely to target your organization?
Which Tactics, Techniques and Procedures (TTPs) are they likely to use to infiltrate your organization?
What mitigations and detections are available to defend against those adversaries?
Hundreds of threat groups operate worldwide, and more emerge all the time. Profiling every group and building defenses against each one's TTPs is sensible in principle but hard to sustain in practice. For example, MITRE ATT&CK currently tracks 152 threat groups and 794 software entries; following every one of them would be laborious and, for most organizations, largely irrelevant.
The better approach is to narrow the field to the adversaries that target your industry. Two frameworks help here: the MITRE ATT&CK matrix, which catalogs the TTPs that adversaries use across the stages of an attack, and the Lockheed Martin Cyber Kill Chain, which describes the stages of a cyberattack.
Method 1 : Identify the adversaries.
Phase 1: Utilizing MITRE ATT&CK framework for the identification of potential threat actors.
The Groups page on the MITRE ATT&CK site can help you identify threat actors that may be targeting your organization or industry.
If you work for a company that offers online gambling services, for example, start by searching for every adversary known to target the gambling industry.
Search for the keyword "gambling" on the ATT&CK Groups page.
You can refine the resulting list to threat groups active in the region where the organization operates, such as the United States.
You can refine the list further by how recently and how actively each group has been operating.
Phase 2: Utilizing ATT&CK Navigator to map adversaries' Tactics, Techniques, and Procedures (TTPs).
Open ATT&CK Navigator.
Select the Enterprise ATT&CK option.
Use the search function to find the threat group.
Assign a score of 1 to each technique used by the threat group so that those techniques are highlighted.
Set the low and high values under Tactic Row Background to 1 and 3, respectively, as seen in the image.
If you are dealing with multiple threat groups, you can repeat the aforementioned steps as needed.
The steps above, applied to mapping the TTPs of Earth Smilodon.
When dealing with multiple threat groups, it is worth consolidating them into a single layer. Navigator can combine layers using a score expression; here the expression "a + b" was used to merge the Earth Lusca and Earth Smilodon layers, so a technique shared by both groups receives a score of 2.
You can also export the resulting TTPs to an Excel document for offline maintenance.
Method 2 : Identify the software
The Software category of the MITRE ATT&CK framework covers the tools, malware, and utilities that adversaries use to conduct their operations. It spans a wide range of software types, each with specific purposes and functionality that attackers leverage during their campaigns.
Software entries in ATT&CK include open-source, commercial, and cracked (illegally obtained or modified) tools, such as Agent Tesla, AsyncRAT, Black Basta, IcedID, BloodHound, and Mimikatz.
The figure below shows the top banking trojans detected in 2023, according to Recorded Future research.
As an illustration, I used IcedID, a well-known malware family currently prevalent in the threat landscape. After execution, and before exfiltrating sensitive financial data, IcedID performs a number of operations, including establishing persistence, performing discovery, and connecting to a C2 server. ATT&CK Navigator is a valuable tool for tracking the actions this banking trojan performs post-execution.
Tracking adversaries and tracking software within the MITRE ATT&CK framework involve different focuses and methodologies, each serving a distinct purpose in defense. Tracking adversaries provides a strategic understanding of who might be targeting the organization and why; tracking software offers a tactical approach to detecting, analyzing, and mitigating the specific malware used in attacks. By combining both, organizations can build a defense posture that addresses both the strategic and the technical aspects of cyber threats.
The following comparison table contrasts tracking adversaries with tracking software in the context of the MITRE ATT&CK framework.
| Aspect | Tracking Adversaries | Tracking Software |
| --- | --- | --- |
| Focus | Threat actors (e.g., APT groups) | Specific malware and tools (e.g., BlackCat, Emotet) |
| Objective | Understanding the "who" and "why" behind attacks | Understanding the "how" and "what" of attacks |
| Scope | Broader context, including motivations and targets | Technical details, behavior, and characteristics |
| Analysis | Tactics, Techniques, and Procedures (TTPs) | Malware signatures, IOCs, and behavioral analysis |
| Intelligence Sources | Threat intelligence reports, historical data, OSINT | Malware analysis, sandboxing, reverse engineering |
| Defense Strategies | Risk assessment, tailored defensive measures | Detection, mitigation, incident response |
Mitigation and Detection
The security community contributing to MITRE has done an outstanding job by adding detection and mitigation strategies for each technique used by adversaries. These resources are invaluable for security professionals and detection engineers in building robust security measures and crafting effective detection rules.
The same applies to the software category, where mitigations and detections have been provided for the techniques used by malware upon execution.
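The group search in Method 1, the software search in Method 2, and the per-technique mitigations described above are all walks over the same STIX 2.x bundle that MITRE publishes for ATT&CK (the enterprise-attack.json in the mitre/cti repository). The Python script below is an added example for this article, not code from the original page or from MITRE's own tooling. It performs those walks offline against a small constructed bundle: the group and software entries, their descriptions, and every relationship in it are invented for illustration, while the technique and mitigation IDs (T1566.001, T1059.001, T1078, M1017, M1032) are real ATT&CK identifiers. The Navigator layer version string is an assumption. It also skips revoked or deprecated objects, which the real bundle retains and which would otherwise inflate a layer.

```python
"""Offline walk of an ATT&CK-style STIX bundle: find groups or software by keyword,
score the techniques they use ("a + b" style), list mitigations, emit a Navigator layer.

Added example. SAMPLE_BUNDLE is constructed: groups, software, descriptions and all
relationships are invented; only the T-/M- identifiers are real ATT&CK IDs.
"""
import json
from collections import Counter, defaultdict

SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--example", "objects": [
    # Groups (intrusion-set) and software (malware/tool); all invented
    {"type": "intrusion-set", "id": "intrusion-set--aaa", "name": "Example Group A",
     "description": "Targets online gambling companies in Southeast Asia and the United States."},
    {"type": "intrusion-set", "id": "intrusion-set--bbb", "name": "Example Group B",
     "description": "Financially motivated; targets gambling operators in Europe."},
    {"type": "intrusion-set", "id": "intrusion-set--ccc", "name": "Example Group C",
     "description": "Espionage group targeting telecommunications providers."},
    {"type": "malware", "id": "malware--ddd", "name": "Example Banker", "is_family": True,
     "description": "Banking trojan that beacons to a C2 server before stealing financial data."},
    # Techniques; the revoked one must never reach a layer
    {"type": "attack-pattern", "id": "attack-pattern--111", "name": "Spearphishing Attachment",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566.001"}]},
    {"type": "attack-pattern", "id": "attack-pattern--222", "name": "PowerShell",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}]},
    {"type": "attack-pattern", "id": "attack-pattern--333", "name": "Valid Accounts",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1078"}]},
    {"type": "attack-pattern", "id": "attack-pattern--444", "name": "Retired", "revoked": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9999"}]},
    # Mitigations (course-of-action)
    {"type": "course-of-action", "id": "course-of-action--m1", "name": "User Training",
     "external_references": [{"source_name": "mitre-attack", "external_id": "M1017"}]},
    {"type": "course-of-action", "id": "course-of-action--m2", "name": "Multi-factor Authentication",
     "external_references": [{"source_name": "mitre-attack", "external_id": "M1032"}]},
]}
# Invented "uses" and "mitigates" edges, expanded into STIX relationship objects
_USES = [("intrusion-set--aaa", "attack-pattern--111"), ("intrusion-set--aaa", "attack-pattern--222"),
         ("intrusion-set--bbb", "attack-pattern--111"), ("intrusion-set--bbb", "attack-pattern--333"),
         ("intrusion-set--bbb", "attack-pattern--444"), ("intrusion-set--ccc", "attack-pattern--222"),
         ("malware--ddd", "attack-pattern--222"), ("malware--ddd", "attack-pattern--333")]
_MITIGATES = [("course-of-action--m1", "attack-pattern--111"), ("course-of-action--m2", "attack-pattern--333")]
SAMPLE_BUNDLE["objects"] += [
    {"type": "relationship", "id": f"relationship--{i}", "relationship_type": k, "source_ref": s, "target_ref": t}
    for i, (k, s, t) in enumerate([("uses",) + p for p in _USES] + [("mitigates",) + p for p in _MITIGATES])]


def _live(o):
    """ATT&CK keeps revoked/deprecated objects in the bundle; drop them everywhere."""
    return not o.get("revoked") and not o.get("x_mitre_deprecated")


def _attack_id(o):
    """External ID (Txxxx / Mxxxx) from the mitre-attack reference, or None."""
    return next((r["external_id"] for r in o.get("external_references", [])
                 if r.get("source_name") == "mitre-attack"), None)


def _index(bundle):
    return {o["id"]: o for o in bundle["objects"] if _live(o)}


def _edges(bundle, rel_type):
    """Yield (source_ref, target_ref) for live relationships of the given type."""
    for o in bundle["objects"]:
        if o.get("type") == "relationship" and o.get("relationship_type") == rel_type and _live(o):
            yield o["source_ref"], o["target_ref"]


def find_entities(bundle, keyword, kinds=("intrusion-set",), region=None):
    """Method 1 / Method 2 search: {stix_id: name} for groups (default) or software
    (kinds=("malware", "tool")) whose name or description mentions keyword, and
    region when given. Matching is case-insensitive substring, like the site search."""
    hits = {}
    for o in _index(bundle).values():
        if o["type"] not in kinds:
            continue
        text = f"{o.get('name', '')} {o.get('description', '')}".lower()
        if keyword.lower() in text and (region is None or region.lower() in text):
            hits[o["id"]] = o["name"]
    return hits


def technique_scores(bundle, entity_ids):
    """Score each technique by how many of entity_ids use it directly ("a + b").
    Duplicate relationships are collapsed so a group cannot count twice."""
    idx = _index(bundle)
    pairs = {(s, t) for s, t in _edges(bundle, "uses")
             if s in entity_ids and idx.get(t, {}).get("type") == "attack-pattern"}
    return dict(Counter(_attack_id(idx[t]) for _, t in pairs))


def mitigations_for(bundle, technique_ids):
    """{technique_id: sorted mitigation IDs} from course-of-action 'mitigates' edges."""
    idx = _index(bundle)
    out = defaultdict(set)
    for s, t in _edges(bundle, "mitigates"):
        if s in idx and t in idx and idx[s]["type"] == "course-of-action":
            tid = _attack_id(idx[t])
            if tid in technique_ids:
                out[tid].add(_attack_id(idx[s]))
    return {k: sorted(v) for k, v in out.items()}


def build_layer(bundle, keyword, kinds=("intrusion-set",), region=None):
    """ATT&CK Navigator layer dict: one point per matched entity per technique."""
    ents = find_entities(bundle, keyword, kinds, region)
    scores = technique_scores(bundle, set(ents))
    return {
        "name": f"'{keyword}'" + (f" / {region}" if region else ""),
        "versions": {"layer": "4.5"},  # assumed; match the Navigator build you use
        "domain": "enterprise-attack",
        "description": "Entities: " + ", ".join(sorted(ents.values())),
        "techniques": [{"techniqueID": t, "score": s} for t, s in sorted(scores.items())],
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0,
                     "maxValue": max(scores.values(), default=1)},
    }


if __name__ == "__main__":
    layer = build_layer(SAMPLE_BUNDLE, "gambling")
    print(json.dumps(layer, indent=2))
    print(mitigations_for(SAMPLE_BUNDLE, {t["techniqueID"] for t in layer["techniques"]}))
```

To run it on real data, replace SAMPLE_BUNDLE with the parsed enterprise-attack.json from mitre/cti and save the printed layer to a .json file that Navigator can open. Note that in the real bundle a group often reaches a technique only through software it uses (group uses malware, malware uses technique); technique_scores counts direct edges only, so add a second hop through malware/tool objects if you want that coverage.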
Ransomware Groups
The approach can be broadened by researching ransomware groups and other threat actors that MITRE does not track, since ransomware gangs are known to use the same software and to target a wide variety of industries. For example, MITRE does not track ransomware groups such as LockBit, PLAY, or 8BASE. Other cybersecurity vendors and agencies, such as CrowdStrike, Cisco Talos, Mandiant, CISA, and Europol, do actively track and investigate these groups.
CrowdStrike, for example, maintains the CrowdStrike eCrime Index (ECX) to monitor eCrime activity in the digital economy, and the index shows a significant increase in ransomware activity. CrowdStrike also uses the term "big game hunting" (BGH) for ransomware attacks aimed at large, high-value enterprises or high-profile organizations. According to CrowdStrike's research, the number of victims named on BGH dedicated leak sites (DLS) rose notably in 2023, with 4,615 victim entries posted, a 76% increase over the previous year. Several factors contribute to this increase, including the emergence of new ransomware groups, the expansion of existing adversaries' operations, and the execution of large-scale campaigns.
LockBit, ALPHV, Clop, PLAY, and 8BASE accounted for 77% of posts across all tracked adversary DLSs, according to CrowdStrike.
The names above follow CrowdStrike's naming taxonomy, in which financially motivated cybercriminal adversaries are designated SPIDERs.
It is strongly advised to consult the ransomware tracking reports published by the vendors that follow these groups in order to understand the TTPs of active ransomware operations. Given the range of industries ransomware groups target, organizations should study these findings closely and build comprehensive security measures on the insights they provide.
Conclusion
In conclusion, the escalating expansion of ransomware-as-a-service (RaaS) sectors, APT organizations, and hacktivists has made it imperative for organizations to proactively defend against cyber threats. The increasing risk to both small businesses and MSPs underscores the necessity of understanding potential attackers and their motives to predict their actions and craft robust defense mechanisms.
Profiling threat adversaries is essential for gaining a comprehensive picture of the most critical and relevant cyber threats to an organization. Frameworks such as the MITRE ATT&CK matrix and the Lockheed Martin Cyber Kill Chain help in identifying adversaries and mapping their tactics, techniques, and procedures (TTPs). This strategic understanding of the "who" and "why" behind attacks complements the technical understanding of the "how" and "what" of the specific malware used in them.
Tracking software is also vital, as it involves monitoring a wide variety of malware, from banking trojans like IcedID to sophisticated ransomware. This technical approach aids in detecting, analyzing, and mitigating specific malware threats, thereby strengthening an organization's cybersecurity defenses.
Additionally, considering the vast number of ransomware groups not tracked by MITRE, it is crucial to refer to ransomware tracking reports from reputable security vendors such as CrowdStrike, Cisco Talos, Mandiant, CISA, and Europol. These reports provide valuable insights into the TTPs of active ransomware groups, enabling organizations to develop comprehensive security measures based on the latest intelligence.
By combining strategic adversary profiling with technical malware tracking and leveraging security vendor intelligence reports, organizations can build a robust defense posture that addresses both the strategic and technical aspects of cyber threats. This integrated approach is key to establishing a proactive and effective cybersecurity strategy in today's ever-evolving threat landscape.