The past year has been wrought with examples of changing how we do things – from the simple to the complex. And there’s no question that cybersecurity professionals are adept at adjusting to changing conditions on the ground… whether it’s securing remote workers or pushing out enterprise-wide updates to mitigate against fast-moving threats like Ryuk, Emotet, or Dridex.
The devasting Solarwinds (aka Sunburst) attack also highlights the need to protect each aspect of an enterprise’s business: suppliers, customers, and regional partners and peers.
The challenge is – despite our collective agility – these efforts will never be sufficient. Defending against an exponential onslaught of cyber threats will continue apace until we make it more difficult for our adversaries to be successful in their attacks.
At Opora, we believe that the most effective way to reduce risk is to ‘shift left of boom’; in other words, preempt threats before they can take hold and escalate. A ticking bomb will never go off if the bad guy cannot set the timer in the first place. That’s why we focus on what happens before attacks are launched… and there’s only one way to do this – preemptive intelligence.
Preemptive v. Classic Intelligence
Every cyber intelligence analyst shares a passion for curiosity and a desire to use data – lots of data – to answer questions with as much certainty as possible. Where they diverge lies in what questions they ask of the data. Preemptive intelligence seeks to answer the question, “How can I prevent an adversary attack RIGHT NOW?” whereas, classic intelligence tries to answer the question, “What will an adversary TRY to do to us.”
Currency and relevance become two key ingredients of a preemptive intelligence approach. After all, there is nothing more timely or relevant than ‘right now’. And while it’s instructive to know what an adversary may try to do, it’s far more valuable to know what they’re doing right now, particularly when they’re in attack preparation mode. That way, you have time to stop them.
|Primary question||How can I prevent attacks now? |
(based on current adversary behavior)
|What might an adversary do to us?|
(based on what they did before)
|Deliverables||Post-attack IOCs; Pre-attack IOCs; IOABs (Indicators of Adversary Behavior); Adversary profiles||Post-attack IOCs|
Risk scenario planning
|Highlights||Highly relevant, enterprise-grade intel|
|Generic, academic-grade intel|
Decisions, decisions, decisions
Behavioral analysis is an essential part of preemptive intelligence. And while most adversaries are stealthy, and work hard to operate without detection or attribution, they still leave behavioral clues. This is particularly true in how they make decisions during the build phases of their attack operations.
A threat actor is required to make dozens of operational decisions at each stage – some they are keenly aware of, and others they’re blissfully unaware of. We examine all these aware and unaware decisions and they become key components of our cognitive model.
For example, threat actors are very aware when choosing their weapons, domains, or ISP, but what about the time of day or day of the week they set up the domain? Or the unintended vocabulary mistakes or prolonged fixation on details…? This is particularly true when the action needs to be repeatedly taken over and over, and over again.
After all, threat actors need to find a way to make it all look legitimate to target their next victim.
While their lack of awareness might be immaterial to them, this decision-based activity is added to our cognitive model and enables us to track them. One of the most common questions we get is where we track these adversaries, and whether we surveil the dark web.
Barbarians at the (DNS) Gate
Even though dark web surveillance makes for a more exciting story, it doesn’t reap as many benefits in terms of preempting attacks. We have found that it is far more valuable to study how adversaries use public services such as DNS registration which we see as a critical ‘intelligence junction’ or ‘gate’. These gates are obligatory for all threat actors, while there are no such mandatory sites on the dark web.
Keep in mind that these gates raise the stakes for your adversary. They push him out of his comfort zone – forcing him to commit in making multiple decisions that introduce multiple dependencies. Compared to this restrictive environment, the dark web offers threat actors freedom while lacking any consistently rich data capable of creating the cognitive patterns we use to monitor adversary behavior.
We focus on DNS registration for its centrality: it’s a go-to junction for multiple adversaries when they build sustainable attack infrastructure, and as such provides enough behavioral data for us to discover observable patterns. Additionally, it reaps the following benefits:
- Preemptive: Early enough (pre-attack) to enable preemptive alerting and action
- Actionable: Yield concrete indicators (domains) for prevention, detection and response
- Continuous: New attack-infrastructure is constantly being created by the threat actors
Indicators of Adversary Behavior (IOABs) vs. Indicators of Compromise (IOCs)
Monitoring how threat actors behave at these ‘gates’ become key indicators – indicators of adversary behavior (IOABs) – that we use to build out adversary profiles our customers use to preempt attacks.
IOCs are indeed important aspects of the evidentiary trail, but they’re by definition ‘after-the-fact’ evidence, as a compromise has already occurred.
At Opora, we use IOABs to create pre-attack IOCs that teams use to instantly block connections to Phishing, Delivery, and C2 domains at the proxy or firewall. Additionally, integrating IOABs into your SIEM enables better detection and containment of adversary activity missed by other controls.
Our preemptive approach provides the visibility teams need to shift left of boom – regardless of the weapon your adversary uses against you, and wherever he targets your extended enterprise.