You should read this article if you want to learn more about how to identify the specific threats your organization faces, which environmental variables affect the threats, and how to construct a defensive strategy based on real-world attack data. All this research and analysis combined is what we call a threat profile.
I hope you enjoy this first article and find it a useful tool in your organization’s defense.
• Know thyself, know thy enemy. A threat profile will help you understand the threats your organization faces. It can be used to establish a common understanding among your colleagues regarding the threats facing your business. Rooted in this understanding, you’ll be able to confidently devise a coherent set of defensive activities.
• A threat profile will help you identify and understand what was previously unknown: the full set of threats facing your organization. It will identify all environmental parameters that may affect your susceptibility to cyber attacks and ensure you know precisely what intelligence is required to support your defensive activities.
What Is a Threat Profile?
Cybersecurity is a constant battle of priorities. Which security control should you implement? Choosing the correct security control could be what stands between a successful defense and a successful breach. A threat profile will help you be more confident in your decisions concerning defensive security controls.
A threat profile is a detailed description of all threats that have attacked or are likely to attack your organization. It’s also a description and analysis of all contextually relevant details that may influence the outcome of an attack, or in other words, your susceptibility to an attack.
According to Truesec, there are several key components to a threat profile:
• Environmental context
• Threat intelligence
• Defensive capabilities
• Threat scenarios
Let’s briefly explore each component.
For environmental context, you’ll want to thoroughly explore the digital footprint of your organization which includes the following:
• National and international presence
• Attack Surface – your publicly accessible servers, services, and applications
• Technologies used
• Cloud providers and data center locations
• Employees’ social media footprint
• Deep web and darknet mentions
By understanding your national presence, you’ll know if you’re vulnerable to threat actors that target the country from which you operate. This is what we refer to as an inherited country threat profile.
Attackers will enumerate your public attack surface either as part of a broad-spectrum attack or as part of a targeted campaign against your industry or your specific organization. It is important to fully understand what your organization has exposed on the internet. According to our intelligence, attackers preferred to use vulnerabilities in publicly facing servers in approximately 45% of the attacks investigated by Truesec in 2021.
Altogether, these represent your organization’s environmental context. These variables affect the likelihood you’ll be attacked, some more than others, and they affect the consequences of an attack.
Based on the environmental context, you’ll be able to determine which adversaries your organization is more likely to face. The threat intelligence (TI) section of the threat profile will detail how those threat actors are most likely to attack you. Ideally, it should be an enumeration and analysis of attacker techniques observed in real-world attacks.
We would describe and explain, based on our extensive experience investigating and responding to incidents, how threat actors have previously conducted attacks against organizations similar to your own in the same industry. Based on an extensive enumeration of your organizational and digital footprint (the context), we’ll describe the most likely paths an attacker might take when attacking your organization.
This section will also provide intelligence regarding attacker infrastructure and the specific types of malware used. With access to this intelligence, you’ll be able to tactically and proactively defend against future attacks.
Based on your environmental context and the threat intelligence, we’ll recommend a set of defensive capabilities we believe should be prioritized and implemented. These capabilities should primarily be rooted in real-world attacks and should describe specific criteria for how they can be supported by continuous intelligence.
Deploying an endpoint detection and response (EDR) solution is an example of a capability oriented primarily around detection (a “detective” capability). Another example might be the deployment of deceptive technologies such as honey networks, which would be part of a deception capability.
The capabilities suggested will be mapped to specific techniques observed and used by attackers, ensuring a clear connection between the real world and what you should implement.
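One way to make that mapping concrete is to treat the threat profile as data: each observed attacker technique carries the share of investigated incidents it appeared in, each candidate capability records how much of a technique’s risk it addresses, and a small gap analysis ranks the not-yet-deployed capabilities by the residual risk they would remove. The following is an added example written for this article, not Truesec’s own tooling or method. The MITRE ATT&CK technique IDs are real, but the incident shares, the capability catalogue and the coverage factors are constructed placeholders (only the 45% figure for public-facing servers echoes the article), and the “independent failure” combination rule is an assumption, not an industry standard.

```python
# Constructed sample data (not Truesec's): technique IDs are real MITRE ATT&CK
# IDs; the "share" values are illustrative placeholders standing in for the
# fraction of investigated incidents in which the technique was observed.
OBSERVED_TECHNIQUES = {
    "T1190": {"name": "Exploit Public-Facing Application", "share": 0.45},
    "T1566": {"name": "Phishing", "share": 0.30},
    "T1078": {"name": "Valid Accounts", "share": 0.35},
    "T1486": {"name": "Data Encrypted for Impact", "share": 0.40},
}

# Hypothetical capability catalogue. Each capability maps a technique ID to a
# coverage factor in [0, 1]: how much of that technique's risk the capability
# prevents, detects or deceives. The names and numbers are assumptions.
CAPABILITIES = {
    "external-attack-surface-management": {"T1190": 0.7},
    "patch-sla-internet-facing": {"T1190": 0.8},
    "edr": {"T1078": 0.5, "T1486": 0.7, "T1566": 0.4},
    "mfa-everywhere": {"T1078": 0.9},
    "honey-network": {"T1078": 0.3, "T1486": 0.2},
    "immutable-backups": {"T1486": 0.9},
}


def residual_risk(deployed, observed=OBSERVED_TECHNIQUES, catalogue=CAPABILITIES):
    """Residual risk per technique after the given capabilities are deployed.

    Coverage from several capabilities is combined as 1 - prod(1 - c_i), i.e.
    we assume each capability fails independently of the others (an assumption
    made for this example). Unknown capability names contribute no coverage.
    """
    residual = {}
    for tid, info in observed.items():
        uncovered = 1.0
        for cap in deployed:
            uncovered *= 1.0 - catalogue.get(cap, {}).get(tid, 0.0)
        residual[tid] = round(info["share"] * uncovered, 4)
    return residual


def prioritize(deployed, observed=OBSERVED_TECHNIQUES, catalogue=CAPABILITIES):
    """Rank capabilities not yet deployed by the residual risk each would remove.

    Returns a list of (capability, risk_reduction) tuples, largest reduction
    first; ties are broken alphabetically so the output is deterministic.
    """
    base_total = sum(residual_risk(deployed, observed, catalogue).values())
    ranking = []
    for cap in catalogue:
        if cap in deployed:
            continue
        with_cap = residual_risk(list(deployed) + [cap], observed, catalogue)
        ranking.append((cap, round(base_total - sum(with_cap.values()), 4)))
    ranking.sort(key=lambda item: (-item[1], item[0]))
    return ranking


if __name__ == "__main__":
    # Worked run: an organization that already has EDR, asking what to add next.
    already_deployed = ["edr"]
    print("Residual risk with", already_deployed, "->", residual_risk(already_deployed))
    for cap, reduction in prioritize(already_deployed):
        print(f"{cap:38s} removes {reduction:.4f} of residual risk")
```

With only EDR deployed, the two capabilities addressing T1190 come out on top, which matches the article’s point that public-facing servers were the preferred entry point in roughly 45% of the cases investigated: the ranking is driven by what attackers were actually observed doing, not by which product is easiest to buy. Swapping in your own incident shares and coverage estimates is the whole exercise; the arithmetic is deliberately simple so that the assumptions behind each number stay visible.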
Another important aspect of the threat profile is that it should provide you with realistic scenarios for blue team exercises. Threat scenarios are derived from combining everything we’ve learned about your organization, the threat intelligence, and our understanding of the preferred tactics and techniques of attackers.
As a final result, you will receive a very specific set of realistic threat scenarios to test your defensive capabilities and provide valuable information should you opt to conduct a red team exercise, either internally or externally.
In this first article in a series about threat profiles, we’ve explored the four key components of a threat profile, which, when combined, will enable you to defend more effectively and efficiently and provide valuable information to help you evaluate the efficacy of your defensive capabilities.
In the next article, we’ll dive a little bit deeper into the technical aspects of identifying your public attack surface and how we can identify and observe attacker infrastructure.
Until then, please let us know what you thought about this article and whether there are any particular areas you’d like to see explored in more detail.