Chapter 2: Understanding Adversaries

Security adversaries are human, you can expect them to have some sort of motivation for their actions. Understanding your adversaries lets you prepare a better response for them. Some examples of motivation: private fun; community fame; public activism; financial gain; coercion or manipulation for goals; covert espionage; or plain destruction. Keep in mind what can attract attackers to you.

It is also useful to consider profiles of possible attackers which affect their modus operandi.

  • Hobbyists are mostly harmless and just curious, rarely criminal.

  • Vulnerability researchers often work for hire and have standards of behavior.

  • Governments have access to vast resources and have strong interests.

    Governments have institutional experience in gathering intelligence. They also sometimes engage in military activities, information warfare. Another common thing is policing domestic activity as they see fit.

    Carefully consider if you can realistically be a target of nation-sized adversaries, and whether you have and willing to use adequate resources for counter. Keep in mind that attacks might be indirect, come from unexpected angle, and be very persistent.

  • Activists have a message to deliver and can/will be loud for that sake. They might have strong feelings but not always relevant experience, so it can be hard to predict their actions. Be aware of controversies that might attract them.

  • Criminals are a diverse bunch but often opportunistic: that is, they might turn to someone else if you seem to be not worth the hassle. Also note that they are usually skilled at manipulating individual people.

  • AI can come as a surprise with their bizzare logic, sheer volume, and persistence. While they are hardly common, AI threats might become possible in near future. It is a good idea to be ready to provide a matching automatic response.

Organizations always have insiders who are trusted with internal access. Insiders are a risk, whether they make honest mistakes, turn onto you, or are exploited by a third-party attacker for leverage. Insiders can be split into three groups:

  • First-parties like employees, interns, executives, board members.
  • Third-party contributors, vendors, contractors, partners.
  • Related individuals such as friends, family, roommates of the above.

First-parties usually have the biggest possible impact on security and reliability, given their direct access capabilities and the fact that everyone has them. Third-parties are becoming increasingly common attack vector in the days of open-source libraries, public APIs, global economy, etc. They might come from an unexpected angle. Related insiders are often implicitly trusted and neglected, thus sometimes becoming an easily accessible target.

There are many frameworks that model insider risks. The book suggests a simple one, in a form suitable for a card game. (Mion’s club will be delighted at this whodunnit!)

Actor/Roles Motives Actions Targets
Engineering Accident Data access User data
Operations Negligence Exfiltration Source code
Sales Compromise Deletion Documents
Legal Financial Modification Logs
Marketing Ideological Injection Infrastructure
Executives Retaliatory Press leak Services
  Vanity   Financials

Pick an actor with their target and motives explaining their actions. You can combine them as ridiculous as you like for brainstorming sessions. For example, Legal Contractor is entrusted with Source Code for license audit, but they happen to be Negligent and eventually Leak to Press, revealing common vulnerabilities and politically incorrect jokes in comments, which trigger Activists

Sometimes people just make mistakes. Insiders can make the most grave mistakes with the most impact on the business. Eventually someone somewhere will make a mistake. Design your systems to take that into account. Anyone having access to data or capabilities might be an attacker, their proxy, or can make a mistake. Some helpful principles for mitigating mistakes:

  • Least privilege limits impact, both in scope and time.
  • Zero trust prevents direct unrestricted human access to systems.
  • Multiparty authorization avoids single point of trust, counters “lone wolfs”.
  • Business justification could be formally documented on each access.
  • Audit and detection by reviewing and vetting access logs and justifications.
  • Recoverability is helpful in case destruction happens.

In order to protect your systems in an informed manner, you shoud be aware of methods used by attackers. There are many frameworks for that too, providing systematic view on methods and behaviors. However, note that variations are common: no two attacks or attackers are the same.

Threat intelligence increases awareness of attacks happening in the wild. It is provided or published by security agencies in many forms, such as written reports on indivial attacks, indicators of compromise (IOC) useful for automatic detection, malware reports often used for cross-correlation of unrelated attacks. All of this gives you a perspective on what attacks are popular, which are effective in your industry, etc.

Cyber Kill Chains are adaptation of a military idea to describe steps used by attacker. Typically they include reconnaisance for weak points, entry to gain access, lateral movement to widen the access, persistence to cement the acquired access level, followed by goal execution.

Tactics, Techniques, and Procedures (TTP) is a methodology for categorization of attackers’ modus operandi. MITRE’s ATT&CK matrix, for example, lays out hundreds of possible approaches to each attack step.

Understanding attackers is nuanced activity but it is essential for proper risk assessment. Here are some common cognitive biases to avoid:

  • You may not realize that you are a target. Even if you are small and uninteresting, your customers and associates might not be.
  • Unsophisticated attacks might be widely successful. Especially when they have been dismissed in favor of protection against more exotic threats.
  • Don’t underestimate your adversaries. While most of them might not be extremely motivated, outliers may go through great lengths with what are acceptable costs.
  • Attacks might be hard to attribute to a specific entity. Focus on observable TTPs rather that prioritizing identification of attackers. Deception is a thing.
  • Not everybody is afraid of getting caught. Especially if they act via Internet from another country, knowing that they won’t be extradited for prosecution.