It’s no secret that adversaries continuously refine the tactics, techniques, and procedures (TTPs) behind their attacks, making it difficult for defenders to respond appropriately.
One challenge is the sheer number and churn of threat actors. At Mandiant, we are actively tracking nearly 2,000 threat actor clusters, a number that is constantly rising. In 2019, the number of actors we tracked increased by 10%, driven by novel threat activity identified through intelligence gathered during incident response engagements. Not all of these actors are active, and some limit their targeting to specific regions or industries, or to organizations that are susceptible to a particular initial access method.
Another challenge is the breadth of adversarial tactics. The MITRE ATT&CK® knowledge base currently includes 156 adversary techniques, based on real-world observations, and a further 272 sub-techniques. The list is continually expanding, which illustrates the range of options adversaries have at their disposal.
Further compounding the problem, the latest Mandiant Security Effectiveness Report states that 54% of the techniques and tactics executed to test lateral movement are missed entirely. Worse, 96% of the behaviors do not produce a corresponding SIEM alert, because the controls in place cannot distinguish the malicious behaviors from legitimate activity.
For defenders, all of this raises the question, “Who should we track, based on what information, and how often should we review this?”
Understanding Tactics and Targets
In some cases, organizations may want to understand the techniques employed by a specific threat actor, either because of a current compromise within their environment or because they expect to be targeted by that actor in the future. For instance, the threat actor FIN11, known to deploy ransomware, has continuously evolved its operations over the past 18 months, cycling through many different downloaders, backdoors and purpose-built malware. Knowing which tools and tactics the group is using today, as opposed to a year ago, helps organizations prioritize and allocate scarce resources to mitigate the threat.
Comparing several actors and their techniques side by side highlights a different facet of the problem. Here, defenders may want to focus on the techniques that are most commonly used across the set. For example, when the MITRE ATT&CK mappings for five actors are aggregated, only a subset of the total associated techniques is likely to be shared by all five. Those shared techniques are the starting point for implementing security controls that will have the greatest impact.
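The aggregation described above, as an added example that is not part of the original post and uses no Mandiant or MITRE data: it merges per-actor technique mappings, ranks techniques by how many tracked actors use them, extracts the techniques every actor shares, and emits the result as an ATT&CK Navigator layer so it can be viewed as a heat map. The actor names and their technique sets are constructed sample data, not the real mappings of any group, and the Navigator layer field names are an assumption about the layer JSON format rather than something the post specifies.

```python
"""Merge per-actor ATT&CK technique mappings into a prioritized list and a
Navigator heat-map layer.  Added example: the mappings below are CONSTRUCTED
sample data for hypothetical actor clusters, not Mandiant or MITRE data."""
import json
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample input: hypothetical actor cluster -> ATT&CK technique IDs
# observed in its intrusions.  Five actors, as in the post's example.
ACTOR_TECHNIQUES: Dict[str, Set[str]] = {
    "actor-1": {"T1566.001", "T1204.002", "T1059.001", "T1105", "T1486"},
    "actor-2": {"T1566.001", "T1059.001", "T1021.001", "T1003.001", "T1486"},
    "actor-3": {"T1190", "T1059.001", "T1021.001", "T1105", "T1041"},
    "actor-4": {"T1566.002", "T1204.002", "T1059.001", "T1003.001", "T1105"},
    "actor-5": {"T1566.001", "T1059.001", "T1021.001", "T1105", "T1486"},
}


def technique_counts(mappings: Dict[str, Set[str]]) -> Counter:
    """Count how many actors in `mappings` use each technique."""
    return Counter(t for techs in mappings.values() for t in techs)


def shared_by_all(mappings: Dict[str, Set[str]]) -> Set[str]:
    """Techniques used by every actor: the smallest set of controls with the
    broadest effect across the tracked actors.  Empty input yields an empty set."""
    sets = list(mappings.values())
    return set.intersection(*sets) if sets else set()


def prioritize(mappings: Dict[str, Set[str]], min_actors: int = 2) -> List[Tuple[str, int]]:
    """Techniques used by at least `min_actors` actors, most widely used first;
    ties are broken by technique ID so the ordering is deterministic."""
    counts = technique_counts(mappings)
    ranked = [(t, n) for t, n in counts.items() if n >= min_actors]
    return sorted(ranked, key=lambda tn: (-tn[1], tn[0]))


def to_navigator_layer(mappings: Dict[str, Set[str]], name: str = "Actor overlap") -> dict:
    """Build an ATT&CK Navigator layer whose per-technique score is the actor
    count.  Field names follow the Navigator layer JSON format as assumed here
    (name, versions, domain, techniques[].techniqueID/score/comment, gradient)."""
    counts = technique_counts(mappings)
    return {
        "name": name,
        "versions": {"layer": "4.2"},
        "domain": "enterprise-attack",
        "description": "score = number of tracked actors observed using the technique",
        "techniques": [
            {
                "techniqueID": t,
                "score": n,
                # Which actors contributed the technique, for analyst drill-down.
                "comment": ", ".join(sorted(a for a, s in mappings.items() if t in s)),
            }
            for t, n in sorted(counts.items())
        ],
        "gradient": {"colors": ["#ffffff", "#ff6666"],
                     "minValue": 0, "maxValue": len(mappings)},
    }


if __name__ == "__main__":
    print("shared by all actors:", sorted(shared_by_all(ACTOR_TECHNIQUES)))
    for tid, n in prioritize(ACTOR_TECHNIQUES):
        print(f"{tid}\t{n} of {len(ACTOR_TECHNIQUES)} actors")
    # Write the merged heat map for loading into ATT&CK Navigator.
    with open("actor_overlap_layer.json", "w") as fh:
        json.dump(to_navigator_layer(ACTOR_TECHNIQUES), fh, indent=2)
```

Ranking by actor count rather than by a single actor's full technique list is what turns five separate mappings into one prioritized control backlog; the intersection (`shared_by_all`) is the post's "subset used by all attackers", and the ranked list below it shows which techniques to address next once that subset is covered.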
Here are four strategies that can help:
Strategy 1: Get a front row seat to frontline intelligence
In today’s risk-sensitive business environment, real-time threat data backed by in-depth research is required to keep up with new and evolving threats. With Mandiant Advantage: Threat Intelligence, security teams have access to active, emerging data directly from the front lines. Security operations teams in particular need actionable and timely threat intelligence to detect and respond to threats quickly and effectively. It’s critical that this intelligence goes beyond what is disclosed in open sources, so that security teams can quickly research a threat, identify the relevant context, and respond appropriately.
Strategy 2: Understand which threats apply to you
Understanding which attackers are most likely to present a credible threat to the organization helps focus effort and makes security teams more proactive. Analytical finished intelligence reports are a powerful decision-making tool for all security personnel, helping them understand an attacker’s motivations, targets and evolving TTPs. Threat intelligence is not binary, however. Being able to quickly filter intelligence by a threat actor’s targeting calculus, or by the technologies it exploits, also helps organizations pivot to the threats that matter most to them.
Strategy 3: Validate controls, processes and performance
As threats evolve, it’s important to continuously validate the organization’s ability to detect, mitigate, and respond to the ways attackers actually behave in the real world. Doing this properly requires a security instrumentation platform that assesses and optimizes control performance automatically and continuously, so that changes to the IT environment and to the organization’s risk profile are accounted for and monitored. With ongoing security validation, gaps in defenses can be identified against relevant and timely threat intelligence, and the findings show where to tune tools to improve both organizational defenses and the speed of response.
Strategy 4: Organize and hunt for threats
As controls are optimized, it’s important to remember that actors may already have infiltrated the network and established a foothold. Accurate and timely threat intelligence helps organize threat hunting efforts and provides a framework for reporting to leadership how the security team is addressing relevant threats. According to the SANS 2019 Cyber Threat Intelligence Survey, 56% of enterprises use cyber threat intelligence (CTI), such as adversary TTPs, to hypothesize where attackers might be found, a strategy that has proven effective across many organizations.
Despite the significant investments organizations make in their security programs, Mandiant continues to see a proliferation of threat actors and malicious campaigns that are often able to meet their objectives. Real-time threat intelligence and a commitment to continuous validation give defenders the insight, assurance, and decision-making advantage they need to protect themselves against the threats that matter to them right now.
Learn how to better protect against these threat actors by registering for a free trial of Mandiant Advantage: Threat Intelligence.