What are these funny names of opponents like FANCY BEAR, MAGICIAN SPIDER and DEADEYE JACKAL? You read about them in the media and see them on CrowdStrike T-shirts and referenced by MITER within the ATT&CK framework.
Why are they so important for cyber defenders? How is an adversary born?
You may think you have a problem with Ransomware, bots, or Distributed Denial of Service (DDoS) attacks, but you’d be wrong. Because humans are behind every cyber attack, what you really have is an adversary problem. Understanding the adversaries most likely to target your business is essential as it helps you focus your resources and better prepare your defenses to defeat them.
CrowdStrike is currently tracking and profiling over 180 adversaries, having added 21 new adversaries in 2021 alone. So let’s dive into the world of adversaries and understand why attribution and an adversary-centric approach to cybersecurity are essential to defend against modern cyberattacks.
Attribution 101: what’s in a name?
EEach adversary is motivated by a specific goal, whether it’s financial gain, espionage, or politics. CrowdStrike uses a two-part cipher so that opponents can be easily identified based on these three key motivators:
- SPIDERs are cybercriminals motivated by monetary gain
- Nation states practice espionage and are identified by the national animal of their country of origin, such as BEAR (Russia) or PANDA (China)
- Hacktivists, seeking to create political disruption, are JACKALS
The honor of providing the name used for the first part of the cryptonym rests with the CrowdStrike threat intelligence analyst or team that attributed the activity to a specific threat actor or group. While this part of the name may be arbitrary, CrowdStrike analysts are generally influenced by the major tools and techniques they have observed being used by the actor.
Identification of activity clusters
As you’ve probably guessed, observing related activity or “groups of activity” is a crucial aspect of CrowdStrike’s threat research that helps determine attribution.
The first step in identifying a cluster of activities is to collect the right data in order to expose illicit actions. Only CrowdStrike has access to the trillions of events per day collected by the CrowdStrike Falcon® Platformthat protects millions of endpoints worldwide and provides real-time and zero-day attack visibility.
In addition, CrowdStrike Intelligence collects raw intelligence from several other sources, including incident response engagements, millions of malware samples processed daily, deep dark networks, underground communities, social media, open source and much more. This is where CrowdStrike has a distinct advantage, confirmed by the highest score among all providers in the Wave Forrester™ External Threat Intelligence Services, Q1 2021 for the “raw intelligence gathering” criterion.
The second step is to analyze this data using machine-based analytics as well as human intelligence analysts. CrowdStrike Intelligence analysts are organized into cyber threat expertise cells such as adversarial prosecution, tactical malware analysis, geopolitics, threat campaign analysis and others. CrowdStrike produces comprehensive threat intelligence across multiple dimensions such as attack motivation, threat operations techniques and tactics.
Activity clusters are usually based on one or more related technical attack techniques, tools or infrastructure that are exploited by the adversary. For adversaries sponsored by nation states, CrowdStrike intelligence analysts overlay an understanding of the geopolitical nexus of all observed activity to elevate a cluster’s confidence level to a named, state-sponsored adversary. The process is slightly different for cybercrime, where Intel analysts focus on adversary tooling, craft and infrastructure, with an emphasis on actor threat operations such as use of ‘as a service’ frameworks, shared infrastructure or inclusion of basic public tools during the attack phase.
Maintain rigorous naming standards
CrowdStrike has set rigid analytical integrity standards that are regularly reinforced among analytical frameworks. All intelligence analysts are trained to ensure the appropriate use of estimative language, awareness and elimination of bias, and the use of analytical tools such as “alternative competing hypotheses”.
Throughout the award process, integrity is maintained through extensive scrutiny between the various CrowdStrike teams with threat expertise. Only after a series of rigid analytical steps will an actor be given a name and added to CrowdStrike’s list of named opponents.
How defenders benefit from an opponent-centric approach
Adversary attribution allows defenders to understand the “who, how and why” behind cyberattacks targeting their business. By understanding their opponents’ motivation, tools, and tactics, defenders can apply proactive and preventative actions.
For example, targeted attacks may be motivated by spying, which indicates that the threat will most likely be persistent and include several sophisticated attacks that may attempt to gain access to your company’s sensitive data. Knowing this about the espionage-motivated adversary provides guidance on where to get defensive”shields up” measures and how you can best prepare for them. This could include proactively patching vulnerabilities or blocking file hashes or IP addresses at the perimeter, defensive tactics based on attack vendors the adversary is known to have used in the past. Attribution allows security teams to understand their true position on risk by defining who might prosecute them and how, and to preemptively adjust their security strategy.
Adversary attribution also allows security teams to reduce noise by filtering an overload of security data to focus on specific tactics. The CrowdStrike Intelligence team’s profiling of more than 180 global threat actors across cybercrime adversaries, nation states, and hacktivists allows you to find only those actors most likely to attack your organization. A good place to start is to filter security data based on adversaries’ preferred targets, typically by industry and geographic region. Security analysts can focus on this much smaller subset instead of focusing on low-risk commodity attacks that are blocked by the security controls they have in place.
Additionally, once a known and sophisticated adversary has been spotted within your organization’s infrastructure, alert levels can be raised, shields declared, and information available about the adversary can drive the threat-hunting process. threats to find and expel the adversary. Without this knowledge, Security Operations Center (SOC) analysts waste time and resources, playing “hit a mole” by pursuing every product attack or being blind to adversary activity that may considered normal activity without the context provided by threat intelligence.
While attribution provides the insights that help security teams prepare, there is additional intrinsic value in taking an adversary-centric approach to security. Attribution allows the entire team – both proactive and reactive advocates – to direct their actions to specific actors that target the organization, create their behaviors and tools, and begin communicating between all teams with a common language including opponent’s name, attack steps and point of view. This approach helps teams move away from tool- or process-heavy tactics and develop strategies to increase the effectiveness of their security efforts.
Additionally, security organizations are often divided into operational silos, with each silo focusing on specific detection or protection tools. This structure with attention to “tools used” and “small team goals” is not always beneficial. Focusing instead on a higher level – fighting opponents who try to break through your defenses – changes the dynamic of the entire team and begins by knowing the opponent, which benefits the individual security practitioner as well as the whole. organisation.