Building the cyber threat landscape
In this section, we will walk through the process of performing a unified cyber threat analysis, explore its key factors, and define the next steps.
First, we need to define the list of key assets. External attack surface management (EASM) solutions can help automate this step. Usually, you will need the following:
- A list of public IP addresses of the infrastructure that have been exposed to the internet
- A list of DNS zones, both those used internally (the Active Directory domain) and externally (to publish the organization’s web resources on the internet)
- Some organization-specific keywords that may help to identify all externally hosted assets
The result is an inventory of the organization’s assets: exposed business applications, the vulnerabilities and misconfigurations found in them, owned IP address ranges and DNS zones, third-party solutions, exposed employee details, and the geography of all of these.
The next step is to gather CTI to build the cyber threat landscape. Start by choosing the most valuable sources of CTI: cybersecurity vendors’ threat reports, paid access to CTI platforms, subscriptions to cybersecurity blogs and news outlets, or engaging CTI consultants. The more relevant feeds you use, the better; however, every feed costs time and money to consume, and budgeting for that is outside the scope of this book.
Once these prerequisites have been met, you can proceed. The following example shows how to use a CTI platform to get a list of relevant threat actors as quickly and efficiently as possible:
- Filter cyber threat actors by target region. Every region where the organization has a presence must be specified.
- Filter cyber threat actors by target industry, making sure every sector the organization operates in is included.
- Filter by activity: the threat actor should be active. The catch is that attackers may be inactive for a variety of reasons: members of the group may have been arrested (Emotet and NetWalker in January 2021, Egregor in February 2021, Cl0p in June 2021), the attackers’ infrastructure may have been identified and taken down by law enforcement (Hive), or they may have regrouped and joined other syndicates (REvil, DarkSide). An example of filtering is shown in Figure 1.2:
Figure 1.2 – Example of the threat actors in the cyber threat landscape after filtering by region and industry
It is important to mention that some groups may be inactive for other reasons. For example, they might have noticed that their operation was publicly disclosed and paused activity until conditions change. APTs in particular may stay silent for a while until new tasking arrives. Such groups must still be included in the cyber threat landscape, but covering their TTPs can be a lower priority than covering the active actors, so that the cybersecurity team’s limited resources go where they matter most. When these groups become active again, the CTI provider’s notification is the trigger for the security team to pick them up and work through the same steps. This is not a call to action, just one tip on how to build a process when team resources are limited.
Once the list of cyber threat actors has been compiled, a strategic summary is created. The next actions involve a deep dive into the operational, technical, and tactical threat intelligence details.
This is where the cybersecurity team steps in. The next step is to learn the adversaries’ attack life cycle. Usually, vendors provide this information by mapping it to well-known, industry-standard frameworks. Almost all cybersecurity companies provide a MITRE ATT&CK® mapping (see Figure 1.3); only a few provide a detailed list of the procedures observed during an attack:
Figure 1.3 – Example of a MITRE ATT&CK® mapping for the threat actors in a cyber threat landscape
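The three filters (region, industry, activity) and the ATT&CK mapping can be combined into a small script that turns a CTI feed into a prioritized technique list. The following is an added example written for this section; it is not code from the book or from any CTI platform. The record layout, the status values, the 180-day dormancy threshold, the half weight for dormant actors, and every actor in the feed are assumptions constructed for illustration (the actor names are placeholders, not real groups).

```python
# Added example (not from the book): build a threat landscape from a CTI feed by
# filtering actors on region, industry and activity, then rank the ATT&CK
# techniques the remaining actors use. The record layout and every actor below
# are constructed for illustration; real CTI platforms expose similar fields
# through their own APIs.
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ThreatActor:
    name: str
    target_regions: frozenset
    target_industries: frozenset
    last_seen: date          # date of the most recent observed activity
    status: str              # assumed values: active, arrested, infrastructure_seized, regrouped
    techniques: frozenset    # ATT&CK technique IDs from the vendor's mapping


# Statuses that mean the group is gone in its current form (the arrest, takedown
# and regrouping cases from the text); these are dropped from the landscape.
DEFUNCT = {"arrested", "infrastructure_seized", "regrouped"}

AS_OF = date(2023, 6, 1)   # assumed "today" so the example is reproducible

# Constructed sample feed; the actor names are placeholders, not real groups.
FEED = [
    ThreatActor("ACTOR-A", frozenset({"Europe", "North America"}), frozenset({"Financial services"}),
                AS_OF - timedelta(days=10), "active",
                frozenset({"T1566.001", "T1059.001", "T1003.001", "T1021.002"})),
    ThreatActor("ACTOR-B", frozenset({"Europe"}), frozenset({"Financial services", "Retail"}),
                AS_OF - timedelta(days=400), "active",   # silent for over a year: dormant, not defunct
                frozenset({"T1566.001", "T1078", "T1486"})),
    ThreatActor("ACTOR-C", frozenset({"Europe"}), frozenset({"Financial services"}),
                AS_OF - timedelta(days=30), "arrested",
                frozenset({"T1566.001", "T1486"})),
    ThreatActor("ACTOR-D", frozenset({"APAC"}), frozenset({"Financial services"}),
                AS_OF - timedelta(days=5), "active",
                frozenset({"T1190", "T1505.003"})),
    ThreatActor("ACTOR-E", frozenset({"North America"}), frozenset({"Healthcare"}),
                AS_OF - timedelta(days=5), "active",
                frozenset({"T1486"})),
    ThreatActor("ACTOR-F", frozenset({"North America"}), frozenset({"Financial services"}),
                AS_OF - timedelta(days=5), "active",
                frozenset({"T1059.001", "T1003.001", "T1021.002", "T1047"})),
]


def build_landscape(actors, regions, industries, as_of=AS_OF, dormant_after_days=180):
    """Apply the three filters from the text: region, industry, activity.

    Returns (active, dormant). Defunct actors are dropped. Actors that still
    exist but have not been observed for more than dormant_after_days stay in
    the landscape at lower priority, as the text recommends for silent APTs.
    """
    active, dormant = [], []
    for actor in actors:
        if not (actor.target_regions & regions and actor.target_industries & industries):
            continue                      # outside our regions or sectors
        if actor.status in DEFUNCT:
            continue                      # arrested, taken down or absorbed elsewhere
        if (as_of - actor.last_seen).days > dormant_after_days:
            dormant.append(actor)
        else:
            active.append(actor)
    return active, dormant


def technique_priority(active, dormant, dormant_weight=0.5):
    """Rank ATT&CK technique IDs by how many in-scope actors use them.

    Dormant actors count at a reduced weight, so the detection backlog is
    ordered by the techniques most likely to be used against the organization.
    Ties are broken by technique ID so the output is deterministic.
    """
    scores = Counter()
    for actor in active:
        for technique in actor.techniques:
            scores[technique] += 1.0
    for actor in dormant:
        for technique in actor.techniques:
            scores[technique] += dormant_weight
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    org_regions = frozenset({"Europe", "North America"})
    org_industries = frozenset({"Financial services"})
    active, dormant = build_landscape(FEED, org_regions, org_industries)
    print("Active:", [a.name for a in active])
    print("Dormant:", [a.name for a in dormant])
    for technique, score in technique_priority(active, dormant):
        print(f"{technique:<10} {score:.1f}")
```

With the constructed feed, ACTOR-C, ACTOR-D and ACTOR-E are filtered out (arrested, wrong region, wrong industry), ACTOR-B is kept as dormant, and the ranked list puts the techniques shared by both active actors at the top. In practice the feed would come from the CTI platform's export and the region and industry sets from the asset inventory built in the previous step.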
However, not all of these tactics and techniques apply to a given organization’s infrastructure, and this book is concerned with Windows systems in particular. With that in mind, we will focus on how adversaries attack Windows infrastructures so that we can make them safer.
Let’s stop here for now and summarize this chapter.