Attribution and Threat Modeling

Thank you for joining us on article two of our series about the Future of Threat Intelligence at Netflix.

Early in my career I liked to imagine myself locked in a battle of wits with a Karla of some sort. The reality is less literary archrival and more a diverse set of ne’er-do-wells, but equally challenging. Absent a specific villain, what is the role of attribution in a corporate threat intelligence program? As with most things, it turns on the business value delivered: if knowing the name of the person targeting your systems helps reduce risk for your organization, then discovering that information should be a goal of your intelligence program. In practice, however, this is seldom relevant to business risk reduction outside the rare cases where one might cooperate with law enforcement to target a particularly problematic fraud actor or, as we will discuss later, in the world of physical and information security convergence. While law enforcement needs individual attribution, corporate security programs can most often work at a coarser granularity without losing impact. The goal is to better understand the intent and capabilities that comprise a threat.

Attribution is valuable during an incident inasmuch as it provides leads on how to scope the intrusion or detect the attacker. If attribution yields actionable information on capabilities, such as TTPs (or even IOCs) that can be used to find other signs of intrusion, then it is a worthwhile exercise. If a malicious third-party integration is discovered in a user’s G Suite account, and this matches the TTPs/IOCs of a threat actor also known to set up forwarding rules in mailboxes, that knowledge can be used in cleanup efforts and to hunt for other compromised accounts in the environment. Whether this actor was APT28 or APT29, or the GRU versus the SVR, has little bearing, but the basic class of attacker (state actor - I will avoid the redundant ‘nation state’) reveals much about the broad capabilities one could expect.
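To make the hunt concrete, here is an added example (not code from the original post or from Netflix) that runs the TTP/IOC logic above over a handful of constructed audit events. The event field names, the app name "Mail Sync Pro", the collection domain, and the 24-hour pairing window are all assumptions standing in for whatever the incident actually surfaced; the point is that the behavioural TTP match (mail-scoped app authorization followed by a forwarding rule) still fires when the IOCs are rotated.

```python
"""Hunt for the TTP pair described above: a third-party integration authorized
with mail scope, followed by an outbound mail-forwarding rule on the same account.
The log format is a constructed, simplified stand-in for a mail-platform audit
log (field names are assumptions, not the real G Suite schema)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events, one dict per event (not real data).
SAMPLE_EVENTS = [
    {"ts": "2023-04-01T09:02:10Z", "user": "alice@example.com", "event": "authorize_app",
     "app": "Mail Sync Pro", "scopes": "https://mail.google.com/"},
    {"ts": "2023-04-01T09:05:44Z", "user": "alice@example.com", "event": "forwarding_rule_created",
     "forward_to": "collector@mailbox-archive.example"},
    {"ts": "2023-04-01T10:15:00Z", "user": "bob@example.com", "event": "authorize_app",
     "app": "Calendar Helper", "scopes": "https://www.googleapis.com/auth/calendar.readonly"},
    {"ts": "2023-04-02T14:20:31Z", "user": "carol@example.com", "event": "forwarding_rule_created",
     "forward_to": "carol.personal@example.org"},
    {"ts": "2023-04-03T08:00:00Z", "user": "dave@example.com", "event": "authorize_app",
     "app": "Mail Sync Pro", "scopes": "https://mail.google.com/"},
    {"ts": "2023-04-03T08:01:12Z", "user": "dave@example.com", "event": "forwarding_rule_created",
     "forward_to": "collector@mailbox-archive.example"},
    {"ts": "2023-04-03T12:00:00Z", "user": "erin@example.com", "event": "authorize_app",
     "app": "Mail Sync Pro", "scopes": "https://mail.google.com/"},
]

# IOCs pulled from the incident that started the hunt (constructed values):
# the malicious app's display name and the domain of the attacker's collection mailbox.
KNOWN_BAD_APPS = {"Mail Sync Pro"}
KNOWN_BAD_FORWARD_DOMAINS = {"mailbox-archive.example"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def hunt(events, window=timedelta(hours=24)):
    """Return {user: [finding, ...]} for every account with an IOC or TTP hit.

    IOC hits are exact matches on app name or forwarding domain. The TTP hit is
    behavioural and survives the attacker renaming the app or rotating the
    collection mailbox: any mail-scoped app authorization followed within
    `window` by a new forwarding rule on the same account.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        hits = []
        for e in evs:
            if e["event"] == "authorize_app" and e["app"] in KNOWN_BAD_APPS:
                hits.append(f"ioc:app:{e['app']}")
            if e["event"] == "forwarding_rule_created":
                domain = e["forward_to"].rsplit("@", 1)[-1]
                if domain in KNOWN_BAD_FORWARD_DOMAINS:
                    hits.append(f"ioc:forward_domain:{domain}")

        auths = [e for e in evs if e["event"] == "authorize_app" and "mail" in e["scopes"].lower()]
        fwds = [e for e in evs if e["event"] == "forwarding_rule_created"]
        for a in auths:
            for f in fwds:
                delta = parse_ts(f["ts"]) - parse_ts(a["ts"])
                if timedelta(0) <= delta <= window:
                    hits.append(f"ttp:mail_app_then_forward:{a['app']}->{f['forward_to']}")

        if hits:
            findings[user] = hits
    return findings


if __name__ == "__main__":
    for user, hits in hunt(SAMPLE_EVENTS).items():
        print(user)
        for h in hits:
            print("   ", h)
```

On the constructed data, alice and dave are flagged on both the IOCs and the TTP, erin is caught on the app IOC alone before any forwarding rule lands, and carol's forward to a personal mailbox is left alone because nothing ties it to the actor. That last case is the usual trade-off: the behavioural rule is deliberately narrow so it does not drown the hunt in ordinary forwarding.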

Attribution to a specific international actor might reveal something more about intent, and could inform the defender about the goals of the attackers or the level of effort they are willing to exert. Taking a different example: if you observe malicious scanning activity, is this an in-the-wild Struts scanner that is hitting everyone, or a targeted scan of just our ranges? If the former, it is likely a commodity payload and I have high confidence our OS-level controls will thwart it, or, if it lands, it will do something annoying like mine coins rather than something awful like steal customer data. If the latter, it warrants closer monitoring and possibly manual intervention to quarantine and observe the attack as it tries to evolve. Further efforts at attribution can be tantalizing, but if the information is not driving decision making, then it is not adding business value.
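The commodity-versus-targeted call above can be made from the logs themselves. The following is an added example (not code from the original post or from Netflix) that triages Struts-style probes in a constructed web log: the address range, the hostnames, the log format and the "seen scanning everyone" set standing in for external telemetry are all assumptions, and the heuristics are deliberately simple. A source that is known to be sweeping the whole internet is commodity; a source that nobody else has seen and that is probing by our real hostnames has done reconnaissance on us specifically; a bare-IP sweep of our space with no external sighting yet goes to an analyst rather than being assumed harmless.

```python
"""Triage Struts-style probes seen in our web logs: is the source sweeping
everyone, or working through our named hosts specifically? The log format is a
constructed, simplified combined-log variant that carries the destination IP,
Host header and Content-Type; the ranges, hostnames and the external-telemetry
set are all assumptions for the example."""
import ipaddress
import re
from collections import defaultdict

OUR_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # constructed (TEST-NET-3)
OUR_HOSTNAMES = {"www.example.com", "billing.example.com", "partners.example.com"}
# Stand-in for external telemetry (honeypots, community feeds) of sources seen
# probing the whole internet. Constructed set, not a real feed.
SEEN_SCANNING_EVERYONE = {"198.51.100.7"}

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'dst=(?P<dst>\S+) host="(?P<host>[^"]*)" ctype="(?P<ctype>[^"]*)"$'
)

# Constructed sample log lines. The ctype values mimic the OGNL-in-Content-Type
# probe associated with the 2017 Struts bug (CVE-2017-5638); payloads trimmed.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Apr/2023:09:00:01 +0000] "POST / HTTP/1.1" 404 dst=203.0.113.10 host="203.0.113.10" ctype="%{(#_='multipart/form-data').(#cmd='id')}"
198.51.100.7 - - [01/Apr/2023:09:00:02 +0000] "POST / HTTP/1.1" 404 dst=203.0.113.11 host="203.0.113.11" ctype="%{(#_='multipart/form-data').(#cmd='id')}"
198.51.100.7 - - [01/Apr/2023:09:00:03 +0000] "POST / HTTP/1.1" 404 dst=203.0.113.12 host="203.0.113.12" ctype="%{(#_='multipart/form-data').(#cmd='id')}"
192.0.2.44 - - [01/Apr/2023:11:42:10 +0000] "POST /account/upload.action HTTP/1.1" 500 dst=203.0.113.20 host="billing.example.com" ctype="%{(#_='multipart/form-data').(#cmd='whoami')}"
192.0.2.44 - - [01/Apr/2023:11:43:55 +0000] "POST /portal/upload.action HTTP/1.1" 500 dst=203.0.113.21 host="partners.example.com" ctype="%{(#_='multipart/form-data').(#cmd='whoami')}"
192.0.2.99 - - [01/Apr/2023:11:50:00 +0000] "GET / HTTP/1.1" 200 dst=203.0.113.20 host="www.example.com" ctype=""
192.0.2.200 - - [01/Apr/2023:12:00:00 +0000] "POST / HTTP/1.1" 404 dst=203.0.113.30 host="203.0.113.30" ctype="%{(#_='multipart/form-data').(#cmd='id')}"
"""


def in_our_ranges(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_RANGES)


def is_struts_probe(ctype):
    # OGNL expressions start with %{ ; a legitimate Content-Type never contains one.
    return "%{" in ctype


def triage(log_text):
    """Return {src_ip: (verdict, reason)} for every source that sent a probe.

    commodity   - source is also seen probing everyone (external telemetry)
    targeted    - not seen elsewhere and probing by our real hostnames
    unconfirmed - bare-IP sweep of our space with no external sighting yet
    """
    probes = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        if in_our_ranges(d["dst"]) and is_struts_probe(d["ctype"]):
            probes[d["src"]].append(d)

    verdicts = {}
    for src, hits in probes.items():
        named = sorted({h["host"] for h in hits if h["host"] in OUR_HOSTNAMES})
        if src in SEEN_SCANNING_EVERYONE:
            verdicts[src] = ("commodity", f"seen scanning everyone; {len(hits)} hits here")
        elif named:
            # Resolving and using our real hostnames means the scan was built for us.
            verdicts[src] = ("targeted", "probing by hostname: " + ", ".join(named))
        else:
            verdicts[src] = ("unconfirmed", f"bare-IP sweep of {len(hits)} hosts, no external sighting")
    return verdicts


if __name__ == "__main__":
    for src, (verdict, reason) in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src:15} {verdict:12} {reason}")
```

The "unconfirmed" bucket is the honest one: a bare-IP sweep that only we have seen could be the opening of a targeted campaign or simply a scanner the feeds have not caught up with yet, and the decision it drives (watch it, or wait for telemetry) is exactly the kind of decision the text says attribution effort should be spent on.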

I see threat modeling as a closely related function - essentially attribution of potential attacks. A model in this case is a representation of an idea used to describe and explain phenomena that cannot be experienced directly. One could debate what it means to experience a threat directly (it feels pretty direct during an incident), but we seldom have complete information on the attack, particularly ahead of time, so I think the definition holds. A threat is an entity with the intent and capability to do you harm, so modeling threats is all about the attackers. Oddly, many definitions of threat modeling pull in vulnerability identification, attack surface definition, and asset cataloguing as part of threat modeling. To me that is a harmful expansion of scope that loses focus on the relevant aspects of an adversary-focused exercise. There is absolutely a need for asset inventory and vulnerability identification and tracking as part of an enterprise risk model; however, to conflate those with threat modeling dilutes the purpose, though risk management functions should be a primary consumer of threat intelligence.

For me, threat modeling should start with a comprehensive listing of threat actors. This is difficult to create, at least in a highly granular fashion, so again we reach for abstraction and start out with broad categories of folks who want to do your business harm. For many applications these comprehensive categories are granular enough, but it can also be helpful to break them down further, and perhaps choose some exemplars from the various buckets to get more specific in modeling capabilities against specific controls (detection and prevention). I wasn’t able to find a standard taxonomy for threat actor classes, but government, criminal, hacktivist, and explorer seem to appear in several places. I like these as they speak to intent rather than position. For example, you could use insider as a top-level threat category, but insiders may have criminal or hacktivist (disgruntled) or even government-derived (spy!) intent. Within these top-level intent-based classes you could further dissect based on capabilities, organized crime group versus individual fraud actor for example. You continue to refine this model until the distinctions you draw stop changing decisions on investments; then stop!

Within each of your chosen classes it is then helpful to define intent and capabilities. This feeds into scenario-based training using tabletops and/or red team exercises, which help sharpen the fangs between actual engagements, as well as measure current investments and increase confidence in your risk forecasts. The output (learning) of these simulations informs the enterprise risk and planning processes of your security program - see security learning organization.

Overall, attribution has a role to play in a modern threat intelligence program, but you need to carefully align the level of investment and specificity with what your particular business needs, and not chase attribution for curiosity’s sake. Threat modeling is related to attribution and plays an important role in planning investments and testing assumptions. I would be curious to hear from folks who have successfully integrated their threat intelligence with simulation as well as investment planning activities.

Stay tuned for our next post coming soon!