Recently, ACSC members were briefed by Assaf Dahan, the head of Cybereason’s Nocturnus Research Group. Dahan talked about an attack, dubbed Operation CuckooBees, which was assessed to be the work of Chinese APT Winnti. This example of cyber espionage shows how bad actors can silently steal intellectual property for years, resulting in huge expenses and repercussions long after the intrusion itself.
While Dahan briefed our members on how the campaign worked and provided a detailed analysis of the malware and exploits used, an even bigger takeaway was the importance of knowing yourself before you can adequately protect yourself.
What Does ‘Know Thyself’ Mean?
It may seem like a silly question. Of course you know your company, right? But does everybody on your team? We often describe cybersecurity as a team sport, and if every player doesn’t understand the playbook, it’s hard to compete.
Knowing thyself is an integral part of the intelligence lifecycle. You have to know your stakeholders – the people you are collecting intelligence for. You need to know what systems they have, what software they use – and anything else that will help guide you in deciding what intel they need.
Dahan says the first step in knowing thyself is self-reflection: understanding the requirements of your organization. A good cyber threat intelligence (CTI) team comes in handy here.
“It’s not just about collecting external information,” Dahan said. “Talk to your stakeholders to understand what we are protecting as a threat intel team. Know thyself and then you can know thy enemies.”
Collecting external information can be done via the threat intel sharing and exchange forums and frameworks you can join. Many vendors have more tailored offerings for intel feeds and reports as well as actionable intelligence, but that’s where you need a knowledgeable team to judge what is actionable and to recognize what’s missing. This is where the ACSC’s Threat Intelligence Network comes into play, discussing strategies and effective integrations.
And Know Thy Enemy
Dahan says that while it’s tempting to cast a wide net when considering potential bad actors, it isn’t necessarily efficient.
“Somebody has to go through all of that data,” he said. “If you can laser focus your threat hunting on specific threat actors that are relevant to your industry, you’ll be in a better position.”
This “inside-out” approach begins with the development of an enterprise risk model. Your model should include likely attackers, your most attractive assets and the techniques that could be used. If you can identify threat actor intent and behavior, you can understand where your vulnerabilities lie, assign them priorities and build defensive plans to pre-empt those attacks.
It’s a bit like playing a game of chess. You can only win if you can correctly predict the moves of your opponent. But chess isn’t a team sport – and cybersecurity is. Continuous training and practice paired with actionable threat intel is the only way the good guys will win.
The ACSC Threat Intelligence Network focuses on effective practices for building, managing, and communicating threat intelligence using both internal and external resources. We believe in sharing the means of tracking and reporting threat intelligence metrics and discussing timely topics such as geopolitical intelligence or large-scale incident response support. Interested in becoming a member? Email jdinneen@acscenter.org.