In Part One of the series, the Fidelis TRT (Threat Research Team) discussed intelligence support to identify and prioritize threats based off telemetry data and external sources. In this blog (part two), we will consider how to apply qualitative risk metrics to known and observed threats.
Currently, there are several widely established and accepted metrics and matrices for scoring and measuring the technical capabilities and risks of campaigns, vulnerabilities, tactics, and artifacts. These include, but are not limited to, the MITRE ATT&CK framework, Lockheed Martin’s Cyber Kill Chain, and the Common Vulnerability Scoring System (CVSS). These are extremely valuable for the information and indicators they were established to provide.
In addition to these various quantitative matrices and metrics, intelligence analysis also has a certain qualitative aspect that needs to be considered. In my personal experience and practice, a mature and well-developed approach to threat intelligence takes into consideration these qualitative (sometimes referred to as “arbitrary”, negative connotation) approaches. These qualities are inherent to the actual actor or group “behind the keyboard”. This type of metric would focus not only on hard, technical and quantitative risks and activities, but also include aspects like a threat’s motivations, influences, intent, and purpose.
Below are samples of my concept of how this type of metric would be captured and visualized. Each vertex on the radar-charts represents a unique quality or dimension, which culminates into a total overall score that is computed by combining the values of each of the vertices.
Identifying and observing threat actor behavior, beyond their current technical capabilities and tools, can assist an intelligence team’s situational awareness in determining a threat’s future behavior, their impact, and the risk to a vertical or organization from that specific actor or group. Additionally, these metrics can serve as a quick reference for decision makers. This type of threat intelligence and threat evaluation should be coupled with a terrain-based cyber defense strategy and properly implemented existing matrices and frameworks that are designed to identify technical (network or endpoint-based) patterns and behaviors. This approach supports a more complete target package of a threat actor and a more accurate risk profile.
When assessing future threat actor activity and potential risks, two items that should be communicated as part of the analysis are the probability and effects of the assessed actions. These can be satisfied with two statements known as the Most Dangerous Course of Action (MDCOA) and Most Likely Course of Action (MLCOA). MDCOA/MLCOA are two simple, yet effective and clear, methods of explaining and communicating future activity and impacts based off observed trends, patterns, and terrain analysis. Both statements are also a cornerstone in military intelligence reports and briefings to supplement decision making, and they fulfill a current gap in cybersecurity threat intelligence. We see a lot of after-the-fact attribution and technical details, and less often see an explanation or assessment of why it happened and what could happen in the future based off past and current events and developments.
The MDCOA can be described as the tactics, techniques, or actions taken by a threat actor that could result in a worst-case scenario outcome. This can be based on new threat developments and observations or the defender’s/victim’s vulnerabilities and gaps. MDCOAs are usually also a deviation from the norm or expected course of action, and focus more on impact than probability; however, the probability of a MDCOA event occurring should be considered as part of the assessment.
Conversely, the MLCOA can be described as the expected and probable tactics, techniques, or actions taken by a threat actor based on observed patterns and historical events. The MLCOA focuses on probability and likelihood; however, just like any assessment, the MLCOA should be supplemented with an impact statement and explanation by the analyst.
The Fidelis Threat Research Team observes and follows intelligence best-practices throughout its collection, analysis, and dissemination cycle. Adhering to these well-established fundamentals, while also researching and incorporating new and innovative solutions to our intelligence operations allows us to deliver relevant and timely information to support organizational and asset protection, provide situational awareness, and drive content and countermeasures.