The Necessity of Enemy Perspectives: The Enemy Gets a Vote

The enemy gets a vote. Retired Marine Corps General James Mattis, the current Secretary of Defense, is fond of this observation, and in many areas, especially cyber security, it rings true. The enemy does get a vote. Good network hygiene and ensuring that you have the latest technology only go so far. What is necessary is opening up the view of the cyber security staff to the enemy’s perspective and gaining an understanding of the enemy’s capabilities.

When preparing for potential operations, U.S. military commanders perform mission planning, tasking their intelligence section to conduct Intelligence Preparation of the Battlefield (IPB). This gives the commander the ability to plan and act by intent, with knowledge of the nature of the threats their forces will most likely encounter, while also establishing the means to develop intelligence requirements for continued operations. The Army field manual describes IPB as “a systemic, continuous process of analyzing the threat and environment in a specific geographic area.” Within the realm of cyber security, we can adapt this to describe threat intelligence as a systemic, continuous process of analyzing the threat against a specific organization and its assets, since each organization faces differing threats based on its industry, asset types and controls. The key is in gaining visibility into what the enemy sees within this battlespace.

This is the role that threat intelligence plays in an enterprise. It should be used as the connective tissue between network defenders and what they can anticipate defending against, based on not only vulnerabilities and malicious code, but also what is known about the enemy. Intelligence analysts need to “flip the map” and look at the organization from the eyes of an attacker, helping to illuminate the adversary and their capabilities.

Above, I briefly described the U.S. military’s process of IPB. In this process, the adversary’s order of battle (its units, formations and equipment) and military infrastructure are analyzed to understand the adversary’s capabilities and how they “match up against” the capabilities of the U.S. military. Globalsecurity.org provides nine factors to consider when reviewing enemy order of battle and capabilities:

  • Composition
  • Disposition
  • Strength
  • Tactics
  • Training
  • Logistics
  • Combat Effectiveness
  • Electronic Technical Data
  • Miscellaneous

While not all of these factors can be accounted for when analyzing potential threat actors, several of them should be considered, or adapted for our purposes, such as:

  • Composition and Strength: Can we determine whether the threat actor is a group or an individual? If a group, can we associate it with like groups?
  • Tactics: Do we have intelligence on historical courses of action or Tactics, Techniques, and Procedures (TTPs)?
  • Logistics: What does their infrastructure look like? Do they operate command and control servers? Is there potential nation-state sponsorship or funding?
  • Effectiveness: Are there previously identified successful attacks? How effective were they, and has the actor been known to target us in the past?

Understanding threat actor capabilities is necessary to gain the advantage and rapidly respond to these threats with countermeasures. Consumers of intelligence (CISOs, security directors and network defenders) need to task their threat intelligence sections with providing well-analyzed information on known threat actors that have both the intent and the capability to attempt exploitation or conduct an attack against their organization. It should be provided in a form that is easily consumable and leads to control evaluations, and therefore to a better security posture.

The enemy may always get a vote, but the outcome can still be in an organization’s favor: the better it knows its enemy, the better it can anticipate the enemy’s moves.

Danny Pickens
Practice Director, Enterprise Incident Management | Optiv
Danny Pickens has two decades of experience in the fields of military intelligence, counterterrorism and cyber security. Throughout his career, he has spent time at the tactical, operational and strategic level of intelligence and cyber operations within the United States military and various divisions of the Department of Defense and other U.S. Government organizations, as well as private enterprise. As the practice director of Optiv’s Enterprise Incident Management professional services team, Pickens is responsible for the direction and engagements of Optiv’s incident management services, encompassing both proactive and reactive incident management operations.