Using MICE to Understand Your Adversary

Using MICE to Understand Your Adversary

There are many different reasons why malicious actors would attack your network and assets; some for monetary gain and others just for fun. Intelligence officers use the acronym “MICE” to determine what would push a potential source of intelligence information over to providing such information to a U.S. intelligence official (Crumpton, 2012). This blog will cover what this acronym is and how these principles can be used to determine the motivation behind those targeting your network, assets and employees. Having this understanding will enable visibility into your organization’s threat profile and will allow your security staff to rate risk and relatability levels.




One of the main reasons that an adversary targets particular organizations, such as those in the retail space, is for monetary gain. Money is a huge motivating factor for us all, and it’s no different for those with the capability to hack point-of-sale devices or run adware and spam campaigns. There are several individuals and organizations that work for monetary gain, with one well-known example being the Russian Business Network.


Over the past year the retail industry has seen a significant spike in reported breaches resulting in the compromise of point-of-sale systems that have put at risk hundreds of millions of credit and debit card records. As malware of all types continues to evolve, attackers that are financially motivated will continue to target the retail, hospitality and financial sectors with POS malware, banking Trojans and cryptographic malware like cryptolocker or similar file encrypting malware. Knowing that an attacker is motivated by monetary gain and understanding their attack vendors enables security teams to make and push the appropriate policies.


It was recently reported that three bank employees worked with two outside individuals in an identity theft ring to compromise the identities of bank customers, creating fake IDs and then making false withdrawals throughout the Northeast. As you can see, money plays one of the largest roles in attacking both persons and corporations. A 2014 paper by Intel Security estimates that the global economy suffers a loss of more than $445 billion dollars annually due to cybercrime and espionage. This number is staggering, and malicious actors are motivated to gain their share.




For those that fall in the hacktivist group of threat actors, ideology is a big motivating factor. For example, the Syrian Electronic Army uses their ideology and support for troubled Syrian leader Bashar al-Assad as motivation behind their many successful attacks on media outlets, government organizations and private citizens. Their main goal is to spread propaganda in support of the Assad regime to counter negative press coverage.


Another well-known group of hacktivists, Anonymous, uses ideology to inspire themselves and like-minded followers to support their many “causes.” Their latest campaigns targeting sponsors of this year’s World Cup, their attempt to identify the police officer in the recent shooting incident in Ferguson, Missouri or their campaign against supporters of the terrorist organization Islamic State have not been as high-profile as those in recent years, but the fact remains that the basis for these campaigns revolve around ideology.


Ideology can also be based on patriotism. Russian actors, who some maintain are not controlled by the Kremlin, have been known to target adversaries in recent Russian military actions, like those seen in the Ukraine and the Russo-Georgian conflict of 2008. On our own shores, there is “The Jester” who uses patriotism as motivation for targeting sites of those that sympathize with terrorists or sponsor actions that would harm Americans or American interests.


Using MICE

THE JESTER's donated computer on display at the International Spy Museum.




The term compromise here is more about the threat in the human terrain, or the insider threat, and not the digital one. Compromise can be seen in the form of blackmail or coercion of an individual to assist in corporate espionage or sabotage. If a malicious actor has knowledge that poses a threat to someone’s livelihood or social standing, it would be easy to coerce that individual into performing actions on behalf of the actor. These actions could be assisting with remote or physical access or giving up proprietary data, intellectual property or sensitive system information.


Traditionally, we view compromise of the individual as a successful social engineering campaign. However, social engineering is only one aspect of compromise in the human terrain. Emotions, such as revenge, can also play a role in the compromise of the individual. In the case of Darnell Albert-El, he gained access to his former employer’s website with an active administrator account and deleted approximately 1,000 files. He had been fired about a month prior, fueling the attack. In another and more extensive case, a former employee of Gucci was indicted on over 50 counts for revenge hacking after his termination from the company.




Finally, there are those who hack simply for the joy of taking down a target and inflating their ego. They want to establish themselves and their power in the community. Many of the attacks those with power on their minds affect are other hackers. For example, when LulzSec was actively engaged in campaigns against Sony and the U.S. government in 2011, hackers of the group “A-Team” targeted LulzSec members and exposed them.


Attackers with this mentality can be extremely dangerous because their drive to make a name for themselves can make their targets unpredictable. However, those that do wish to make a name for themselves often leave calling cards after a successful attack. In the case of a suspected Chinese PLA hacker known as UglyGorilla, researchers tracking his activity state that he leaves his initials “UG” in logs and embedded in the malware used on compromised systems.




When determining what your threat landscape is and the risks to your information and assets, knowing an attacker's motivation can allow for grouping and categorizing these threats. Using “MICE” to gain this understanding will enable you to determine:


  • For those that are financially motivated, is my business a high target?
  • Would those that are motivated by ideology view my organization as a threat to their social views?
  • Are there former employees that have left with a grudge and have the knowledge of our infrastructure to gain unauthorized access?


Starting with these questions leads to building intelligence requirements that can focus your staff on collecting and analyzing intelligence information on the subjects and providing predictive, actionable intelligence assessments. These assessments in turn will enable decision makers to push policy to protect against the threats determined to be plausible and of risk to your organization.

Danny Pickens
Practice Director, Enterprise Incident Management | Optiv
Danny Pickens has two decades of experience in the fields of military intelligence, counterterrorism and cyber security. Throughout his career, he has spent time at the tactical, operational and strategic level of intelligence and cyber operations within the United States military and various divisions of the Department of Defense and other U.S. Government organizations, as well as private enterprise. As the practice director of Optiv’s Enterprise Incident Management professional services team, Pickens is responsible for the direction and engagements of Optiv’s incident management services, encompassing both proactive and reactive incident management operations.