
Want more from your threat intelligence? Learn to think like an APT

July 2, 2024
Anton Chuvakin

Security Advisor, Office of the CISO, Google Cloud

Seth Rosenblatt

Security Editor, Google Cloud


Unprotected, unsupported, and end-of-life internet-connected devices are regularly sought out by threat actors, most recently using an evolving mesh network to hide global espionage operations.

These operational relay box (ORB) networks, which tie compromised devices to virtual private servers, have been constructed by advanced persistent threat (APT) actors to grow quickly even while shedding devices that are patched or taken offline. While governments and larger enterprises are regular targets of APT activity, no organization is immune. It could be that you're a direct target of an APT group, or it may be that they're using your organization as a stepping stone to reach their intended target.

The risk of becoming a target of APT activity accelerates in times of geopolitical tensions, where APTs are more willing to conduct aggressive operations. Regardless of motivation — espionage, financial gain, disruption, or destruction — organizations of all shapes and sizes need to be ready for threats posed by APTs.

“Understanding actors and the motivations behind their activity is really important," said John Doyle, a principal intelligence enablement consultant at Mandiant, during an episode of our Cloud Security podcast. “They all have different objectives they’re trying to achieve.”

He continued, “Mapping between groups and how they functionally align themselves and undertake operations gives you the foresight to understand — am I in the crosshairs? Is my organization something that will be targeted? And if so, how can I prioritize defense against it?”

Mandiant, part of Google Cloud, recently launched a new on-demand course, Inside the Mind of an APT, to help organizations develop a better understanding of APT groups, how they operate, and how to forecast the types of threats they are most likely to face, with a heavy focus on Russia, China, Iran, and North Korea. The course's origins lie in the desire of Doyle and his colleagues to create education that they believe can help give the next generation of threat intelligence analysts a step up on their career paths.

Maximizing the value of your intel with better context

One common perception about threat intelligence is that developing it is more of a tactical, technical exercise. You evaluate your exposed attack surface and gather current threat indicators to create detection rules that help flag potential threats.

While valid, this approach alone doesn't give you enough context to prioritize defenses for your individual organization. Understanding what motivates APT groups can help you understand whether you are a likely target, help you invest resources in the right capabilities, and help you apply them where they are most effective. It can also help move an organization from being reactive, always in response mode, to proactive, using foresight to anticipate the implications of shifts in world events.


While smart analysts armed with more contextual understanding will be able to better apply threat intelligence, we're also exploring how we can apply AI to make the process easier.

Doyle observed that many IT departments focus on protecting what they view as their highest-value assets, assuming they will be likely targets in an APT attack. However, a better understanding of the threat landscape can help you understand if attackers are valuing your assets differently. Better background knowledge of a group’s specific doctrines and long-term objectives can help you invest time and resources more appropriately.

An APT group’s priorities dictate how it employs cyber operations and its chosen targets. For instance, a group operating in a country under sanctions may be tasked with gaining information that supports revenue generation. However, a group with directives to increase domestic competitiveness or military superiority is more likely to focus on cyber espionage to avoid investing in research and development.

“There's a lot of misalignment around what the defenders think and what the adversaries think,” he said. “Defenders will say, ‘We need to make sure this system doesn’t break. This is our critical dataset, database, or some other asset.’ That’s important, but sometimes, threat actors don’t care about any of it.”

Injecting threat intelligence earlier in the targeted attack lifecycle can help shape good decisions that cost less, deliver quick detections, reduce dwell time, and even prevent breaches. For example, comparing what an APT group has targeted historically against your identified high-value assets may reveal surprising gaps or certain biases that impact how you identify and analyze threats, which can cause you to misdirect budget and resources.


In addition, mapping knowledge about doctrines and specific targeting priorities to distinctive threat actor tactics, techniques, and procedures can help you develop playbooks and cybersecurity strategies that enable you to stay a step ahead of threats.

“These actor groups are called APTs for a reason. They’re persistent, and they’re going to come after you time and time again,” Doyle said, because these governments are interested in information you possess, or you operate in areas of strategic interest to them. “Having that functional understanding of the various different groups and the background of familiarization lends itself to you not having to do work over and over again,” he said.

Building a solid foundation to be better prepared

When it comes to using threat intelligence, following the threat actors most likely to target your organization can help you defend against the activity you're most likely to experience. It can also help you respond to and remediate the threats that get through more quickly.

“It's fundamentally important for organizations to understand who is going after them and why,” Doyle said. “Instead of looking at logs and technical data and working back, you can look at the mission mandate and say you don’t have coverage or heat maps or playbooks created for this group.” Developing accurate threat models and building a cyber threat profile can help prioritize security investment.

For instance, in Mandiant’s annual M-Trends report, we highlight cases where persistent adversaries including APTs carry out successful, high-profile intrusions without the use of zero-day vulnerabilities, custom malware, or new tools. These tactics underscore a troubling deviation from traditional threat behaviors — and the need to anticipate how adversaries may shift their approaches over time.

In other words, you might successfully defend against an attack from a group once, but are you confident you’ll be ready the next time they strike? The only way to do that is to improve your awareness of and expertise on APT groups — notably those most likely to target your organization.

Mandiant’s course provides a critical frame of reference that enables organizations to understand how threat groups operate, and what they are most likely to do next. While it focuses on the “Big Four” cyber countries — China, Iran, North Korea, and Russia — Doyle said the course was designed to give a comprehensive mental model that can be applied to any potential persistent actor.

“It’s really getting into the mind of the actor itself and building a thought process,” Doyle said. “Going from the whole ‘everybody’s out to get us’ to a reasonable set of actor groups that you should care about and, more specifically, the technologies they might go after.”

For more on building enterprise threat intelligence, you can listen to the Cloud Security podcast here or sign up for the course, Inside the Mind of an APT.
