Focusing on Your Adversary

Read why organizations need to understand their adversaries and their preferred victims, tactics, techniques, and procedures to become proactive.

Joe Ariganello
January 4, 2023
<p>Every day, we hear news stories or read articles about data breaches and other cyber security threats. As malicious threat actors and the risk of cyber threats increase, protecting networks and valuable information becomes more critical. So what can organizations do to ensure their networks remain secure?</p>
<p>Organizations must understand who their adversaries are to keep data safe and protect it from cyber-attacks. This article explores the different types of threats facing enterprise organizations and what they can do to stay ahead of them.</p>
<h2>Evolving Cyber Attacks</h2>
<p>Cyber attacks are constantly evolving as attackers continue to find new ways to exploit vulnerabilities. Current trends include:</p>
<ul>
<li>Increased use of artificial intelligence (AI) and machine learning: Attackers are using AI and machine learning to automate and improve the effectiveness of their attacks. For example, AI can be used to generate convincing phishing emails or to bypass security systems.</li>
<li>Rise of ransomware: Ransomware attacks, which involve encrypting a victim’s data and demanding a ransom to decrypt it, have become increasingly common in recent years. Ransomware attacks can significantly impact businesses, disrupting operations and resulting in financial losses.</li>
<li>More targeted attacks: Rather than broad-based attacks that aim to compromise as many systems as possible, attackers are increasingly using targeted attacks designed to exploit a particular organization’s vulnerabilities.</li>
<li>Increased focus on mobile devices: Mobile devices, such as smartphones and tablets, are becoming increasingly vulnerable to cyber-attacks. As a result, attackers focus more on exploiting these devices’ vulnerabilities.</li>
<li>Increased use of cloud services: As more organizations move to the cloud, attackers are finding new ways to exploit vulnerabilities in these systems. For example, attackers may try to gain access to an organization’s cloud-based data or disrupt its cloud-based operations.</li>
</ul>
<p>It’s crucial for organizations to stay up-to-date on the latest trends in cyber attacks and to implement appropriate security measures to protect against them. It’s even more important to pinpoint your adversaries and understand their tactics, techniques, and procedures (TTPs) so you can protect against, and predict, their next attack.</p>
<h2>Types of Adversaries</h2>
<p>There are many different types of cybersecurity adversaries that organizations have to deal with. Some common types include:</p>
<ul>
<li><strong>Hackers:</strong> Individuals or groups who attempt to gain unauthorized access to systems or networks for various reasons, such as stealing data, disrupting operations, or causing damage.</li>
<li><strong>Cybercriminals:</strong> Individuals or groups who use the internet to commit crimes, such as identity theft, fraud, or extortion.</li>
<li><strong>Cyber terrorists:</strong> Groups whose goal is to disrupt operations, cause harm, and destroy data. They increasingly target critical infrastructure such as power plants, water treatment facilities, transportation systems, and healthcare providers.</li>
<li><strong>Nation-state actors:</strong> Governments or government-sponsored organizations that use cyber attacks as part of their foreign policy or military operations.</li>
<li><strong>Insider threats:</strong> Individuals with legitimate access to an organization’s systems or networks who use that access to cause harm or steal sensitive information.</li>
<li><strong>Malicious insiders:</strong> Individuals who are intentionally malicious and seek to cause harm to an organization’s systems or networks.</li>
<li><strong>Hacktivists:</strong> People who use hacking techniques to disrupt computer systems and networks in pursuit of political goals. Hacktivists often work alone, though some groups do exist.</li>
<li><strong>Script kiddies:</strong> Originally a term for young hackers, it now refers to anyone who uses tools built by others because they lack the skills and knowledge required to build their own. Script kiddies are typically motivated by money, fame, or notoriety and tend to go after easy targets.</li>
<li><strong>Competitors:</strong> Organizations or individuals seeking to gain an advantage over competitors by attacking their systems or networks.</li>
</ul>
<h2>Different Strokes for Different Folks</h2>
<p>The terms “threat actor,” “hacker,” and “attacker” are commonly used within the cybersecurity industry, often interchangeably, but they don’t mean the same thing. Let’s take a look at what each one means.</p>
<p>A threat actor is someone with malicious intent. They want to cause harm to another party. They might use hacking tools to steal credit card numbers or personal information, or to destroy computers or networks. Sometimes, they might try to scare people into giving up confidential information.</p>
<p>An attacker uses a tool to break into a system or network. An attacker doesn’t necessarily have malicious intentions; they might be trying to learn how something works or test out vulnerabilities. If an attacker finds a way into a computer system, they can access files, change settings, or delete important data.</p>
<p>Hackers are technically skilled individuals who find ways to break into systems. Hacking isn’t limited to breaking into a computer system; hackers can also break into phone lines or social media accounts. Some hackers work alone, while others form teams called “hacktivist” groups.</p>
<p>The difference between a hacker and an attacker is one of motivation. An attacker is motivated by profit, while a hacker is motivated by curiosity. For example, a hacker might want to learn how a system works in order to break into it later. An attacker, however, is looking to exploit vulnerabilities in a system for their own benefit. They might use the same vulnerability to take over a server and sell access to others.</p>
<p>Organizations must be prepared to deal with all types of adversaries to effectively protect their assets from cyber-attacks. This can include implementing robust security controls, regularly monitoring for threats, and planning how to respond to security incidents.</p>
<h2>Types of Attacks</h2>
<p>Cyber attacks come in many shapes and sizes. Some are obvious, while others are stealthier. It can sometimes be difficult to tell whether you’re being attacked or simply seeing routine network traffic. Regardless of how sophisticated an attack appears, attackers rely on a handful of basic tactics to compromise systems. These include malware, phishing, man-in-the-middle (MITM), distributed denial-of-service (DDoS), and social engineering.</p>
<p><em>Malware:</em> Malicious software is one of the oldest forms of cyberattack. It includes viruses, worms, Trojan horses, rootkits, keyloggers, spyware, adware, ransomware, and botnets. Malware is often used to steal sensitive information such as credit card numbers, passwords, emails, chat messages, and personal photos.</p>
<p><em>Phishing:</em> A phishing email looks like it’s coming from someone you know. For example, it could look like it came from your boss, bank, or spouse. If you open the link or attachment, you’ll likely download malicious code onto your computer. This attack is usually delivered via email attachments or links embedded within web pages.</p>
<p><em>Man-in-the-middle (MITM) attack:</em> This is where an attacker intercepts data traveling over a network and alters it in transit. A MITM attack is typically performed against SSL/TLS connections. An attacker might modify the encryption keys, change the certificate authorities, or insert their own certificates into the chain.</p>
<p><em>Distributed denial-of-service (DDoS) attack:</em> This type of attack floods a target with traffic, overwhelming it and making it impossible for legitimate users to access the site.</p>
<p><em>Social engineering:</em> Social engineering exploits human weaknesses to gain access to personal information and protected systems.</p>
<h2>Types of Threats by Industry</h2>
<p>Different types of cyber-attacks can be targeted at specific industries. For example:</p>
<ul>
<li><strong>Financial services:</strong> These organizations are often targeted by cybercriminals because they handle sensitive financial information and large amounts of money. Attacks such as phishing, malware, and ransomware can be used to steal sensitive information or disrupt business operations.</li>
<li><strong>Healthcare:</strong> Healthcare organizations store sensitive patient data and are, therefore, a target for cybercriminals. Attacks such as ransomware and phishing can be used to access and steal this sensitive information.</li>
<li><strong>Retail:</strong> Retail companies often hold sensitive customer data, including payment information, which makes them a target for cyber attacks. Attacks such as point-of-sale (POS) malware and card skimming can be used to steal this data.</li>
<li><strong>Government:</strong> Government agencies handle sensitive information about citizens and national security, making them targets for cyber attacks. Attacks such as phishing and malware can be used to access and steal this information.</li>
<li><strong>Manufacturing:</strong> Manufacturing companies often have complex supply chain systems and handle sensitive intellectual property, making them targets for cyber attacks. Attacks on industrial control systems (ICS), along with malware and ransomware, can disrupt business operations and steal intellectual property.</li>
</ul>
<p>It’s essential for organizations in all industries to be aware of the potential risks and to implement appropriate security measures to protect themselves against cyber attacks.</p>
<h2>The Need to Focus on the Adversary</h2>
<p>Organizations need to focus on the adversary because protecting their assets effectively requires understanding the motivations and tactics of the attackers who are likely to come after them. By understanding the methods adversaries use to compromise systems, organizations can take steps to prevent, detect, and respond to attacks. This can include implementing security controls to prevent unauthorized access, monitoring for malicious activity, and planning to respond to security incidents quickly.</p>
<p>Additionally, focusing on the adversary helps organizations prioritize their security efforts and allocate resources more effectively. By understanding the types of threats they are likely to face and the tactics attackers are likely to use, organizations can concentrate on the areas most likely to be targeted and implement the security measures that will do the most to protect their assets.</p>
<h2>MITRE Engenuity Attack Flow Project</h2>
<p>In 2021, Anomali joined <a href="https://mitre-engenuity.org/">MITRE Engenuity’s Center for Threat-Informed Defense</a> to collaborate on the <a href="https://ctid.mitre-engenuity.org/our-work/attack-flow/">Attack Flow Project</a>, which aims to better understand adversary behavior and improve defensive capabilities. This partnership culminated in the public release of the project in March 2022.</p>
<p>Anomali has been working to incorporate attack flows into The Anomali Platform. With our latest product release, we’ve introduced an Attack Flow Library within Anomali ThreatStream that provides an access point for new Attack Flows, each of which sequences the techniques used in a cyberattack. This new capability provides context around adversary behavior that helps security teams profile the adversary and protect their organization before an attack occurs.</p>
<h2>Understanding the Adversary with Anomali</h2>
<p>Utilizing the largest global repository of threat intelligence, The Anomali Platform focuses on the attacker’s patterns rather than the victim’s behavior to help security teams understand:</p>
<ul>
<li>Who are my adversaries, and how could they attack me?</li>
<li>What should I be looking out for?</li>
<li>Where am I most vulnerable?</li>
<li>How can I reduce my company’s risk of a cyber attack?</li>
</ul>
<p>Anomali extends visibility with intelligence from over one hundred million attack sensors. This gives us a unique ability to understand attacker activity globally, take a previously unknown threat, and make it known to the world. It also allows our teams to apply machine learning to anticipate an attacker’s next move and help stop them before they strike.</p>
<p>Adversaries are constantly evolving. Your security program should too.</p>
<p><a href="https://www.anomali.com/resources/ebooks/the-need-to-focus-on-the-adversary">Download</a> our new eBook, “<a href="https://www.anomali.com/resources/ebooks/the-need-to-focus-on-the-adversary">The Need to Focus on the Adversary</a>,” to hear from industry experts on how you can better understand your adversary.</p>
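<p>As an added illustration (not Anomali’s or MITRE’s code) of the prioritization argument in “The Need to Focus on the Adversary” and of the technique sequencing that Attack Flows describe, here is a small Python model: it ranks an organization’s detection gaps by how many adversaries known to target its industry use each technique, then walks an ordered attack flow to find the first step a defender would currently miss. The actor names, flows and coverage table are constructed sample data; the technique IDs are MITRE ATT&amp;CK enterprise IDs.</p>

```python
"""Adversary-focused prioritisation of detection gaps (added illustration,
not Anomali or MITRE code). Actor names, flows and the coverage table are
constructed sample data; technique IDs are MITRE ATT&CK enterprise IDs
(T1566 Phishing, T1078 Valid Accounts, T1059 Command and Scripting
Interpreter, T1021 Remote Services, T1486 Data Encrypted for Impact,
T1190 Exploit Public-Facing Application, T1041 Exfiltration Over C2
Channel, T1498 Network Denial of Service)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AdversaryProfile:
    name: str
    victims: frozenset   # industries the actor is known to target
    ttps: frozenset      # ATT&CK technique IDs the actor is known to use


@dataclass(frozen=True)
class AttackFlow:
    adversary: str
    steps: Tuple[str, ...]   # ordered techniques, initial access -> impact


# Constructed sample adversary profiles (hypothetical actors).
PROFILES: List[AdversaryProfile] = [
    AdversaryProfile("RansomCrew", frozenset({"healthcare", "manufacturing"}),
                     frozenset({"T1566", "T1078", "T1059", "T1021", "T1486"})),
    AdversaryProfile("CardScraper", frozenset({"retail", "financial"}),
                     frozenset({"T1190", "T1059", "T1041"})),
    AdversaryProfile("PhishKit", frozenset({"financial"}),
                     frozenset({"T1566", "T1078", "T1059"})),
    AdversaryProfile("DDoSBrigade", frozenset({"government", "financial"}),
                     frozenset({"T1498"})),
]
# Constructed attack flows: the order in which each actor chains techniques.
FLOWS: List[AttackFlow] = [
    AttackFlow("RansomCrew", ("T1566", "T1078", "T1059", "T1021", "T1486")),
    AttackFlow("CardScraper", ("T1190", "T1059", "T1041")),
]
# Constructed coverage table: True where the organisation has a detection.
COVERAGE: Dict[str, bool] = {
    "T1566": True, "T1190": True, "T1486": True, "T1498": True,
    "T1059": False, "T1078": False, "T1021": False, "T1041": False,
}


def relevant_adversaries(industry: str, profiles=PROFILES) -> List[AdversaryProfile]:
    """Adversaries whose preferred victims include this industry."""
    return [p for p in profiles if industry in p.victims]


def prioritised_gaps(industry: str, profiles=PROFILES,
                     coverage=COVERAGE) -> List[Tuple[str, int]]:
    """Uncovered techniques ranked by how many relevant adversaries use them.

    A technique shared by several actors that target you outranks one used by
    a single actor; techniques used only by actors who target other industries
    are ignored entirely, which is the point of focusing on the adversary.
    """
    counts: Dict[str, int] = {}
    for profile in relevant_adversaries(industry, profiles):
        for technique in profile.ttps:
            if not coverage.get(technique, False):
                counts[technique] = counts.get(technique, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def first_blind_step(flow: AttackFlow, coverage=COVERAGE) -> Optional[Tuple[int, str]]:
    """Earliest (index, technique) in the flow with no detection, else None."""
    for index, technique in enumerate(flow.steps):
        if not coverage.get(technique, False):
            return index, technique
    return None


def detection_opportunities(flow: AttackFlow, coverage=COVERAGE) -> int:
    """Number of pre-impact steps (all but the last) the defender would see."""
    return sum(1 for t in flow.steps[:-1] if coverage.get(t, False))


if __name__ == "__main__":
    print("financial gaps:", prioritised_gaps("financial"))
    for flow in FLOWS:
        print(flow.adversary, "first blind step:", first_blind_step(flow))
```

For the constructed data, T1059 ranks first for a financial-services organization because two of the three actors that target that industry use it, while the ransomware crew’s lateral-movement techniques do not appear at all; the flow walk shows the same crew would be seen only at initial access before going dark until impact.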
Joe Ariganello

Joe Ariganello is the former VP of Product Marketing at Anomali.
