Adversarial testing using technique-based threat intelligence can strengthen organisational resilience

Executive Summary

  • Traditional cyber threat intelligence focuses on threat actors, downplaying the importance of identifying dangerous techniques being exploited in the wild.

  • Organisations at early stages in their security maturity journey will achieve greater return on investment by prioritising the identification and mitigation of actively exploited techniques relevant to their digital estate.

  • Structured adversarial testing programmes incorporating breach attack simulation (BAS) are more effective at building organisational resilience than ad hoc or serial penetration testing. 




Traditional CTI

Traditional Cyber Threat Intelligence (CTI) often focuses on attributing cyber incidents to specific threat actors (TAs). It also prioritises assessing industries or sectors at risk of targeting by TAs in what is often termed ‘threat-informed defence’.

Many TI teams spend considerable time and resources producing briefings and slideware on individual TA groups, using arcane industry reporting names such as ‘Scattered Spider’ and incorporating geopolitical analysis. This information is often briefed to seniors as part of cyber threat awareness campaigns, arguably to little effect.

We are aware of cases where vulnerabilities have been identified but left unpatched because the TA groups identified by the organisation’s TI team are not known to exploit those vulnerabilities. 

In other instances, vulnerabilities are left unaddressed because of a perception that layered controls and other safeguards would prevent an attacker from gaining access, moving laterally, or otherwise prosecuting an attack. 

This thinking is outdated. There is often large overlap between TA groups, and an increasing amount of targeting is ‘non-specific’. TA groups ‘spray and pray’ with an exploit against whoever they can reach, and only work out whether a victim offers sufficient return on investment once they have achieved access.

Some groups have elevated this process to an art, with playbooks to guide their teams. Documents leaked from the Conti ransomware group in 2022 contained training manuals for hackers seeking to identify the organisation that they had breached via this kind of non-specific targeting. 

Improve security and resilience

Teams should focus on frequently used and newly discovered tactics, techniques and procedures (TTPs), irrespective of attribution to TA groups. The highest priority should be given to known exploits or recent advisories around configuration and patching from key vendors. Rapidly identifying and fixing these issues across the organisation is key, not arguing about which TA group uses them. 

Threat Intelligence linked to how attacks are carried out end-to-end is much more important. New exploitable TTPs seen in the wild should be escalated as incidents that are dealt with at pace, not just another statistic within an overwhelmed vulnerability management team or in the back of a TI report to non-technical audiences. 

Organisations should adopt an ongoing testing regime that combines scanning at scale for new technical vulnerabilities with testing for techniques that rely on human engagement, such as phishing and other forms of social engineering. This testing regime should be continually updated based on the newest and most prevalent TTPs, with results escalated for quick fixes, rather than concentrating on backlogs of individual CVSS-scored vulnerabilities.

Modelling attack paths

Understanding how far an attacker could get within your systems requires following a complete attack path. Traditionally this is done as an annual penetration test, conducted under a narrow scope. The testers are humans who often declare success after a single end-to-end attack path is proven in a limited timeframe. 

This proves that the system is vulnerable, which is rarely surprising or useful information for the target organisation. Moreover, this human-led approach leaves many other potential attack paths unidentified and untested.

Traditional pen-testing, even when coupled with regular vulnerability scanning, is no longer fit for purpose. Implementing ongoing regular testing of as wide a range of end-to-end attack paths as possible, using automated solutions such as Breach Attack Simulation (BAS), provides much broader coverage of high-probability TTPs, irrespective of which TA group has developed them. Importantly, it also provides more detailed remediation advice, prioritised according to real world risk. 

Adversaries are human and will use known TTPs if they find low-hanging fruit, saving their zero-day or bespoke exploits. Companies need to move beyond tying remediation efforts to specific threat actors, and instead prioritise structured identification and remediation of known TTPs. Doing so will make organisations more resilient and more secure.


Contact us

Secured is a UK-based organisation that provides strategic advisory services to organisations concerned about threats to the security of research, innovation, and investment.

Our security practitioners help entities secure their intellectual property, build operational and financial resilience, and cultivate a positive organisational security culture. 

We provide research on the national security implications of emerging technologies as part of our scientific and technical intelligence assessment capability.

Secured is part of Tyburn St Raphael Ltd, a boutique security consultancy.

info@tyburn-str.com

hello@secured-research.com
