Delving into Threat Actor Profiles

By Anton Chuvakin | March 14, 2014

threat intelligence, security

Threat actor profiles – an expensive toy or a necessity for some? [if you see some excited vendor who says that everybody should create and maintain threat actor profiles, please ask whether a gas station at the corner should!]

In any case, our discussion of threat intelligence would be woefully incomplete without the discussion of threat actor profiles. Sure, if your organization thinks that TI data feeds are basically the same as AV or NIPS sig updates, threat actor discussions in general and threat actor profiles in particular are not for you. By the way, in the good old debate about APT being a WHO or a WHAT, threat actor is a WHO.

In fact, let’s briefly chat about this.

Plenty of organizations seem to want to forget about the threats and focus all their energies on patching holes in walls and building better walls (prevention), watch towers (detection) and maybe training firefighters (response). This always reminds me of this post from Richard.

So, yes, barbarians may be at their gate, but some people just wish to not have them rather than to study them. However, how’s that working for the industry? All in all, I think that many signs point to us spending more time trying to understand and classify the threat actors we face.

Let’s take a look at a sample STIX threat actor profile (heavily abbreviated to show only top level schema items):

(schema image)

(description from STIX materials)

In essence, the profile contains such information as:

  • Threat actor name, description, etc.
  • Type of an actor, their goals (if known)
  • Common tools, methods and even mistakes (often rolled into TTPs)
  • Involvement in past activities, campaigns (localized information)
  • Relationship to other actors
  • Reliability, accuracy and confidence of available information

Where does the information come from? Threat intelligence activities, of course [your own and those of others; in particular, profiles received from others may be enriched with your own information, as discussed in the TI fusion post].

Let’s figure out how having all this information will actually help you secure your organization. We are not doing it for fun, you know 🙂 Well, not only for fun….

Threat actor profiles can be used by a fledgling threat intelligence operation to organize their knowledge about who is “out to get them” and who they observe on their network. Such knowledge organization helps prioritize incident response and alert triage activities. In addition, threat actor profiles may have some predictive powers. Specifically, if you observe behavior X (as indicated by indicators X1, X2 and X3 – these may be accounts used, captured malware hashes and favorite tools used for recon) and this behavior can be matched to a threat actor profile (that you built from shared, purchased and your own data) then other data from the threat profile becomes relevant as well and can be used for predicting what may happen next or what has in fact already happened while you were not watching.

BTW, did I just say “attribution”? Well, I didn’t, but this is pretty much what we did when we matched observed indicators to the actor profile. In essence, attribution is not something that only trained telepaths inside Project Stargate can do. For our purposes, this is simply hypothesizing which threat actor(s) performed an act that you observed on your network based on threat intelligence data. So, yes, you do need threat actor profiles to do attribution… And, no, attribution is not magic. Or magick 🙂
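The indicator-to-profile matching and the attribution hypothesis described above, as an added example (not from the original post or the STIX materials). The profile fields follow the list earlier in the post; the actor names, indicator values, scoring formula and threshold are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class ActorProfile:
    name: str
    actor_type: str
    goals: str
    confidence: float          # 0..1, how much we trust this profile's data
    indicators: set = field(default_factory=set)   # (kind, value) pairs
    ttps: list = field(default_factory=list)

# Constructed sample profiles: every name and value here is made up.
PROFILES = [
    ActorProfile("ACTOR-A", "organized crime", "payment card theft", 0.8,
                 {("account", "svc_backup2"), ("hash", "constructed-hash-001"),
                  ("tool", "recon-tool-a"), ("hash", "constructed-hash-002")},
                 ["stages archives before exfiltration"]),
    ActorProfile("ACTOR-B", "hacktivist", "defacement", 0.5,
                 {("tool", "recon-tool-a"), ("account", "webadmin_tmp")},
                 ["targets public web servers"]),
]

def hypothesize(observed, profiles=PROFILES, min_score=0.3):
    """Rank actor hypotheses for a set of observed (kind, value) indicators."""
    results = []
    for p in profiles:
        hits = observed & p.indicators
        if not hits:
            continue
        # Share of the observed behavior this profile explains, scaled by
        # the confidence recorded for the profile (assumed scoring rule).
        score = round(len(hits) / len(observed) * p.confidence, 2)
        if score >= min_score:
            results.append({
                "actor": p.name, "score": score, "matched": sorted(hits),
                # Profile data not yet observed: what may happen next,
                # or what already happened while nobody was watching.
                "hunt_for": sorted(p.indicators - observed),
                "expected_ttps": p.ttps,
            })
    return sorted(results, key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    # Constructed observation: indicators X1, X2 and X3 from one incident.
    seen = {("account", "svc_backup2"), ("hash", "constructed-hash-001"),
            ("tool", "recon-tool-a")}
    for hypothesis in hypothesize(seen):
        print(hypothesis)
```

The result is a ranked list of hypotheses, not a verdict: the `hunt_for` and `expected_ttps` fields are what turn a match into triage and hunting work.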

On the other hand, threat actor profiles’ utility for a “pure consumer of TI” with no TI fusion or internal TI creation? In my view, NONE. However, I’d be very happy to be corrected here. So, I hereby call upon the Enlightened Ones to correct me…
