
Webinar Takeaways: Strengthen Your Defenses with Ransomware Threat Prioritization

  • May 1, 2025

I’ve been speaking a lot lately about one of my favorite topics: the need for threat prioritization. The threat landscape is expanding and evolving. The volume of threats continues to increase, especially in the ransomware space, which has seen longstanding groups splinter and new ones emerge organically. And tradecraft is growing and evolving as well. There aren’t enough CTI resources to comprehensively track and address every one of these threats at any point in time. So, prioritization is a must.

More and more CTI teams agree that prioritization is important and are taking on the challenge, but there’s little consensus on how prioritization should be done. In case you missed my presentation at the FIRST CTI Conference in Berlin or can’t make it to the EU MITRE ATT&CK® Workshop in mid-May, I also delivered a webinar on “Improving Ransomware Threat Assessment with Structure Prioritization.”

In this blog, I’ll share some of the key takeaways from the webinar to help teams move towards understanding the top ransomware threats that are relevant to them and how effective their existing security stack is at defending against them. For the complete discussion, watch the replay.

The Mechanics of Prioritization Through Quantification

Working with 100+ CTI teams in multiple roles over the last several years, I’ve seen the challenges teams face with prioritizing the complex threat landscape and discrete malware families and believe we need practical steps to implement prioritization.

At Tidal Cyber, we advocate for prioritizing threats in a consistent way by quantifying these cyber threats so we can rank them – in a literal high-to-low list – informed by concrete evidence. 

However, quantifying threats for prioritization is extremely complex, involving nuanced factors that point to how significant a threat might be, including capability, proximity, intent, sophistication, and opportunity. In order to make fair comparisons between different threats, we need to look as much as possible at normalized data sets. This allows you to drive greater consistency in your threat profiling and your prioritization practices and to limit built-in bias. Consistency also leads to repeatability, so you can more easily update your Threat Profile over time.

Public sources for threat quantification and prioritization

Publicly available data sets for quantification and prioritization largely align with the formal definition of a threat:

Threat  =  Intent  x  Capability  x  Opportunity

Of these components, the two subcomponents that are most practical for finding and applying relatively normalized data sets for comparison purposes are Intent and Capability. 

Intent: Primary sources for intent data are the threat intel community, government-backed organizations, and CTI vendors that are particularly adept at labeling, tracking, and categorizing threat data. These resources are also good at highlighting which sectors or geographies are known to have been impacted in the past by a particular threat. If you lack data specific to your organization, you can draw comparisons with similar organizations to identify threats that might be relevant to you.

Capability: The capability component is a more controversial and debatable area of this process, which is why it’s important to start surfacing and utilizing data to draw better estimates of adversary capability. Some sources you can use as a baseline from which to fine-tune your Threat Profile include MITRE ATT&CK and the Tidal Cyber Community Edition. These sources provide data on adversary motivation, use of custom vs. legitimate software, exploits, software type, recency, reliability, relationships with other groups, and more. Some of this data can also be found in the intent sources.

A tricky but growing area is sources that provide relative activity levels associated with some of these threat groups. This data, put out by security vendors and by the ransomware groups themselves, may include the top threat groups they have observed, top phishing attempts and how they are used, malware family trends, and ransomware victim data sources. While there’s been much discussion about the reliability of this data, it has proven to be useful in identifying trends.

Much of this normalized data has been added to the Tidal Cyber Enterprise Edition and is making its way into the Community Edition of the platform as well. 

Prioritization in practice

So how do we use this quantification to inform our understanding of the evolving threat landscape and the impact on Tidal Cyber customers’ organizations? 

Track emerging ransomware: Bringing together data from ransomware group data leak and victim sites allows us to do time-based and direct comparisons between groups. We can drill into specific ransomware threats and families for deeper analysis. We are able to identify specific behaviors and TTPs, including techniques and sub-techniques, linked to the group. Adding this data to the Tidal Cyber platform enhances our threat intel content, which we further enrich with additional data that includes the publicly available sources discussed above. 

Quantify risk to your organization: Putting quantification into practice enhances our Threat-Informed Defense approach, letting us fine-tune our customers’ defenses accordingly.

Our list of the top ransomware threats, updated monthly, informs actions within the Tidal Cyber platform. Using our structured quantification methodology, the platform prioritizes these threats by rank order, informed by the number of claimed victims in that given timeframe. Weightings apply relative importance levels to all the techniques associated with these threats at scale.

The customer’s Threat Profile reflects the top 10 ransomware groups and all the associated TTPs. On a monthly basis, new groups and updates are clearly called out, down to the granular level of scoring changes made to techniques and sub-techniques related to those groups. Threat Profiles are updated to reflect the changes.

The data is rolled into the Coverage Map, and the platform generates a Confidence Score driven by your mappings to ATT&CK for your entire Defensive Stack, broken down into distinct capabilities. You see how well you are defended against a particular ransomware group and receive recommendations, down to specific capabilities to configure “on,” to reduce risk.
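The mechanics described in this section (rank groups high-to-low by claimed victims in a period, push weightings down to the ATT&CK techniques those groups use, then score the defensive stack’s coverage of those techniques and recommend capabilities to switch on) can be sketched end-to-end in a few functions. The script below is an added illustration, not Tidal Cyber’s code or its actual scoring methodology: the group names, victim counts, group-to-technique mappings, and the defensive stack with its enabled flags are all constructed for the example, and the normalization (victim share of the period total) and the confidence score (share of a group’s techniques addressed by enabled capabilities) are my own simple choices. The technique IDs are real ATT&CK identifiers.

```python
"""Illustrative ransomware threat prioritization pipeline.

Added example with constructed data; it is not Tidal Cyber's code or its
scoring methodology. Technique IDs are real ATT&CK IDs, but the group names,
victim counts, technique mappings and defensive stack are all made up.
"""
from collections import defaultdict

# Constructed monthly victim claims aggregated from leak sites (illustrative).
VICTIM_CLAIMS = {"GroupA": 120, "GroupB": 45, "GroupC": 30, "GroupD": 5}

# Constructed group -> ATT&CK technique/sub-technique mapping (illustrative).
GROUP_TECHNIQUES = {
    "GroupA": {"T1566.001", "T1486", "T1021.001", "T1078"},
    "GroupB": {"T1566.001", "T1486", "T1059.001", "T1562.001"},
    "GroupC": {"T1190", "T1486", "T1021.001"},
    "GroupD": {"T1566.002", "T1486"},
}

# Constructed defensive stack: capability -> techniques it addresses, enabled flag.
DEFENSIVE_STACK = {
    "email-gateway": {"techniques": {"T1566.001", "T1566.002"}, "enabled": True},
    "edr": {"techniques": {"T1059.001", "T1562.001", "T1486"}, "enabled": True},
    "mfa": {"techniques": {"T1078", "T1021.001"}, "enabled": False},
    "waf": {"techniques": {"T1190"}, "enabled": False},
}


def rank_groups(victim_claims, top_n=10):
    """Rank groups high-to-low by claimed victims in the period; keep the top N."""
    ranked = sorted(victim_claims.items(), key=lambda kv: kv[1], reverse=True)
    return ranked[:top_n]


def group_weights(ranked):
    """Normalize victim counts into a per-group weight; weights sum to 1."""
    total = sum(count for _, count in ranked)
    return {group: count / total for group, count in ranked}


def technique_priorities(weights, group_techniques):
    """Roll group weights down to techniques: sum of weights of groups using each."""
    priority = defaultdict(float)
    for group, weight in weights.items():
        for technique in group_techniques.get(group, ()):
            priority[technique] += weight
    return dict(priority)


def covered_techniques(stack):
    """Techniques addressed by capabilities that are actually switched on."""
    covered = set()
    for cap in stack.values():
        if cap["enabled"]:
            covered |= cap["techniques"]
    return covered


def confidence_scores(group_techniques, covered):
    """Per-group share of its techniques covered by the enabled stack (0..1)."""
    return {
        group: len(techs & covered) / len(techs)
        for group, techs in group_techniques.items()
    }


def recommendations(priorities, stack):
    """Disabled capabilities ranked by the technique priority they would address."""
    covered = covered_techniques(stack)
    gains = []
    for name, cap in stack.items():
        if cap["enabled"]:
            continue
        gain = sum(priorities.get(t, 0.0) for t in cap["techniques"] - covered)
        if gain > 0:
            gains.append((name, round(gain, 4)))
    return sorted(gains, key=lambda pair: pair[1], reverse=True)


def run_profile(victim_claims=VICTIM_CLAIMS, group_techniques=GROUP_TECHNIQUES,
                stack=DEFENSIVE_STACK):
    """Build the monthly profile: ranking, weights, technique priorities, coverage."""
    ranked = rank_groups(victim_claims)
    weights = group_weights(ranked)
    priorities = technique_priorities(weights, group_techniques)
    covered = covered_techniques(stack)
    profile = {g: t for g, t in group_techniques.items() if g in weights}
    return {
        "ranked": ranked,
        "weights": weights,
        "priorities": priorities,
        "confidence": confidence_scores(profile, covered),
        "recommendations": recommendations(priorities, stack),
    }


if __name__ == "__main__":
    result = run_profile()
    for group, count in result["ranked"]:
        print(f"{group}: {count} claimed victims, "
              f"confidence {result['confidence'][group]:.0%}")
    for name, gain in result["recommendations"]:
        print(f"enable {name}: addresses +{gain:.3f} of technique priority")
```

With the constructed inputs, GroupA carries 60% of the period’s claimed victims, so the techniques only it uses (T1078, T1021.001) outrank anything used only by the smaller groups, and the top recommendation is the disabled MFA capability that addresses them. Re-running the same functions with next month’s victim counts is what makes the ranking and the scoring changes repeatable rather than re-argued each time.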


Structured, repeatable threat prioritization is an essential skill for CTI teams operating in today’s ever-evolving landscape. This practical guidance is intended to help teams move toward improved comparison of new and long-standing ransomware threats for improved risk assessment and mitigation. 

Watch the replay of the webinar for a detailed walkthrough of how to put this prioritization into practice and for more information on what we consider to be the top publicly available sources of data.
