Page 78 - Cyber Defense eMagazine - September 2017
This means we fail to recognize the scale at which these attacks can unfold. Within each
attacker group, individual people have extremely specific jobs. Typically, some are assigned the
task of acquiring infrastructure, while others work to develop a target database—that list of
people or organizations which they plan to attack. Still others analyze the data they pull from the
victim to find key usernames, passwords, and other details that can fuel further attacks. Each of
these occupations maps well to Lockheed Martin’s Cyber Kill Chain, which outlines the 7 stages
of a typical cyber attack: Reconnaissance, Weaponization, Delivery, Exploitation, Installation,
Command and Control, and Action on Objectives.
While the security industry focuses significant resources on attribution, true attribution often
remains elusive. It’s human nature to seek understanding of who is behind a cyber attack.
However, attribution is not even necessary in order to adequately protect yourself or your
organization from a successful attack. In fact, “assembly line” cyber attacks actually provide
preemption opportunities for defenders at a point in time when it is possible to change
outcomes.
While a nation-state actor might focus heavily on intelligence gathering, a financial actor such as
Carbanak turns its attention to financial gain. Nevertheless, each actor utilizes similar Tactics,
Techniques, and Procedures (TTPs) to conduct their attacks. TTPs offer a way for cyber
defenders to think about attacks in a unified, cohesive manner, in order to develop an effective
risk-based approach to cyber security. In fact, TTP overlap has become so common that the
MITRE Corporation has released its MITRE Adversarial Tactics, Techniques, and Common
Knowledge (ATT&CK™) framework, which outlines TTPs used in attacks as “a threat model…
for describing adversary behavior within different computing environments.”
Developing a Risk-Based Cyber Security Approach
The Lockheed Martin Kill Chain and MITRE’s ATT&CK constitute an effective model for
constructing a risk-based approach to cyber security. This is because, regardless of their
differing end-goals, attackers target individuals and organizations in only a few specific ways.
For instance, Russian information warfare and Russian espionage actors both employ phishing
to gain access to their targets. Email-borne phishing attacks represent 90 percent of all
sophisticated nation-state attacks. Social media-based attacks rely on the social engineering
component of phishing in order to coerce a target into clicking on a link. Over the last several
years, multiple actors have utilized fake Facebook profiles of attractive women to coerce men
into accepting their friendship requests. This new wave of targeting provides yet another vector
to phish users.
Copyright © Cyber Defense Magazine, All rights reserved worldwide.