It’s time to get off the treadmill: Why you should understand adversary playbooks

Flipping the equation on known adversaries by developing and deploying controls at locations on the intrusion kill chain designed specifically for these known playbooks will increase a company’s ability to block an attack. The cybersecurity industry must collaborate to identify all known adversary playbooks and share this knowledge with each other and the public.


When deploying prevention and detection controls, most network defenders are on a treadmill of sifting through thousands of indicators of compromise, trying to prioritize which ones they should tackle first. Typically, they know nothing about the context of the indicator, just that it is bad, and that it should be blocked somewhere in the environment. The problem is they never sift through them all, which makes them feel like they are always behind – which they are.

What the Cyber Threat Alliance and Unit 42, Palo Alto Networks’ threat intelligence team, have been advocating for the past five years is to flip the equation and embrace adversary playbooks.

Prevention and detection controls should be designed to thwart all known adversaries

The idea is that network defenders should be deploying prevention and detection controls at all locations on the intrusion kill chain, designed specifically for all known adversary campaigns. In other words, get off the treadmill and start deploying controls designed specifically to thwart all known adversaries. This is an important idea because the network defender community already comprehends much about how adversaries run their attack playbooks. For all the “new” adversaries out there making headlines, most of the techniques they use are not new. I estimate that we, collectively, understand approximately 99 percent of the playbooks that cyber adversaries run on any given day.

The challenge has been: how do we organize that information and share it with the world at large? It turns out, that is way more complicated than it sounds. After much debate within Unit 42 and the Cyber Threat Alliance, we agreed that this is what constitutes an adversary playbook:

  • One or more cyber adversaries
  • Who run one or more campaigns
  • Who use a variety of techniques to attack their victims down the intrusion kill chain
  • Who leave indicators of compromise in their wake when they do
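
One way to hold a playbook in the structure those four bullets describe and use it to find where the kill chain is left uncovered, as an added example that is not code from the article, Unit 42 or the Cyber Threat Alliance; the kill chain phase names, the control map and the sample actor, campaigns and indicators are all assumptions:

```python
from dataclasses import dataclass
# Intrusion kill chain phases, in order (Lockheed Martin's vocabulary, assumed here).
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]

@dataclass
class Technique:
    phase: str        # kill chain phase where the technique is used
    name: str         # what the adversary does at that phase
    indicators: list  # indicators of compromise left behind when it runs
@dataclass
class Campaign:
    name: str
    techniques: list
@dataclass
class Playbook:           # one adversary running one or more campaigns
    adversary: str
    campaigns: list

def coverage_gaps(playbook, controls):
    """Phases where the playbook uses a technique no deployed control blocks or detects.
    `controls` maps a kill chain phase to the set of technique names covered there."""
    gaps = {}
    for campaign in playbook.campaigns:
        for t in campaign.techniques:
            if t.name not in controls.get(t.phase, set()):
                gaps.setdefault(t.phase, set()).add(t.name)
    return {p: sorted(gaps[p]) for p in KILL_CHAIN if p in gaps}

def indicator_context(playbook):
    """Give each bare indicator its (adversary, campaign, phase) context."""
    ctx = {}
    for campaign in playbook.campaigns:
        for t in campaign.techniques:
            for ioc in t.indicators:
                ctx.setdefault(ioc, []).append((playbook.adversary, campaign.name, t.phase))
    return ctx

# Constructed sample playbook: placeholder actor, campaigns and indicators, not real ones.
SAMPLE = Playbook("EXAMPLE-ACTOR", [
    Campaign("campaign-1", [
        Technique("delivery", "spearphishing attachment", ["lure-1.example.invalid"]),
        Technique("exploitation", "macro execution", ["PLACEHOLDER-HASH-1"]),
        Technique("command_and_control", "https beacon", ["c2.example.invalid"])]),
    Campaign("campaign-2", [
        Technique("delivery", "spearphishing attachment", ["lure-2.example.invalid"]),
        Technique("command_and_control", "https beacon", ["c2.example.invalid"])])])

# Constructed control set: only the delivery phase has a matching control so far.
SAMPLE_CONTROLS = {"delivery": {"spearphishing attachment"}}
```

Running `coverage_gaps(SAMPLE, SAMPLE_CONTROLS)` reports the exploitation and command-and-control phases as uncovered, and `indicator_context(SAMPLE)` shows the shared beacon domain tied to both campaigns, which is the context a bare indicator list never carries.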

Once we agreed on the general idea of what an adversary playbook was, we needed a way to visualize it, and built an open source playbook viewer earlier this year to do just that. Since then, the team has been on track to publish one adversary playbook a month and has just published its ninth. (See the Adversary Playbook viewer link at the bottom of the page.)

Collaboration key to thwarting all known adversaries

But the question remains: how many adversary playbooks exist in the world on any given day? In other words, when the cyber adversary gets up in the morning, grabs a cup of coffee, sits down to work, and pulls an attack playbook off the shelf to begin the day’s activities, how many other adversaries or adversary groups are doing the exact same thing? We don’t know for sure, but the number is probably not high.

The current theory by the Cyber Threat Alliance is that the number of active playbooks running on the internet on any given day is less than 100, with some thinking it is less than 50. That is why we are all concentrating on building known adversary playbooks as fast as we can. If the number is less than 100 or even less than 50, this is a problem that we can solve.

Our mission is to build and maintain all of the known adversary playbooks that exist in the world so that network defenders can automatically deploy prevention and detection controls to their defensive posture in real time. Indeed, that is the reason we helped build the Cyber Threat Alliance in the first place. The alliance consists of vendors who can already update their own products with the latest prevention and detection controls. If alliance members are contributing to and sharing the intelligence for all of the known adversary playbooks running on the internet, their shared customers will have the means to block 99 percent of all adversary attacks. When something new is discovered, the alliance can deploy prevention controls to shared customers around the world in minutes to hours. That would be an amazing capability.

To accomplish this mission, two things have to happen. First, we have to build all the known playbooks. Second, we need more security vendors to join the Cyber Threat Alliance. Seventeen have recently joined, but our goal is to see the other hundreds of security vendors contributing as well. When you visit with your security vendors, encourage them to join the Cyber Threat Alliance. In the meantime, check out our new playbooks in the playbook viewer here.
