It’s time to get off the treadmill: Why you should understand adversary playbooks

Sep 06, 2018 | 4 mins
Advanced Persistent Threats, Data and Information Security, Hacking

Flipping the equation on known adversaries by developing and deploying controls at locations on the intrusion kill chain designed specifically for these known playbooks will increase a company’s ability to block an attack. The cybersecurity industry must collaborate to identify all known adversary playbooks and share this knowledge with each other and the public.

[Image: team of hackers / organized attack / group of threat actors. Credit: Getty Images / gorodenkoff]

When deploying prevention and detection controls, most network defenders are on a treadmill of sifting through thousands of indicators of compromise, trying to prioritize which ones they should tackle first. Typically, they know nothing about the context of the indicator, just that it is bad, and that it should be blocked somewhere in the environment. The problem is they never sift through them all, which makes them feel like they are always behind – which they are.

What the Cyber Threat Alliance and Unit 42, Palo Alto Networks threat intelligence team, have been advocating for the past five years is to flip the equation and embrace adversary playbooks.

Prevention and detection controls should be designed to thwart all known adversaries

The idea is that network defenders should be deploying prevention and detection controls at all locations on the intrusion kill chain, designed specifically for all known adversary campaigns. In other words, get off the treadmill and start deploying controls designed specifically to thwart all known adversaries. This is an important idea because the network defender community already comprehends much about how adversaries run their attack playbooks. For all the “new” adversaries out there making headlines, most of the techniques they use are not new. I estimate that we, collectively, understand approximately 99 percent of the playbooks that cyber adversaries run on any given day.

The challenge has been: how do we organize that information and share it with the world at large? It turns out that is far more complicated than it sounds. After much debate within Unit 42 and the Cyber Threat Alliance, we agreed that this is what constitutes an adversary playbook:

  • One or more cyber adversaries
  • Who run one or more campaigns
  • Who use a variety of techniques to attack their victims down the intrusion kill chain
  • Who leave indicators of compromise in their wake when they do
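The four-part definition above is, in effect, a data model: adversaries own campaigns, campaigns use techniques at particular kill chain phases, and campaigns leave indicators behind. The following Python is an added example written for this post, not Unit 42's playbook format or the code of the open-source playbook viewer. It models that structure and shows the two things the post argues context buys you: an observed indicator can be traced back to the adversary and campaign it belongs to (instead of being "just bad"), and deployed controls can be compared against every technique in the known playbooks, phase by phase, to find where on the kill chain coverage is still missing. All adversary names, campaign names, techniques and indicators in it are constructed placeholders.

```python
"""Toy adversary-playbook model and kill-chain coverage check.

Added example for this post; not Unit 42's playbook format and not the
playbook viewer's code. Every adversary, campaign, technique and indicator
below is a constructed placeholder, not real threat intelligence.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Intrusion kill chain phases, in order. Controls are placed per phase.
KILL_CHAIN = (
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
)


@dataclass(frozen=True)
class Technique:
    """A technique used at one kill-chain phase (hashable so it can be a set member)."""
    phase: str   # must be one of KILL_CHAIN
    name: str    # descriptive label; constructed, not a real catalogue id

    def __post_init__(self) -> None:
        if self.phase not in KILL_CHAIN:
            raise ValueError(f"unknown kill-chain phase: {self.phase!r}")


@dataclass
class Campaign:
    name: str
    techniques: list[Technique]
    indicators: set[str] = field(default_factory=set)  # IoCs left in the campaign's wake


@dataclass
class Playbook:
    """One adversary running one or more campaigns (the post's definition)."""
    adversary: str
    campaigns: list[Campaign]

    def techniques(self) -> set[Technique]:
        return {t for c in self.campaigns for t in c.techniques}


def index_indicators(playbooks: list[Playbook]) -> dict[str, list[tuple[str, str]]]:
    """Map each indicator to the (adversary, campaign) pairs it is known from.

    This is the context a plain indicator feed lacks.
    """
    index: dict[str, list[tuple[str, str]]] = {}
    for pb in playbooks:
        for camp in pb.campaigns:
            for ioc in camp.indicators:
                index.setdefault(ioc, []).append((pb.adversary, camp.name))
    return index


def triage_indicators(observed: list[str], playbooks: list[Playbook]) -> list[tuple[str, list[tuple[str, str]]]]:
    """Order observed indicators so those tied to a known playbook come first.

    Unknown indicators are kept (with an empty context) rather than dropped.
    """
    index = index_indicators(playbooks)
    known = [(ioc, index[ioc]) for ioc in observed if ioc in index]
    unknown = [(ioc, []) for ioc in observed if ioc not in index]
    return known + unknown


def coverage_gaps(playbooks: list[Playbook], deployed: set[Technique]) -> dict[str, set[str]]:
    """Techniques from known playbooks with no deployed control, grouped by phase.

    Phases appear in kill-chain order; phases with full coverage are omitted.
    """
    known = set().union(*(pb.techniques() for pb in playbooks))
    gaps: dict[str, set[str]] = {}
    for t in sorted(known - deployed, key=lambda t: (KILL_CHAIN.index(t.phase), t.name)):
        gaps.setdefault(t.phase, set()).add(t.name)
    return gaps


# Constructed sample playbooks (placeholders only).
PLAYBOOKS = [
    Playbook("example-adversary-A", [
        Campaign("campaign-A1",
                 [Technique("delivery", "spearphishing attachment"),
                  Technique("exploitation", "macro-enabled document"),
                  Technique("command_and_control", "https beaconing")],
                 {"evil-a1.example", "203.0.113.10"}),
        Campaign("campaign-A2",
                 [Technique("delivery", "spearphishing link"),
                  Technique("command_and_control", "https beaconing")],
                 {"evil-a2.example"}),
    ]),
    Playbook("example-adversary-B", [
        Campaign("campaign-B1",
                 [Technique("delivery", "drive-by download"),
                  Technique("installation", "scheduled task persistence"),
                  Technique("command_and_control", "dns tunneling")],
                 {"198.51.100.7"}),
    ]),
]

# Constructed: controls this defender has already deployed.
DEPLOYED_CONTROLS = {
    Technique("delivery", "spearphishing attachment"),
    Technique("command_and_control", "https beaconing"),
}

if __name__ == "__main__":
    for ioc, context in triage_indicators(["10.0.0.1", "evil-a1.example", "198.51.100.7"], PLAYBOOKS):
        print(f"{ioc:20} {context or 'no known playbook context'}")
    for phase, names in coverage_gaps(PLAYBOOKS, DEPLOYED_CONTROLS).items():
        print(f"gap at {phase}: {sorted(names)}")
```

The useful output is the second loop: instead of a list of thousands of indicators with no priority, the defender gets a short list of kill chain phases where a known adversary technique is not yet blocked, which is exactly the "design controls for known playbooks" work the post describes.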

Once we agreed on the general idea of what an adversary playbook was, we needed a way to visualize it, and built an open source playbook viewer earlier this year to do just that. Since then, the team has been on track to publish one adversary playbook a month and has just published its ninth. (See the Adversary Playbook viewer link at the bottom of the page.)

Collaboration key to thwarting all known adversaries

But the question remains: how many adversary playbooks exist in the world on any given day? In other words, when the cyber adversary gets up in the morning, grabs a cup of coffee, sits down to work, and pulls an attack playbook off the shelf to begin the day’s activities, how many other adversaries or adversary groups are doing the exact same thing? We don’t know for sure, but the number is probably not high.

The Cyber Threat Alliance's current theory is that the number of active playbooks running on the internet on any given day is less than 100, with some thinking it is less than 50. That is why we are all concentrating on building known adversary playbooks as fast as we can. If the number is less than 100, or even less than 50, this is a problem that we can solve.

Our mission is to build and maintain all of the known adversary playbooks that exist in the world so that network defenders can automatically deploy prevention and detection controls to their defensive posture in real time. Indeed, that is the reason we helped build the Cyber Threat Alliance in the first place. The alliance consists of vendors who can already update their own products with the latest prevention and detection controls. If alliance members are contributing to and sharing the intelligence for all of the known adversary playbooks running on the internet, their shared customers will have the means to block 99 percent of all adversary attacks. When something new is discovered, the alliance can deploy prevention controls to shared customers around the world in minutes to hours. That would be an amazing capability.

To accomplish this mission, two things have to happen. First, we have to build all the known playbooks. Second, we need more security vendors to join the Cyber Threat Alliance. Seventeen have recently joined, but our goal is to see the other hundreds of security vendors contributing as well. When you visit with your security vendors, encourage them to join the Cyber Threat Alliance. In the meantime, check out our new playbooks in the playbook viewer here.


As a 23-year military veteran, Rick Howard has a vast background in several different areas of InfoSec, ranging from experiences within both the public and private sectors. During his previous military career he learned the technical skill sets necessary to succeed in the IT/sec world and in his current role as the chief security officer (CSO) of Palo Alto Networks he continues to learn and contribute to the business aspects of this evolving industry.

Prior to joining Palo Alto Networks, Rick was the Chief Information Security Officer (CISO) for TASC and led the development of TASC’s strategic vision, security architecture and technical roadmaps for information security. As the GM of a commercial cybersecurity intelligence service at Verisign (iDefense), he led a multinational network of security experts who delivered cyber security intelligence products to Fortune 500 companies. He also led the intelligence-gathering activities at Counterpane Internet Security and ran Counterpane's global network of Security Operations Centers.

A veteran, Rick served in the US Army for 23 years in various command and staff positions involving information technology and computer security and spent the last two years of his career as the US Army's Computer Emergency Response Team Chief (ACERT). He coordinated network defense, network intelligence and network attack operations for the Army's global network and retired as a lieutenant colonel in 2004.

Rick holds a Master of Computer Science degree from the Naval Postgraduate School and an engineering degree from the U.S. Military Academy. He also taught computer science at the Academy from 1990 to 1995.

He has published many academic papers on technology and security and has contributed as an executive editor to two books: “Cyber Fraud: Tactics, Techniques and Procedures” and “Cyber Security Essentials.” In the spring of 2013, Rick Howard spearheaded the creation of a "Rock and Roll Hall of Fame" for cybersecurity books called The Cybersecurity Canon. The Cybersecurity Canon's goal is to identify a list of must-read books for all cybersecurity practitioners -- be they from industry, government or academia -- where the content is timeless, genuinely represents an aspect of the community that is true and precise, reflects the highest quality and, if not read, will leave a hole in the cybersecurity professional's education.

The opinions expressed in this blog are those of Rick Howard and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.