Threat playbooks have become an essential tool in the arsenal of today's cyber professionals. Threat actors often follow specific protocols and practices to help them manage all the moving parts of an attack or malware development.
One of the most important objectives for a defensive playbook is to ensure that it is aligned with the processes and strategies of these cyber-criminals. The CISO and their security teams can then use it to detect malicious activity and better understand how to defend against those threats.
Organizations like the MITRE Corporation have designed tools to help standardize how attacks and attackers are analyzed, helping to ensure consistent analysis between groups. Their ATT&CK framework, for example, provides a comprehensive matrix for analyzing threats and organizing knowledge bases related to malware, threats, and attack methods. Some members of the cross-industry Cyber Threat Alliance are promoting the use of MITRE’s ATT&CK matrix to standardize the threat reports and playbooks being shared between security vendors.
However, this move towards a comprehensive system for organizing and analyzing threat data is just the first step of a more comprehensive method that needs to be in place if we hope to get out ahead of today's cybercriminal organizations.
Turning Playbooks into Digital Resources
The next critical step that needs to take place is to develop a system for converting these playbooks into actionable intelligence that can be consumed by security devices. This requires converting playbooks into digital formats that can be fed into a system looking for abnormal behaviors. A few security vendors have already begun to produce their playbooks in JavaScript Object Notation (JSON) so they can be more easily pulled into a threat intelligence platform. More should follow.
Deep analysis of this data will help identify patterns of behavior for specific threats and even threat actors. Understanding the tactics, techniques, and procedures (TTPs) of cyber-criminals has been one of the most difficult and elusive elements of threat intelligence to deduce – which is why it sits at the top of the “pyramid of pain” graphic developed by threat researchers to illustrate what traditional IOCs can and cannot identify.
However, those development strategies and attack methodologies are often as unique as the criminals using them, and can be used like a fingerprint to identify both attacks and attackers. As playbooks begin to uncover those details, patterns of behavior will finally begin to emerge. Security researchers can then further refine the data in their playbooks so that those patterns come into sharper focus.
Eventually, tactics like behavior matching will be able to uniquely identify specific attack strategies and stages, enabling threat researchers to more quickly identify and assess an attack, implement appropriate countermeasures – and in some cases, even trace the malware back to the original developers. This information could further improve the ability to assess and address cyber-attacks.
To achieve this, the attack analysis used in playbooks should be designed to help cybersecurity professionals identify which organizations are behind an attack, whether directly or through the development of malware used by others. This would require a consistent methodology for breaking down an attack so that individual actions can be seen and compared.
The security systems used by threat researchers could then be updated with detailed playbook data to enable them to not only identify specific threats, but also help predict the details and stages of an attack based on known behaviors of specific threat actors. At the same time, narrowing down the list of possible culprits would be of great benefit to law enforcement.
That is just the start. As more data is gathered and included in these playbook resources, security systems ought to also be able to recognize the fingerprint of a specific type of attack. This would go beyond the sorts of broad-brush elements that allow security systems to differentiate between different kinds of malware.
It could also immediately determine, for example, not only which specific ransomware attack has been detected but also whether it has been modified, without having to undergo tedious lab analysis.
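The pieces described above (a playbook expressed in JSON, a consistent breakdown of an attack into individual actions keyed to ATT&CK techniques, and behavior matching that names the most likely playbook and its next stage) can be shown end to end in a small script. The following is an added example, not code from the original article or from any vendor or MITRE: the actor names, playbook contents, host names and event lines are constructed for illustration, and the technique IDs (T1566, T1059, T1003, T1021, T1490, T1486, T1082, T1005, T1041) are used only as labels assumed to correspond to entries in the public ATT&CK matrix.

```python
"""Rank JSON playbooks against an observed sequence of ATT&CK techniques.

Added example; playbook data, hosts and events are constructed, and the
technique IDs are assumed labels from the public ATT&CK matrix.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed playbooks in the JSON shape a vendor might publish: each is an
# ordered list of stages, every stage keyed by tactic and technique ID.
PLAYBOOKS_JSON = """
[
  {"actor": "constructed-ransomware-crew",
   "stages": [
     {"tactic": "initial-access",    "technique": "T1566"},
     {"tactic": "execution",         "technique": "T1059"},
     {"tactic": "credential-access", "technique": "T1003"},
     {"tactic": "lateral-movement",  "technique": "T1021"},
     {"tactic": "impact",            "technique": "T1490"},
     {"tactic": "impact",            "technique": "T1486"}
   ]},
  {"actor": "constructed-espionage-group",
   "stages": [
     {"tactic": "initial-access",    "technique": "T1566"},
     {"tactic": "execution",         "technique": "T1059"},
     {"tactic": "discovery",         "technique": "T1082"},
     {"tactic": "collection",        "technique": "T1005"},
     {"tactic": "exfiltration",      "technique": "T1041"}
   ]}
]
"""

# Constructed events, already normalised to a technique ID by upstream
# detection rules. Format: "<timestamp> <host> <technique> <free text>".
EVENTS = """
2024-03-01T09:00:00Z ws-17  T1566 attachment opened from external sender
2024-03-01T09:02:10Z ws-17  T1059 powershell spawned by office process
2024-03-01T09:40:00Z ws-17  T1003 lsass memory access by untrusted process
2024-03-01T10:15:00Z srv-02 T1021 smb admin share logon from ws-17
"""


@dataclass
class Match:
    actor: str
    matched: int                   # playbook stages seen so far, in order
    total: int                     # stages in the playbook
    next_expected: Optional[str]   # technique to hunt for next, if any

    @property
    def score(self) -> float:
        return self.matched / self.total


def load_playbooks(text: str = PLAYBOOKS_JSON) -> list:
    return json.loads(text)


def parse_events(text: str = EVENTS) -> List[str]:
    """Return the observed technique IDs in time order."""
    techniques = []
    for line in text.strip().splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3:          # skip malformed lines
            continue
        techniques.append(parts[2])
    return techniques


def match_playbook(playbook: dict, observed: List[str]) -> Match:
    """In-order subsequence match: advance through the playbook's stages as
    each expected technique appears in the observed sequence. Unrelated
    events in between do not reset the match."""
    stages = [s["technique"] for s in playbook["stages"]]
    i = 0
    for tech in observed:
        if i < len(stages) and tech == stages[i]:
            i += 1
    nxt = stages[i] if i < len(stages) else None
    return Match(playbook["actor"], i, len(stages), nxt)


def rank_playbooks(playbooks: list, observed: List[str]) -> List[Match]:
    """Most complete match first, so the top entry is the likeliest
    playbook and its next_expected stage is the thing to hunt for."""
    return sorted((match_playbook(p, observed) for p in playbooks),
                  key=lambda m: m.score, reverse=True)


if __name__ == "__main__":
    for m in rank_playbooks(load_playbooks(), parse_events()):
        print(f"{m.actor}: {m.matched}/{m.total} stages, "
              f"next expected {m.next_expected}")
```

On the constructed events the ransomware playbook matches four of six stages and reports T1490 as the next technique to look for, while the espionage playbook stops at two of five. A real deployment would weight stages by how distinctive they are rather than counting them equally, since two playbooks that share a common initial-access technique should not score the same on that stage alone.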
Combining Playbooks with AI
When fed into an AI, this data should enable the anticipation of an attack’s next moves so the security system can take appropriate countermeasures. This would involve combining data about specific types of attacks with the known idiosyncrasies of specific criminals and criminal organizations. Over time, AI systems should not only be able to identify large markers in an attack and subvert them, but also see deep into internal systems to quickly identify an attack.
Those AI systems could also use those known behavioral patterns to engage in proactive threat hunting. Once a specific attack pattern has been identified, an AI system would then know what related behavior patterns to expect and begin to hunt for them to accelerate a security system’s ability to disrupt and even prevent an attack.
This data could then be included in real-time vendor threat feeds to ensure that deployed devices are not only able to detect a new attack, but can also automatically seek out and contain any threats in progress. This will require that locally deployed devices not only benefit from AI-enhanced threat feeds, but also have AI-enabled functionality built in.
Enhancing Distributed AI
As digital innovation expands the potential attack surface, dealing with attacks will need to evolve and security decisions will need to be made locally. This will require intelligent decision-making, and intelligence is only as good as the information it has been fed.
Data provided by playbooks and fed into AI systems by threat researchers can then be pushed to all locally deployed security devices. This will help local and regional AI-enabled systems make increasingly reliable and autonomous decisions.
Sharing that information back to the central AI system will not only allow the general database to become more intelligent and effective. It will also enable the primary system to provide corrective measures to fine-tune whatever initial response was initiated by local security.
Standardization is Key
The core of this process, however, is developing the ability to uncover, process, and weaponize digital intelligence related to malware, attack strategies, and criminal developers. Much of that intelligence could be derived from threat playbooks. It will just require the security community to further identify and refine how data is collected, analyzed, and cataloged to ensure that our defensive playbooks are aligned with the offensive ones being used by the criminal community. Once that system is in place, cyber defenders will have a real shot, probably for the first time, at getting out in front of their cyber adversaries.