Part I of V: Our Holistic Approach to Cyber Threat Intelligence
This post is the first in a series of five short blog posts, in which we will explain why geopolitics is an integral part of our cyber threat intelligence analyses. Each blog post will outline an aspect of the importance of this approach for us, our clients, and the Cyber Threat Intelligence community.
At QuoIntelligence, we look at cyberattacks holistically as we enhance the technical aspects of Threat Actors and cyberattacks with additional analyses on their context. While we closely analyze technical details including Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs), we also take the victim as well as economic, social, and geopolitical aspects into account. This way, we create an all-embracing understanding of a given cyberattack to provide the best possible context.
In contrast to the analogue world, where it can be easier to understand a given context and to attribute certain facts about a crime and the offender, it can be extremely difficult to do the same in cyberspace. In cyberspace, the problem of attribution is inherent to the digital environment:
‘On the Internet, nobody knows you’re a dog’
(© The New Yorker, July 1993. Image: Peter Steiner, The New Yorker, The Cartoon Bank)
Despite the improving performance of tracking methods and tools, cyberspace provides attackers with additional layers of anonymization that do not exist in the analogue world. Due to this, it is potentially harder to identify attackers and to understand their motives, capabilities, and intentions at first sight.
However, it goes without saying that no criminal activity is an isolated act: it takes place at a certain time, in a specific environment, and is always motivated by something that leads to the criminal act itself. In short, there is no attack without a context.
This context is key for the analysis of any attack as well as for spotting patterns and trends that help identify potential future targets. While analyzing the technical aspects of an attack is essential, if the wider context is disregarded, this analysis can only provide a partial understanding of the attack. Naturally, a technical assessment and mitigation recommendations can lead to better defenses from a technical perspective. However, by disregarding wider influences, such as geopolitical or economic circumstances, trends and patterns that could provide indicators for potential future targets could be missed. Precisely understanding the context of an attack strengthens any tactical and strategic recommendations that are critical to future defenses and organizational success.
Therefore, we are convinced that a holistic approach to Threat Intelligence is essential to conduct thorough analyses. A holistic approach includes the analysis of how other disciplines, such as geopolitics, impact threat actors, their motivations, intentions, and capabilities. Furthermore, analyzing geopolitical developments can give an idea of emerging threats.
In the upcoming blog posts, we will address why we see geopolitics as an essential aspect of our Threat Intelligence analysis and how we incorporate it in our analyses.