Trends Emerging
The cornerstone of Security Energy is determining which defense capabilities need to be implemented by predicting the capabilities that a cyber adversary will use against you (see the Influence Energy post). In a few weeks, I'll release a GitHub project mapping all MITRE ATT&CK techniques into the security energy framework and allowing you to export ATT&CK Navigator layers to visualize each level.
Each capability includes a brief description or example command and, where possible, a URL to a threat report showing the capability in use. This is not meant to be exhaustive; instead, it is meant to show a representative example that prompts future threat report analysis and puts techniques into the appropriate bucket. This also provides a way to keep the model up to date as new threat actors emerge and capability energy changes.
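To make the mapping and export concrete, here is an added example (not code from the upcoming project) that takes a small constructed set of capabilities, each with its ATT&CK technique ID, Influence Energy level, description and report URL, and emits one ATT&CK Navigator layer per IE level. The technique IDs are real ATT&CK IDs, but the IE assignments, descriptions and URLs are illustrative placeholders; the Navigator version strings and color choices are assumptions.

```python
import json
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Capability:
    technique_id: str      # ATT&CK technique or sub-technique ID, e.g. "T1059.001"
    influence_energy: int  # IE level 1..4 as defined in the framework
    form: str              # "public", "altered" or "bespoke"
    description: str       # brief description / example command
    report_url: str        # threat report showing the capability in use ("" if none)


# Constructed sample mapping (not the project's data). IE levels, descriptions
# and URLs are illustrative only; example.invalid is a reserved non-routable domain.
SAMPLE_CAPABILITIES = [
    Capability("T1059.001", 1, "public", "powershell -enc <base64>",
               "https://example.invalid/report-1"),
    Capability("T1566.001", 2, "public", "phishing e-mail with macro attachment",
               "https://example.invalid/report-2"),
    Capability("T1003", 3, "altered", "modified open-source credential dumper",
               "https://example.invalid/report-3"),
    Capability("T1059", 4, "bespoke", "novel scripting interpreter abuse", ""),
]

# One color per IE level (assumed palette, low energy = green, high = dark red).
IE_COLORS = {1: "#8ec843", 2: "#ffe766", 3: "#ff6666", 4: "#990000"}


def layer_for_level(capabilities, ie_level, attack_version="14"):
    """Build a Navigator layer dict containing only the techniques at one IE level."""
    if ie_level not in IE_COLORS:
        raise ValueError(f"influence energy level must be 1..4, got {ie_level}")
    selected = sorted((c for c in capabilities if c.influence_energy == ie_level),
                      key=lambda c: c.technique_id)
    # Parents that also have a mapped sub-technique at this level get expanded in the UI.
    parents_with_subs = {c.technique_id.split(".")[0] for c in selected if "." in c.technique_id}
    techniques = []
    for cap in selected:
        comment = cap.description
        if cap.report_url:
            comment += f" | {cap.report_url}"
        techniques.append({
            "techniqueID": cap.technique_id,
            "score": ie_level,
            "color": IE_COLORS[ie_level],
            "comment": comment,
            "enabled": True,
            "showSubtechniques": cap.technique_id in parents_with_subs,
        })
    return {
        "name": f"Influence Energy {ie_level}",
        # Version strings are assumptions; adjust to the ATT&CK/Navigator release in use.
        "versions": {"attack": attack_version, "navigator": "4.9", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": f"Capabilities assessed at influence energy level {ie_level}",
        "techniques": techniques,
        "legendItems": [{"label": f"IE{lvl}", "color": col} for lvl, col in IE_COLORS.items()],
    }


def build_layers(capabilities):
    """Return {ie_level: layer} for all four levels, including empty ones."""
    return {lvl: layer_for_level(capabilities, lvl) for lvl in sorted(IE_COLORS)}


def export_layers(capabilities, out_dir):
    """Write ie1.json .. ie4.json into out_dir and return the written paths."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for lvl, layer in build_layers(capabilities).items():
        path = os.path.join(out_dir, f"ie{lvl}.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(layer, fh, indent=2)
        paths.append(path)
    return paths


if __name__ == "__main__":
    for p in export_layers(SAMPLE_CAPABILITIES, "layers"):
        print("wrote", p)
```

Each resulting file can be loaded in ATT&CK Navigator through "Open Existing Layer", so the four levels can be compared side by side; keeping the report URL in the technique comment preserves the evidence trail the mapping is built from.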
A few trends are emerging in the analysis:
- Truly public capabilities must be readily available to be incorporated into a new campaign. Most malware in compiled form is not usable like this, and the effort of reverse-engineering it would drive influence energy higher. Most public capabilities thus come from open source penetration testing tools.
- Not all public capabilities are Influence Energy level 1. Many require prerequisite knowledge of cyber topics and how they relate to your goal, which pushes them to IE2 or IE3.
- Many altered capabilities require programming knowledge, which puts them at IE3. This aligns with the concept of a public capability being some ready-to-use form of a technique that can be altered with sufficient programming knowledge.
- Most cybercriminal malware families fall into the altered capability level as they are adapted from public capabilities and combined for use by the threat actor.
- Bespoke capabilities involve per-target customization, like blending in with existing network traffic or applications. This keeps their influence energy high, as it requires intimate knowledge of the target and their environment to execute well.
- Many bespoke capabilities require speculation, since we are limited by public knowledge. For example, Command and Scripting Interpreter (T1059) has 10 sub-techniques as of this writing. A reasonable assumption is that a threat actor will find a novel scripting interpreter mechanism and use it in a bespoke manner. This would require high influence energy (IE4) and would be very effective against targets that don't have good visibility and analytics.
This is an exciting project which will change how people analyze threats. After this phase is complete, we can move on to matching up against defense capabilities and lay out the roadmap to optimized security.
Stay tuned for more updates here and on X!