Thanks to the increasing professionalization of cyber crime, predicting the actions of attackers based on profiling is becoming more challenging for cyber security practitioners. To help address the challenge, WithSecure™ has published a new study that demonstrates an alternative model of predicting how attacks unfold.
In recent years, the cyber crime industry has become increasingly service-oriented, with different threat actors providing specialized services to one another. Consequently, it’s become increasingly difficult for security analysts to understand attackers and the threat they pose based strictly on their use of a particular tactic, technique, or procedure (TTP). It’s a trend that WithSecure™ Intelligence Senior Researcher Neeraj Singh says is likely to get worse.
“You also have to consider that attackers are constantly expanding their toolkits to include new resources to use in attacks. That means they have more avenues to pursue an attack than ever before. These types of changes make traditional profiling techniques, where you understand and predict specific types of attacks by associating them with particular TTPs or toolsets, less effective,” he explained. A new WithSecure™ study on common tactics and toolsets observed in data breaches demonstrates an alternative approach to predicting how cyber attacks can unfold.
Using data collected from cyber attacks observed by WithSecure™ in 2023, researchers were able to correlate tactics/toolsets used together in attacks—correlations that provide a foundation for further analysis. For example, researchers found that both discovery and collection commonly lead to exfiltration and command and control tactics, indicating adversaries’ reliance on information that’s gathered and stolen from the victim’s machines and sent back to the attackers to perform their next steps in an attack lifecycle.
According to Singh, correlations like these can provide a sound basis for making further predictions about different paths taken during attacks. “Machine learning can build on traditional data analysis techniques to train predictive models that can determine the likelihood of different tactics and toolsets being used on different premises. That’s the kind of preparation that organizations can use to begin reducing the risk of attackers using certain approaches against them,” explained Singh.
The study, Unveiling the Arsenal: Exploring Attacker Toolsets and Tactics, contains information about the most common tactics and toolsets observed in attacks during 2023, walkthroughs for a variety of security incidents investigated by WithSecure™, and security advice for organizations. The full study is available here.