This post is about the factors involved in forming a cyber-criminal, and why understanding those factors is key to thwarting cyber-attacks. I need to give credit to Jeffrey Bardin at Treadstone71 for his posts and his insight. Take time to review his courses for a more in-depth analysis of data collection and the formulation of resources.
Why write this post?
- For both the Enterprise and the Cloud, paid and open-source tools are available. There are well understood solutions for protecting hardware, software, and data. There are controls and frameworks with instructions and training on when and how to apply those controls and frameworks. However, global corporations, federal, state, and local governments, schools, hospitals, energy suppliers, folks on fixed incomes, etc. are successfully compromised on a daily basis.
- There are incident response tools available to detect, isolate and restore services. Yet many compromises go undetected for months, even a year. Detection comes after the attack, and the consequences are reported in the media on a daily basis.
- There are AI tools available, some paid and some open source. There are information sharing frameworks in place to sound the alarm when an attack is detected. However, the AI based tools and shared information are available to both attacker and defender. Attackers reflect the common sense, training, and experience of their culture. Train end users to look for poor spelling in a phishing attack, and attackers simply pass their text through open-source spell checkers. Train end users to look for odd sentence structure, and attackers pass their text through open-source word processors to correct for cultural differences.
- It seems like every few days a new cyber-security company comes on-line. Impressive marketing campaigns. Common today: infused with AI. Effective pitches are made to decision makers. Pay a fee, click on a few buttons, and you can sleep well at night. Decision makers very often do not know enough to ask the right questions. When questioned, most cyber-security companies will acknowledge that their solution only addresses a small subset of the attack surface.
- The reason that so many compromises are successful is that the people who attack and the people who build and use services are rarely factored into protecting systems. People, both attackers and those being attacked, are born, raised and educated in cultures that define their surroundings. These surroundings shape how folks within a group reason. These groups of people operate under different sets of laws, have different levels of protection, different religions, different views about the sanctity of life. There are groups that are controlled by males, where females are directed to stay home. Some cultures have more risk takers, and other cultures wait for others to make the first move. For centuries there have been those who collected raw information about people and massaged and enriched the raw data into intelligence, with the goal of better understanding what a person or group is capable of accomplishing and what a person or group will most likely do. Today, the collection of data, and the shaping of the collected data to better understand people, the same people that compromise and are compromised, takes a distant second to technology and the quick buck. The consequences of that prioritization are available every day in the media. Basically, it is a failure to understand the source of the problem.
STEMPLES can be thought of as a framework: a set of classes with properties, where the values assigned to the properties are used to better understand both attacker and defender. In incident response (IR), the intelligence gathered can help increase the efficacy of the IR flow. The IR flow is applied after the attack is detected. The intelligence gathered from applying STEMPLES analysis can be utilized both before and after the attack.
Utilizing the intelligence gathered from applying STEMPLES to cyber-threats before the attack is very similar to what a G2/S2 unit in the DOD, or a Gang Intelligence Unit in Los Angeles, Chicago, or Baltimore, would do. Whether it is the cyber world, the DOD or a Gang Intelligence Unit, as in the Art of War, it is about knowing yourself and your enemy. Without understanding both, the war is lost.
STEMPLES Classes:
S-> About understanding the social environment of the individual, team, organization, or culture.
T-> About understanding the technologies available to the individual, team, organization, or culture.
E-> About understanding the economic factors impacting the individual, team, organization, or culture.
M-> About understanding the military support (which could be police, FBI, etc.) available to the individual, team, organization, or culture.
P-> About understanding the politics, government type, policies, and regulations bounding the individual, team, organization, or culture.
L-> About understanding the laws governing hacking, doing business, etc. that bound the individual, team, organization, or culture.
E-> About understanding education and training available to the individual, team, organization, or culture.
S-> About understanding cyber and cognitive warfare, intelligence and operations capabilities available to the individual, team, organization, or culture.
Plus-> About understanding the demographics, religion, psychology, Hofstede cultural dimensions, etc. of the individual, team, organization, or culture.
How to Collect the Values:
Most of the lectures and papers that I have read reference analysts researching, collecting raw data, enriching the data to form intelligence and assigning values. My experience is that in the world of analysis there are terabytes of near real time information being collected each day of every week, and of every month of every year. Far too much data to process manually. Enter the world of big data, automation, and analysis of real time streams to assign values.
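To make the "set of classes with properties" idea and the automated assignment of values concrete, here is an added example in Python. It is not code from the original post or from Treadstone71. It assumes a hypothetical observation record (class key, finding, source reliability grade, analyst confidence), splits the two S and two E classes into S1/S2 and E1/E2 keys, and weights sources on an Admiralty-style A to F scale; all of those choices are assumptions for illustration. It aggregates a stream of constructed observations into one summary per STEMPLES class and reports which classes still have little or no evidence, which is the pre-attack question the post is asking analysts to answer.

```python
"""
STEMPLES profile builder (added example; not from the original post or Treadstone71).

Assumed input (hypothetical): analyst observations arrive as tagged records with a
STEMPLES class key, a short finding, an Admiralty-style source reliability grade and
an analyst confidence score. The builder aggregates them per class so an analyst can
see where evidence is strong, where it is thin, and which classes have no coverage.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# The nine STEMPLES classes as listed in the post. The duplicate S and E letters are
# given numeric suffixes here (an assumed naming, not from the post).
STEMPLES_CLASSES = {
    "S1": "Social environment",
    "T": "Technologies available",
    "E1": "Economic factors",
    "M": "Military / law-enforcement support",
    "P": "Politics, government type, policies, regulations",
    "L": "Laws bounding hacking and doing business",
    "E2": "Education and training available",
    "S2": "Cyber and cognitive warfare, intelligence and operations capability",
    "PLUS": "Demographics, religion, psychology, Hofstede dimensions",
}

# Source reliability weights, loosely modelled on the Admiralty A-F scale (assumed).
RELIABILITY_WEIGHT = {"A": 1.0, "B": 0.8, "C": 0.6, "D": 0.4, "E": 0.2, "F": 0.0}


@dataclass
class Observation:
    cls: str           # STEMPLES class key from STEMPLES_CLASSES
    finding: str       # short statement of what was observed
    reliability: str   # source grade A..F
    confidence: float  # analyst confidence in the finding, 0.0..1.0


@dataclass
class ClassSummary:
    name: str
    evidence_count: int = 0
    weighted_score: float = 0.0
    findings: list = field(default_factory=list)


def build_profile(observations):
    """Aggregate observations into one ClassSummary per STEMPLES class.

    weighted_score is the mean of confidence * reliability weight over the class's
    observations, so the score reflects evidence quality rather than raw volume.
    Invalid records are rejected rather than silently skewing the profile.
    """
    buckets = defaultdict(list)
    for obs in observations:
        if obs.cls not in STEMPLES_CLASSES:
            raise ValueError(f"unknown STEMPLES class: {obs.cls}")
        if obs.reliability not in RELIABILITY_WEIGHT:
            raise ValueError(f"unknown reliability grade: {obs.reliability}")
        if not 0.0 <= obs.confidence <= 1.0:
            raise ValueError(f"confidence out of range: {obs.confidence}")
        buckets[obs.cls].append(obs)

    profile = {}
    for key, name in STEMPLES_CLASSES.items():
        summary = ClassSummary(name=name)
        for obs in buckets.get(key, []):
            summary.evidence_count += 1
            summary.weighted_score += obs.confidence * RELIABILITY_WEIGHT[obs.reliability]
            summary.findings.append(obs.finding)
        if summary.evidence_count:
            summary.weighted_score = round(summary.weighted_score / summary.evidence_count, 3)
        profile[key] = summary
    return profile


def coverage_gaps(profile, min_evidence=2):
    """Class keys with fewer than min_evidence observations: the questions an
    analyst still has to answer before, not after, the attack."""
    return [key for key, summary in profile.items() if summary.evidence_count < min_evidence]


# Constructed sample observations about a fictional group; not real intelligence.
SAMPLE_OBSERVATIONS = [
    Observation("T", "Group reuses a commodity loader found in public repositories", "B", 0.9),
    Observation("T", "Infrastructure rented from abuse-tolerant hosting providers", "C", 0.7),
    Observation("E1", "Members are paid per successful intrusion", "C", 0.6),
    Observation("E1", "Local unemployment among IT graduates is high", "A", 0.8),
    Observation("L", "No extradition treaty with the victim jurisdiction", "A", 1.0),
    Observation("E2", "Members trained through informal forum mentorship", "D", 0.5),
    Observation("S1", "Group recruits through a tight-knit gaming community", "C", 0.6),
]

if __name__ == "__main__":
    prof = build_profile(SAMPLE_OBSERVATIONS)
    for key, s in prof.items():
        print(f"{key:4} {s.name:<70} n={s.evidence_count} score={s.weighted_score}")
    print("coverage gaps:", coverage_gaps(prof))
```

In practice the observations would be produced by the automated collection described above rather than typed in, but the aggregation step is the same: every record has to land in a named class with a quality weight, or it cannot be compared with anything else, and the gap list is what tells you which STEMPLES questions remain unanswered.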
In my next post, I will walk through the collection of information by using the chat service from Microsoft named CoPilot. I will provide examples of submitting prompts to locate cities in Russia with cyber-criminal groups, identify members of the groups, and understand hobbies, relationships, etc. of individuals within the group. I will even show the bounties that the US Government will pay for information leading to an arrest. The amounts of money offered are worth the effort.
Need help?
If you need help in understanding the attacker before and after the attack:
If you have any questions:
www.overvotch.com
norradcloud@overvotch.com
Discover more from Threat Detection