Part I - Understanding Each Type of Targeted Attacker

When trying to defend an organization, it's imperative to understand the nature of the threats who seek to compromise the enterprise. This is not a common belief, unfortunately. Several months ago I heard a colonel in the US military say "I don't care who attacks me in cyberspace. I'm going to defend the enterprise the same way, regardless."

If you put that same colonel in charge of defending physical space, he would have likely trotted out Sun Tzu's most famous quote:

"It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle." Source:

Most readers would agree that Sun Tzu's advice applies equally well in cyberspace as it does to physical space. Perhaps the colonel in question is happy to just "win one and lose one" by not knowing his cyber enemy. More likely he also fails to know himself (or more accurately, his enterprise) and is therefore "imperiled in every single battle."

What does it mean to "know your enemies?" Is it necessary to specifically identify names, pictures, and home addresses? Is it enough to instead recognize an adversary when observed in the enterprise, but not have attribution at the name level? Is it more important to know an adversary's origin or the adversary's behavior?

Answering those questions depends on the person doing the asking. For those working in law enforcement, the military, the diplomatic corps, government decision-making bodies, or the intelligence community, the specific identity of the adversary is very important. These parties have the authority to take action outside the "cyber" or technical fields. They can also act outside the boundaries of victims of digital attack. By specifically identifying adversaries, these groups can apply pressure of various means to influence enemy actions.

For those in the enterprise trying to defend themselves against targeted attacks, it is more important to recognize an adversary when observed in the enterprise. It is not so crucial to gain specific identities because the enterprise generally can't apply the same sorts of pressure that other groups can bring to bear. The reason it's important to recognize an adversary is that understanding the nature of the enemy allows better defense.

The idea is to develop an internal intelligence capability that observes threat actors in the enterprise, categorizes them according to Tactics, Techniques, and Procedures (TTPs), and assigns unique labels to those actors or groups. These are not static determinations and should be subject to constant revision, and where possible, comparison with peer and partner intelligence teams. By treating intrusions as interactions with threat actors, the security and incident response teams can better prioritize their defense and response actions.

In future posts I will outline a few key aspects of several different targeted attacker types. By examining each, you will be able to better tailor your detection and response programs for maximum effectiveness.