Introduction
When discussing cyber threat actors and their activities, it is important to use precise language, especially regarding terms like "targeted." Threat intelligence providers and cyber threat intelligence (CTI) reporting often use the word targeted when describing the victimology of a threat actor group or campaign, even when the attack was opportunistic in nature. For example, in describing the MOVEit exploit campaign, CTI reports would note that the attack "targeted multiple industries including healthcare, retail and education," which can be misleading because it may imply to a non-CTI reader that the threat actors specifically selected companies in those industries prior to launching the attack.
While there are some examples of specific organizations that were truly pre-selected by threat actors for persistent campaigns, most threat activity is opportunistic in nature, and the word targeted may only be appropriate to describe the practice of Big Game Hunting (BGH) by some groups. CTI teams risk desensitizing their readers when targeted or targeting is used excessively or inappropriately, as it undermines the significance of the word when targeted activity does take place.
Further, it is important that cyber threat intelligence teams are able to communicate that opportunistic targeting generally comprises the vast majority of cyber threat breaches and likely presents the most significant risk to an organization. It is not uncommon for those outside the cyber threat intelligence practice to regard a threat actor group specifically targeting an industry or organization as the greater risk.
This guide openly acknowledges that there is a lot of variability and debate around use of the word targeted. For example, if a threat actor group has a large victimology in healthcare and education, do you describe that as targeted, or do you acknowledge that companies in those sectors are often included in campaigns because of their reliance on critical data and their generally lower levels of cybersecurity investment compared to financial or government entities? Do you consider a threat actor group that mass-exploits vulnerabilities and then selects specific organizations or sectors from its victimology to infect with ransomware, based on a belief that they are more likely to pay, to be a type of "targeting"?
These are all very important concepts that cyber threat intelligence teams should consider standardizing in their team's analytical writing style guidance for analysts. It is less important that everyone agrees on the "right" way to use the word targeting than it is that a framework is agreed on and standardized, so that reports from different analysts on the same team do not conflict.
An example:
To understand why this can be a problem in CTI reporting, let's look at a specific real-world example. In 2023, many CTI reports described the Qilin group as "targeting healthcare," trying to communicate either that Qilin's victimology included healthcare and pharmaceutical companies, or that the campaigns Qilin ran attacked many organizations across many verticals but had statistically notable success against companies classified as pharmaceutical or healthcare. However, Qilin is a financially motivated and opportunistic group. It was not targeting healthcare organizations specifically in 2023; in fact, only 7% of the total victims on its data leak site were healthcare. To make matters more confusing, even HC3's recently published advisory on the group stated, "Qilin is a ransomware-as-a-service (RaaS) offering in operation since 2022, and which continues to target healthcare organizations and other industries worldwide... The group's targeting appears to be opportunistic rather than targeted."[1]
However, in June 2024 Qilin posted on their data leak site: "We also officially declare that in the near future there will be a series of attacks on medical institutions U.S.A". Although the truthfulness of this statement may be debated[i], it is a distinctive shift in the way we understand Qilin operates. If CTI teams have historically used the word "targeted" to describe this group, reporting on this supposed shift in tactics may lose its impact on non-CTI readers.
Purpose
This guide hopes to provide example guidelines for CTI teams around the use of language describing targeting, so that teams speak with a consistent voice in reports and communications. This guide does not claim this is the only correct way, only to acknowledge that there is a real need for consistency.
When to Use "Targeted"
"Targeted" should be used when there is clear evidence that a threat actor specifically chose and pursued a particular organization, industry, or group. This typically involves:
- Customized tactics: The threat actor tailored their techniques or malware specifically for the victim.
- Persistent efforts: Multiple attempts or a sustained campaign focused on the same target.
- Specific victim selection: Evidence that the actor deliberately chose the victim based on certain attributes.
When to Avoid "Targeted"
Avoid using "targeted" in the following scenarios:
- Opportunistic attacks: When threat actors cast a wide net and attack any vulnerable system they encounter.
- Broad campaigns: Attacks affecting multiple industries or a large number of organizations without clear focus.
- Big Game Hunting: While these attacks go after specific types of victims, they are often based on general criteria like company size or potential ransom value rather than targeting a specific entity.
Alternative Terminology
Instead of "targeted," consider using more precise language:
- "Affected" or "impacted" for general victims of an attack
- "Focus on" or "prioritize" for industries or sectors that receive more attention from threat actors
- "Opportunistically compromised" for victims of non-targeted attacks
- "The organization was impacted by a campaign associated with [APT group]." This phrasing acknowledges the effect on the organization without implying that they were the primary target.
- "Organizations in [specific industry/sector] are frequently affected by the campaigns of [APT group]." This approach highlights the trend of certain industries being commonly affected without asserting direct targeting.
- "The attack victims typically include companies from [specific industries/sector], often due to [reasons like size, data value, etc.]." This emphasizes that while certain types of companies are commonly affected, the focus may be on characteristics like company size or the value of data rather than specific targeting.
- "The campaign is known to affect a broad range of organizations, with a particular impact on companies in [industry]." This phrasing allows for the inclusion of industry-related patterns without suggesting direct targeting.
Key Considerations
- Evidence-based language: Only use "targeted" when you have concrete evidence of specific targeting.
- Avoid assumptions: Don't assume targeting without clear indicators.
- Contextual analysis: Consider the broader context of the threat actor's activities and motivations.
By adhering to these guidelines, cyber threat intelligence professionals can provide more accurate and nuanced reporting on threat actor activities, avoiding the common pitfall of overusing the term "targeted" when it may not be appropriate.