Summary
What are adversary personas and why do we use them? Context makes security complicated. Continent, country, region, state, locality, political union, political party, opposition or in-power, served audience, community, religion, demographics, labor, environment, elections, media, and social media can all shape how you control for risk. The same is true of adversaries, their capabilities, and their motivations. Personas describe the who (description), why (motivation/goals), and what (resources/capabilities) of an adversary of an organization. By borrowing some tools from product and user experience design, we can construct adversary personas that help us challenge common assumptions and fallacies about attackers while imagining other creative yet realistic possibilities.
Learning Objectives
- Enable students to think broadly and creatively about potential cybersecurity threats
- Understand and build a realistic “who” behind security threats considering their identity, motivations, and resources
- Identify common fallacies about adversaries
Pre-Readings
- See Course Readings for “Adversary Personas”
Resources
- Daylight Security Research Lab’s Adversary Persona Cards
Activities
Create Initial Adversary Personas: Create groups of 3-5 students based on their client or project. Tell each group to decide upon their top 3 adversaries. Each group will present the adversaries’ identity, their motivation for attacking the client’s assets, and the resources they have at their disposal, including any particular capabilities or tactics used.
Discussion
- How do these initial personas incorporate the perspectives from the readings?
- Do any of these adversaries fall into Julian Cohen’s categories of attacker fallacies (Resourced Attackers, Motivated Attackers, Intelligent Attackers, Inadequate Attackers)?
- What does your adversary’s typical day look like? What would your adversary be doing when off from work or during their downtime?
Input
- Organized Crime
- Nation State
- Professional Hacker (Individual / Collective)
- Hacktivists
- Corporations
- Terrorism (Organized / Lone Wolf)
- Criminal (Scammer / Opportunist)
- Trolls
- Insiders (Intentional / Unintentional)
Attacker Fallacies
Realistic concepts of attackers have been a focus of Julian Cohen’s work (see https://medium.com/@HockeyInJune/). Below are some passages from Playbook-based Testing.
To achieve low-overhead and scalability, attackers create playbooks. Attackers that have multiple targets care about repeatability and scalability.
Repeatability — The capability to change the target and have the attack still work with the same success rate.
Scalability — The capability to launch the attack against multiple targets with minimal cost per additional target.
Resourced attackers (whether by size, amount of money, or skill) may still prefer low-sophistication but effective attacks such as phishing. This does not mean they are inadequate or unmotivated. See APT1.
Motivated attackers may have very strong incentives for attacking an organization, but still might only work during business hours. See APT28.
Intelligent attackers can still make mistakes or their methods may not be resistant to simple countermeasures.
Unsophisticated attacks should not be confused with inadequate attackers. Market efficiency drives the tactics used based on repeatability and scalability.
If attackers with multiple targets care about repeatability and scalability, then…
“All attackers are resource-constrained.” – Dino A. Dai Zovi
“All attackers have a boss and a budget.” – Phil Venables
Consider adversaries such as intimate partners or lazy employees. Do they also have resource constraints, bosses, and budgets?
Creating Adversary Personas
Traditional “Threat Actor Profiles” may be found across the web for various threat groups (See https://oasis-open.github.io/cti-documentation/stix/intro). In accordance with standardized formats, these profiles include name, description, aliases, roles, goals, sophistication, resource level, and motivations (primary, secondary, and personal).
How might we avoid fallacies? Ground these profiles in reality (https://methods.18f.gov/decide/personas/).
- Gather research from earlier activities.
- Create a set of [adversary] archetypes based on how you believe the [adversary will threaten your partner].
- Analyze your records for patterns as they relate to [adversary] archetypes.
- Pair recurring goals, behaviors, and pain points with archetypes. Give each archetype a name and a fictional account of their day.
- Link your persona to your research.
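As an added example (not from the course materials or from OASIS), the following Python encodes a persona in the STIX 2.1 Threat Actor format referenced above, checks its sophistication, resource level and motivation values against the STIX open vocabularies, and attaches the research it rests on as external references (the last of the steps above). The mapping from this module's Input categories to STIX threat-actor types is our own assumption.

```python
import uuid
from datetime import datetime, timezone

# STIX 2.1 open vocabularies for the threat-actor object (values as listed in the STIX 2.1 spec).
THREAT_ACTOR_TYPES = {"activist", "competitor", "crime-syndicate", "criminal", "hacker", "insider-accidental",
                      "insider-disgruntled", "nation-state", "sensationalist", "spy", "terrorist", "unknown"}
SOPHISTICATION = {"none", "minimal", "intermediate", "advanced", "expert", "innovator", "strategic"}
RESOURCE_LEVEL = {"individual", "club", "contest", "team", "organization", "government"}
MOTIVATION = {"accidental", "coercion", "dominance", "ideology", "notoriety", "organizational-gain",
              "personal-gain", "personal-satisfaction", "revenge", "unpredictable"}
# Our own mapping (an assumption, not part of STIX or the course) from the module's "Input"
# adversary categories to threat-actor-type-ov values.
INPUT_TO_STIX_TYPE = {
    "Organized Crime": "crime-syndicate", "Nation State": "nation-state",
    "Professional Hacker": "hacker", "Hacktivists": "activist", "Corporations": "competitor",
    "Terrorism": "terrorist", "Criminal": "criminal", "Trolls": "sensationalist",
    "Insiders (Intentional)": "insider-disgruntled", "Insiders (Unintentional)": "insider-accidental",
}

def _check(value, vocab, field):
    """Reject a persona value that is not in the relevant STIX open vocabulary."""
    if value not in vocab:
        raise ValueError(f"{field}={value!r} is not in the STIX vocabulary {sorted(vocab)}")
    return value

def persona_to_stix(persona):
    """Build a STIX 2.1 threat-actor SDO (as a dict) from a persona dict.
    Required keys: name, description, input_category, sophistication, resource_level,
    primary_motivation. Optional: aliases, roles, goals, secondary_motivations,
    personal_motivations, research (URLs of the notes the persona is grounded in)."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    sdo = {
        "type": "threat-actor", "spec_version": "2.1", "id": f"threat-actor--{uuid.uuid4()}",
        "created": now, "modified": now, "name": persona["name"],
        "description": persona["description"],
        "threat_actor_types": [INPUT_TO_STIX_TYPE[persona["input_category"]]],
        "sophistication": _check(persona["sophistication"], SOPHISTICATION, "sophistication"),
        "resource_level": _check(persona["resource_level"], RESOURCE_LEVEL, "resource_level"),
        "primary_motivation": _check(persona["primary_motivation"], MOTIVATION, "primary_motivation"),
    }
    for key in ("aliases", "roles", "goals"):
        if persona.get(key):  # STIX forbids empty list-valued properties, so add only when populated
            sdo[key] = list(persona[key])
    for key in ("secondary_motivations", "personal_motivations"):
        if persona.get(key):
            sdo[key] = [_check(m, MOTIVATION, key) for m in persona[key]]
    if persona.get("research"):  # keep the persona linked to its research via external_references
        sdo["external_references"] = [{"source_name": "persona-research", "url": u} for u in persona["research"]]
    return sdo
```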
Deepening
Synthesis
Reiterate the reasons for understanding one’s adversaries. Developing personas is a great technique for brainstorming and uncovering likely adversary strategies, tactics, and targets. In a future module, we will learn about constructing threat scenarios to communicate the potential actions of these adversaries in a meaningful way to our clients.
Assignments
Have each team develop a set of adversary personas. These personas will be used to create effective threat scenarios.