This article is the first installment in a four-part series that examines how the X-Force IRIS framework can help identify opportunities for security practitioners to increase network security and lower risk by addressing the steps an adversary typically takes to attack a network. Be sure to check out the entire series for the full scoop.

Security teams may need guidance to better understand, track and defend against patterns of malicious behavior, which will help them contend with today’s evolving — and increasingly sophisticated — threat landscape.

This is why IBM X-Force Incident Response and Intelligence Services (IRIS) developed a cyberattack framework to help organizations predict the steps an adversary might take to infiltrate corporate networks. The IBM X-Force IRIS cyberattack preparation and execution frameworks are designed to help security analysts understand malicious actors’ objectives, track threat data and communicate security intelligence more clearly.

Defenders can further dissect the threat model to preemptively build defenses and tracking capabilities to help identify and protect against attacks before they occur.

Break Down the X-Force IRIS Cyberattack Preparation Framework

While many of the phases described in the preparation framework may be undetectable to target organizations and defenders, the early stages of a cyberattack offer opportunities to increase visibility into attackers’ targeting and planning operations. Often, these measures can be undertaken relatively cheaply and with little to no reduction in operations.

Two of the key phases to focus defenses against in the IRIS attack preparation framework are points in time when an “attacker determines objective” and when attackers “prepare attack infrastructure.”

IRIS Cyberattack Preparation Framework — Schematic View

Read the white paper: IBM X-Force IRIS Cyberattack Preparation and Execution Frameworks

Attacker Determines Objective: Know Your Enemy

In the first phase of the framework, the attacker determines the target and defines initial mission objectives. On the defenders’ side, analysts can take steps to safeguard the assets attackers are likely to target, such as determining what and where their most valuable data is and whether threat actors have been or may currently be interested in the organization and its assets, intellectual property, customers or proprietary data.

Security teams should also integrate threat intelligence into the organization’s cybersecurity program. By building a threat profile of adversarial actors who are likely to target the company, security teams can focus on the most relevant adversarial cyber actors instead of applying generic coverage to the entire pool of active cyber threat groups. This strategy is also in line with best practices suggested by the National Institute of Standards and Technology (NIST)’s framework for improving critical infrastructure cybersecurity.

Threat profiles help provide the contextual background for these malicious actors, such as their capabilities and tactics, which defenders can use to prioritize cyber events and defense.

To establish a threat profile, security analysts must answer the following questions:

Have Threat Actors Targeted the Organization?

Have threat actors breached the network in the past? If not, are there any indications that they may be interested in your company?

For example, has senior management received any spear-phishing emails? These clues can provide valuable insight into the type of actors that may be targeting the organization. Unusual network traffic on the company’s internet-facing ports is another clue. For example, large amounts of traffic originating from countries that your company doesn’t operate in could indicate potentially malicious activity.

What Type of Attacker Would Be Interested in Your Organization?

By understanding past attacks against companies in the same industry, security teams can assess the likely types of threat actors could target the organization and profile familiar capabilities and modus operandi.

For example, do these threat groups have the means and technical knowledge to perform an advanced intrusion? Do they typically compromise networks by exploiting known vulnerabilities? Anticipating the adversary’s likely entry path can help prioritize the most impactful areas for security investments.

Where Are These Threat Groups Located?

Security teams can gain insight into threat actors’ motives, mission and tactics by understanding contextual information about potential threat actors, such as where they are located. This data can help analysts determine the vectors where increasing vigilance and security could better protect against an attack.

What Are the Attackers’ Goals?

Understanding what threat groups are after can help organizations protect digital assets and data. Attackers target a variety of data — from financial information, which can be sold on the darknet, to intellectual property, which can be sold for profit or used in corporate espionage. Some threat actors may seek to destroy data or harm critical infrastructure.

Understanding the organization’s key assets and predicting which ones are most appealing to threat actors can help security teams determine governance, controls and best practices to help protect and secure their digital environments.

Prepare the Attack Infrastructure: Searching for the Attacker

During the preparation of the attack infrastructure phase, threat actors may establish command-and-control (C&C) servers and build infrastructure that can be used to craft web pages, emails and domains that look legitimate to unsuspecting targets. Although threat actors typically operate in a stealthy manner, security teams can take steps to uncover and mitigate their actions.

Attackers often buy, register or gain illegal ownership of domains, servers, secure sockets layer (SSL) certificates, web service accounts and other network resources to orchestrate their campaigns. They then use their C&C network of servers and web resources to drop, execute, access and control the malware with which they infect their hosts.

During the setup process, attackers who mount malicious domains for their infrastructure’s communication schemes may use legitimate or typo-changed domains to fool target users into interacting with their sites or emails. Such email spoofing is often very subtle and can trick even the most observant users into clicking malicious links.

To mitigate this threat — and make it harder for attackers to typosquat domains — defenders can purchase all the likely typo-changed domains associated with their company name or monitor for suspicious domain registrations that resemble official domains.

Keep Social-Engineering Schemes at Bay With Education

Nevertheless, attackers do devise other traps. Depending on the target, attackers may use social-engineering schemes to make it seem like their activity is legitimate. For example, fraudsters can create more believable, personalized phishing messages by befriending targets online via fake online profiles.

To prevent these types of communications from succeeding, defenders should educate employees about the current trends in spam and spear phishing and describe the dangers of interacting with fraudulent online personas. Security teams should also establish proper governance to help employees respond and react appropriately when they fall victim to social-engineering schemes.

It’s also imperative to ensure that employees have positive experiences when reporting potential security incidents — and that security leaders do not punish or shame them for falling victim to phishing or social-engineering schemes.

To learn more, stay tuned for the next article in this series, which will examine the external reconnaissance and launch attack phases of the framework. The final two posts in this series will model the activities an attacker takes after compromising the network and while attempting to accomplish their mission objectives. That part of the attack is further explained in the X-Force IRIS Cyberattack Execution Framework.

You can also download the IBM white paper and listen to the podcast for more insights. Learn more about IBM Security X-Force’s threat intelligence and incident response services.

More from Incident Response

How I got started: Incident responder

3 min read - As a cybersecurity incident responder, life can go from chill to chaos in seconds. What is it about being an incident responder that makes people want to step up for this crucial cybersecurity role?With our How I Got Started series, we learn from experts in their field and find out how they got started and what advice they have for anyone looking to get into the field.In this Q&A, we spoke with IBM’s own Dave Bales, co-lead X-Force Incident Command…

How Paris Olympic authorities battled cyberattacks, and won gold

3 min read - The Olympic Games Paris 2024 was by most accounts a highly successful Olympics. Some 10,000 athletes from 204 nations competed in 329 events over 16 days. But before and during the event, authorities battled Olympic-size cybersecurity threats coming from multiple directions.In preparation for expected attacks, authorities took several proactive measures to ensure the security of the event.Cyber vigilance programThe Paris 2024 Olympics implemented advanced threat intelligence, real-time threat monitoring and incident response expertise. This program aimed to prepare Olympic-facing organizations…

How CIRCIA is changing crisis communication

3 min read - Read the previous article in this series, PR vs cybersecurity teams: Handling disagreements in a crisis. When the Colonial Pipeline attack happened a few years ago, widespread panic and long lines at the gas pump were the result — partly due to a lack of reliable information. The attack raised the alarm about serious threats to critical infrastructure and what could happen in the aftermath. In response to this and other high-profile cyberattacks, Congress passed the Cyber Incident Reporting for Critical…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today