This article is the first installment in a four-part series that examines how the X-Force IRIS framework can help identify opportunities for security practitioners to increase network security and lower risk by addressing the steps an adversary typically takes to attack a network. Be sure to check out the entire series for the full scoop.

Security teams may need guidance to better understand, track and defend against patterns of malicious behavior, which will help them contend with today’s evolving — and increasingly sophisticated — threat landscape.

This is why IBM X-Force Incident Response and Intelligence Services (IRIS) developed a cyberattack framework to help organizations predict the steps an adversary might take to infiltrate corporate networks. The IBM X-Force IRIS cyberattack preparation and execution frameworks are designed to help security analysts understand malicious actors’ objectives, track threat data and communicate security intelligence more clearly.

Defenders can further dissect the threat model to preemptively build defenses and tracking capabilities to help identify and protect against attacks before they occur.

Break Down the X-Force IRIS Cyberattack Preparation Framework

While many of the phases described in the preparation framework may be undetectable to target organizations and defenders, the early stages of a cyberattack offer opportunities to increase visibility into attackers’ targeting and planning operations. Often, these measures can be undertaken relatively cheaply and with little to no reduction in operations.

Two of the key phases to focus defenses against in the IRIS attack preparation framework are points in time when an “attacker determines objective” and when attackers “prepare attack infrastructure.”

IRIS Cyberattack Preparation Framework — Schematic View

Read the white paper: IBM X-Force IRIS Cyberattack Preparation and Execution Frameworks

Attacker Determines Objective: Know Your Enemy

In the first phase of the framework, the attacker determines the target and defines initial mission objectives. On the defenders’ side, analysts can take steps to safeguard the assets attackers are likely to target, such as determining what and where their most valuable data is and whether threat actors have been or may currently be interested in the organization and its assets, intellectual property, customers or proprietary data.

Security teams should also integrate threat intelligence into the organization’s cybersecurity program. By building a threat profile of adversarial actors who are likely to target the company, security teams can focus on the most relevant adversarial cyber actors instead of applying generic coverage to the entire pool of active cyber threat groups. This strategy is also in line with best practices suggested by the National Institute of Standards and Technology (NIST)’s framework for improving critical infrastructure cybersecurity.

Threat profiles help provide the contextual background for these malicious actors, such as their capabilities and tactics, which defenders can use to prioritize cyber events and defense.

To establish a threat profile, security analysts must answer the following questions:

Have Threat Actors Targeted the Organization?

Have threat actors breached the network in the past? If not, are there any indications that they may be interested in your company?

For example, has senior management received any spear-phishing emails? These clues can provide valuable insight into the type of actors that may be targeting the organization. Unusual network traffic on the company’s internet-facing ports is another clue. For example, large amounts of traffic originating from countries that your company doesn’t operate in could indicate potentially malicious activity.
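The second clue above (unexpected origin countries and traffic on internet-facing ports) can be turned into a simple rule over firewall accept logs. The following is an added example, not code from the X-Force IRIS article or from IBM; the log format, the IP addresses (documentation ranges), the country code ZZ (an ISO 3166 user-assigned code, used here only as a placeholder for "a country we do not operate in") and the allow-lists are all constructed for the illustration.

```python
"""Flag inbound traffic by origin country and destination port (Python 3).

Added example; not from the IBM X-Force IRIS article. Implements the two
clues the text names: connections from countries the organisation does not
operate in, and accepted connections to ports that should not be exposed.
All sample data below is constructed.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"src=(?P<src>\S+)\s+cc=(?P<cc>[A-Z]{2})\s+dport=(?P<dport>\d+)\s+bytes=(?P<bytes>\d+)"
)

# Constructed allow-lists: where the organisation operates and which ports
# are meant to be reachable from the internet.
OPERATING_COUNTRIES = {"US", "CA", "GB"}
PUBLIC_PORTS = {443, 25}

# Constructed firewall accept-log lines (not real traffic; ZZ is a placeholder code).
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z allow src=198.51.100.7 cc=US dport=443 bytes=5120
2024-03-01T10:00:02Z allow src=198.51.100.8 cc=GB dport=443 bytes=2048
2024-03-01T10:00:03Z allow src=203.0.113.10 cc=ZZ dport=3389 bytes=120
2024-03-01T10:00:04Z allow src=203.0.113.11 cc=ZZ dport=3389 bytes=120
2024-03-01T10:00:05Z allow src=203.0.113.12 cc=ZZ dport=3389 bytes=118
2024-03-01T10:00:06Z allow src=203.0.113.13 cc=ZZ dport=443 bytes=9000
2024-03-01T10:00:07Z allow src=192.0.2.5 cc=CA dport=22 bytes=300
"""


def parse_logs(lines):
    """Yield (country, dport, bytes) for every line that matches LOG_RE."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m["cc"], int(m["dport"]), int(m["bytes"])


def summarize(lines):
    """Aggregate connection count and byte volume per (country, dport)."""
    totals = defaultdict(lambda: {"conns": 0, "bytes": 0})
    for cc, dport, nbytes in parse_logs(lines):
        totals[(cc, dport)]["conns"] += 1
        totals[(cc, dport)]["bytes"] += nbytes
    return dict(totals)


def flag_unexpected(lines, min_country_conns=3):
    """Return findings for traffic that does not fit the expected profile.

    - 'unexpected-country': source country outside OPERATING_COUNTRIES and
      at least `min_country_conns` connections from that country in the
      window (applied to every port that country touched).
    - 'non-public-port': destination port not in PUBLIC_PORTS; one accepted
      connection is enough, because the port should not be reachable at all.
    """
    totals = summarize(lines)
    per_country = defaultdict(int)
    for (cc, _), t in totals.items():
        per_country[cc] += t["conns"]
    findings = []
    for (cc, dport), t in sorted(totals.items()):
        reasons = []
        if cc not in OPERATING_COUNTRIES and per_country[cc] >= min_country_conns:
            reasons.append("unexpected-country")
        if dport not in PUBLIC_PORTS:
            reasons.append("non-public-port")
        if reasons:
            findings.append({"cc": cc, "dport": dport, **t, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_unexpected(SAMPLE_LOGS.splitlines()):
        print(f"{f['cc']} -> tcp/{f['dport']}: {f['conns']} conns, "
              f"{f['bytes']} bytes, {', '.join(f['reasons'])}")
```

The country rule is thresholded so that a single stray connection does not page anyone, while the port rule fires on the first hit because an exposed non-public port is a configuration problem regardless of who found it. In practice the country lookup would come from a GeoIP enrichment step rather than a field already present in the log.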

What Type of Attacker Would Be Interested in Your Organization?

By understanding past attacks against companies in the same industry, security teams can assess which types of threat actors are likely to target the organization and profile those actors’ known capabilities and modus operandi.

For example, do these threat groups have the means and technical knowledge to perform an advanced intrusion? Do they typically compromise networks by exploiting known vulnerabilities? Anticipating the adversary’s likely entry path can help prioritize the most impactful areas for security investments.

Where Are These Threat Groups Located?

Security teams can gain insight into threat actors’ motives, mission and tactics by understanding contextual information about potential threat actors, such as where they are located. This data can help analysts determine the vectors where increasing vigilance and security could better protect against an attack.

What Are the Attackers’ Goals?

Understanding what threat groups are after can help organizations protect digital assets and data. Attackers target a variety of data — from financial information, which can be sold on the darknet, to intellectual property, which can be sold for profit or used in corporate espionage. Some threat actors may seek to destroy data or harm critical infrastructure.

Understanding the organization’s key assets and predicting which ones are most appealing to threat actors can help security teams determine governance, controls and best practices to help protect and secure their digital environments.

Prepare the Attack Infrastructure: Searching for the Attacker

During the attack infrastructure preparation phase, threat actors may establish command-and-control (C&C) servers and build infrastructure used to craft web pages, emails and domains that look legitimate to unsuspecting targets. Although threat actors typically operate stealthily, security teams can take steps to uncover and mitigate their actions.

Attackers often buy, register or gain illegal ownership of domains, servers, secure sockets layer (SSL) certificates, web service accounts and other network resources to orchestrate their campaigns. They then use their C&C network of servers and web resources to drop, execute, access and control the malware with which they infect target hosts.

During the setup process, attackers who register domains for their infrastructure’s communication schemes may use legitimate-looking or typo-variant (typosquatted) domains to fool target users into interacting with their sites or emails. Such email spoofing is often very subtle and can trick even the most observant users into clicking malicious links.

To mitigate this threat — and make it harder for attackers to typosquat domains — defenders can purchase all the likely typo-changed domains associated with their company name or monitor for suspicious domain registrations that resemble official domains.
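The monitoring side of that mitigation can be scripted: enumerate the single-edit typo variants of the organization’s domain, then compare each newly registered domain in a feed against them. The block below is an added example and is not code from the X-Force IRIS article or from IBM; the brand domain `examplecorp.com`, the QWERTY neighbour table and the registration feed are constructed, and the similarity threshold is an assumption to tune per organization.

```python
"""Typosquat candidate generation and new-registration monitoring (Python 3).

Added example; not from the IBM X-Force IRIS article. Models the defensive
control in the text: enumerate likely typo variants of the organisation's
domain and match a feed of newly registered domains against them. The brand
domain and the feed below are constructed.
"""
from difflib import SequenceMatcher

# Adjacent keys on a QWERTY layout, used for single-character mistypes.
KEYBOARD_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}
# ASCII look-alikes only; Unicode confusables are out of scope here.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}


def typosquat_candidates(domain):
    """Return the set of single-edit typo variants of `domain` (same TLD).

    Edits: omission, doubled character, adjacent transposition, keyboard-
    neighbour substitution and homoglyph substitution. Only the label before
    the last dot is mutated, so multi-label suffixes such as co.uk are not
    handled by this simplified version.
    """
    name, _, tld = domain.lower().rpartition(".")
    variants = set()
    for i, ch in enumerate(name):
        head, tail = name[:i], name[i + 1:]
        variants.add(head + tail)                      # omission
        variants.add(head + ch + ch + tail)            # doubled character
        if i + 1 < len(name):                          # adjacent transposition
            variants.add(head + name[i + 1] + ch + name[i + 2:])
        for nb in KEYBOARD_NEIGHBOURS.get(ch, ""):     # fat-finger substitution
            variants.add(head + nb + tail)
        if ch in HOMOGLYPHS:                           # look-alike substitution
            variants.add(head + HOMOGLYPHS[ch] + tail)
    variants.discard(name)
    return {v + "." + tld for v in variants if v}


def scan_registrations(feed, domain, threshold=0.85):
    """Match newly registered domains against `domain`.

    Returns {registered_domain: reason}. Reasons are checked in order:
    'typosquat' (exact single-edit variant), 'brand-other-tld',
    'brand-embedded' (brand inside a longer label) and 'similar'
    (difflib ratio of the labels at or above `threshold`, an assumed value).
    """
    domain = domain.lower()
    name, _, _ = domain.rpartition(".")
    candidates = typosquat_candidates(domain)
    hits = {}
    for reg in feed:
        reg = reg.strip().lower().rstrip(".")
        if reg == domain:
            continue                                   # our own registration
        reg_name, _, _ = reg.rpartition(".")
        if reg in candidates:
            hits[reg] = "typosquat"
        elif reg_name == name:
            hits[reg] = "brand-other-tld"
        elif name in reg_name:
            hits[reg] = "brand-embedded"
        elif SequenceMatcher(None, reg_name, name).ratio() >= threshold:
            hits[reg] = "similar"
    return hits


# Constructed sample feed of "new registrations" (not real domains).
NEW_REGISTRATIONS = [
    "exampelcorp.com",        # adjacent transposition
    "examplec0rp.com",        # homoglyph o -> 0
    "exanplecorp.com",        # keyboard neighbour m -> n
    "examplecorp-login.com",  # brand plus lure word
    "examplecorp.net",        # same brand, other TLD
    "exmplecrp.com",          # two characters dropped: not a single edit
    "weather-today.org",      # unrelated, must not match
]

if __name__ == "__main__":
    for reg, reason in sorted(scan_registrations(NEW_REGISTRATIONS, "examplecorp.com").items()):
        print(f"{reg:28} {reason}")
```

The exact-match set is cheap to precompute and is also the list a defender would consider registering pre-emptively; the `similar` fallback catches multi-edit variants that an enumeration misses, at the cost of needing a threshold that is tuned against the real feed to keep false positives down.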

Keep Social-Engineering Schemes at Bay With Education

Nevertheless, attackers do devise other traps. Depending on the target, attackers may use social-engineering schemes to make it seem like their activity is legitimate. For example, fraudsters can create more believable, personalized phishing messages by befriending targets online via fake online profiles.

To prevent these types of communications from succeeding, defenders should educate employees about the current trends in spam and spear phishing and describe the dangers of interacting with fraudulent online personas. Security teams should also establish proper governance to help employees respond and react appropriately when they fall victim to social-engineering schemes.

It’s also imperative to ensure that employees have positive experiences when reporting potential security incidents — and that security leaders do not punish or shame them for falling victim to phishing or social-engineering schemes.

To learn more, stay tuned for the next article in this series, which will examine the external reconnaissance and launch attack phases of the framework. The final two posts in this series will model the activities an attacker takes after compromising the network and while attempting to accomplish their mission objectives. That part of the attack is further explained in the X-Force IRIS Cyberattack Execution Framework.

You can also download the IBM white paper and listen to the podcast for more insights. Learn more about IBM Security X-Force’s threat intelligence and incident response services.
