Adversary Axioms
The new principles of cybersecurity.
Constraints
Adversaries of all kinds, whether criminal enterprises, intelligence agencies, or lone wolves, have political, financial, and technical constraints just as conventional organizations do.
“Attackers are resource constrained” — Dino A. Dai Zovi (source)
“Attackers have bosses and budgets” — Phil Venables (source)
Operational Requirements
Adversaries determine the least costly and most valuable attacks based on their operational requirements, which may include:
- The number of targets they have
- The complexity of their targets
- Their required success rate
- Their required speed of conversion
Playbooks
Adversaries want their attacks to be reusable and low-overhead.
Repeatability: The capability to change the target and have the attack still work with the same success rate.
Scalability: The capability to launch the attack against multiple targets with minimal cost per additional target.
Adversaries build repeatable and scalable playbooks that meet their operational requirements, so they can launch attacks efficiently against their targets.
Opportunism
Adversaries have many targets. Adversaries are opportunistic. Even targeted and sophisticated adversaries go after many targets to increase the likelihood that their repeatable and scalable playbooks will satisfy their operational requirements.
Economics
Adversaries try to minimize the cost of an attack or a playbook by weighing cost factors such as expertise, time, money, and politics against success factors such as target ubiquity, probability of success, reliability, and access.
Rational adversaries will use the most cost-effective playbook that still allows them to meet their operational requirements.
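The Operational Requirements, Playbooks, and Economics sections together describe a selection problem: given a set of playbooks with different fixed costs, per-target costs, and success rates, a rational adversary picks the cheapest one that satisfies their target count, required successes, and deadline. The following is an added example, not code or data from the original article; the playbooks, their costs, and their success rates are constructed illustrative numbers, and the cost model (one-time fixed cost plus a linear per-target cost, with independent per-target success) is an assumption made here to show how the reasoning plays out.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Playbook:
    """A reusable attack with its (hypothetical) economics."""
    name: str
    fixed_cost: float         # one-time cost: expertise, tooling, infrastructure
    marginal_cost: float      # cost per additional target (scalability)
    success_rate: float       # probability a single target converts (repeatability)
    hours_per_target: float   # operator time per target (speed of conversion)


@dataclass(frozen=True)
class Requirements:
    """The adversary's operational requirements for a campaign."""
    targets: int              # how many targets they have
    required_successes: int   # how many must convert
    deadline_hours: float     # how fast conversion must happen


def total_cost(pb: Playbook, targets: int) -> float:
    # Fixed development cost is paid once; scalable playbooks keep marginal cost low.
    return pb.fixed_cost + pb.marginal_cost * targets


def expected_successes(pb: Playbook, targets: int) -> float:
    # Assumes independent per-target outcomes at the playbook's success rate.
    return pb.success_rate * targets


def cost_per_success(pb: Playbook, targets: int) -> float:
    return total_cost(pb, targets) / expected_successes(pb, targets)


def meets_requirements(pb: Playbook, req: Requirements) -> bool:
    # A playbook is acceptable only if it converts enough targets in time.
    enough = expected_successes(pb, req.targets) >= req.required_successes
    fast_enough = pb.hours_per_target * req.targets <= req.deadline_hours
    return enough and fast_enough


def choose_playbook(playbooks: Iterable[Playbook], req: Requirements) -> Optional[Playbook]:
    """Return the cheapest playbook meeting the requirements, or None if none does."""
    viable = [pb for pb in playbooks if meets_requirements(pb, req)]
    if not viable:
        return None
    return min(viable, key=lambda pb: total_cost(pb, req.targets))


# Constructed, illustrative playbooks (not real campaign data).
PLAYBOOKS = [
    Playbook("phishing-kit", fixed_cost=2_000, marginal_cost=5, success_rate=0.03, hours_per_target=0.1),
    Playbook("commodity-exploit", fixed_cost=15_000, marginal_cost=20, success_rate=0.10, hours_per_target=0.5),
    Playbook("bespoke-0day", fixed_cost=250_000, marginal_cost=500, success_rate=0.80, hours_per_target=8),
]

# An opportunistic campaign: many targets, a modest number of successes, a tight deadline.
BROAD = Requirements(targets=10_000, required_successes=100, deadline_hours=2_000)
# A targeted campaign: a handful of targets, nearly all of which must convert.
TARGETED = Requirements(targets=5, required_successes=4, deadline_hours=100)
# Requirements no playbook can satisfy: the rational adversary does not attack.
IMPOSSIBLE = Requirements(targets=5, required_successes=5, deadline_hours=10)


if __name__ == "__main__":
    for label, req in [("broad", BROAD), ("targeted", TARGETED), ("impossible", IMPOSSIBLE)]:
        pick = choose_playbook(PLAYBOOKS, req)
        if pick is None:
            print(f"{label}: no playbook meets the requirements")
        else:
            print(f"{label}: {pick.name} at total cost {total_cost(pick, req.targets):,.0f} "
                  f"({cost_per_success(pick, req.targets):,.0f} per success)")
```

The point the numbers make is the one the article makes: the same adversary rationally picks the cheap, scalable playbook when it has many targets and a low required success rate, and pays for the expensive, reliable one only when the target count is small and the required success rate is high. Defenders who know an adversary's operational requirements can therefore predict which class of playbook they will face.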
Offensive Experience
Firsthand experience operating as an adversary is necessary to accurately understand different adversaries and defend against them.
Sophistication
Understanding levels of adversary sophistication and targeting is necessary to accurately understand different adversaries and defend against them.
Data
We must use data to understand adversaries and constantly reevaluate our threat intelligence. We must collect data from breaches and indictments and analyze data from threat intelligence reports and news articles.
Threat Intelligence
Data feeds and indicators of compromise are not threat intelligence. Actionable information about tactics, procedures, motivation, resourcing, and strategies is threat intelligence.
Threat intelligence organizations are responsible for collecting raw data, understanding adversaries, and distilling that data into meaningful intelligence for defense teams.
Auditors are not Adversaries
Adversaries are not auditors. They have different goals, different constraints, and different tactics. Using an auditor or tester to predict which vulnerabilities a different kind of adversary would discover or exploit will produce incorrect results.
This article is part 1 in my series on building security programs with adversary intelligence. Part 2 is Adversary-Based Threat Modeling and part 3 is Adversary-Based Risk Analysis.