This post is co-authored by the Predictive Defense and Natto Thoughts.

Since the start of his second term in January 2025, the Trump administration has conducted military actions or strikes in seven countries. The ouster of Venezuelan president Nicolas Maduro in January 2026 and the ongoing US-Israeli joint military operation against Iran makes it feel as if the threshold for war has been lowered. Leaders across the globe are likely drawing their own conclusions. Bill Bishop, a China expert at Sinocism, remarked, “Maduro and now Ayatollah Ali Khamenei in two months. Would love to know what Xi really thinks about this,” referring to Chinese President Xi Jinping. Indeed, what does Xi think about these developments? In particular, how do they shape Xi’s views on Taiwan “reunification”? Have US military actions in seven countries influenced Xi’s perspective on using military force to achieve China’s goal of “reunification”—which he considers a “historical inevitability”?

A potential conflict between China and Taiwan would represent a globally significant inflection point. Drawing from the Center for Strategic and International Studies (CSIS) 2023 report The First Battle of the Next War: Wargaming a Chinese Invasion of Taiwan, this piece aims to conduct a reality check on a likely scenario of China-Taiwan conflict presented in the CSIS report, and examines the challenges and possible cyber implications of such a scenario and how organizations across sectors could be exposed, whether directly or indirectly.

Based on war games involving a simulated invasion, the CSIS study provides insights under clearly defined assumptions, including participating actors and their roles, mobilization timelines, ammunition availability and the type of operations conducted. While no single study can predict outcomes, its transparent methodology and multi-scenario approach provide a useful analytical foundation.

Four Potential Winning Conditions and Challenges That Could Create Openings for China

The CSIS study analyzes 24 iterations of a large-scale war game simulating a Chinese amphibious invasion of Taiwan. It focuses primarily on conventional military variables such as force posture, logistics, attrition, alliance coordination, and operational timelines under varying assumptions. Across most scenarios, Taiwan avoids defeat only with active US intervention and access to Japanese bases. Even then the cost is severe for all sides: heavy naval and air losses, high casualties, and significant economic disruption. Cyber operations are not treated as a decisive variable in the simulations, but the report remains valuable for understanding the conditions that are crucial for Taiwan’s defense.

The CSIS study identifies the critical conditions required for Taiwan and its partners to prevail. From an adversary’s perspective, these conditions highlight the pressure points China would likely attempt to disrupt before or during a conflict, with cyber operations serving as one of the enabling tools. We will examine four key conditions for success identified in the CSIS report and apply adversarial perspectives to consider challenges to these winning conditions that could provide openings for China. This does not imply that China will pursue these actions, nor that cyber capabilities would be the primary means. Rather, the exercise helps frame where cyber-enabled activity could plausibly emerge.

1. The Need for Taiwanese Ground Forces to Contain the Landing

The CSIS report emphasizes that Taiwan’s ground forces are decisive in preventing a successful lodgment and breakout. However, these forces exhibit structural weaknesses, particularly in manpower and readiness.

Sustained ground defense is fundamentally a numbers and endurance challenge. Based on our assessment, two key pressure points emerge:

• Conscription and force generation: The ability to mobilize, train and rotate sufficient personnel over time is critical to maintaining front-line effectiveness and replacing losses in a prolonged conflict.

• Ammunition stockpiles and production capacity: Having adequate reserves and the industrial capability to restock munitions at a rate that matches battlefield consumption.

Challenges: As the CSIS report points out, Taiwan’s ground forces have faced difficulties in filling positions, resulting in a reduction of the army’s size from 200,000 in 2011 to 94,000 in 2022. To boost manpower, at the end of 2022 former President Tsai Ing-wen announced a plan to realign Taiwan’s military force structure, including extending the conscription period from four months to a full year beginning in 2024. However, an April 2025 report from The Diplomat, a Washington, D.C.-based Indo-Pacific region-focused online news magazine, indicates that “with understocked equipment, lackluster recruitment, and budget fights in the legislature, full implementation of Taiwan’s new mandatory military service plan remains difficult.”

2. The Need for Pre-Supplied Weapons from the US and Allies

Taiwan’s ability to resist depends heavily on weapons being delivered before conflict begins. This requirement hinges on:

• Financing and procurement mechanisms: The availability of funding and the efficiency of acquisition processes to secure and deliver needed systems in a timely manner.

• Political willingness in the United States and allied countries: The readiness of governments to approve, prioritize and sustain arms transfers despite competing domestic and strategic considerations.

US risk tolerance for escalation is a decisive variable, as efforts to pre-position or accelerate weapons deliveries before a conflict could themselves be perceived as escalatory. This affects how far the US is willing to go in advancing support timelines, given the risk of provoking a response or raising tensions prior to the outbreak of hostilities.

Challenges: Since 2020, as China has increased military provocations against Taiwan, Taiwan has strengthened its defense by expanding its weapons stockpiles with a special military budget in 2021 and meeting its missile production goals two years ahead of schedule. However, Taiwan’s current production rate—about 1,000 precision missiles per year—is not sufficient to stop a full-scale Chinese invasion, and its stockpile could be depleted in just a few days, as reported by Asia Times, a Hong Kong-based news outlet, in August 2025.

Although the United States is Taiwan’s closest arms provider, US arms sales have often been delayed due to competing geopolitical priorities. Taiwan is also seeking to co-produce munitions and weapon systems with the US, but this effort remains in the planning stages.

3. The Need for Japanese Base Access

US access to its military bases in Japan is a critical operational requirement. This is a legal and political decision for Tokyo, as it depends on Japan’s willingness to authorize the use of its territory for combat operations and accept the associated risks.

Challenges: As the CSIS report points out, Japan hosts more US bases and service members than any other state in the world. In 2025, approximately 55,000 US military personnel were stationed in Japan. The US State Department has described the security cooperation with Japan as “the cornerstone of peace, stability, and freedom in the Indo-Pacific region.” In any response to a Chinese invasion, the US would rely primarily on its bases located in Japan, due to “the proximity of these bases to Taiwan and the lack of nearby alternatives,” according to the CSIS report. Over the years, some political groups in Japan have protested against US bases but have carried little weight in government policy.

4. The Need for US Political Willingness to Sustain High Losses

Even if military conditions are favorable, US willingness to absorb heavy losses and continue fighting is a central determinant of outcome. Based on our assessment this depends on political leadership and public support holding firm as casualties mount, which can become increasingly difficult over time.

Challenges: The CSIS report concludes that US involvement in fighting a Chinese invasion of Taiwan would likely result in high losses, potentially damaging the US’s global position for many years. Although former US President Joe Biden promised to defend Taiwan against attack, implying a willingness to sustain such losses, the current US administration has sent mixed messages.

When these preconditions and potential countermeasures are viewed collectively, a coherent set of probable Chinese objectives emerges - objectives that China may pursue to facilitate its goal of “reunification”:

• Degrade Taiwan’s ability to sustain ground resistance by weakening manpower mobilization, ammunition availability, and battlefield communications.

• Erode US and allied pre-conflict preparation by reducing political willingness to arm Taiwan in advance.

• Fracture alliance cohesion by increasing political hesitation in Japan and other regional partners regarding direct involvement.

• Undermine domestic political will in the United States to sustain a prolonged, high-casualty conflict.

In essence, China’s objectives would be to shape the strategic environment so that Taiwan’s coalition cannot mobilize, coordinate, or sustain resistance at the required scale. Information operations1, – including cyber operations (also known as computer network operations) and influence operations (also known as psychological operations) – would likely serve as enabling instruments in support of these broader political and military goals.

The two critical roles that the US Cyber Command played in the most recent US-Israeli operations exemplify how cyber instruments could enable military goals. US General Dan Caine explained at a press conference on March 2, 2026, approximately 57 hours after the operations began, that along with US Space Command, US Cyber Command was among the “first movers” that were “layering non-kinetic effects, disrupting, degrading, and blinding Iran’s ability to see, communicate, and respond,” which “shaped the environment for the subsequent phases of the operation.” He further stated that US Space Command and US Cyber Command “have continuously layered effects to disrupt, disorient, and confuse the enemy.”

How China Will Likely Use Cyber Means to Facilitate its Strategic Goals

Over the years, China has been undertaking methodical, gradual steps aimed at shaping the strategic environment. This has become more overt since 2015. A significant turning point was the revelation in May 2023 that Chinese state threat group Volt Typhoon had targeted US critical infrastructure. Subsequently the US government officially reported on Volt Typhoon following the US Department of Justice (US DoJ)’s takedown of a botnet allegedly used by Volt Typhoon in January 2024. US officials pointed out that China’s “historical focus on stealing state secrets and espionage,” meaning cyber espionage for political and economic interests, has evolved into a more ominous intention to prepare for destructive attacks. As US officials said, Volt Typhoon campaigns show “a new interest in preparing and launching destructive cyberattacks against US electricity systems, water utilities, military organizations and other critical services,” and the intent is to “cause disruption and sow societal panic, especially in the event of a military conflict.”

If China, indeed, is preparing for and pre-positioning the country for any kind of military conflict using cyber means – such as if the US military helped Taiwan resist a potential Chinese attack – this makes us wonder what China’s next move will be. As we know, cyber activities for the purpose of pre-positioning can also be a form of deterrent, such as to make the US think twice about coming to the aid of Taiwan. Influencing the US policy-making process or stealing intellectual property through cyber espionage to further China’s strategic goals also likely remain on the regular Chinese threat activity agenda.

Therefore, examining possible scenarios of Chinese information operation activities in the following categories—both in preparation for and during a military conflict with Taiwan—may help us better understand how China would likely use cyber means to facilitate its strategic goals.

Cyber-enabled Influence operations

• Increased bot activity targeting social media platforms, messaging apps, online games as well as gaming forums with large Taiwanese or Japanese user bases, such as social media platform LINE

• Account takeover attempts, phishing or impersonation attempts targeting influencers in Japan and Taiwan who are vocally anti-China

• DDoS and other disruption attempts targeting online news websites that are vocally anti-China

These are typical activities associated with mass disinformation campaigns, the topic of a series of Natto Thoughts posts, including case studies of their use by China and Russia. Before and during a conflict, a huge volume of bot activity — often amplified with the help of Large Language Models — would likely be unleashed in an attempt to control the online narrative. As in the case of Russia, messages are likely to be disseminated not only on the social media giants, but also on more localized forums, blogs, games and messaging apps. An academic study about Russian propaganda on social media during the 2022 invasion of Ukraine written by several German scholars shows that the peak on March 2, 2022, coincides with the day the United Nations General Assembly adopted Resolution ES-11/1 deploring the invasion, likely intended to sway the votes of the UN delegates. (See chart below)

Hacktivist activities

• DDoS and other low-impact hacktivist activities, such as defacement attacks targeting government websites of the US, Japan and Taiwan and banking sectors

This is also typical with conflicts. Low-tier hacktivist groups want to grab the headlines and demonstrate their patriotism through attacks on government and banks of enemy countries. For example, the share of DDoS targets located in Germany rose from 5% to 70% after the US-Israel operation on Iran in late February 2026, according to data from VirusTotal, a US-based threat intelligence aggregator (see chart below). This shift likely reflects Germany’s public stance in support of Israel during the conflict, which may have increased its visibility as a target for hacktivist groups seeking symbolic or attention-grabbing targets rather than conducting coordinated disruption. While many of China’s first generation of patriotic “red hackers” or “honkers” have graduated from hacktivism to providing sophisticated cyber services for the state, further hacktivist activities in support of China against Taiwan cannot be excluded.

Cyber espionage operations

• Intrusion and data exfiltration attacks targeting survey and polling companies researching public opinion in Taiwan and Japan

• Intrusion attacks targeting government IT contractors in the US, Japan, and Taiwan, particularly those developing back-office software.

News reporters, think tanks and public opinion research companies are persistent targets for cyber espionage. However, during wartime these intrusions often become part of broader harassment campaigns aimed at shaping the narrative surrounding the war. For example, the Institute of Mass Information, a civil society organization based in Ukraine, reported in July 2024 that Russia committed 607 crimes against journalists and the media in Ukraine in the two years and five months since the start of the full-scale invasion. Government contractors are also persistent targets of cyber espionage given their broad access to government networks.

Offensive cyber operations

• Pre-conflict intrusion activity and potential disruptive cyberattacks during conflict targeting civilian energy and telecommunications providers supporting US bases in Japan

• Ransomware or pseudo-ransomware attacks targeting Tier-2 and Tier-3 industrial suppliers critical to defense production

• Ransomware attacks targeting Japanese automotive manufactures and major suppliers to signal economic pressure.

As the Natto Team has pointed out in the case of Russia, analysts have discerned a “playbook” combining disruptive and destructive operations with psychological operations. Indeed, evidence suggests that ransomware can serve as a form of hybrid warfare. In China, too, threat actors with some degree of relationship to the Chinese state have used ransomware to cause misattribution, distraction, disruption or even destruction and to provide financial gain, cover for espionage operations and the ability to remove the evidence. During the Russia-Ukraine conflict in 2022-2023 several cybersecurity firms observed disruptive campaigns against industrial and economic sectors, along with an evolution of toolsets better suited for disruptive operations. For example, US based cyber firm Mandiant, now part of Google Cloud, discovered that APT44 (a.k.a Sandworm) demonstrated tooling evolution during its wartime operation. VirusTotal also showed a spike of malware and Indicators of Compromise (IoC) submissions from December 2021 to May 2022, the months leading up to the full-scale Russian invasion of Ukraine. (See chart below)

Overall, these possible scenarios of using cyber means to facilitate China’s strategic goals in the China-Taiwan conflict are likely to evolve as geopolitical situations, the development of military technologies, and the understanding of military conflicts progress. As Nikita Shah, a senior fellow at the Center for Strategic & International Studies (CSIS), pointed out, in the ongoing US-Israel and Iran conflict in March 2026, cyber operations are “not a revolutionary edge in conflict,” but rather incremental. For China, “reunification” with Taiwan is seen as inevitable and “unstoppable”. Therefore, China is likely to act strategically, using cyber operations to achieve steady, incremental progress toward its objectives.

Analysts are focused on shortening investigation cycles, engineers care about improving automation and operational efficiency, while leaders need clarity on where to prioritize security investments. These are very different problems and they require very different forms of intelligence products. Consequently, a CTI analyst must deliberately tailor the output to match these role-specific needs.

This represents a departure from the still-common practice of distributing the same report, built on the same data, to every stakeholder. Modern threat intelligence demands a more targeted, consumer-driven approach rather than a one-size-fits-all delivery model.

You can read the first article in the series at the link below.

In this post, we’ll dive into yet another crucial part of CTI planning: how to prioritize effectively. As you know, defining Priority Intelligence Requirements is key for allocating time and resources. A common mistake in setting PIRs is overlooking the company’s business model, growth projections, and technology strategies.

When determining CTI priorities, the typical approach is to build a threat landscape based on the industry and geographical location of the company, focusing on the threat actors most relevant to that context. Then, prioritization is based on the level of damage these actors could inflict, with the highest-impact threats being addressed first.

Another common strategy involves using SWOT analyses or post-mortems to pinpoint weaknesses and develop a strategy to address them. In these cases, CTI often acts as a complementary layer of defense. For example, if a company’s EDR system isn’t detecting certain types of malware, CTI can be used to fill that gap.

While these approaches aren’t inherently wrong, they miss an important piece of the puzzle. The reality is that businesses don’t stay the same. They almost always grow and change over time. CTI programs that don’t align with the company’s growth plans struggle to stay proactive and fail to deliver long-term ROI. Over time, this makes it even harder to redirect investments where they’re needed most.

The Tale of Two Banks

When doing cyber security planning, the first thing you should ask yourself is: How does the company actually make money? Even if two companies are in the same industry and appear to offer the same services, their revenue models can be drastically different. Let’s explore this with two fictional banks: ClassicBank and DigitalBank.

ClassicBank is a traditional bank with physical branches, offering standard banking services. It then uses the capital from its customers to make direct investments and private equity deals. Unlike typical banks that earn from fees or interest, ClassicBank profits from the returns on these investments. So, its growth strategy is all about attracting high-net-worth individuals (HNWI and UHNWI) to raise capital, and then using that capital to make better, more profitable investments. This means ClassicBank’s customer base won’t grow quickly or through consumer loans. It’s about finding a few high-value clients and expanding through capital investments. As a result, ClassicBank isn’t likely to focus on developing digital products. Its IT infrastructure will expand in line with its physical branch network, and its due diligence operations will be intensive because of the high-risk nature of its investments.

DigitalBank on the other hand, is a fully digital, branchless bank. It targets young professionals, especially those in the tech-savvy white-collar workforce. Its goal is to offer an exceptional user experience while making stock and crypto investments more accessible. DigitalBank earns primarily from consumer loans and transaction fees in the stock and crypto markets. Its growth strategy is centered on constantly increasing its customer base by improving digital products and user experiences. DigitalBank is continuously partnering with new stores and subscription services to offer discounts, cashback, and other benefits to attract customers. Because it has no physical branches, DigitalBank aims to rapidly scale its customer base through digital channels. This means the bank will likely invest heavily in software development and cloud-based infrastructure to keep up with its growing user load.

So, while both ClassicBank and DigitalBank operate in the same industry, their business models and their growth strategies are completely different. ClassicBank focuses on attracting a few high-value customers and growing through capital investments, while DigitalBank expands by offering diverse digital products and targeting a large base of individual consumers.

Translating Growth Strategy to CTI Priorities

We’ll now dive deeper into the cyber security priorities (and by extension the CTI priorities) of these two fictional banks. But first, let’s quickly compare their key characteristics side by side.

Now that we've compared the two banks, let's delve into how their growth strategies translate into cybersecurity and threat intelligence priorities.

1. ClassicBank

ClassicBank’s security priorities primarily focus on protecting the high-net-worth individual client data. This data is not only critical to maintaining the bank’s reputation but also directly impacts high-risk investment decisions. Therefore, ensuring the security of this information is a key element of the bank’s overall strategy.

The second priority is securing the due diligence data of the companies ClassicBank is evaluating for potential investments. During the investment analysis process, safeguarding the trade secrets and financial information of these companies is crucial. A breach here could seriously threaten the bank’s financial interests, making this an area of high focus in their cybersecurity efforts.

Third, managing the cyber risks associated with the bank’s direct investments is important. These investments often involve high-risk financial assets, and protecting them from cyber threats is essential. ClassicBank must have measures in place to protect its investments from external threats like cyber attacks or data breaches.

A significant portion of the attack surface comes from the bank’s IT networks, employee devices, and identity management systems. As the bank’s digital infrastructure expands alongside its physical branches, the risk of vulnerabilities in these systems grows. Network security, endpoint protection, and identity authentication are therefore central to the bank’s cybersecurity strategy.

Additionally, the risk of insider threats is a critical concern for ClassicBank. Attacks or misuse originating from within the bank, whether intentional or accidental, can pose a severe risk to its operations. Therefore, ClassicBank must implement strong security monitoring systems that can detect both internal and external threats effectively.

2. DigitalBank

DigitalBank’s primary security priority is protecting customer accounts and transactional integrity at scale. Unlike ClassicBank, the risk is not concentrated in a small number of high-value clients, but distributed across a massive user base. Account takeovers, credential stuffing, phishing campaigns, and fraud directly threaten revenue, customer trust, and growth. CTI efforts must therefore focus heavily on monitoring threat actors and techniques targeting consumer-facing financial platforms.

The second major priority is securing the bank’s digital products and APIs. DigitalBank’s growth strategy relies on rapid feature development, frequent integrations with third-party services, and constant iteration of its mobile and web applications. This significantly increases the attack surface. Vulnerabilities in APIs, mobile apps, or partner integrations can be exploited at scale, making application-layer threats and software supply chain risks a critical focus for CTI.

Third, DigitalBank must closely monitor threats related to cloud infrastructure and DevOps pipelines. As the bank scales its user base, it will increasingly depend on cloud-native architectures, CI/CD pipelines, and infrastructure-as-code. Misconfigurations, leaked credentials, and attacks targeting cloud service providers or developer tooling represent systemic risks. CTI must therefore track emerging attack patterns targeting cloud environments and developer ecosystems.

Fraud and abuse also play a central role in DigitalBank’s threat landscape. Because the bank earns revenue from consumer loans and transaction fees, fraud directly impacts profitability. Intelligence related to fraud rings, mule networks, synthetic identities, and emerging social engineering techniques is essential.

Why This Matters for CTI Planning

ClassicBank and DigitalBank operate in the same industry, face many of the same regulatory requirements, and are targeted by overlapping threat actors. Yet their CTI priorities differ radically because their growth strategies, revenue models, and attack surfaces are fundamentally different.

CTI is only effective when it is scoped to real decision-making. Threat landscapes, incident history, and control gaps are useful inputs, but they are incomplete on their own. If CTI priorities are not informed by how the business operates and plans to scale, intelligence efforts will skew reactive and gradually lose relevance.

Anchoring CTI planning to business models and growth strategies helps identify where risk is likely to concentrate next, not just where it has appeared before. This makes prioritization more defensible, resource allocation clearer, and CTI outputs easier to operationalize.

In practice, effective CTI is role-specific, business-aware, and deliberately scoped. Anything else is just reporting.

In the first article of our Wargaming Insights series, we used a Markov Chain to model a simple attack scenario. We then compared two strategies Defense-in-Depth (preventive) and Detection & Response (reactive) and discussed their effectiveness.

Since our primary goal in that initial piece was to demonstrate the use of Markov processes, we intentionally over simplified the detection and incident response components of the model.

If you’d like to dive into the details of that simulation, you can check out the article below. It’s highly recommended for anyone looking to gain a solid understanding of the simulation approach we will use in this post.

One of the core assumptions in our initial simulation was this: once an incident response process is triggered after detecting an attack, it would always result in completely eradicating the attacker from the system. However, real-world incident response is far more complex than that.

Due to various factors that affect incident response such as limited visibility, access restrictions, poor planning, or miscommunication, remediation from an incident is not always 100% successful. For example, while a backdoor left by the attacker might be removed, the vulnerability that enabled the intrusion may remain unpatched or the passwords for compromised accounts may never be reset. In another scenario, during a spear-phishing campaign that infects multiple employees in the same organization the response team might fail to identify all victims and end up remediating only a single device.

In such cases, even if the threat is detected and an incident response process is initiated, the attacker may not be fully removed from the environment. And more often than not, this leaves systems vulnerable to being compromised again. Therefore there is always a chance of an incomplete response during a real incident. If this happens the attacker moves back to one of the previous steps.

If we model this dynamic with a Markov chain we need to draw arrows from each detection step back to the earlier steps. So the probabilities after the “detected” step follow the red path shown in the graphic below.

The full attack chain would look like the diagram below. After each detected step, there is an X% chance of complete remediation; otherwise the process randomly returns to one of the previous steps.

Modeling the Intrusion Chain

Now we will simulate our intrusion chain model using Python code. As you can see, since our new model includes backtrack connections, we can no longer perform a formal solution the way we did in the first article. Instead, we’ll run this model thousands of time in Python and observe the distribution of results. This method is also known as a Monte Carlo simulation.

As a first step, let’s define our intrusion chain. As an example, I selected the TTPs from one of the Lazarus Contagious Interview campaigns. The final stage of our attack is the ”Exfiltration over C2 Channel” step. In our simulation, an attacker who reaches this step will be considered successful.

# -----------------------------
# ATTACK CHAIN OF CONTAGIOUS INTERVIEW (Lazarus Group)
# -----------------------------
STATES = [
    “Initial Access – Phishing Attachment (T1566.001)”,
    “Execution – Mshta (T1170)”,
    “Persistence – Setup Folder (T1060)”,
    “Discovery - Process Discovery (T1057)”,
    “Collection – Data from Local System (T1005)”,
    “Exfiltration – Over C2 Channel (T1041)” # final state
]

When building the chain, an important point is to choose attack steps that can genuinely be treated as distinct from one another. Our simulation relies on the assumption that if an attacker is stopped at step N, they can fall back to step N–1. But if steps N and N–1 aren’t truly separate (if they operate together as part of the same activity) then the simulation becomes inaccurate.

For example, an attacker might use multiple techniques at once for C2 communication, such as Encrypted Channels and Non-Standard Port. Even though these are listed as separate MITRE ATT&CK techniques, in practice they are not independent steps. An attacker detected and pushed back at the “Non-Standard Port” stage wouldn’t realistically revert to an “Encrypted Channels” stage.

So these steps should be merged into a single consolidated phase (e.g: “Command and Control”) before constructing the chain.

Running the Monte Carlo Simulation

Below function will execute a single run of the Monte Carlo simulation. Conceptually, it works as follows:

• The attacker starts at the first step of the intrusion chain (state_index = 0).

• At each iteration, the model draws a random number to determine whether the attacker is detected or remains undetected.

• If the attacker is not detected, they simply advance to the next step in the chain.

• If the attacker is detected:

  • A second random draw decides whether the response leads to full remediation.

    • If yes, the simulation ends with a “Fully Remediated” result.

  • If remediation fails, the attacker is pushed back to a randomly selected earlier step.

    • The only exception is step 0: if detection happens there, we count it as full remediation.

• The simulation repeats this process until one of the following occurs:

  • The attacker reaches the final step → “Attack Successful”

  • A full remediation event is triggered → “Fully Remediated”

  • The loop hits the maximum step limit → “Timeout”

This structure lets the simulation capture the dynamics of a real intrusion where detection may push the attacker back rather than eliminate them outright.

# -----------------------------
# SIMULATION FUNCTION
# -----------------------------
def run_single_simulation(P_REMEDIATED, P_DETECTED, max_steps=2000):
    P_UNDETECTED = 1 - P_DETECTED
    state_index = 0
    steps = 0

    while steps < max_steps:
        steps += 1
        if state_index >= len(STATES) - 1:
            return “Attack Successful”

        rnd = np.random.rand()

        # 1) Undetected → move forward
        if rnd < P_UNDETECTED:
            state_index += 1
            continue
        else:
            # detected → full remediation or partial remediation
            rnd2 = np.random.rand()
            if rnd2 < P_REMEDIATED:
                return “Fully Remediated”
            else:
                if state_index == 0:
                    return “Fully Remediated”
                state_index = np.random.choice(np.arange(0, state_index))

    return “Timeout”

Let’s run our simulation using a baseline assumption of a 10% detection probability per step. In each simulation batch, we increase the incident response effectiveness by 1%, and we repeat this process until it reaches 100%. In other words, we’re trying to answer If I can detect 10% of all attack steps, how does improving incident response effectiveness affect the attacker’s overall success rate?

After running the simulation, we plot the results as shown below. As you can see, increasing incident response effectiveness reduces the attacker’s success rate from around 87% down to roughly 60%.

Simulating Various Detection Probabilities

How does the effectiveness of incident response influence attacker success across different detection probabilities? To explore this, we’ll run a series of simulations using the same model. This time, we’ll repeat the previous simulation multiple times, starting with a detection probability of 5% and increasing it by 5% in each iteration, continuing until we reach 50%.

A detection probability of 50% means that we can detect roughly one out of every two steps the attacker takes. In other words, if the entire intrusion chain consists of six steps, we would be able to detect about three of them. You can think of the detection probability as how many TTPs in the intrusion chain your detection rules are able to cover.

When we run the simulation repeatedly across this range of probabilities, we get the following results.

In each simulation, we represent the overall impact of incident response on attack success using the delta variable. For example in our first simulation (the dark purple line at the top), when the detection probability is 5%, increasing incident response effectiveness reduces the attacker’s chances of success by up to 16%. (Δ = 0.16)

When we test across different levels of detection coverage, we see that incident response effectiveness reduces the attacker’s success rate by an average of 22%. But more realistically, by somewhere between 25% and 35%.

A particularly interesting takeaway is that incident response effectiveness has relatively little impact on attack success at very low or very high detection rates (Δ = 0.16 and Δ = 0.06, respectively). In other words, incident response effectiveness becomes most critical when detection coverage is partial. This was a result I didn’t expect to see at the start of the analysis.

Conclusion

Our simulations yield the following key lessons for security leaders:

Prioritize improving detection coverage when it is very low.
If detection gaps are significant, enhancing coverage should be the first step, as improvements here provide the greatest reduction in attacker success.

Focus on incident response effectiveness when partial detection exists.
When planning against an intrusion chain with known detection gaps, prioritize improving the response playbook as it can significantly reduce the attacker’s chances of success. This may include automating key response actions to ensure timely and reliable mitigation.

Use simulations to guide strategy.
Monte Carlo-style simulations, as demonstrated here, provide a practical way to model the impact of different detection and response strategies. You may use these techniques to enable informed, data-driven decisions in complex security environments.

Limitations

The simulation presented in this article does not fully capture the dynamics of real-world incident response processes. In this sense, there are several important limitations to keep in mind:

1. Time-to-Respond is not modeled.
Our simulation assumes that as soon as a step of an attack is detected, the response can be executed immediately. In reality, detection, triage, investigation, and response can take days or even weeks to complete. This delay gives the attacker a critical window of opportunity to advance to subsequent steps. Therefore, when planning real-world incident response, the Time-to-Respond must be accounted for unless the response steps are fully automated.

2. Attacker adaptation is ignored.
The simulation assumes that if an attacker fails at a particular step, they will simply repeat the same actions as it did before. This overlooks the attacker’s ability to adapt. In reality, unless the attack itself is fully automated, attackers typically adjust their tactics when encountering failure and attempt alternative approaches. As a result, the detection probability assumed at the beginning of an intrusion gradually decreases as the attacker adapts. Addressing this limitation would require a more sophisticated modeling approach.

Ultimately, while simulations are very useful tools for decision-making, we must be aware of their limitations and continue refining our models to better capture real-world dynamics. Only then can we make truly informed and reliable security decisions.

In this post, the goal is to define these customer profiles and take a quick look at the types of problems each one deals with. For simplicity, I’ll group all cybersecurity roles (offensive or defensive) into three categories: Analysts, Engineers, and Leaders.

1) Analysts

SOC analysts, incident responders, forensic analysts, threat hunters, vulnerability analysts, pentesters…

Analysts deal with real threats and real vulnerabilities. Their job is to identify active attacks on the organization’s systems and uncover weaknesses that could enable those attacks. In other words, they carry the majority of the operational load. Their workflow typically follows: Validation → Risk Assessment → Response.

Their core challenge is reducing the time between validation and response. It’s simply not possible for them to thoroughly investigate the hundreds of potentially risky events that may appear throughout the day.

Below are the common questions analysts ask and how CTI can help answer them.

Q:
Is this alert actually malicious, or is it a false positive?

How CTI helps:
— Hash/IP/domain reputation checks
— Sandbox analysis
— Automated malicious/benign classification via context enrichment

Q:
I found malicious activity on a system. How serious is this? How deep should I investigate?

How CTI helps:
— Campaigns related to the artifact
— Adversary “actions on objective”
— Example cases showing real-world impact

Q:
I’m investigating an incident. What is the attacker’s next step likely to be? Where should I look?

How CTI helps:
— Campaign or threat actor TTPs
— Step-by-step breakdown through MITRE ATT&CK
— Suggested pivot points for investigation

Q:
I’m flooded with new CVEs every day. Which of these actually matter to me?

How CTI helps:
— CVE relevance filtering via asset inventory or ASM integration
— Automatic prioritization of organization-specific vulnerabilities

Q:
I found CVE-XYZ in my environment. How urgently do I need to patch this?

How CTI helps:
— Active exploitation information
— Campaigns leveraging the vulnerability
— Real-world impact examples and threat actor usage frequency

2) Engineers

DevSecOps engineers, cloud security engineers, network/IT security engineers…

Engineers don’t deal with threat investigation directly; their job is to build scalable systems that perform those detections and harden environments automatically. The keyword here is “scalable.” Engineers don’t solve problems case-by-case. For example, determining the sensitivity of a single hardcoded API key is an analyst’s job. But designing a system that can find that key across hundreds of repositories is the engineer’s responsibility.

They work on large scale challenges such as patch management, detection engineering, software supply chain security, and identity lifecycle management. And with large scale comes a major trade-off: the bigger the scale, the lower the accuracy.
Understanding the importance of a few CVEs on one server is easy; scaling that to tens of thousands of servers leaves you drowning in hundreds of thousands of CVEs.

For analysts, the goal of CTI was “maximum context.”
For engineers, it’s the opposite: clean, structured, machine-readable data.
Most of the time, it’s not a human consuming the CTI. It’s the system they built.

This is why the CTI strategy for engineers is built around enrichment: improving the quality and structure of the data their systems rely on.

Q:
My detections produce too many false positives. How do I reduce them?

How CTI helps:
— Automatic correlation with external reputation sources
— Normalized risk scoring
— Noise-reducing global allow/deny lists

Q:
Patch management at scale is overwhelming. How do I prioritize?

How CTI helps:
— Exploitation-in-the-wild intelligence
— Threat actor usage patterns
— Sector/region-specific CVE trends
— Alignment with CISA KEV or similar authoritative lists

Q:
How do I secure our software supply chain at scale?

How CTI helps:
— Compromise history of popular libraries
— Malicious package trends
— Version-level risk scoring
— SBOM enrichment and dependency insight

3) Leaders

Head of Security, Director, InfoSec Manager, CISO

Security leaders act as the bridge between the company’s executive management and the security team. In practice this means:

1. Answering questions and requests from the executive layer,

2. Identifying security needs and convincing leadership to invest in them.

They often use tools like risk catalogs, maturity frameworks, SWOT analyses, and industry benchmarks. Their biggest challenge is building a compelling narrative that justifies investment. A block of forensic output or malware analysis is useless to them unless it’s translated into business-level meaning.

This is why the CTI strategy for leaders is interpretation.
The value comes not from raw intel, but from connecting the dots into a coherent story.

Q:
A new attack/vulnerability is all over the news. Does it affect us? Do I need to notify the executives?

How CTI helps:
— Targeting patterns of the campaign
— Active exploitation status
— Business impact ready summaries
— Executive friendly briefing materials

Q:
A threat actor claims they have our data. Is the claim legitimate? Do I need to involve the data protection office?

How CTI helps:
— Verification of leaked data (samples, patterns, previews)
— Dark web/voucher analysis
— Actor motivation and credibility
— Regulatory impact assessment

Q:
We might be impacted by campaign XYZ. What is the typical impact on its victims?

How CTI helps:
— Activities observed on other victims
— Potential business impacts (downtime, financial loss, exposure)
— Actor targeting criteria
— Executive-level narrative translation

Q:
We’re preparing a use case to procure a new security product. What are the sector/regional trends? What do the attackers targeting us look like?

How CTI helps:
— Sector-specific threat trend reports
— Benchmarking against similar organizations
— Threat landscape summaries
— Adversary motivation and sophistication profiles

Conclusion

A CTI program is only effective if it knows exactly who it serves. Analysts, engineers, and leaders consume intelligence in completely different ways, speak different languages, and expect different outputs. The goal is to deliver the right information to the right profile in the right format.

Analysts need speed.
Engineers need scale.
Leaders need narrative.

And the true value of threat intelligence lies in empowering the right decision maker at the right moment, with the right context.

The Nucor Incident: A Disruption of Critical Industry

In May 2025, Nucor Corporation, the largest steel producer in the U.S., fell victim to a cyberattack that led to a temporary halt in operations across several of its plants. [1] The breach, which appears to have been a ransomware attack, disrupted production lines and forced the company to take critical IT infrastructure offline to contain the damage.

As a foundational player in steel production, Nucor supports a wide range of downstream industries, including construction, automotive, and defense. Disrupting steel manufacturing has a cascade effect: not only does it delay supply chains, but it also impacts pricing and availability across national and global markets. In macroeconomic terms, even the perception of supply instability in materials as central as steel can lead to price fluctuations and broader market volatility.

The Thyssenkrupp Incident: A Parallel in Europe

In early 2024, German steel manufacturer Thyssenkrupp experienced a cyberattack that disrupted its automotive division, halting production at multiple facilities. [2] Although operational continuity was restored relatively quickly, the breach demonstrated similar systemic fragilities. As with Nucor, the attackers targeted a company that is central to its country's industrial capacity.

Thyssenkrupp’s role in Germany parallels that of Nucor in the U.S. Both firms represent critical nodes in their respective national economies. While there is no public attribution connecting these two incidents, their similar timing, scale, and strategic impact raise important questions. Particularly when examined within the context of ongoing geopolitical tensions.

Geopolitical Context: A Pattern Emerges

According to the Ukraine Support Tracker by the Kiel Institute, the United States and Germany are the top two contributors of military, financial, and humanitarian aid to Ukraine. [3] Germany, notably, is both the leading EU-level contributor and the largest individual contributor within the EU overall. The U.S. has also maintained the highest total level of assistance globally.

Concurrently, Kaspersky’s Q1 2024 ICS report shows that U.S. and German industries are the top two most-targeted globally in terms of industrial cybersecurity incidents. [4] This correlation between leading aid contributions and a surge in attacks on their industrial bases may not be coincidental.

While no direct attribution can be made, it is reasonable to assess the possibility that these attacks form part of a broader effort to exert economic and political pressure on the so-called "Red Allies": those nations seen as supporting Ukraine from the perspective of Russian strategic interest. Disrupting their domestic industries could serve to undermine public support, strain logistics, and signal a capability for retaliatory escalation.

OT-Centric Cyber Operations as Strategic Tools

Dragos' 2025 OT Cybersecurity report highlights the increased frequency of OT-centric cyber operations, particularly in countries involved in high-stakes geopolitical alignments. It notes that “KAMACITE and ELECTRUM continue to collaborate in support of Russian military objectives by targeting critical infrastructure in Ukraine.” [5]

Attacks on companies like Nucor and Thyssenkrupp fit this pattern. They do not aim for direct military advantage but seek instead to disrupt economic infrastructure as a potent form of coercion. Strategic OT disruptions can constrain infrastructure projects, and degrade economic resilience.

From a military operations perspective, these operations align well with the concept of countervalue targeting, where the objective is not battlefield dominance but the degradation of assets critical to national morale and function. [6] This contrasts with counterforce strategies that target military capabilities directly.

Moreover, analysis methods like ASCOPE/PMESII can help anticipate where such attacks might occur. The IPB/IPOE process emphasizes understanding the adversary's centers of gravity for the most economic use of force. [7] In this light, Nucor and Thyssenkrupp could be seen as predictable targets due to their central roles in national infrastructure.

These campaigns may aim not just to degrade supply chains but to control narrative. Causing domestic concern, triggering economic ripple effects, and ultimately deterring future alignment or support for Ukraine. If you’re interested in this type of analysis, feel free to check out our post below.

Curious About More? Join Our Workshop

I will be leading a specialized Geopolitical Cyber Threat Intelligence Workshop on 21–22 June 2025, designed for cybersecurity professionals, CTI analysts, and cyber risk teams looking to understand how geopolitical tensions translate into cyber threats.

This two-day, instructor-led workshop focuses on the role of cyber operations in advancing political, economic, and military objectives. Drawing on real-world conflicts and intelligence methodologies, the course offers a structured approach to geopolitical threat analysis, strategic foresight, and cyber risk forecasting.

Register Now

This story, taken from Wargaming for Leaders, illustrates how simulations can help to understand the impact of strategies on adversary decision-making. In the context of cyber security, wargaming can be used to simulate different threat scenarios and test how various defense strategies might influence the outcome of those attacks.

What is Wargaming?

Wargaming is a method of simulating attack and defense scenarios to evaluate how different strategies affect the outcome of an adversary’s actions.

By using wargaming, security teams can model cyber threat scenarios, apply different defense measures (like firewalls, endpoint protection, and SOCs), and observe how these defenses alter the attacker’s likelihood of success. This provides a better understanding of where resources should be allocated and how to improve defense measures.

In this post, we’ll use wargaming to evaluate whether investing in security detection and response capabilities is worthwhile. The approach involves modeling a simple cyber intrusion as a Markov Chain and adding a detection step to analyze how it affects the likelihood of a successful attack.

If you wonder what Markov Chains are, check out our previous blog post on this topic:

Strategy 1: Prevention Only

In this first Markov Chain model, we simulate a scenario where there are no detection or response capabilities, relying solely on preventive measures. Each step of the attack is represented by a probability of success, reflecting how likely the attacker is to complete each phase of the attack.

There are four layers of preventive controls:

1. Email filtering to block potentially malicious emails.

2. Security awareness training to reduce the click-through rate of phishing emails.

3. Malware protection to prevent the execution of malicious files.

4. Data loss prevention systems to block the exfiltration of sensitive data.

By measuring the false negative and true positive rates of each layer, we can calculate the probabilities of success. For example, phishing emails reported by employees would be considered false negatives for our email filtering control.

Here’s how the Markov chain looks like for this scenario:

To calculate the overall probability of success, we multiply the success probabilities at each step:

This means the attacker has a 48.96% probability of success against this defensive strategy.

Strategy 2: Detection & Response

In the second Markov Chain, we add detection as an additional control. For each attack step, there’s now a 10% chance of the attack being detected. Once detected, the attack has a 10% chance of triggering an incident response, which mitigates it. Here’s how the progression looks with detection in place:

Now, we calculate the combined success probability with detection and response by multiplying the success and detection survival rates at each step:

With detection & response procedures in place the attacker now has only a 26% probability of success.

Attempts Needed to Succeed

We can now compare how many attempts an attacker would need to succeed in both scenarios. This is done by calculating the expected number of attempts (1 divided by the success probability) for each condition:

Adding a 10% detection probability nearly doubles the difficulty for the attacker, from around 2 attempts to 3.84 attempts to succeed.

To better understand how different defensive strategies impact the attack outcome, we’ll compare two performance scale plots. Each plot highlights how detection capabilities and layered defenses scale differently in terms of difficulty for attackers to reach its goal.

Defense in Depth Performance

This plot shows how Difficulty increases in multiplies as more defense layers are added, with blocking success ranging from 10% to 50%.

How to interpret this plot:

• When layers individually block a higher percentage of attacks (e.g., 40–50%), difficulty multiplies sharply with each additional layer.

• With lower blocking rates (e.g., 10–20%), difficulty still increases, but at a slower rate.

• The shape of the curves depends strongly on the blocking effectiveness of each layer.

Insight:
This strategy scales more effectively with the quality of individual layers than with the number of layers themselves. Therefore, focusing solely on the number of defenses without considering the efficiency of each layer will lead to a suboptimal strategy.

Detection and Response Performance

This second plot shows the relationship between Detection Success (%) and the difficulty for an attacker to achieve its objective. This scenario assumes that the incident response will completely eradicate the threat. However in reality, this is less often the case due to inefficiencies in incident response procedures.

How to interpret this plot:

• As detection success improves, difficulty for the attacker increases polynomially.

• As detection success moves higher (e.g., 40% to 50%), the difficulty rises much more steeply.

Insight:
A detection and response strategy becomes more effective against attackers as it scales. The key idea is that the cost of implementing detection at all layers is lower than the cost of preventive controls at each layer. This allows the strategy to scale by improving detection efficiency, whereas a preventive strategy requires considering the cost of defense at each individual layer. But it's also important to note that the effectiveness of this strategy depends on efficient incident response, which must be factored in as well.

Let’s compare the two strategies:

• With three layers of preventive controls, each blocking 50% of attacks, the difficulty for the attacker increases by 8x. (Defense in Depth)

• To achieve the same effectiveness with the second strategy, only 30% detection success per step is needed. (Detection and Response)

Conclusion

Wargaming can be an effective way to test different cybersecurity strategies and understand their potential impact on an attack's success.

The precision of the numbers aren't important, nor are they particularly reliable.

Instead, what really matters is the directional insight: even limited detection capabilities can significantly disrupt intrusions, essentially showing that a SOC acts as a powerful force multiplier.

Predictive intelligence is emerging as a critical component of proactive defense strategies, as noted by authorities like MITRE, GARTNER, and others, offering the capability to anticipate, prepare for, and mitigate threats before they fully materialize. As with any emerging field, there is no agreed-upon definition of what predictive intelligence should look like. As a result, predictive threat intelligence reports in the industry vary widely, making it more difficult for consumers to operationalize them.

To address this issue, this post proposes four principles deemed essential for making high-quality predictions. These principles are encapsulated in the acronym PART: Probabilistic, Actionable, Responsive and Time-bound.

Now let’s break down these principles and explore how they should be implemented.

1. Probabilistic

When performing predictive analysis, we must evaluate the likelihood of each scenario that is being considered. A high-quality product must assign probabilities or confidence levels to those forecasts.

Probabilistic models can leverage statistical methods, machine learning, and historical data. Confidence levels in the end product can be quantitative (“There is a 70% chance of a ransomware attack”) as well as categorical (“High likelihood”) depending on the case. Through this, decision-makers will be able to allocate resources more effectively.

Take a look at the following example from the above post, notice the quantitative probability attached to it:

This insight was derived from observing a moderate correlation between events from two data sources: SIEM and identity intelligence.

Furthermore, you can watch the “Infostealer infections” section from one of our talks to learn how probabilistic and evaluable models can be developed. Pay attention to the defined metrics used to validate the model's effectiveness and how historical back-testing was done using the available data.

2. Actionable

Predictive analysis is a complex and resource-intensive process. Therefore, analyses should be done while keeping defensive capabilities in mind. There is no meaning in making predictions, if no defensive actions can be taken based on them. In your end product, pair each prediction with a set of tailored mitigation steps, such as patch recommendations, system configurations, or user awareness initiatives.

For example, take a look at the proactive countermeasures plan below:

You can check out the following post to learn what a Proactive Countermeasure Plan is.

3. Responsive

Forecasts often depend on specific conditions or triggers. A predictive intelligence product should articulate the conditions under which a prediction is valid and describe how changes in those conditions might alter the outcome. Decision-makers should have a clear view of the factors influencing an outcome and the reasoning behind the prediction. This way, our predictive models will be responsive to the changing circumstances.

As an example, take a look at the future scenarios outlined in the post above, which describe various policy changes Turkey could adopt during the Russia-Ukraine war, along with the implications of each scenario on cyber threats to Turkey.

4. Time-bound

A prediction without a temporal scope lacks utility. Predictive intelligence must specify when the threat is expected to materialize, whether in days, weeks, or longer. Use clear time frames in all outputs, and allow decision-makers to filter predictions by urgency to focus on imminent risks. For instance, a prediction about a potential attack during a high-profile event in the next 72 hours demands immediate attention and response.

Additionally, include success metrics and post-mortem analysis features to track prediction outcomes and refine models based on real-world results. This evaluability provides a feedback loop for continuous improvement and it also underscores the importance of ensuring predictions are data-driven rather than based on intuition or unverified reports.

Conclusion

The four principles outlined in this post intends to be a guideline to creating high-quality predictive intelligence reports. It is important to remember that predictive analysis is not a one-time effort but an ongoing process that requires continuous improvement.

Shortcomings of Reactive Defense

According to Mandiant's report[1], the time it takes for a vulnerability to be exploited has decreased to an average of five days. Yet, it’s widely known that many organizations still take 30 to 90 days to implement patches. This delay provides attackers with a significant window of opportunity. In ransomware attacks, for instance, attackers often deploy ransomware just six days after infiltrating a target network[2]. Such fast-paced operations shortens the window of opportunity for defenders to act.

Another issue is the long lead time required for cybersecurity investments to take effect. Implementing organization-wide changes is no easy task, and even the simplest controls can take months to deploy at scale. As a result, solutions designed for today’s threats may fall short at mitigating the risks by the time they are fully operational. If we can anticipate the threats we’ll face in advance, we can proactively develop the necessary measures to counter them.

Axes of Uncertainty: When, Where, and How?

To design an effective defense against cyberattacks, we must answer three fundamental questions: When will an attack occur? Where will it happen? How will it take place? Traditional methods focus on addressing the "how" and "where" through practices like penetration testing, threat hunting, and threat modeling, which helps identify the weakest points. However, the "when" has often been treated as unknowable. Risk assessments typically regard likelihood as a constant variable, whereas the probability of an attack is in fact dynamic and time-sensitive.

For example, an API key mistakenly uploaded to a public repository may be exploited by malicious actors within hours, whereas an SQL Injection vulnerability in a web application may remain unnoticed for months.

Predictive Defense tries to minimize this uncertainty, enabling organizations to perceive threats before they materalize.

Methods of Predictive Defense

Predictive Defense relies on various analysis techniques to anticipate future threats and risks. Key methods include:

Wargaming (How and Where):

• Wargaming involves simulating potential attack scenarios to explore how and where they might occur. For instance, it examines how an employee’s credentials might be stolen and the cascading impact this could have on critical systems. By analyzing each step of a potential attack, weaknesses are identified, and targeted defenses can be developed.

Monte Carlo Simulations (Where):

• This method evaluates the likelihood and impact of potential attacks across different scenarios. It repeatedly tests various attack paths (e.g., phishing attempts, brute-force attacks, or compromised credentials) against current defenses. By simulating thousands of scenarios, it estimates the probability of a successful attack within a given timeframe, helping prioritize risks and optimize resource allocation. This method is often used in conjunction with wargaming.

You can check out our blog post for more details about how to build probabilistic models.

Early Warning System (When):

• Early warning systems detect indicators of emerging threats, allowing organizations to prepare in advance. For example, an uptick in malware indicators might signal a malvertising campaign that has just started. These systems use data from past incidents and threat intelligence sources to predict the timing of potential threats, enabling ample preparation times.

You can watch the following talk for more details about how to construct Early Warning Systems!

Geopolitical Risk Analysis (When):

• Geopolitical risk analysis explores how factors like international relations, economic conditions, and regional conflicts can influence cyber threats. For instance, if a country faces sanctions, it may raise the likelihood of cyberattacks backed by that country. This analysis helps organizations better prepare for major risks, especially state-sponsored threats, by predicting how global events could trigger attacks. Common techniques used in this analysis include Indications & Warnings Analysis, Signposts of Change Analysis, and Alternative Futures Analysis.

You can find our book on this very topic, "Geopolitical Cyber Threat Intelligence," on Amazon!

Geopolitical Cyber Threat Intelligence — by Robin Dimyanoglu

Cone of Plausibility (Future Risks):

• This forecasting tool maps possible future scenarios based on current trends and predictable variables. By outlining expected events and deviations, it provides a framework for understanding and preparing for potential risks. For instance, it can be used to assess how attackers might evolve their strategies if current credential stuffing techniques are no longer effective.

You can check out our following posts for more details about how to use Cone of Plausibility for forecasting.

Conclusion

Predictive Defense represents a paradigm shift in cybersecurity, moving beyond reactive methods to anticipate and counter future threats. By addressing uncertainties around "when, where, and how," it aims to enable organizations to build more dynamic, rapid, and effective defense strategies. This forward-thinking approach can optimize cybersecurity investments and ensures preparedness against emerging risks in an increasingly complex threat landscape.

Introduction

Threat modeling is a method used to identify potential threats specific to a software's functionality during its design phase. By addressing these threats early, the software can be designed securely from the beginning, reducing the risk of overlooking security issues and aiming to launch with minimal vulnerabilities. Frameworks like STRIDE and OWASP Top 10 are often used in threat modeling.

However, this article isn't about those specific frameworks. While threat modeling is commonly linked to software development, its scope is much broader and can be applied to almost any area of cybersecurity. In this article, we'll explore how threat modeling, particularly probabilistic threat modeling, can complement risk management practices.

Probabilistic threat models can help clarify the "Likelihood" parameter, which often remains uncertain in risk analysis. Unfortunately, because threat models are often used in a superficial and qualitative way within risk management, this potential is not fully realized. In this article, we'll develop probabilistic models that allow us to directly calculate how anticipated changes within a company (such as hiring) might impact cyber risk.

The Unknown in the Risk Equation: Likelihood

In risk analysis, there's a commonly used equation: Risk = Impact x Likelihood. This equation helps compare different types of risks with each other. For instance, you can compare the risk of a DDOS attack with the risk of an SQL injection attack to determine where to invest more in protection. Although this equation seems simple in theory, it's more complex in practice. Some impacts are easier to quantify than others. For example, you can estimate the number of new customers lost and the financial cost to the company if a site goes down for X minutes due to a DDOS attack. However, calculating the impact of a personal data leak from an SQL injection isn't as straightforward.

Many companies address this by assigning categorical values (High, Medium, Low) to Impact. Fortunately, the industry is evolving. With the help of frameworks like FAIR and annual reports from organizations like the Cyentia Institute's IRIS and IBM's Cost of Data Breach, we can now use industry benchmarks to quantify Impact. This shift allows us to move beyond categorical values and perform risk calculations with greater accuracy.

The situation with the Likelihood parameter is even more challenging. Unfortunately, there are no industry benchmarks available to quantify the likelihood of an event, and it's unlikely that such benchmarks will be developed anytime soon. While efforts like EPSS try to address this issue within a narrow scope, they don't provide results that can be directly used in risk analysis. As a result, companies traditionally assign categorical values to likelihood. However, in this article, we'll explore how to assign probabilistic values to the Likelihood parameter, moving beyond the limitations of categorical values.

Introducing Markov Chain

Every event in life often depends on what happened just before it. For example, before you can enter your house, you need to unlock the door. But to unlock the door, you first need to find your key. Each of these steps is connected, and the chances of moving from one step to the next are based on probabilities. For instance, even if you find your key, there's no guarantee you’ll be able to unlock the door—maybe the lock is broken, or the key could get stuck. Similarly, you might not find the key at all; perhaps you left it in the car or misplaced it. This chain of events, where each step depends on the one before it, can be modeled using something called a Markov chain.

When you think about it, a cyber incident is really just a series of steps executed in sequence. We even have models like the Cyber Kill Chain that describe this exact process. However, these models often lack the probabilities needed to complete the Markov chain. In this section, we’ll explore how to easily assign these probabilities based on the information we have and build our own probabilistic models.

To make this clearer, imagine a company with the following scenario: It’s a typical software development firm that hosts its software in the cloud. The development environment is straightforward, including CI/CD elements. The company’s workforce is as follows:

• 1 DevOps engineer

• 8 Developers

• 2 IT engineers

• 89 Non-IT employees

In our scenario, the asset we want to protect is the "source code." Now, let's assume that the likelihood of a "compromised identity" has occurred. Regardless of the method used—whether phishing, brute force, or an info-stealer—a compromised identity could belong to one of the following groups, with the following probabilities:

• 89% chance it’s a Non-IT employee

• 2% chance it’s an IT engineer

• 8% chance it’s a Developer

• 1% chance it’s a DevOps engineer

Based on the diagram, there appear to be three possible ways for an attacker with a compromised identity to access the source code:

1. If they’ve compromised a Developer’s identity, they can directly access the source code.

2. If they’ve compromised a DevOps engineer’s identity, they can access the deployment environment to steal the source code.

3. If they’ve compromised an IT engineer’s identity, they can remotely access the Developer’s computer to steal the source code.

Now, let's begin by adding these probabilities to our model.

Now that we know one of the key steps to stealing the source code is compromising an identity, let's look at the possible methods for achieving this. Here are a few scenarios that come to mind:

• Brute-forcing a Username and Password

• Employee Credentials Being Sold on the Dark Web

• A Spear Phishing Attack Targeting Employees

• Malware Infection While Employees Browse the Internet

Let's break down the controls in place for each scenario and the relevant information we have. (Note: The figures below are hypothetical.)

1. Brute-forcing a Username and Password

• Control: We have a lockout policy that triggers after three failed login attempts.

• Likelihood: 0% (due to the lockout policy)

2. Employee Credentials Sold on the Dark Web

• Control: Over the past year, our identity intelligence service detected that 15 employees had their credentials sold on the dark web.

• Additional Info: 60% of our employees have MFA enabled on their corporate accounts, so even if credentials are compromised, access cannot be gained without MFA.

3. Spear Phishing Attack

• Control: Our email security gateway blocked 1,700 phishing emails last year.

• Additional Info:

  • Employees manually reported 21 phishing emails that slipped through the gateway.

  • Based on previous phishing simulations, we know that employees report about 3% of suspicious emails. This suggests there were roughly 700 phishing emails that bypassed the gateway, giving it a detection rate of 70%.

  • On average, our employees click on phishing emails 13% of the time, according to past simulations.

  • Additionally, 60% of employees have MFA enabled on their accounts, so compromised credentials alone won’t grant access.

4. Malware Infection Through Malvertising

• Control: Based on insights from purple team simulations and post-mortem analyses, we estimate our EDR (Endpoint Detection and Response) system has an 85% success rate in detecting malware.

• Additional Info: Last year, our EDR blocked 130 infections. Given the detection success rate, we estimate the total number of infections was likely around 150.

These insights provide a clearer understanding of the controls and probabilities for each scenario, helping us further refine our threat model.

As you can see, by analyzing data like the number of blocked malware and phishing attempts, the number of leaked credentials detected by our intelligence services, the success and click-through rates observed in simulations, and the False Negative rates of our security products, we've been able to calculate the success probability of each attack vector as a percentage.

• Brute-forcing a Username and Password: 0% success probability

• Credentials Sold on the Dark Web: 40% (proportion of accounts without MFA)

• Spear Phishing Attack: 30% (False Negative rate of our email security gateway) * 13% (phishing click-through rate) * 40% (proportion of accounts without MFA) = 1.5% success probability

• Malware Infection via Malvertising: 15% success probability

Next, we can apply these probabilities to the proportion of employees who have access to the source code, allowing us to calculate the overall success probability of each attack vector in achieving the goal of stealing the source code.

• Buying Credentials on the Dark Web -> Stealing Source Code: 40% * 11% (proportion of employees with access to the source code) = 4.4% success probability

• Spear Phishing -> Stealing Source Code: 1.5% * 11% = 0.17% success probability

• Malvertising -> Stealing Source Code: 15% * 11% = 1.6% success probability

If these calculations seem complex or lengthy, the following graphic will help clarify things. Notice how the attack chains are modeled as a Markov chain.

Calculating Likelihood from Probabilities

In the model we developed, we calculated the success rates of different attack vectors as probabilities. But how do we determine the likelihood, which is crucial for our risk analysis? To do this, we simply multiply these success probabilities by the frequency with which each attack occurs over a specific period. Let's continue with our example of source code theft and calculate the likelihood of this event occurring through each attack vector over a one-year period.

Likelihood of a Credential Leak on the Dark Web Leading to Source Code Theft:

• Calculation: Probability of success * Number of occurrences in a year

• Result: 4.4% * 15 = 66%

Likelihood of Spear Phishing Leading to Source Code Theft:

• Calculation: 0.17% * 2,400 = 4.7%

Likelihood of Malvertising Leading to Source Code Theft:

• Calculation: 1.6% * 150 = 240%

With these likelihoods calculated, we can now multiply them by the Impact value to complete our risk analysis. For instance, if the impact of source code theft is estimated at $1,000,000, then our annual risk exposure would amount to $3,170,000.

One important observation is that, while the credential leak on the dark web initially appeared to have the highest probability of success, when we account for the frequency of events, malvertising turns out to have the highest likelihood. According to these calculations, our source code is exposed to the risk of theft from malvertising about 2.4 times per year.

This doesn’t mean our source code will be stolen every year—malvertising attacks often aim at simpler targets, like Bitcoin mining. However, a probabilistic threat model is an effective tool for understanding the factors that increase or decrease our risk exposure.

Getting Predictive Value from your Threat Model

Probabilistic threat models are incredibly useful for risk analysis, evaluating investment decisions, and comparing the effectiveness of different security controls. For instance, look at the graph below and imagine you're about to implement a new security control. Consider the various controls that come to mind and estimate how much each one could reduce risk exposure. Which controls have the most significant impact? And how much should one invest in the most effective one? As you can see, once you have a model like this in place, making these kinds of assessments becomes much easier.

But their value doesn’t stop there—they can also help forecast future risks by incorporating predictions. Let’s consider a few scenarios:

1. Your company plans to expand the software team next year, increasing the number of developers to 20.

2. A major news event (like M-pox) leads you to believe attackers might launch more phishing attacks.

3. Your early warning system detects a 40% increase in activity from malware families that have affected your company before.

Each of these scenarios offers predictions with different levels of certainty. With probabilistic models in place, you can easily calculate the risks if these predictions come true.

• Increasing the Software Team to 20 People: This would increase the percentage of employees with access to the source code from 11% to 20%. As a result, the likelihood of success for all identity-compromise-based attacks—and the associated risk exposure—would double, bringing the total risk exposure to $6.34 million.

• Anticipating an Increase in Phishing Attacks: We can estimate how much phishing attacks might increase by looking at similar past events (like the early days of COVID). Suppose we assume a 20% rise in phishing attacks. This would impact only one attack vector, increasing its likelihood of success from 4.7% to 5.64%, leading to a mere $9,400 increase in risk exposure.

• Surge in Malware Activity: A 40% increase in malware activity would mostly affect one attack vector. The likelihood of a successful malvertising attack would rise from 240% to 336%, temporarily increasing the total risk exposure by $960,000.

These examples show how probabilistic threat modeling can effectively assess the impact of company changes, respond to early warning signals, and make informed decisions based on future predictions.

Conclusion

Probabilistic threat modeling is a powerful tool that goes beyond traditional risk analysis. It allows organizations to not only assess current risks and the effectiveness of security controls but also to anticipate and prepare for future threats. By incorporating predictions—whether they stem from internal changes, emerging trends, or early warning signals—companies can make more informed decisions and better allocate resources to mitigate potential risks. As demonstrated, understanding how different factors influence risk exposure enables organizations to stay ahead of threats and protect their critical assets more effectively.

If you found this work insightful, consider supporting my efforts by purchasing a copy of my book, Geopolitical Cyber Threat Intelligence. I hope you'll like that as well!

Thank you for reading so far!

Introduction

Hello everyone,

In this blog post, we'll use the "Alternative Futures Analysis" technique to explore the future of cyber norms in light of events from 2022-2023. Our goal is to discuss the history and current state of international norms, analyse how the ongoing Russia-Ukraine war affects cyber norms, and evaluate the impact of each scenario on civilian sectors to aid strategic security planning.

What is a norm?

A "norm" in international relations refers to shared expectations among states about appropriate behavior. Some norms develop from longstanding practices, while others are solidified through international treaties, like the European Convention on Human Rights, which safeguards rights such as the prohibition against torture and the right to life.

Realist theory in international relations views state interactions as inherently anarchic and is skeptical about international norms. Conversely, liberal theory advocates that norms can be enforced through international organizations like the United Nations. This view has predominated globally, especially in the West since World War I.

History of cyber norms

Communication technologies have influenced international relations by offering both opportunities and security risks. Cyber norm discussions began with the United Nations' first working group in 2004 but have not yet concluded due to the states' inability to come to a consensus [1]. Currently, there is no international cyber norms treaty. However, it is widely accepted in the West that existing armed conflict laws, like the Geneva Conventions, also apply to cyber conflicts. For example, in theory, a cyberattack on a NATO ally could trigger a military response under NATO's Article 5. However, such responses have not been triggered yet because cyberattacks are usually seen as below the threshold of war. Adapting armed conflict criteria—like 'weapon,' 'border,' and 'force'—to cyberspace complicates the evaluation of cyber operations.

Various states have expressed their expectations for rules in cyberspace, like the US has done regarding intellectual property theft, election security, and critical infrastructure. These diplomatic efforts are essential parts of the push to establish cyber norms.

• Obama Tells China President Hacking Must Stop [2]

• Barack Obama ordered 'cyber bombs' for Russian network after hacking: report [3]

State of International Norms

With the global economic center shifting from the West to Asia, countries like China and Russia have started transforming their economic wealth into political influence. This shift has led to policies that challenge the US-led international system during the transition to a multipolar world. Meanwhile, global adherence to norms on issues like women’s rights and gun control has declined. [4] Challenges to norms in the battle for global hegemony have naturally impacted the still-developing cyber norms. While China has used cyber operations to steal intellectual property, Russia and Iran have repeatedly breached norms with destructive attacks on critical infrastructure and election interference.

We are at a turning point for cyber norms. In 2022, Russia significantly increased its use of destructive cyberattacks due to its war against Ukraine. Likely under sanctions, Russia now appears more willing to accept the political risks of cyberattacks. This critical period's events are crucial for the future of cyber conflicts. If the US and Western countries cannot impose effective sanctions against these norm-violating cyberattacks, it suggests that cyberattacks will become more frequent in the future. This would mean that critical infrastructure and civilian sectors are likely to face more frequent and severe cyberattacks.

In the next section, we will use the Alternative Futures Analysis technique to explore possible scenarios.

Alternative Futures Analysis

Alternative Futures Analysis is designed for strategic planning in uncertain and complex situations. It involves exploring how different factors (economic, technological, social, political, etc.) might interact in the future. For example, how might a technological innovation lead to social change, or how could an economic crisis impact political stability?

The scenario matrix is a central tool in this analysis, taking two main uncertain factors and creating four different scenarios based on their possible combinations. Each factor is considered at its extremes (e.g., high growth/low growth or high technology adoption/low technology adoption). These factors form the axes of the matrix, with each combination generating a different future scenario.

In our analysis, we will examine the following parameters:

• Adherence to Norms: Reflects the presence of cyber norms and other states' adherence to these norms.

• Sanction Deterrence: Represents the effectiveness of sanctions applied against cyberattacks, regardless of consensus on norms.

Let’s now explore our scenarios based on these combinations.

1 - Normative Zone

In this scenario, there is an international consensus on cyber norms. International collaborations detect deviations and apply effective sanctions, ensuring general compliance among states. States commit to limited use of cyber operations, reducing risks to critical infrastructure and civilian sectors. This stability decreases the private sector's sensitivity to geopolitical developments.

2 - Lawfare Zone

Here, a legal framework for cyber norms exists, but enforcing sanctions for deviations is challenging or the sanctions are not deterrent enough. States may occasionally deviate from norms even as they generally try to adhere to them. Cyber norms become legal tools that states use to gain advantages over each other (Lawfare), undermining their intended purpose. Civil sectors overall become more susceptible to cyber conflicts in this scenario.

3 - Cult of the Offensive

In this dangerous scenario, there are no agreed norms or effective sanctions. This creates a fertile ground for the "Cult of the offensive," [5] where states believe that the best defense is a good offense. Trust in defensive strategies is low, and initiating attacks is seen as crucial. The frequency of destructive cyberattacks increases, along with a wider variety of targets in civilian sectors, significantly heightening their geopolitical sensitivity.

4 - Agreed Competition

In this scenario, the legal framework for cyber norms is either absent or vague. However, states begin to apply effective individual sanctions against cyberattacks. Each state’s response to a cyberattack varies, creating unique "red lines" instead of a common norm. This dynamic dictates the basic logic of cyber conflicts; each state crafts its own policy. The impact on civilian sectors largely depends on their respective country’s policies and enforcement capabilities. States with robust deterrent policies and enforcement capabilities better protect their civilian sectors, but cyber conflicts are expected to be more common than in the first two scenarios due to the anarchic nature of this setting.

What should organizations do?

The developments we've discussed affect not only state institutions but also private sector companies significantly. In an environment where civilian sectors are increasingly targeted, supply chains, for instance, become much more fragile, inevitably impacting operational processes. While data privacy remains a primary concern in private sector’s cyber security planning, the developments indicate a world where risks to business continuity are more pronounced, and resilience becomes crucial. Thus, it is essential for private sectors to monitor these developments as closely as states do and prepare for possible scenarios.

Signposts of Change

The emergence of the scenarios discussed in the previous section may be indicated by the following likely developments in the future:

• States effectively incorporate their own cyber engagement rules into their military and diplomatic frameworks.

• The application of deterrent sanctions against cyberattacks becomes more widespread. (e.g., Albania cuts diplomatic ties with Iran over a cyberattack [6])

• International collaborations in combating cybercrime strengthen.

• The number of states adopting an active cyber defense [7] strategy increases, and various state institutions' powers are expanded.

Resources

1. https://carnegieendowment.org/research/2021/05/the-un-struggles-to-make-progress-on-securing-cyberspace?lang=en

2. https://news.sky.com/story/obama-tells-china-president-hacking-must-stop-10345126

3. https://www.smh.com.au/world/barack-obama-ordered-cyber-bombs-for-russian-network-after-hacking-report-20170624-gwxo44.html

4. https://www.dni.gov/index.php/gt2040-home/gt2040-deeper-looks/future-of-international-norms

5. https://en.wikipedia.org/wiki/Cult_of_the_offensive

6. https://www.aljazeera.com/news/2022/9/7/albania-cuts-diplomatic-ties-with-iran-over-cyberattack

7. https://www.darpa.mil/program/active-cyber-defense

In today’s world, it is widely recognized that cyber operations has become a key component in the conduct of modern warfare. However, due to our limited understanding of armed conflict and geopolitics, we often find it difficult to interpret these events in terms of their implications for our threat landscapes.

This blog post aims to offer a comprehensive analysis of cyber operations strategies, focusing on the typical targets and tactics employed by states during conflicts, drawing from historical observations. By studying these elements, we are going to have valuable insights for more accurate threat modelling, risk assessment, and forecasting in the realm of international cyber conflict.

Likely Targets During a Conflict

Before we begin, I strongly encourage everyone to view Lincoln Kaffenberger’s talk at the SANS CTI Summit. This presentation, which also served as an inspiration for this post, lays out a solid framework for analysing geopolitical cyber risks and offers some practical insights: Lincoln Kaffenberger’s Talk.

A notable point from the talk, which I’d like to highlight, pertains to the sectors frequently targeted in times of conflict. Below, I’ll list these common targets of cyber attacks during wartime. Following that, I will try to provide more context on military decision-making that result in this kind of targeting and discuss how this information can be integrated into our threat models.

Wartime Activities Overview

Ideally, the actions undertaken during or before a military operation should support at least one of these three purposes: 1. Achieving a tactical objective, 2. Gaining and sustaining a strategic advantage, and 3. Weakening the opponent’s war fighting capacity. Let’s explore a few examples:

Supporting a Tactical Objective: These activities aim to disrupt various aspects of the opposing force, enabling free movement of friendly forces during an operation. They are primarily tactical and are therefore carried out in coordination with the military operation aimed at achieving the specific objective. Such activities may include kinetic attacks targeting logistics, command and control systems, ammunition, and other supplies.

There is an increasing trend in militaries utilising cyber attacks for similar purposes. Particularly, disruptive cyber attacks against information systems have proven to be highly effective. Some very recent examples are:

• U.S. conducting cyberattack on suspected Iranian spy ship to inhibit the ship’s ability to share intelligence with Houthi militants in Yemen. [*]

• DDoS attacks at websites that provide critical information and alerts to civilians on rocket attacks twelve minutes after the Hamas attack on Israel. [*]

In both of these cases, the attacks were coordinated with a kinetic military operation, and intended to disrupt some aspects of the opposing force.

Gaining and Sustaining Strategic Advantage: The purpose of these actions is to indirectly affect the war fighting capabilities of the adversary, often by weakening their Centers of Gravity (COG). COGs are essentially the key strengths that enable a nation to maintain its war efforts. It’s common for nations to focus on undermining their enemy’s COGs during a conflict.

Potential COGs include:

• Advanced intelligence and situational awareness

• Superior mobility of military forces

• The quantity and/or quality of arms and personnel

• Funding for the war effort

• Domestic public support for the war

• Alliances and backing from the international community

The last three factors mentioned: funding, domestic, and international support for the war, play a significant role in influencing the war’s outcome. Therefore, parties engaged in a conflict actively seek to disrupt the financing, exert pressure on the economy, fracture alliances, hinder international support, and sway the public opinion of the opposing state through all available means.

It has been noted that cyber operations also play a significant role in this context. One common wartime activity is information operations (IO) targeting the citizens of the opposing nation and its allies. This heightened level of IO activity requires an increased effort in intelligence collection for use in disinformation campaigns. As a result, a rise in cyber espionage activities is often seen prior to or at the onset of a conflict. In some cases, these are accompanied by disruptive cyber attacks aimed at exerting pressure on media outlets or prominent individuals who publicly support the rival state. All these efforts can be viewed as strategies to achieve and maintain information dominance.

Disruptive cyber attacks targeting the key economic sectors of a rival state are often employed to exert economic strain. Additionally, these types of attacks can be used to apply diplomatic pressure on allies and neutral states, as outlined in my previous post: Geopolitical Cyber Risk: War and Coercive Diplomacy. One thing to note that a COG typically deteriorates over an extended period. Therefore, efforts targeting these are also likely to be sustained over the long term.

I highly recommend checking out the following post from SecAlliance, which, in my view, excellently demonstrates the application of COG analysis in assessing potential cyber threats: Factors Influencing the Likelihood of a Systemically Significant Cyber Attack on Western European Financial Services.

Weakening The Opponent’s War Fighting Capacity: The purpose of these actions is to undermine the material capabilities of the opposing state’s warfare. Cyber attacks aimed at disrupting key sectors such as manufacturing and energy can be seen in this light, depending on the targeted entity. For example, the aerospace, chemicals, automobiles, and parts organizations have all seen a significant rise in attacks. [*] These attacks often exploit the low tolerance for outages in the manufacturing sector, where IT service disruptions can halt production and lead to significant revenue losses. Another notable example of such activities includes the Stuxnet, Duqu, and Flame malware families. While these attacks were not conducted during wartime, their objective was to significantly hinder the nuclear capabilities of Iran and potentially the DPRK, targeting their nuclear warhead production infrastructure.

Hierarchy of Targets and Possible Course of Actions

As cyber defenders, our task is to realistically map out and prepare for various potential cyber threat scenarios that could arise in a conflict situation. This section is dedicated to outlining those scenarios, each defined by the nature of the potential target — opponent state, supportive states, or neutral states that might be drawn into the conflict. This process involves identifying the goals of potential adversaries (objectives), the conditions or events that could initiate their hostile actions (triggers), and the specific types of cyber operations they might employ at certain targets (actions).

Here’s a breakdown of how this mapping works:

Opponent state

For an opponent state, we can expect actions like persistent cyber intrusions targeting the government, military, and intelligence agencies for critical intelligence, as well as disruptive attacks aimed at key industries and communication channels. These are maneuvers aimed at gaining a strategic advantage and crippling the war fighting abilities of the opponent.

Triggers: Armed conflict

1. Objective: Gaining and sustaining strategic advantage

   1. Persistent cyber intrusions targeting gov/mil/intel agencies and their contractors, the defense industry, and think tanks for political, military and technological intelligence

   2. Persistent disruptive attacks targeting key economic sectors to exert economic strain (e.g: energy, banking and finance, tourism, manufacturing, large private companies)

   3. Persistent disruptive attacks targeting media outlets and communication systems to interrupt the flow of information

2. Objective: Weakening of war fighting capacity

   1. Persistent disruptive attacks targeting key industries to undermine the material production capability (e.g: chemicals, raw material, aerospace, energy, manufacturing and defense)

3. Objective: Supporting a tactical objective

   1. Coordinated disruptive attacks targeting communication and information networks in support of an ongoing military operation

States offering political, economic, or military support to the opponent

When considering states that provide support to the opponents of one party, we prepare for scenarios where these entities could face similar cyber intrusions and disruptive attacks. These are likely motivated by a desire to exert economic strain or to discourage their alignment with the opponent of that party.

Triggers: Providing political, economic, or military support to the opponent. Public statements or other signs of support to the opponent. Advocating or supporting hostile policies in favor of the opponent. (e.g: sanctions, embargo)

1. Objective: Gaining and sustaining strategic advantage

   1. Persistent cyber intrusions targeting gov/mil/intel agencies, the defense industry, and think tanks for political, military and technological intelligence

   2. Persistent disruptive attacks targeting primary industries to exert economic strain (e.g: energy, banking and finance, tourism, manufacturing, large private companies)

   3. Persistent disruptive attacks targeting media outlets and communication systems to interrupt the flow of information

2. Objective: Discourage alignment with the opposing state

   1. Disruptive attacks targeting key economic sectors or critical infrastructure in retaliation against any perceived political, economic or military support for the opponent state

3. Objective: Counteract the propaganda efforts of the opponent

   1. Disruptive attacks targeting media outlets, large private companies, and prominent individuals that publicly support the opponent state to discourage public support

Neutral states

Neutral states, often overlooked, can also be significant in the cyber conflict landscape. They could be subjected to cyber operations if they show any inclination towards supporting the opponent of either party. In these cases, the objective often shifts to gaining a strategic advantage or countering propaganda efforts.

Triggers: Providing political, economic, or military support to the opponent. Public statements or other signs of support to the opponent. Advocating or supporting hostile policies in favor of the opponent. (e.g: sanctions, embargo)

1. Objective: Gaining and sustaining strategic advantage

   1. Cyber intrusions targeting gov/mil/intel agencies, the defense industry, and think tanks for political, military and technological intelligence

2. Objective: Discourage alignment with the opposing state

   1. Disruptive attacks targeting key economic sectors or critical infrastructure in retaliation against any perceived political, economic or military support for the opponent state

3. Objective: Counteract the propaganda efforts of the opponent

   1. Disruptive attacks targeting media outlets, large private companies, and prominent individuals that publicly support the opponent state to discourage public support

Example: Russia-Ukraine Conflict

In the specific context of the Russia-Ukraine conflict, with Russia as the acting party, the following detailed cyber operations strategy can be outlined:

Opponent State (Ukraine)

1. Objective: Gaining and Sustaining Strategic Advantage

   1. Cyber intrusions into Ukrainian government, military, and intelligence networks, especially targeting communication channels and data repositories, to gather intelligence that could offer strategic advantages.

   2. Disruptive cyber attacks on Ukraine’s key economic sectors like energy, financial services, and manufacturing, aiming to weaken the national economy and disrupt daily life.

   3. Systematic attacks on Ukrainian media outlets and internet service providers to control the narrative and disrupt the flow of accurate information within Ukraine.

2. Objective: Weakening of War Fighting Capacity

   1. Targeting of Ukrainian defense manufacturing, including plants producing arms and ammunition, through cyber sabotage to hinder Ukraine’s military supply chain.

3. Objective: Supporting a Tactical Objective

   1. Coordinated cyber attacks on Ukrainian military communication networks during key ground offensives to impair coordination and response capabilities.

States Offering Support to Ukraine (e.g., NATO Member Countries, European Union)

1. Objective: Gaining and Sustaining Strategic Advantage

   1. Cyber espionage against governments and defense contractors in NATO and EU countries providing military aid to Ukraine, aiming to uncover future military plans and logistics.

   2. Persistent cyber attacks on the energy and banking sectors of these supporting nations, particularly those that have imposed sanctions on Russia, to create economic repercussions.

   3. Ongoing cyber operations against media and communication channels in these countries, aiming to disrupt pro-Ukraine propaganda and influence public opinion.

2. Objective: Discouraging Alignment with Ukraine

   1. Retaliatory cyber attacks targeting critical infrastructure in countries that have provided significant military support to Ukraine.

3. Objective: Counteracting Propaganda Efforts of Ukraine

   1. Cyber operations aimed at media outlets and prominent social figures in supporting states, particularly those vocally opposing Russian actions, to undermine public and international support for Ukraine.

Neutral States (e.g., Countries Not Actively Involved in the Conflict)

1. Objective: Gaining and Sustaining Strategic Advantage

   1. Cyber intrusions into political and military intelligence networks of neutral states, especially those considering humanitarian or diplomatic support for Ukraine.

2. Objective: Discouraging Alignment with Ukraine

   1. Disruptive cyber attacks on neutral states’ key economic sectors as a warning against siding with Ukraine or imposing sanctions on Russia.

3. Objective: Counteracting Propaganda Efforts of Ukraine

   1. Cyber campaigns targeting media and influential figures in neutral states to prevent the spread of pro-Ukraine sentiment and maintain a neutral or pro-Russia stance in the conflict.

This strategic outline should be further refined with insights derived from the observation of the acting party’s behaviours in past conflicts. The capability to conduct cyber operations does not guarantee their use in every scenario. States may choose to refrain from targeting critical infrastructure or key economic sectors due to potential political backlash or other considerations. Therefore, developing behavioural models based on historical patterns and tendencies of the involved parties is crucial. They can help in anticipating the moves of the adversary more accurately and in preparing more targeted and effective defensive strategies.

Conclusion

To conclude, the study of cyber operations during times of armed conflict presents a detailed understanding of the strategic objectives and methodologies employed by nations in the digital domain. This analysis is instrumental in enhancing threat modelling, risk analysis, and forecasting in the context of geopolitics. By identifying the hierarchy of targets and the diverse tactics used, from disrupting an adversary’s economic stability to manipulating public perception, we gain critical insights into the evolving nature of digital warfare. This post underscores the importance of envisioning potential future scenarios, especially during periods of tension and conflict. By doing so, we can assess their potential impact on our security, allowing for better preparedness and response. And the most critical lesson here is the need to integrate foresight into our cybersecurity practices.

I hope you liked this post. See you in the next one!

Hello everyone,

Today, we’re diving into an intriguing case of cyber risk in the world of international politics, focusing on a specific cyber attack that occurred during the Russia-Ukraine conflict. This post aims to unpack the complexities of cyber attacks in the realm of global politics and their impact on international relationships.

Our focus will be on a series of cyber attacks targeting Turkish airports, an event that’s particularly interesting given Turkey’s unique position in the ongoing conflict between Russia and Ukraine. Through this analysis, we’ll get a glimpse into how cyber operations are used in modern diplomacy and conflict, and what this means for countries involved.

We’ll try to explore why these attacks happened, what Turkey’s role in the larger Russia-Ukraine conflict might mean in this context, and how cyber tactics are becoming key tools in the arsenal of countries and groups looking to push their agendas on the world stage.

Lastly, we’ll extract insights and make forecasts which we can use to preposition our defenses against potential changes in the geopolitical landscape. Understanding these dynamics is crucial for anticipating future threats and strengthening our cyber security posture proactively.

So, let’s get started and unravel this intriguing story of cyber conflict, strategy, and the delicate dance of international politics.

The Incident

During the earlier stages of the Russia-Ukraine conflict, several Turkish airports were hit by intense DDoS attacks, thought to be carried out by Ukrainian hacktivists. During this attack, messages demanding the halt of flights to Russia were inserted into the HTTP packets, specifically stating “Stop flights to Russia” and “Cancel flights to Russia”. Notably, Turkey is not directly involved in the conflict between Russia and Ukraine.

In response to these cyber attacks, the airports took action by blocking the HTTP requests that contained the word “Russia”. Afterwards, the hackers did not adapt their attack against this measure. Also, no hacktivist group claimed responsibility for it afterwards.

Background and Turkey’s stance on the conflict:

Turkey holds significant geopolitical significance in the context of the Russia-Ukraine conflict due to several key factors:

• Turkey controls the Bosporus and Dardanelles straits, which are vital maritime routes connecting the Black Sea to the Mediterranean. This control gives Turkey substantial influence over Russian naval access, especially for Russia’s Black Sea Fleet based in Sevastopol, Crimea.

• Despite being a NATO member, Turkey has pursued an independent foreign policy that often includes cooperation with Russia. This includes purchasing the Russian S-400 missile defense system, which caused friction with NATO allies. Turkey’s ability to maintain relationships with both Western countries and Russia places it in a unique position to influence or mediate in the conflict.

• Turkey has provided significant military support to Ukraine, most notably the Bayraktar TB2 drones, which have been effectively used by Ukrainian forces. This military assistance enhances Ukraine’s defense capabilities against Russian aggression.

• Turkey is a key transit country for Russian oil and gas pipelines to Europe, notably the TurkStream pipeline. This role in energy transit gives Turkey leverage in the region’s energy dynamics, especially relevant given the conflict’s impact on global energy markets.

• Turkey has offered to mediate between Russia and Ukraine and has hosted diplomatic talks. Its unique position as a country with good relations with both Russia and Ukraine enhances its potential as a mediator.

• Turkey has significant trade relations with both Russia and Ukraine, including in the agricultural and energy sectors. The conflict has implications for Turkey’s trade dynamics, especially concerning grain and energy imports.

• Turkey is a popular destination for Russian tourists, and the Russian market is important for Turkey’s tourism industry. Economic ties between Turkey and Russia, including Russian investments in Turkey, add another layer to their complex relationship.

In summary, Turkey’s geopolitical significance in the Russia-Ukraine conflict stems from its strategic geographic location, its role in regional energy dynamics, its military capabilities, and its unique position in balancing relations with NATO, Russia, and Ukraine. Turkey’s actions and policies can significantly influence the conflict’s dynamics and the broader regional security landscape.

Making sense of the DDoS incident

DDoS and other disruptive cyber attacks have increasingly become tools of “coercive diplomacy”. In the past, various state and non-state actors have utilised these cyber tactics as a means to exert pressure, influence policy decisions, or retaliate against actions deemed contrary to their interests in a less confrontational way. In light of these precedents, let’s assume that the attack on Turkish airports is also an attempt at using cyber capabilities for coercive diplomacy, and try to explore possible objectives behind it. Without clear attribution, Turkey may find it challenging to respond diplomatically. The uncertainty could lead to heightened tensions and suspicions, not just towards Ukraine but potentially towards other nations or independent cyber groups.

In this brainstorming scenario, analysts can employ frameworks such as STEMPLES or DIMEFIL, along with SATs like Outside-in thinking and 1–2–4, to envision various scenarios and gain a comprehensive understanding of the factors at play in any given situation. Subsequently, these scenarios can be organised into broader hypotheses, followed by the application of contrarian techniques to question each hypothesis. Analysis of Competing Hypotheses can then be utilised to pinpoint the most probable scenarios.

In our case, the majority of scenarios center around four possibilities, assuming that the hacktivist group is indeed acting in alignment with Ukraine’s interests (which may not be the case):

Hypothesis 2 appears less convincing because the attack was deliberately designed to have minimal disruptive effects. Similarly, Hypothesis 4 is not strong, as there was no immediate need for Ukraine to retaliate when the incident occurred. Additionally, the DDoS attack was not modified to sustain its disruptive impact, and the absence of any hacktivist group claiming responsibility further undermines Hypothesis 4.

This analysis primarily supports Hypotheses 1 and 3 as the most probable scenarios. Next, we will focus on translating these conclusions into forecasting models for enhancing cyber defense strategies.

Forecasting

We will now examine each scenario individually, assuming its validity, and attempt to identify the factors influencing decision-making in the context of cyber attacks for each case.

Disruption of Russia-Turkey Connectivity: Potential Impact on Other Nations

For this hypothesis, we assess that the targets should meet the following criteria:

• The country should be neutral or not actively supporting Ukraine in the conflict.

• The country should have significant economic ties with Russia, especially in commerce or tourism.

Countries that align with these criteria and may therefore be at risk in such attacks include:

• Egypt: A favoured destination for Russian tourists. Before the suspension of direct flights in 2015, Russian tourists represented about a third of all inbound tourists to Egypt. [*] Disrupting air travel could severely impact its tourism industry and harm economic ties with Russia.

• United Arab Emirates (UAE), particularly Dubai: As a global business hub with strong Russian connections [*], any disruption in air travel could affect not just Russian enterprises but also international businesses in the region.

Pressure on Neutrality: Potential Impact on Other Nations

For this hypothesis, we assess that the targets should meet the following criteria:

• The country should be neutral or not actively supporting Ukraine in the conflict.

• The country’s position should hold the potential to strategically affect the course of the conflict.

Countries that align with these criteria and may therefore be at risk in such attacks include:

Indications of Change: What actions in the future could trigger a similar disruptive cyber attack against Turkey?

While purely speculative, there are certain actions by Turkey that could hypothetically trigger a cyber-disruptive attack from either Russia or Ukraine, considering the complex dynamics of the Russia-Ukraine conflict. Here are some hypothetical scenarios:

It’s important to underline that these scenarios are speculative, formulated on the basis of historical patterns of cyber operations in international affairs. Nevertheless, devising these scenarios and monitoring substantial shifts in the geopolitical sphere can be immensely valuable for predictive defense. Armed with these insights, we can prepare for the most probable scenarios and their potential effects on our cyber security.

In a real-life application, it’s beneficial to have a behavioural model for each country’s cyber operations. This model would provide insights into the types of cyber operations a country might employ, the circumstances under which they would be used, and the potential targets. Such models can be developed by analysing historical data of cyber operations during times of war or diplomatic tension. This approach greatly aids in accurately predicting the type and targets of potential cyber attacks in a given scenario.

To track the unfolding of these scenarios, we could establish Google Alerts using keywords tailored to each specific scenario, thereby initiating our monitoring process.

Google Alert Keywords for “Military”:

• Scenario A: “Turkey UAV supply Ukraine”, “Bayraktar TB2 Ukraine”, “Turkey military support Ukraine”

• Scenario B: “Turkey military aid Ukraine”, “Turkey intelligence support Ukraine”

• Scenario C: “Turkey Bosporus straits NATO”, “Dardanelles straits military access”, “Turkey Black Sea NATO”

Google Alert Keywords for “Diplomatic”:

• Scenario A: “Turkey recognizes Russia annexed territories”, “Turkey opposes sanctions Russia”, “Turkey diplomatic shift Ukraine”

• Scenario B: “Turkey recognition political entities Russia”, “Turkey Russia diplomatic escalation”

Google Alert Keywords for “Economic”:

• Scenario A: “Turkey Ukraine grain export deal”, “Black Sea grain export disruption”, “Turkey Russia grain deal Ukraine”

• Scenario B: “Turkey economic sanctions Russia”, “Turkey energy sector sanctions”

Setting up alerts in languages other than English can be highly beneficial, as the volume of news related to a conflict often increases nearer to its source, leading to faster updates. For our purposes, adding Russian, Ukrainian, and Turkish keywords in the alerts, tailored to specific scenarios, would be good. Additionally, Twitter serves as a valuable resource for rapid updates, although it usually requires more effort to filter through irrelevant or less useful information.

Conclusion

As we’ve explored in this post, cyber operations have become integral to the strategies of nations and non-state actors alike, often blurring the lines in between. This case study highlights the importance of analysing geopolitical tensions and alignments to anticipate and mitigate the risks of changing security landscape.

In conclusion, by dissecting such incidents, we gain valuable insights into the tactics and motivations driving cyber conflicts. This understanding is vital for developing more effective security measures and strategies in response to the complex interplay of technology, politics, and international relations.

I hope you found this article useful.

See you in the next one!

When organizations assess threats relevant to them, they frequently try to pinpoint threat actors focusing on their industry and region. This method of limiting the research scope is typical. However, the question arises: are industry and region sufficient criteria for research scope? To comprehend this, a closer examination of intelligence requirements is necessary. We will explore this concept through a hypothetical example.

Disclaimer: The following example, designed to demonstrate intelligence planning, is purely fictional.

Located in Ukraine, TechNovelties is a firm that specializes in producing custom parts, catering to a wide range of clients in this area. It supplies a critical component for the UAVs of a Turkish defense industry client. Here is what is known about the relationship between these two companies:

• The company TechNovelties, based in Ukraine, is responsible for producing an essential part for the Armed Unmanned Aerial Vehicles (UAVs) that are made by the Turkish firm SkyDefend Innovations.

• A portion of these UAVs from SkyDefend is incorporated into the arsenal of the Turkish Armed Forces.

• Additionally, some of these UAVs are exported to Pakistan, where they are added to the Pakistani armed forces’ inventory.

• Pakistan aims to use these UAVs to counterbalance certain military threats posed by China.

Given this information, it is reasonable to assume that the Ukrainian firm TechNovelties would be a target of espionage efforts from numerous countries.

In the context of cyber defense planning, the immediate inclination might be to investigate cyber espionage groups that focus on European technology companies. Yet, if we reverse our perspective and ponder which nations could be intrigued by the information held by TechNovelties, we gain a different insight. This requires us to reflect on the medium and long-term foreign policy, economic, and military goals of these countries.

From this perspective, several possible scenarios emerge (note that this is not meant to be a comprehensive list):

• Given its hostile relations with Ukraine, Russia might be interested in TechNovelties, especially because it exports to defense industry companies, making it an attractive target for Russia.

• SkyDefend Innovations, a customer of TechNovelties, produces UAVs that are slated to be part of the Turkish Armed Forces’ (TSK) arsenal, presenting a potential threat to Turkey’s neighboring nations. The capability of these Turkish UAVs to shift the balance of power in the Aegean Sea is a known source of concern for Greece. In pursuit of insights into Turkey’s UAV production capabilities and the quantity of UAVs in the TSK’s arsenal, Greek intelligence might try to infiltrate TechNovelties to determine the annual volume of parts supplied to SkyDefend Innovations.

• The effective use of UAVs manufactured by SkyDefend Innovations by the Azerbaijani military in the recent Nagorno-Karabakh conflict is well-documented. Consequently, Armenian intelligence could be interested in acquiring the technical specifications of the components made by TechNovelties, aiming to devise electronic warfare strategies to counter the UAV capabilities of Azerbaijan.

• India, viewing the UAVs acquired by Pakistan as a potential threat, may consider infiltrating TechNovelties, paralleling Armenia’s approach.

• Targeting the Asian market, French companies are intent on selling their drones to Pakistan’s armed forces. To support this aim, French intelligence might attempt to penetrate TechNovelties to further leverage this entry point into SkyDefend Innovations’ systems, thereby uncovering the prices at which SkyDefend sells its UAVs to Pakistan.

• For several years, Taiwan has been aspiring to develop UAV production capabilities. As a result, any entity (along with their suppliers) involved in manufacturing this technology would naturally be of interest to Taiwanese intelligence.

It becomes evident that what is broadly termed ‘cyber espionage’ can actually serve a range of different intelligence requirements. In this example, which is far from being comprehensive, we identified espionage activities meeting roughly three specific intelligence needs:

1. In nations where UAV capabilities are posing a threat, there’s a need to determine the number of UAVs held by a rival country and to understand the technical characteristics of these UAV components (Military Intelligence).

2. In nations striving for dominance in the UAV market, there is a necessity to obtain the trade secrets and intellectual property of competing UAV manufacturers (Economic Intelligence).

3. In nations aspiring to develop UAV manufacturing abilities, there is a demand for detailed knowledge about this technology (Scientific & Technical Intelligence).

The type of threat landscape mentioned above is not actually something caused by the company itself, but rather a landscape arising from the customers to whom the company supplies its products. Therefore, every new customer, supplier, or market that a company enters introduces additional threats, influenced by the specific nature of its business activities.

Without a thorough understanding of intelligence planning and utilization of geopolitical analysis, relying exclusively on region and industry for your research will fall significantly short in pinpointing threats relevant to your organization. An effective threat model should determine whether anything an organization possesses concerns the political, economic, scientific, and military objectives of other countries, and it should also catalog the potential risks that arise from such alignments or conflicts.

I’ve formulated the following questions to assist organizations in creating this catalog as part of their risk assessment process. Please be aware that in the table below, “I” actually refers to the company.

Nation-state activities in cyber

Throughout their history, states have principally striven for three objectives in their conflicts: military superiority, diplomatic deterrence, and information dominance. The rise of the internet has expanded this struggle into the cyber realm, meanwhile significantly incorporating civilian elements in this conflict. Now civilian sectors can easily find themselves in the crosshairs of military objectives alongside the conventional military-defense targets. Therefore it is necessary to comprehend the dynamics of these inter-state struggle.

The nation-state use of cyber intrusions/attacks can be categorized into three broad types: espionage, denial, and coercion. This categorisation deliberately leaves out the use of cyber intrusions for propaganda or deception, as these activities are inherently covert and therefore extremely difficult to accurately pinpoint.

Cyber Espionage

As mentioned earlier, nation-states often engage in cyber espionage to meet a wide range of intelligence needs. Over time, intelligence gathering has branched into specialised sub-disciplines, each catering to the unique requirements of different fields. Your organization is likely to become a target for intelligence agencies if it concerns any of the domains illustrated below.

While many of these areas are quite specialised, three of them concerns a broad spectrum of organizations: political, military, and economic espionage. Hence, it is useful to examine one’s own activities through the lens of an intelligence agency, using a set of questions like the ones I have provided earlier.

Another key aspect is differentiating between strategic collection and tactical collection efforts. It’s widely known that intelligence collection is guided by specific needs, named as Intelligence Requirements. This principle stems from the traditional discipline of intelligence, so it’s reasonable to believe that intelligence agencies function in a similar manner. Some of these requirements aim to address immediate, short-term gaps, while others are meant to aid long-term policy goals. As a result, the focus and methods of intelligence collection can shift based on these differing needs.

1. If a target can provide information valuable for long-term goals, or can provide information the agency is in constant need, or can satisfy multiple intelligence requirements simultaneously, then it is likely to be a focus of strategic collection efforts. Such targets will likely face persistent intrusion attempts unless an alternative information source is found by the intelligence agency.

2. Conversely, if the intelligence need is immediate, (e.g: during diplomatic crises, internal security investigations, or active conflicts) or if the information is of a tactical nature, then the target is likely to be a focus of tactical collection efforts. Depending on the urgency and criticality of the information needed, advanced event-based capabilities[*] like zero-day exploits might be used. This is less common in strategic collection, as the need for information is long-term and can often be met from multiple sources.

Mapping it all together

Creating a map of your organization’s geopolitical cyber risks is challenging but extremely rewarding. It enables security leadership to better comprehend how certain business decisions might expose your organization to different cyber risks, allowing them to proactively prepare. Let’s now construct a map using the fictional example provided at the start of this post. It would look like something like this:

I trust you found this post helpful. It was focused on the espionage aspect of cyber intrusions. In the next post, I’ll delve into their military and diplomatic applications, further aiding our geopolitical risk assessments. See you in the next one!

Hi everyone,

In this article, we will examine how to do forecasts on financially motivated cyber crime with examples. If you haven’t read my previous article on this topic yet, I recommend reading it: Trend Forecasting - How to spot the next big thing in cyber crime?

Before delving into the methodology, let’s examine the basic dynamics of the cyber crime economy.

Understanding the profit dynamics

The methods through which criminals can profit can be classified into four main groups.

• Selling of commodities: Criminals may attempt to sell acquired goods such as customer databases, premium accounts, coupon codes, credit cards, bank accounts, or sensitive documents. This provides a quick way for attackers to make money with less risk, especially when there is high demand for the goods.

• Exploitation of computing resources: Sometimes, criminals can leverage the processing power of compromised systems. This can generate a reasonable income with a sufficiently large botnet. Examples include clicking on ads, generating fake video views/app downloads, creating website traffic, boosting social media followers, and the most notable, cryptocurrency mining.

• Extortion: Criminals may attempt to extort companies by launching DDoS attacks, encrypting files with ransomware, or threatening to release sensitive data that could lead to reputational damage, regulatory fines, and more.

• Providing services (tertiary sector): While a campaign itself may appear technically simple and straightforward, the process from preparation to cashing out can be lengthy and complex. Recognising this, some criminals offer services that facilitate various aspects of cyberattacks to other hackers. This is the most diverse market, with examples including advertising, malvertising, affiliate services, credit card checkers, cash-out and shipping services, cryptocurrency laundering, bulletproof hosting, encryptors, hash crackers, ready-to-use toolkits, DDoS-as-a-service, initial access brokers, and 2FA bypass services.

Changes in Market Conditions

Within the context of the profit-making methods we have listed above, consumer demand plays a pivotal role, and when demand can be met by at least one provider, it gives rise to a market. The driving force behind all markets is demand, and thus, meaningful changes in supply cannot be expected without significant changes in demand. Therefore, it is crucial to monitor changes in supply & demand and understand the factors influencing these changes. The factors we will list shortly are interrelated, and a change in one often triggers changes in several others.

Possible causes of change in supply & demand

Changes in consumer habits: Consumer habits sometimes change independently of the cybercrime ecosystem and can positively or negatively impact demand for a product. Particularly in markets targeting end-users, such as premium accounts and coupon codes, consumer habits directly influence the market’s size. For instance, the COVID-19 pandemic worldwide shifted consumers towards digital products and services independently of the cybercrime ecosystem. As a natural consequence, demand for products like premium accounts and coupon codes increased, triggering market growth. A future example could be, in case demand for NFTs continues to rise and NFT trading becomes a part of our daily lives, we can expect the emergence of a market for NFT art theft.

Changes in the value of commodities: The value of a commodity can increase or decrease independently of the cybercrime ecosystem, and this has ramifications in the cybercrime economy. A striking example is the significant increase in the value of cryptocurrencies when they entered our daily lives, leading to the emergence of cryptocurrency-related attacks such as cryptominer botnets and cryptojacking. If the value of cryptocurrencies were to drop to a level where these attacks are no longer financially viable, we might no longer see such attacks. Significant increases in commodity values often lead to an increase in supply as more individuals seek to profit from the higher profit margins they offer.

Expanding Target Range: The internet comprises a vast array of technological platforms, each of which presents potential opportunities for criminals. In their pursuit of increased profits, criminals expand their target base as far as their capabilities allow, often jumping onto different platforms. For example, the shift of various end-user applications, especially banking, to mobile platforms has naturally led attackers to target mobile platforms. This has been evident in the shift from traditional credit card fraud methods to mobile banking malware. The targeting of IoT devices by botnets and the extension of cryptominer attacks to cloud platforms are other examples. The desire of criminals to broaden their target range creates a natural demand for products and services in this direction. As the target range expands, the number of products entering the market, meaning the supply, increases.

Proliferation of capabilities: Some attack methods are not executable by everyone due to the technical knowledge they require. In case a way can be developed to decouple a technique’s execution from its user, it results in the proliferation of attack capabilities, making what was previously a complex attack chain accessible to a wider audience. This decoupling sometimes occurs through the development of automated tools. Examples include exploit kits, phishing kits, botnet panels, etc. Sometimes, multi-step or technically complex attack types are offered to consumers as “managed services”. Ransomware-as-a-service, scanning-as-a-service, malware distribution services, stresser services, and the like fall into this category. This scenario increases the number of players in a market, thereby increasing supply, but an excessive proliferation of capabilities can lead to market saturation.

Legal and technical measures: The increase in legal and technical measures against a particular type of cybercrime can both hinder its execution and reduce its profitability. For example, legal regulations developed against credit card fraud made banks responsible for customer protection and liable for compensating customers for losses due to fraud. Consequently, banks developed new technical measures against credit card fraud, making it more difficult to convert stolen credit card funds into cash. As a result, these technical measures made the task more costly and challenging for attackers. Such changes typically affect supply rather than demand since they increase the cost of executing the attack.

Law enforcement pressure: At times, law enforcement agencies focus on specific types of crimes and prioritise capturing the individuals involved. This naturally creates pressure on those committing the targeted crimes. The aim here is to make the targeted crime riskier, thereby deterring criminals. Over time, law enforcement priorities can change, leading to varying degrees of pressure on different markets. Sometimes, law enforcement operations can shut down significant avenues of trade or disable a few major suppliers in a market, resulting in a temporary decrease in supply.

How does the market respond to changing market conditions?

Past experiences show that as a result of changing market conditions, there can be three types of outcomes: innovation, migration, consolidation and expansion.

Innovation

At times, while the demand for a product or service does not decrease, the market can shrink due to any pressure on supply. For example, supply might temporarily decrease because a technical measure makes an attack more difficult. In such cases, criminals first try to overcome whatever is causing the pressure on supply. Sometimes, criminals develop a new method to bypass existing technical measures, which is called technical innovation. At other times, criminals change the ways to make money from the same product, and this is referred to as market innovation. Features like the “pre-order” option introduced in some markets where Infostealer logs are sold, or dark web forums starting to sell forum messages through a paid API, are examples of market innovation.

Migration

If the demand for a product or service significantly decreases or disappears, we usually observe the actors serving in that market migrating to more profitable markets. In rarer cases, these actors can create new markets by developing a market innovation.

Consolidation

When the cost of an attack significantly increases or the attack becomes too risky, we see that the market consolidates in the hands of the major players. For example, as it became harder to convert stolen credit card information into cash, it necessitated the development of new methods. Following this, we observed that the credit card market consolidated into the hands of a minority group familiar with these new methods. This minority group, knowledgeable in cashing out the stolen credit cards, started to buy credit card data in bulk. This demand encouraged those who stole credit card data to sell their data in bulk to these actors instead of trying to cash them out on their own. As a result, the market consolidated.

Expansion

Changes causing an expanding target range and proliferation of capabilities can increase the profit margin of that type of attack. This situation leads to more actors entering the market, resulting in the market’s expansion.

How to do forecasting step-by-step

Step 1: Choose a market and conduct basic market research

Based on the types of threats relevant to your organization, identify markets of interest. Then, using the parameters mentioned above, conduct research to gain insights into the current state of the market. The following questions, which I’ve listed for basic market research, might help guide your inquiry.

Intelligence Requirements for Basic Market Research:

• How many successful trades have been conducted within a certain time frame, if applicable?

• What’s the estimated trade volume within a certain time frame, if applicable?

• Who are the regular suppliers, if relevant?

• Who are the primary buyers, if relevant?

• What is the nature of the relationship between these individuals, showcased in a relationship matrix?

As an example, let’s take a look at the market for selling premium accounts/coupon codes, which is closely related to credential stuffing attacks. The research doesn’t necessarily need to provide completely accurate results, especially regarding market volume and the number of transactions. What’s essential is to have insights into market distribution, operational methods, and the relationships among the actors.

Premium Account/Coupon Code Market Research

Step 2: Assess Possible Changes in Defined Conditions

List the market drivers we outlined in the earlier sections of the article for your target market. Then, considering the current situation, speculate on potential changes in any of these parameters.

Potential Changes in Premium Account/Coupon Code Market Conditions

Step 3: Brainstorm Scenarios for Potential Outcomes

In this third step, we’ll use a method called the ‘cone of plausibility’ to brainstorm how the market might respond to the changes we listed in the previous section. While brainstorming, we’ll also consider the patterns of innovation, consolidation, expansion, and migration that we discussed in earlier sections.

Scenarios in response to changing market conditions:

• Criminals will find a way to circumvent the CIAM and bot protections, and continue their attacks as usual. (innovation)

• The profit margin for attacks substantially increases due to decreased infostealer log prices, leading to more players entering the market. (expansion)

• With their source of income diminishing due to decreased customer demand, criminals migrate to other markets, such as initial access brokerage, where they can repurpose their skills. (migration)

• Due to the increasing difficulty of exploitation, the market will consolidate around a few players with high capabilities. (consolidation)

• Criminals will abandon the credential stuffing technique and shift their focus to exploiting application vulnerabilities for account takeover. (innovation)

Step 4: Determine Early Indicators to Monitor Scenario Emergence

In this final step, for every scenario we anticipate, we will hypothesise how we might observe its emergence and create a list of early signs to monitor. Our assumption is that changes observed in these indicators will reflect the transformations we expect in the market. For instance, in the case study we examined, we could use the indicators listed below as early signs.

However, it’s essential to note that these signs may not always support the assumed hypothesis. Therefore, testing these assumptions analytically and trying to validate or refute them using available data, wherever possible, is crucial.

For instance, in the chart below, coupon sales and initial access sales are compared. Observations indicate a trend that began in 2023 and reversed in April. However, this shift in trend does not necessarily imply that those involved in credential stuffing have migrated to the initial access market. After observing such a trend change, a more in-depth investigation should be conducted to determine whether the two events are genuinely related.

If it turns out that the two events are unrelated, then our assumption is incorrect, and this event can no longer be used as an indicator.

Ok.. so what? — Assess and prepare for impacts on your security strategy

Changes in cybercrime markets, as mentioned, could lead to outcomes such as certain types of attacks becoming more or less frequent in the future or the sophistication level of the techniques used in the attacks increasing. Incorporating these kinds of forecasts into defense planning can better position organizations against potential future threats. Companies can leverage these predictions to prioritize their security investments. Or, they can establish prerequisites to respond more effectively to anticipated threats (e.g., enhancing inter-departmental collaboration, developing incident response plans, conducting drills, etc.). Moreover, forecasting how the market might evolve can facilitate refining intelligence gathering objectives and pre-positioning them. By doing so, we can transition from a security approach that merely responds to the present to one that anticipates and positions itself for the future.

I hope you’ve enjoyed reading. Until next time!

In this blog post, we will discuss how to forecast the evolution of cyber crime landscape. We’ll first examine the underlying drivers of market, and discuss two powerful techniques for envisioning future scenarios. By understanding the forces at play and applying analytical methodologies, analysts can gain valuable insights into the market’s potential evolution.

Drivers for demand

There are four very common ways a cyber criminal can make money:

1. Extortion: Criminals can try to extort money from companies by launching DDoS attacks, encrypting their files with ransomware, or threatening to release sensitive data that will lead to loss of reputation, regulatory fines etc. for the company.

2. Selling of commodities: Criminals may try to sell the goods that they obtained such as customer databases, premium accounts, coupon codes, credit cards, bank accounts or sensitive documents. It is a quick way for attackers to make money with less risk if the commodity has a high demand.

3. Providing services to facilitate others: While a campaign itself may seem technically simple and straightforward, the process from preparing the attack to cashing out can be long and grueling. Knowing this, criminals can offer services to other hackers that will facilitate some part of their campaigns. This is the most diverse market in the true sense. Some examples; advertising, malvertising, affiliate services, cc checkers, cash out and drop shipping services, crypto laundering, bullet proof hosting, crypters, hash crackers, ready-to-use toolkits, ddos as a service, initial access brokers, 2fa bypass… and the list goes on and on :D

4. Utilization of computing resources: Criminals can sometimes utilize the processing power of the systems they have compromised. This can create a decent amount of income with a botnet large enough. Clicking on ads, inauthentic video views/app downloads, generating website traffic, increasing social media followers, and most famously crypto mining are some of the examples.

Once we understand the ways criminals make money, we need to focus on the underlying causes. Without demand, there is no supply. What is produced must be consumed. Let’s take a look at the types of consumers that underlie these markets, which are the true drivers of the demand.

Customers not willing to pay for products or services

It is well known that there are people who want to use products and services without paying for them. The more popular a product is, the more people want to use it for free. This creates a demand that will lead to the natural formation of a market. Think of the Netflix accounts, Amazon coupons, Steam gift codes, premium VPNs etc. that are being sold on the underground markets. Some markets even offer paying your bills with a stolen credit card for a low fee (e.g: 10% of the bill amount). This is by far the largest market in terms of quantity.

Companies engaging in illicit marketing practices

When you think of stolen customer data, first thing that comes to your mind might be identity theft. But the biggest consumers of such data are actually other companies that want to market their own products (and by extension, marketing firms). Instead of curating their own leads, they will take the shortcut and illegally purchase customer data of a company similar to them.

Criminals looking to facilitate their operations

As mentioned before, criminals may need help at some stages in the end-to-end execution of a campaign. They can purchase certain services to scale their campaigns more effectively. This creates a tertiary sector where cybercrime-related services abound. These services are often designed to supplement cybercriminals’ lack of expertise in certain areas.

Companies not willing to take responsibility for a breach

For companies, disclosing a breach is a financial decision as well as a technical one. Damaged reputation, loss of customers, drop in share prices, and regulatory penalties are some of the direct financial losses that may occur. Certain investments and preparations can significantly reduce this risk. Nevertheless, some companies that don’t take these steps may want to avoid the consequences when caught off guard.

How trends emerge?

Based on my observations, there are four ways in which a trend can emerge.

Market innovation

This is the market’s way of solving a bottleneck by developing new products or services. It can result in a new market or enhancement of an existing one. For example, the market has responded to law enforcement pressure on ransomware by developing the Ransomware-as-a-Service. Another example is the emergence of initial access brokerage and infostealer markets to assist others in scaling their campaigns.

As an analyst, watch out for developments that shrink a market significantly. Soon you can expect a market innovation to happen there. Because people(criminals) are less likely to give up on the ways they are used to for making money. Instead, they will seek ways to overcome the obstacles. If the pressure on a market is too much, sometimes you will find that the market begins to consolidate in the hands of the big players. This is simply what has happened to the stolen credit card market over the past few years.

Technological advancement

Whenever there is a technological breakthrough, attackers will look for ways to exploit it. For example, the introduction of bitcoin into our daily lives has given birth to cryptominer botnets and ransomware. Similarly, the increasing role of smartphones in our daily lives has led criminals to start targeting these platforms as well.

As an analyst, when you become aware of a new mainstream technology, adopt an adversarial mindset to identify the opportunities with it.

Changes in demand

Sometimes events occur that lead to a change in consumer behavior. Often the market follows this change in demand. For example, the demand for online products and services spiked during the Covid. This was due to people spending significantly more time at their homes. Cybercrime markets have followed suit, with an increase in credential stuffing attacks.

As an analyst, we have to keep an eye on the consumer habits, as they may have an influence in the cyber world as well.

Cross transference

Trends usually start in a single market and then spread to the others. For example, mobile malware was already used in the US market before it became a trend in the Turkish market. If you have visibility into cybercrime ecosystems around the world, you can keep a close eye on the trends you observe in one of them.

Thinking of possible futures

Having grasped the dynamics of market forces, I would like to discuss two techniques for envisioning future scenarios. Essentially, our objective is to make predictions about how the market may develop given specific factors.

1. User journey mapping to identify new market opportunities

User journey is a term borrowed from the field of UX research. It means a path a user may take to reach their goal when using a particular website. Once a user journey has been mapped, insights are gained for pain points and opportunities. These insights are then used to design the feature that will enable the user to achieve their goals more easily.

In our case, users are cybercriminals and the journey is the path they follow to achieve their goal of making money. To begin, select a user persona and try to list all the steps and methods they employ. Next, consider their potential pain points, as each one can reveal opportunities for a new market. By adopting this entrepreneurial approach, you can identify potential services that may emerge in the future.

2. Cone of plausibility to forecast impact of events

Before diving into the topic, I highly recommend you to read the following blog posts. They make great explanations of the concept with practical examples.

• Applying Cone of Plausibility to CTI

• Cone of Plausibility: Forecasting Ransomware Scenarios in 2022

Now quoting from the first article:

Cone of Plausibility is a structured analytic technique that can be used by intelligence analysts to generate possible threat actor scenarios based on known drivers and events.

By gaining a thorough understanding of the market drivers, it becomes easier to anticipate the impact that any change could have on that particular market. Here is an example that explores the consequences of legal and technical measures implemented to combat credit card theft within this market.

As you can see, the listed scenarios demonstrate realistic possibilities for the future trajectory of the market. As an analyst, we can try to observe the early signs of each scenario.

Cultivating the indicators

After engaging in extensive brainstorming regarding market opportunities and potential future scenarios, it is essential to consider the early signs that can be observed if a scenario were to materialize. After a scenario has been laid out clearly and concisely the early signs become apparent. When choosing our early indicators it is important to ensure that they are feasible to observe. There should also be distinctive indicators for different scenarios so that we can differentiate them.

Once we have identified the early signs, it is time to observe them and wait for our predictions to come true.

I hope you found this blog post useful.

See you in the next one!

Today I will share my thoughts on one of our industry’s favourite terms: Advanced Persistent Threats.

In the infosec circles, APT has been a buzzword for quite some time, usually pointing to cyber intrusions backed by nation-states. But in my opinion, this term is far from useful. For instance, what does “Advanced” mean exactly? We see lots of reports labelling attacks as “advanced” or “sophisticated” without really defining what that entails. The truth is, many of these so-called APT intrusions aren’t all that advanced. They’re often just good at adapting their tactics and being OPSEC aware.

Let’s take a look at the decision chart provided below, which presents the most detailed criteria for identifying APTs I have seen to date.

Note that many of the questions in the chart require assessments rather than straightforward facts to be answered. For example:

• Is the Group Nation-State Sponsored?

• Does the Group Engage in Long-Term Intelligence Gathering?

• Does the Group Exhibit a High Degree of Organisational Sophistication?

This complexity in classifying something as an ‘APT’ tends to make the process unnecessarily complex, without offering much add-value for those defending against these threats.

This blogpost will propose a more accurate way to talk about adversaries, which I call ADAPT. It stands for Advanced, Adaptive, Persistent, and Targeted. Let’s break it down.

1. Advanced

In our field, it is a tendency to slap the label “advanced” on nearly every cyber threat. But if everything is advanced, then really, nothing is. “Advanced” here should mean something specific: those really high-end, costly capabilities that only a few adversaries can get their hands on. We’re talking about less than 1% of all cyber attacks. Examples include:

• Commercial Spyware (e.g: Pegasus)

• Zero-day exploits

• ICS-tailored Malware

• Deep packet inspection and similar ISP-level attacks

So one may look at the capabilities employed in an intrusion set, and if either of the above capabilities are present, then we can speak about an Advanced adversary.

2. Adaptive

This trait reflects an adversary’s willingness to modify tactics in response to environmental changes. Adaptiveness often correlates with high-precision targeting. In targeted campaigns, adversaries typically engage in target-specific information gathering and tailor their tactics accordingly. Conversely, opportunistic campaigns tend to use a similar set of tools across numerous targets simultaneously. Adaptiveness is a spectrum rather than a binary value, and it can vary across different phases of an intrusion.

3. Persistent

Persistence is the adversary’s dedication to continue their attacks until achieving their objective. While sometimes related to adaptiveness or high-precision targeting, persistence can manifest independently as well. For example, the Leery Turtle[*] campaigns during the period of 2017–2020 exhibited high persistence but little tactical variation over time. Thus, it’s more useful to assess this trait separately, on a spectrum.

4. Targeted

As implied, this property indicates the specificity of targeted individuals or entities during an intrusion. According to ProofPoint, over 95% of APT campaigns target no more than five customers at a time. Despite challenges in assessment due to collection gaps, understanding the targeted nature of an attack can be insightful. This property should also be viewed as a spectrum, from low-precision to high-precision.

Mapping ADAPT to Defense Strategies

The ADAPT framework is very useful for cyber defense planning.

Using ADAPT with Adversary Persona Cards

We can integrate ADAPT properties into Adversary Persona Cards and assign ratings to each attribute to calculate an overall ADAPT Score. This allows ADAPT to be used as an additional factor in prioritising different types of adversaries, with a higher ADAPT Score signifying a more difficult adversary to defend against.

Strategising for High-End ADAPT Properties

ADAPT also allows tailored strategies for mitigating threats at the higher end of each property. Defense planners can ask the following questions to initiate a brainstorming:

• How can we defend ourselves against an adversary with advanced (0-day, DPI etc.) capabilities?

• How can we defend ourselves against an adversary who is highly adaptive to our environment?

• How can we defend ourselves against an adversary who is very persistent?

• How can we defend ourselves against an adversary who is very selective in its targets?

Assigning ADAPT to Threat Actor Profiles

Lastly, similar to the first approach, ADAPT can also be applied to threat actor profiles. It’s very straightforward to assign ADAPT values by examining the facts related to an intrusion set.

Let’s take the following example of HAFNIUM:

• ADVANCED: YES (4 pts) — MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits.

• ADAPTIVE: HIGH (4 pts) — Usage of 0days, targeted nature of the attacks, target-specific information gathering (T1592.004, T1589.002, T1590), and internal discovery (T1057, T1018, T1016, T1033)

• PERSISTENT: HIGH (4 pts) — Threat group is known to be operating since at least 2021 with a perceived objective of intelligence collection.

• TARGETED: MEDIUM-HIGH (3 pts) — HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

HAFNIUM’s ADAPT Score: 15 / 16

Another example of Leery Turtle:

• ADVANCED: NO (0 pts) — No observed usage of advanced capabilities.

• ADAPTIVE: MEDIUM (2 pts) — Change of tactics in response to public CTI reports.

• PERSISTENT: HIGH (4 pts) — Campaigns have been ongoing from at least 2017 up to the 2023.

• TARGETED: MEDIUM-HIGH (3 pts) — Cryptocurrency exchanges are targeted worldwide.

Leery Turtle’s ADAPT Score: 9 / 16

Conclusion

Using ADAPT gives us a clearer picture of cyber adversary behaviour. Understanding these four aspects — Advanced, Adaptive, Persistent, and Targeted — helps us better gauge the strength and strategies of our cyber defences. Ultimately, ADAPT is intended to provide a framework to guide cybersecurity efforts in a more targeted and effective manner.

I hope you found this article useful. See you in the next one!

In the previous posts, we’ve delved into the use of predictive analysis methods for anticipating cyber threats, focusing on the development of early warning systems and techniques for forecasting changes in threat landscape. I recently had the opportunity to speak on this very topic during the SANS Threat Analysis Rundown webcast, hosted by Katie Nickels. For those who haven’t yet seen it, I highly recommend watching the webcast here:

One critical aspect to understand about predictive analysis is that its outputs are inherently estimative, not definitive. In simpler terms, this method provides us with probabilistic outcomes, such as predicting a 60% likelihood of a spear-phishing attack within the next three weeks. This probabilistic nature can be challenging, especially for cyber defenders who are traditionally more accustomed to working with concrete facts, like Indicators of Compromise.

The question then arises: how do we effectively act on these probabilistic predictions from early warning systems? To address this, I’ll introduce what I’ve termed the “Proactive Countermeasures Framework” in this post. This framework is designed to complement Early Warning Systems, translating warnings into actionable steps by integrating pre-emptive and temporary security measures.

The Proactive Countermeasure Framework (PCF): An Overview

The PCF is structured around two types of security actions: Pre-emptive Measures (PMs) and Temporary Measures (TMs). PMs are safety-oriented actions taken regularly to mitigate risks proactively. Unlike static defenses, they are dynamic and adapt to evolving circumstances, but their deployment is considered safe and routine for the organization. TMs, on the other hand, are dynamic, implemented in response to heightened threat levels indicated by the early warning and forecasting systems.

Pre-emptive Measures (PMs)

PMs are essential to the PCF, tailored to respond to the patterns revealed through security analytics. For instance, analytics may indicate a cyclical compromise of employee credentials. Here’s how PMs would proactively address this:

Example of PM Implementation:

Let’s assume that we have detected a pattern of credential compromise every six weeks. Before the anticipated time of compromise we could take the following actions:

• User Risk Profiling: Every six weeks, security teams generate a list of high-risk user accounts by analysing login behaviours, such as date/time, location, failed attempts etc.

• Forced Password Reset: For the identified users, the system enforces a password reset. This measure, while dynamic, is safe as it’s limited to users assessed as high-risk based on objective telemetry, minimising operational disruption.

This dynamic approach to PMs ensures routine security actions remain both effective and unobtrusive.

Temporary Measures (TMs)

TMs are stricter controls temporarily applied in response to elevated threat levels. These are not meant to be permanent due to potential disruptions or resource intensity. They’re designed for short-term use to counter imminent threats and are usually lifted once the threat passes.

Example of TM Activation:

Upon receiving an early warning of an imminent spear phishing campaign targeting the finance department we could take the following actions:

• Access Control Tightening: Access to critical applications is immediately restricted to essential personnel only.

• Enhanced Authentication: Multi-factor authentication requirements are intensified for those with access to sensitive data.

• Monitoring Upscale: Email traffic is scrutinised with advanced filtering techniques to intercept phishing attempts.

Executing the Proactive Countermeasure Framework

Having introduced the concept let’s now explore its practical implementation. The implementation of PCF is achieved through a Proactive Countermeasure Plan (PCP), which is essentially a repertoire of pre-emptive and temporary measures tailored to correspond with different levels of confidence in our predictive analyses.

Creating a Proactive Countermeasure Plan (PCP) means setting up a careful plan that aligns with the varying degrees of confidence associated with potential threat scenarios. Here’s how to develop an effective PCP:

Define Threat Levels Based on Confidence:

• Establish clear threat levels that correspond to different confidence thresholds in your predictive analysis.

• These thresholds will serve as triggers for executing specific countermeasures. For instance, a low confidence threshold might initiate basic PMs, while a higher threshold could trigger more intensive TMs.

List Pre-emptive and Temporary Measures for Each Level:

• For each defined threat level, enumerate the specific PMs and TMs that will be implemented.

• This list should detail what actions are to be taken and under what circumstances, ensuring a tailored response that’s proportional to the assessed threat level.

Take a look at the more detailed example below. This PCP is specifically designed to respond to early warnings regarding imminent spear phishing attacks. Pay attention to how different threat levels are defined and the specific actions associated with each of these levels becoming increasingly stringent.

To implement the PCP effectively consider the following:

• Use predictive analytics to inform when PMs should be updated or when TMs should be activated.

• Establish protocols that clearly outline when and how TMs are to be deployed in response to threats.

• Ensure staff are well-versed in PM and TM protocols through regular training and simulated exercises.

• After any PM or TM activation, conduct debriefs to refine tactics, addressing any inefficiencies or oversights.

• Keep all relevant parties informed about current security postures and any changes to routines or access.

Conclusion

The Proactive Countermeasure Framework provides organizations with a methodology to proactively counteract potential cyber threats. By combining PMs and TMs, security teams can maintain responsive defense posture, adjusting swiftly to the threat landscape’s ebb and flow. As cyber threats continue to grow in complexity, such an adaptable, predictive approach to cybersecurity is not just recommended but required to protect our organisations effectively.

I hope you enjoyed this post! Feel free to reach out to let me know your thoughts.

See you in the next one.

Introduction

Predictive approach aims to organise cyber defense based on scenarios with probability to materialize in the future, unlike the traditional approach that relies on what has already happened. It utilizes predictive analysis methods and a red team perspective.

As a result of these efforts, two types of predictions are obtained: forecasts (long-term) and early warnings (short-term). Forecasts provide information about conditions that may occur in the long term (1+ year) and assist in shaping security strategy. Early warnings, on the other hand, provide us with information about impending attacks (ranging from a few weeks to one month in advance) and enable us to initiate preparatory activities early.

In this article, we will focus on the second type of prediction, which is early warning.

Research Methods for Early Warning System

In previous articles, we discussed that there are various approaches that can be used to create an early warning system. However, we can categorise all of these approaches into two groups:

1. Profile-driven research methods

2. Correlation-guided research methods

Profile-driven Research

The actor-centric method can be primarily defined as tracking the digital footprints of actors of interest. This can involve monitoring the patterned behaviours of actors in attack preparation or observing their activities on forums or similar platforms. This method requires an analyst to closely follow an actor or a series of cyber campaigns. While it demands more resources, it produces more reliable and actionable signals. This method is particularly useful when dealing with persistent actors targeting your organization.

Here is an example:

Leery Turtle — Tracking the Actor’s Attack Preparation Stages

When these attacks were investigated, some characteristics were discovered in the C2 servers used in the attack. The following signs were defined for the observed characteristics.

• Purchase of a new domain with the same pattern as Leery Turtle, containing at least two of the words google, drive, cloud, share, upload. (Sign 1: potential Leery Turtle domain)

• Having ports 80 and 8080 open at the same time on the server directed by the domain name. (Sign 2: potential Leery Turtle host)

• A domain/server was tagged as “Leery Turtle” when both of the conditions we defined met simultaneously.

Full report: Leery Turtle Threat Report

Correlation-guided Research

The second method is based on investigating correlations among various internal and external signals. If these correlations can be found, they can be used as probabilistic indicators of a cyber attack. This method can be implemented with lower costs but produces signals with lower reliability and are not generalisable.

Now, let’s take a brief look at an example of this correlation-based approach, which I discussed in the article “Early Warning Intelligence — How to predict cyber attacks?”

Collecting data

Disclaimer: The example I will discuss below is fictional and does not reflect the data of any real organization.

In the first step, data was collected from various internal and external sources related to various events and visualised on a time series. These events were randomly selected, and in the next step, it will be examined to see whether there is a correlation among them. The events that were selected was:

1. Darkweb mentions (source: intel vendor)

2. Exposed credential through infostealer (source: intel vendor)

3. Phishing/spam emails (source: user reports)

4. Coupon code sales (source: intel vendor)

5. DDoS attacks (source: WAF)

6. Web exploitation attempts (source: WAF)

7. Azure risky sign-ins (source: Azure)

Investigating for correlations

The second step was to filter out data sets with low variation among them. For example, an event that occurs almost every day renders any correlation with itself meaningless. Afterward, the binary combinations of these events were compared using the correlation function. This process was repeated by shifting one of the compared data sets forward in time. In other words, we’re attempting to find an answer to the question, ‘Is there a correlation between the event A from one week ago and the event B today?’

Then, something interesting surfaced. When the data was shifted by two weeks, a moderate inverse correlation between Infostealer and DDoS events was observed. What this data was telling us is that some of the DDoS attacks were happening in the midst of two Infostealer-related credential leakage events. Despite not giving a strong signal, lets investigate this intriguing occurrence further.

Going down the rabbit hole

Between the seemingly unrelated events of Infostealer infection and DDoS attack, two things needed to be investigated to uncover the connection:

1. What information was present in the Infostealer logs where credential leaks were detected, and what was the content of other logs published around the same time?

2. What were the scale, type, and impact of the DDoS attacks?

Upon examining the first case, everything seemed to be normal. The logs we identified were typical Infostealer logs containing passwords, some belonging to the customers and others to the employees. Actions had been taken for all the leaks, and there were no signs of exploitation for the leaked accounts.

However, upon a closer look to the DDoS incidents, something interesting came up. Some of the events classified as DDoS attacks were actually credential stuffing attacks! The attack’s execution involved making repeated requests to the system, and the WAF was categorising them as DDoS attacks. That’s when it hit me.

Constructing the hypothesis

Using threat intelligence sources, I conducted research on credential stuffing attacks. I learned that attackers commonly create custom username/password lists tailored to the platforms they target, using various sources, including data breaches and Infostealer logs. These public sources were easy pickings for the attackers!

The correlation we observed here was likely related to this. Attackers were using publicly shared Infostealer logs to generate new combolists and launching attacks a few days later. With this newfound information, I was able to formulate the following hypothesis:

If accounts belonging to our organization or our customers have been leaked in publicly shared Infostealer logs (and data breaches), there is a 40% probability that a DDoS/credential stuffing attack will occur within two weeks.

Building the Early Warning System

At this point, the system we are going to establish is very straightforward:

1. Identify and monitor sources where Infostealer logs and data breaches are publicly shared.

2. Detect compromised accounts belonging to our organization and customers.

3. Generate alerts if the number of these compromised accounts exceeds a certain threshold.

This series of actions, which can be easily automated, will essentially become our early warning system!

Ok.. so what?

This system, being based on correlation rather than intelligence, cannot produce alerts with absolute certainty. You may rightfully ask, ‘What can I do with information about an attack that may never happen?’ This situation actually highlights how static our current defense approach is. A defense structure that only acts on facts and consistently produces the same type of actions will never go beyond being reactive. That’s why I believe we need to shift our perspectives about cyber defense. While facts are undoubtedly important, we should also incorporate predictions into our defense planning. With more flexible and creative action plans, we can fully harness the benefits of predictions and truly achieve proactive defense.

At this point, I want to introduce a concept that I call temporary countermeasures. These are security controls that we cannot permanently implement for various reasons but could be temporarily useful in situations where the threat level is elevated.

Let’s take an example of an alert generated by the system we designed above. You are expecting a credential stuffing attack with a 40% probability within the next two weeks. In this case, temporarily implementing the following controls can help reduce its impact when the credential stuffing attack occurs.

1. Adjusting rate limits, bot scores etc. to be more restrictive

2. Configure k8s pods to use increased resources

3. Disable certain features temporarily to mitigate impact

If you noticed, these controls are not feasible to implement permanently, mainly due to their cost or the friction they might create for users. However, in high-risk and high-threat environments, the cost of temporarily implementing these controls can become tolerable. A striking example of this is a cryptocurrency exchange that, during an attack, temporarily subjects normally automated withdrawal processes to manual verification, preventing the theft of customer funds.

I hope you enjoyed my post. See you in the next one!

When you read any CTI report, you will often find that it answers more or less the same questions. How did the attacker get into the system? What were the steps following the initial compromise? And what is the impact?

But is it possible to predict a cyberattack? The methods used for that today are based on several assumptions. To explain simply; We assume that a threat actor will repeat the same post-compromise behaviour we observed. But in my opinion, we are focusing on the wrong part of the “kill chain”.

In this article, instead of focusing on post-exploit indicators, we will look at how to construct an early warning system by observing the preparation stages.

What is an Early Warning?

Let’s start by defining what we should expect from an “early warning”.

• Time period in which the attack is expected to occur

• Type of the attack (e.g: malspam, phishing, exploitation)

• Certainty / confidence (e.g: with 60% chance)

• Threat duration

• Observables (if available)

• Signals used to make the prediction

Sample memo:

A Closer Look at Initial Access Vectors

When we read through the CTI reports, we see that there are several initial access vectors that are frequently used by cybercriminals.

• Network service exploitation

• Malspam campaign

• Spear phishing

• Credential attacks (wordlist attacks)

• Buying access

This is also beautifully illustrated in the IAB Landscape chart prepared by the CuratedIntel community.

Since these are preparatory stages, we can assume that an attack of a certain type will only occur when the corresponding conditions are met.

The question we must now ask is: which of these stages can we observe from the outside? And how?

Identifying Observation Opportunities

If we can deduce patterns about the preparatory phases, we can use them as an opportunity for observation. For instance, the main goal of network service exploiters is to hijack as many devices as possible. Therefore, they generally target widely used network protocols such as Email, file sharing, VPN.

In addition, most actors who do this work do not have the skills to develop the exploit code themselves. Therefore, they use ready-made exploit modules published by companies such as Metasploit, Cobalt Strike, or other security researchers.

Using these patterns, we can develop the following signals to predict an NSE campaign.

• Signal 1: A new vulnerability of a widely used network service has been discovered.

  • Observe: NVD, CVE

• Signal 2: The exploit module for the given vulnerability has become available.

  • Observe: Rapid7, Exploit-db, Github, Cobalt Strike, Dark web

• Signal 3: A new exploit code has become available for a known vulnerability.

  • Observe: same as Signal 2

• Signal 4: An exploit kit has begun to be advertised in crime markets.

  • Observe: Dark web

• Signal 5: An exploit has been observed in the wild.

  • Observe: CISA, Greynoise

The same process can be done for other vectors too. Let’s take malspam as another example.

Malspam is another type of vector in which actors go after quantity and are very opportunistic. For that reason they’re often delivered through cracked software or ads.

Using these patterns, we can develop the following signals to predict a malspam campaign:

• Signal 1: A popular game or software has become available on torrent websites.

  • Observe: Popular torrent sharing websites

• Signal 2: A new season of a popular series has been released.

  • Observe: News, movie sharing websites

• Signal 3: There is an increase in the activity of a certain botnet/trojan family.

  • Observe: Malware bazaar, C2 feeds

• Signal 4: New distribution hosts are identified for a certain botnet/trojan family.

  • Observe: URLhaus, Virustotal

• Signal 5: Crack of a commercial RAT has been shared in the forums.

  • Observe: Dark web

• Signal 6: New crypter has been shared publicly.

  • Observe: Dark web, Github

Building the Early Warning System

If you have developed some observable signals with the above process, now it’s time to construct the early warning system.

This process is similar to creating a mathematical equation where each of the signals we defined is a boolean variable (0 or 1). We multiply each of our events by a weight value, add them together or combine them with logical operators, and generate an alert when it exceeds a predefined threshold.

EWS for network service exploitation:

if (S1*0.1 + S2*0.3 + S3*0.1 + S4*0.3 + S5*0.3) > 0.5

• Signal 1: A new vulnerability of a widely used network service has been discovered. (Weight = 0.1)

• Signal 2: The exploit module for the given vulnerability has become available. (Weight = 0.3)

• Signal 3: A new exploit code has become available for a known vulnerability. (Weight = 0.1)

• Signal 4: An exploit kit has begun to be advertised in crime markets. (Weight = 0.2)

• Signal 5: An exploit has been observed in the wild. (Weight = 0.3)

EWS for malspam campaigns:

if (S1*0.1 + S2*0.3 + S3*0.1 + S4*0.3 + S5*0.3 + S6*0.3 + S7*0.2) > 1.0

• Signal 1: A popular game or software has become available on torrent websites. (Weight = 0.4)

• Signal 2: A new season of a popular series has been released. (Weight = 0.1)

• Signal 3: There is an increase in the activity of a certain botnet/trojan family. (Weight = 0.3)

• Signal 4: New distribution hosts are identified for a certain botnet/trojan family. (Weight = 0.2)

• Signal 5: Crack of a commercial RAT has been shared in the forums. (Weight = 0.3)

• Signal 6: New crypter has been shared publicly. (Weight = 0.2)

Weights and thresholds are subjective to your organisation and type of attack. You may experiment and find out what works for you best.

I hope you liked this blog post. See you in the next one!