This article is the first installment in a three-part series about cyberattack preparation and execution. Stay tuned to learn more.
Security teams need guidance to better understand, track and defend against patterns of malicious behavior, which will help them contend with today’s evolving — and increasingly sophisticated — threat landscape.
This is why IBM X-Force Incident Response and Intelligence Services (IRIS) developed a cyberattack framework to help organizations predict the steps an adversary might take to infiltrate corporate networks. The IBM X-Force IRIS cyberattack preparation and execution frameworks are designed to help security analysts understand malicious actors’ objectives, track threat data and communicate security intelligence more clearly.
Defenders can further dissect the threat model to preemptively build defenses and tracking capabilities to help identify and protect against attacks before they occur.
Break Down the X-Force IRIS Cyberattack Preparation Framework
While many of the phases described in the preparation framework are undetectable to targets and defenders, the early stages of a cyberattack offer opportunities to increase visibility into cybercriminal operations. Often, these measures can be undertaken relatively cheaply and with little to no reduction in operations.
The IRIS preparation framework includes two key phases: in the first, threat actors determine their objectives; in the second, they prepare their attack infrastructure.
IRIS Cyberattack Preparation Framework — Schematic View
Phase One: Know Your Enemy
In the first phase of the framework, the attacker determines the target and defines initial mission objectives. On the defenders’ side, analysts can take steps to safeguard the assets attackers are likely to target, such as determining what and where their most valuable data is and whether cybercriminals are actively pursuing the organization.
Security teams should also integrate threat intelligence into the organization’s cybersecurity program. By building a threat profile of the adversaries most likely to target the company, security teams can focus on the most relevant cybercriminal groups instead of applying generic coverage to the entire pool of active cybergangs. This strategy is also in line with best practices suggested by the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity.
Threat profiles help provide the contextual background for these malicious actors, such as their capabilities and tactics, which defenders can use to prioritize their responses.
To establish a threat profile, security analysts must answer the following questions:
Have Threat Actors Targeted the Organization?
Determine whether cybercriminals have breached the network in the past. If not, are there any indications that they may be interested in your company?
For example, has senior management received any spear-phishing emails? These clues can provide valuable insight into the type of actors that may be targeting the organization. Unusual network traffic on the company’s internet-facing ports is another clue. Large amounts of traffic originating from countries that your company doesn’t operate in could also indicate potentially malicious activity.
What Type of Attacker Might Go After Your Crown Jewels?
By understanding past attacks against companies in the same industry, security teams can assess the types of actors that are likely to target the organization and profile familiar capabilities and modus operandi.
For example, do these threat groups have the means and technical knowledge to perform an advanced intrusion? Do they typically compromise networks by exploiting known vulnerabilities? The best way for analysts to prioritize the most impactful areas for security investments is to anticipate the adversary’s entry path.
Where Are These Threat Groups Located?
Security teams can gain insight into cybercriminals’ motives, mission and tactics by understanding contextual information about potential threat actors, such as where they are located. This data can help analysts determine which vectors pose the most significant threat to the organization.
What Are the Attackers’ Goals?
Understanding what threat groups are after can help organizations protect digital assets and data. Attackers target a variety of data — from financial information, which can be sold on the darknet, to intellectual property, which can be sold for profit or used in corporate espionage. Some threat actors may seek to destroy data or harm critical infrastructure.
Understanding the organization’s key assets and predicting which ones are most appealing to cybercriminals can help security teams determine governance, controls and best practices to help protect and secure their digital environments.
Phase Two: Prepare the Attack Infrastructure
During the attack infrastructure preparation phase, cybercriminals often establish command-and-control (C&C) servers and build infrastructure that can be used to craft web pages, emails and domains that look legitimate to unsuspecting targets. Although threat actors typically operate in a stealthy manner, security teams can take steps to uncover and mitigate their actions.
Attackers often buy, register or gain illegal ownership of domains, servers, secure sockets layer (SSL) certificates, web service accounts and other network resources to orchestrate their campaigns. They then use their C&C network of servers and web resources to drop, execute, access and control the malware with which they infect target hosts.
During the setup process, attackers who set up malicious domains for their infrastructure’s communications may use look-alike or typo-changed domains to fool target users into interacting with their sites or emails. Such spoofing is often very subtle and can trick even the most observant users into clicking malicious links.
To mitigate this threat — and make it harder for attackers to typosquat domains — defenders can purchase all the likely typo-changed domains associated with their company name or monitor for suspicious domain registrations that resemble official domains.
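The following is an added example, not part of the original article or of any IBM tooling, of both mitigations described above: it generates the likely typo-changed variants of a company name (the list a defender might register defensively) and flags matching entries in a constructed feed of newly registered domains. The company name `example`, the official TLD `com` and the domain feed are assumptions for illustration.

```python
# Typosquat candidate generation and new-registration monitoring (added example).
# Keyboard-adjacency map for common fat-finger substitutions (abbreviated QWERTY).
ADJACENT = {
    "a": "qwsz", "c": "xdfv", "e": "wrsd", "i": "uojk", "m": "njk",
    "n": "bhjm", "o": "iplk", "p": "ol", "r": "etdf", "s": "awedxz",
    "t": "ryfg", "u": "yihj", "x": "zsdc",
}
# Characters that look alike in many fonts and are commonly swapped in lure domains.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "m": "rn", "e": "3"}
TLDS = ("com", "net", "org", "co", "cm", "info")

def typo_variants(name):
    """Return the set of look-alike second-level labels derived from `name`."""
    out = set()
    for i in range(len(name)):
        out.add(name[:i] + name[i + 1:])                        # omission: exmple
        out.add(name[:i] + name[i] + name[i:])                  # repetition: exaample
        for c in ADJACENT.get(name[i], ""):
            out.add(name[:i] + c + name[i + 1:])                # adjacent-key substitution
        if name[i] in HOMOGLYPHS:
            out.add(name[:i] + HOMOGLYPHS[name[i]] + name[i + 1:])  # homoglyph: examp1e
        if i + 1 < len(name):
            out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # transposition: exmaple
            out.add(name[:i + 1] + "-" + name[i + 1:])          # hyphen insertion: exam-ple
    out.discard(name)
    return out

def defensive_registrations(company, official_tld):
    """Domains a defender might register pre-emptively: every variant across common TLDs."""
    return sorted(f"{v}.{t}" for v in typo_variants(company) | {company} for t in TLDS
                  if not (v == company and t == official_tld))

def suspicious_registrations(company, official_tld, new_domains):
    """Flag newly registered domains whose second-level label is a typo variant of the
    company name, embeds the name (e.g. example-login) or reuses it under another TLD."""
    variants = typo_variants(company)
    hits = []
    for d in new_domains:
        parts = d.lower().split(".")
        if len(parts) < 2 or d.lower() == f"{company}.{official_tld}":
            continue  # malformed entry, or the organization's own official domain
        label = parts[-2]
        if label in variants or company in label:
            hits.append(d)
    return hits

# Constructed sample feed of new registrations, as a registration-monitoring service might supply.
NEW_DOMAINS = ["exmaple.com", "example-login.net", "exampl3.org",
               "acme-widgets.com", "example.co", "examp1e.com", "example.com"]

if __name__ == "__main__":
    print(suspicious_registrations("example", "com", NEW_DOMAINS))
```

In practice the feed would come from certificate-transparency logs or a registration-monitoring service, and hits would be reviewed by an analyst before any takedown request.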
Keep Social-Engineering Schemes at Bay With Education
Of course, threat actors have more tricks up their sleeves. Depending on the target, attackers may use social-engineering schemes to make it seem like activity is legitimate. For example, fraudsters can create more believable, personalized phishing messages by befriending targets online via fake online profiles.
To prevent these types of communications from succeeding, defenders should educate employees about the current trends in spam and spear phishing and describe the dangers of interacting with fraudulent online personas. Security teams should also establish proper governance to help employees respond and react appropriately when they fall victim to social-engineering schemes.
It’s also imperative to ensure that employees have positive experiences when reporting potential security incidents — and that security leaders do not punish or shame them for falling victim to phishing or social-engineering schemes.
To learn more, stay tuned for the next article in this series, which will examine the external reconnaissance and launch attack phases of the framework. You can also download the IBM white paper and listen to the podcast for more insights.