Chapter 9. Researching Adversary Tradecraft

Cybersecurity transcends the binary notion of good versus evil or defense versus attack; it embodies a dynamic terrain of perpetual learning, comprehension, and adaptation. When traversing this landscape, it becomes imperative to proactively anticipate, defend against, and mitigate potential threats by understanding the intricate behaviors exhibited by adversaries within the cyber realm. In this chapter, I aim to guide you through the multifaceted process of researching and applying knowledge about adversary TTPs. You will embark on a journey that begins with studying adversary behavior, progresses to developing profiles, and culminates in the practical application of the ATT&CK framework for selecting TTPs for emulation.

To begin, you need to dive deep into the mindset and behavior of your adversaries. I will show you how to investigate the various techniques, strategies, and methodologies they employ in cyber operations. I will discuss how to discern their goals and motivations and understand their unique modus operandi (MO). This deep understanding will ultimately enable you to devise robust defense strategies that anticipate and counteract your adversaries’ actions.

Once you grasp the essence of your adversaries’ behavior, your next step is to create comprehensive profiles of them. I will introduce methodologies to help you aggregate this knowledge and transform raw data into a useful, easy-to-reference format. These profiles will serve as invaluable ...

Get Adversary Emulation with MITRE ATT&CK now with the O’Reilly learning platform.