The threat-intelligence researchers at Alphabet’s Chronicle have borrowed the apex predator concept from ecology to describe today’s multi-organizational, multinational threat actors — the evolution of which could provoke an overhaul of risk analysis and management. However, it’s important to keep things in perspective.
Ecologists describe food chains as linear links consisting of organisms that hunt and consume others. Such chains usually start with producer organisms (e.g., trees) and span to apex predators at the very top (bears, let’s say), that have no known natural predators (humans notwithstanding).
Chronicle postulates that such apex predators exist in the cyber-world too. The firm dubs them supra threat actors, or STAs, to connote their place “above” regular threat actors – and indeed, such actors are working at capabilities that exceed those of regular actors, thanks to the resources they have at their disposal. This is largely a result of the amount of new amounts of coordination currently seen among formerly disparate criminal and espionage groups.
It’s easy to think that STAs can quickly become your biggest cause for concern. Indeed, large-scale existential threats exist everywhere and can annihilate us with trivial effort. Should we be throwing everything we can at them? Let’s consider how this new class of adversary affects our risk posture.
Adjusting Risk Management for Frequency
In threat modeling, it’s important to consider which variables are important to measure when considering the path that a threat agent may take. For example, when building an attack tree, you might articulate all of the ways in which an STA might infiltrate the network.
Indeed, with an advanced, apex threat actor, those considerations may even become imaginative. Such flights of fancy are often minimized as “movie-plot threats,” as Bruce Schneier has often called them. However, with advanced operators like STAs, such possibilities can actually come to fruition.
That said, although it’s important to have a “greenfield” approach to understanding possible points of ingress or egress, risk management needs to make a distinction about which possibilities are probable. That is why many risk-management methodologies include the assessment of probability. It’s also important to be sure that any resultant computations are mathematically accurate, so frequency is an important metric too. Frequency matters because anything is probable over a long enough timeline; the real value is in adding a temporal bound to those events.
For any events that happen less than once a year, probability and frequency are equivalent. It’s only when you begin to measure events that happen more than once a year that probability implodes. By way of example, events that happen once every two years can reflect a probability of 0.5 (50 percent); however, events happening twice a year cannot be 200 percent probable.
As a result, the first major threat variable necessary for modeling STAs is the frequency of attempted attacks, or what is termed “threat event frequency” (TEF) in the Open Factor Analysis for Information Risk (FAIR) standard. It can sometimes be a difficult variable to determine, so the standard offers some contributing factors to consider when evaluating the rate of attack: Contact frequency and probability of attack. It’s at this level of analysis that considering the full strength and overwhelming capabilities of an STA can be more tailored to your organization.
Contact frequency asks organizations to look at whether the occurrence of attacks will be regular, randomized or intentional. When thinking about the way these apex threat actors have behaved in the past, from Stuxnet to Duqu, these are very intentional and targeted attacks. Generally, these have a lower frequency than “regular” (such as those done by insiders) or “random” (such as those precipitated by large-scale scanning) attacks.
For another interesting perspective on STAs we can turn to probability of attack. Here we need to consider the perceived value of a successful attack. If we assume targeted attacks, then we can assume that the value is evident to the STAs. The second variable at play is the level of effort necessary for a successful attack, which can be assumed to be a precursor to the formation of the STA; in other words, a considerable effort is necessary. The last is the level of risk (consequences) associated with failure (what return fire can your organization level against the attacker?). Against these variables you should weigh the attractiveness of your organization as a target.
Accounting for Capabilities and Targeting
The second major variable necessary for modeling STAs is what the Open FAIR standard calls “threat capability.” This is a measure of how skilled and resourced these attackers are in comparison with others. We can cut to the end on this one: As the apex predators, STAs are likely in the 99th percentile of attackers when it comes to capability (think of it like scoring exceptionally well on the SAT or ACT).
With these kinds of variables to aid in our threat modeling, we can see that absent an overwhelming defensive posture – also one in the 99th percentile – STAs are likely to break through any defenses you may have in place. However, that matters only if you think you are going to be targeted by them. That kind of firepower does not come cheap, and nation-state attackers or nation-state-funded criminals who can run that kind of outfit will use it to further their aims. As a result, threat- and risk-intelligence teams can keep vigil on the geopolitical zeitgeist to gain better insight into where targets are or may be acquired soon to determine who is in the line of fire.
Adversaries collaborating against us pose a substantial threat. However, their collaboration is not without cost, and that means they need to train their weaponry on targets commensurate with that cost. The escalation of these apex threat agents’ cyber-capabilities is simply a continuation of the cyber-arms race. It’s natural that with collaborative public and private-sector information-sharing regimes – such as VirusTotal, ISACs and the Five Eyes alliance – threat agents would also band together. With this new introduction of STAs, it’s fair to say the threat equation has changed, but it’s also important to note the nuances of where and how to ensure that you don’t over-allocate remediation efforts away from more probable loss scenarios.
Dr. Jack Freund is the director of Risk Science at the cyber-risk quantification firm RiskLens. With more than 20 years of experience in IT risk modeling, aggregation and communication, Freund previously worked for TIAA as director of Cyber Risk. He also holds a Ph.D. in Information Systems.