Cyber Threat Heat-Mapping

posted Aug 25, 2017, 4:49 PM by James Caroland   [ updated Sep 11, 2017, 12:32 PM ]
By MAJ Joe Marty

DISCLAIMER: All content in this article is derived from ideas in the author’s head, based on his experiences and observations. None of the methods or ideas presented describe actual methodologies used by the U.S. Army or any service branch of the Department of Defense. All information disclosed is UNCLASSIFIED.

Most people in the information security field are familiar with the "Cyber Kill Chain," [1] and some are also familiar with its successor in threat-mapping, the more granular MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) matrix. [2] These models allow incident responders, cyber security defenders, and intelligence analysts to chronologically map the activities of intruders. Most threat activities can be categorized under one of the kill-chain stages, and under one of the tactics listed in the MITRE ATT&CK matrix.

Figure 1

The benefit of modeling threat activities in these frameworks extends into both the past and the future. By identifying what a threat actor has already done, or recognizing what they have been known to do in other incidents/campaigns, incident responders can focus their clean-up and recovery efforts with targeted forensics. By identifying what the threat actor has done in other similar incidents, Cyber Security Service Providers (CSSPs) can focus their hardening efforts towards defense-in-depth strategies that will be effective at preventing the threat actor from succeeding in the next stages of the kill chain that have not yet been executed.

Each service branch in the Department of Defense (DoD) has drawn upon the proven methods of its respective domain (land, sea, air) and adapted its operations to apply them in the cyber domain. One classic method of developing intelligence in the tangible domains focused on nation-state threats. This method is sensible for conventional operations because, whether it is an offensive or defensive operation, our military expects to attack or defend against the forces of a specific nation, nations, or non-state actors that often operate with similar capabilities and tactics.

Adapting this classic methodology to the cyber domain is still effective for offensive operations because targeted cyber effects would typically be directed towards a specific entity. However, this classic methodology of developing intelligence provides only limited tactical benefit to defensive cyberspace operations (DCO), because defenders are expected to defend against all threat actors regardless of their origin. Although the classic methodology can provide strategic context and high-level overviews, it does not enable the tactical activities in DCO, because defenders cannot build comprehensive defense-in-depth from stove-piped information. One method that would develop actionable intelligence for DCO would be to use a "heat-map" of the cyber kill-chain or MITRE ATT&CK matrix.

Heat-maps traditionally indicate concentration of activity (or whatever is being measured) by a color scale, where a darker color indicates greater concentration. Over time, as more threat activity is mapped, the most common/popular activity will appear darkest on the heat-map. Generating a cyber-threat heat-map will help CSSPs prioritize their defense-in-depth efforts, and enable them to secure their organization by focusing on the most likely attack vectors. Thus, when an intruder encounters the roadblocks built by the CSSP, those seeking easy entry will move on, and the persistent threat actors will be forced to change their behavior to succeed in their campaign. At worst this will delay their activities; at best, it will deter adversaries from continuing their pursuit, encouraging them to move on to “lower-hanging fruit” or another vector with less resistance.

Using this cyber-threat heat-mapping methodology, an organization could populate a database with documented activities. [3] The events they observe and record could be categorized by kill-chain stage and MITRE ATT&CK method, and then tagged by threat actor. This database would enable analysts to quickly respond to identified threats because, as soon as observed events are queried in the database, the analyst can easily spot what the intruder has most likely done so far, and what they are most likely to do next, based on their documented pattern of behavior.

To maximize accessibility, the organization could build a simple interface to the database (e.g., a web page front-end) that allows defenders to quickly identify the most popular/common attack vectors, enabling them to focus their efforts where they will be most effective. The threat actor tags on each event allow for simple correlation of queries with the documented activities stored in the database. This enables quick identification of the APT that is most likely responsible for the observed activity, based on the matching data points. This threat-hunting heat-map would enable intelligence analysts to provide actionable intelligence to defenders in cyberspace.

Figure 2

Figure 2 (above) is an illustration of how activities during an observed campaign could be documented and tagged across the cyber kill-chain. Each row below the kill-chain stages indicates a separate (hypothetical) campaign. Each activity tagged for a specific APT indicates attribution of similar behavior based on analysis of past events. [Note: The activities and corresponding APTs are provided only to demonstrate how the interface might be used – the attribution is intentionally inaccurate, and the figure should not be used as a reference.]

The benefit of using an interface like this should be clear – the more tags that appear across a row, the more likely it is that the corresponding APT is the culprit of the campaign. Depending on which stage of the kill-chain spun up the incident response team (IRT) into action, the analysts would be able to quickly identify what the intruder has already done, and they can advise the CSSP on where to implement the most effective countermeasures further down the kill-chain, both based on expected behavior supported by historical data in the database.

Figure 3 below is a similar illustration using the MITRE ATT&CK matrix. Optimization of the interface becomes critical for this model because data can become confusing very quickly if not properly presented. This illustration presents another hypothetical example of a single campaign where each observed activity is documented, and the APT tag indicates which threat actor has demonstrated the behavior in past campaigns that have been analyzed. The dotted lines link activities observed by the same threat actor. [Again, attribution is intentionally wrong.]

Figure 3

This example visually expresses which threat actor most likely conducted the campaign based on recorded behaviors. In this hypothetical example, the campaign is equally likely to have been prosecuted by APT 1 or APT 29, as three activities observed from each matched tagged entries in the database of recorded APT behaviors.

The real value of following this methodology is the heat-map. Figure 4 below depicts how the heat map develops over time as more tagged data is recorded in the database. When an analyst displays ALL recorded threat activity, the darkest points indicate the most common tactics and methods used by APTs.

Once defensive countermeasures are identified for each tactic listed in the ATT&CK matrix, the ‘hot-spots’ in the heat map can quickly spotlight where a CSSP should prioritize its defense-in-depth efforts. In this example, the ‘hottest’ APT tactics that should be addressed are account enumeration, remote desktop protocol (RDP), and removable media. These observations might lead the CSSP to create fake accounts to detect account enumeration, implement multi-factor authentication for RDP access, and whitelist the removable media they use to prevent usage of unauthorized removable media.

Figure 4
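The database, the actor-scoring query (Figures 2 and 3) and the heat-map aggregation (Figure 4) described above, as an added worked example that is not part of the original article or of any actual CPT tooling. The records, campaign ids, technique labels and actor tags are constructed for illustration only and, like the article's own figures, carry no real attribution; the kill-chain stage order is the Lockheed Martin sequence cited in [1].

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Lockheed Martin cyber kill-chain stages, in chronological order.
KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]

# Constructed sample "database" of documented threat activity.
# Each record: (campaign id, kill-chain stage, ATT&CK-style technique, actor tag).
# Attribution is deliberately fictional, exactly as in the article's figures.
Record = Tuple[str, str, str, str]
RECORDS: List[Record] = [
    ("C1", "Reconnaissance", "Account Enumeration", "APT 1"),
    ("C1", "Delivery", "Spearphishing Attachment", "APT 1"),
    ("C1", "Actions on Objectives", "Remote Desktop Protocol", "APT 1"),
    ("C2", "Reconnaissance", "Account Enumeration", "APT 29"),
    ("C2", "Delivery", "Spearphishing Attachment", "APT 29"),
    ("C2", "Installation", "Scheduled Task", "APT 29"),
    ("C2", "Actions on Objectives", "Remote Desktop Protocol", "APT 29"),
    ("C3", "Reconnaissance", "Account Enumeration", "APT 28"),
    ("C3", "Delivery", "Removable Media", "APT 28"),
    ("C3", "Actions on Objectives", "Remote Desktop Protocol", "APT 28"),
    ("C4", "Delivery", "Removable Media", "APT 1"),
    ("C4", "Installation", "Scheduled Task", "APT 1"),
    ("C5", "Delivery", "Removable Media", "APT 29"),
    ("C5", "Exploitation", "PowerShell", "APT 29"),
]

# Defensive countermeasures per technique, taken from the article's Figure 4 discussion
# (hypothetical mapping; a real CSSP would maintain one entry per ATT&CK tactic).
COUNTERMEASURES: Dict[str, str] = {
    "Account Enumeration": "create decoy accounts to detect enumeration",
    "Remote Desktop Protocol": "require multi-factor authentication for RDP",
    "Removable Media": "whitelist approved removable media",
}


def score_actors(observed: Iterable[str], records: List[Record] = RECORDS) -> Dict[str, int]:
    """Count, per actor tag, how many of the observed techniques that actor is documented using.

    Each technique is counted once per actor, so a row with many tags scores high
    regardless of how many campaigns repeated the same technique.
    """
    wanted = set(observed)
    matched: Dict[str, set] = defaultdict(set)
    for _, _, technique, actor in records:
        if technique in wanted:
            matched[actor].add(technique)
    return {actor: len(techs) for actor, techs in matched.items()}


def most_likely(observed: Iterable[str], records: List[Record] = RECORDS) -> List[str]:
    """Actor tags with the highest score; ties are kept (Figure 3: APT 1 and APT 29 tie)."""
    scores = score_actors(observed, records)
    if not scores:
        return []
    best = max(scores.values())
    return sorted(actor for actor, s in scores.items() if s == best)


def expected_next(actor: str, observed: Iterable[str],
                  records: List[Record] = RECORDS) -> List[Tuple[str, str]]:
    """Techniques the actor has been documented using in stages later than the latest observed one.

    This is the 'what are they most likely to do next' query used to advise the CSSP
    on where to place countermeasures further down the kill-chain.
    """
    wanted = set(observed)
    seen = [KILL_CHAIN.index(stage) for _, stage, tech, _ in records if tech in wanted]
    if not seen:
        return []
    latest = max(seen)
    later = {(stage, tech) for _, stage, tech, tag in records
             if tag == actor and KILL_CHAIN.index(stage) > latest}
    return sorted(later, key=lambda st: (KILL_CHAIN.index(st[0]), st[1]))


def heat_map(records: List[Record] = RECORDS) -> Dict[str, int]:
    """Technique -> number of distinct campaigns in which it was recorded (the heat value)."""
    campaigns: Dict[str, set] = defaultdict(set)
    for campaign, _, technique, _ in records:
        campaigns[technique].add(campaign)
    return {technique: len(c) for technique, c in campaigns.items()}


def hot_spots(n: int = 3, records: List[Record] = RECORDS) -> List[str]:
    """The n hottest techniques, darkest first; ties broken alphabetically for stable output."""
    heat = heat_map(records)
    return sorted(heat, key=lambda t: (-heat[t], t))[:n]


def prioritized_countermeasures(n: int = 3, records: List[Record] = RECORDS) -> List[Tuple[str, str]]:
    """Hot spots paired with the defensive action for each, in priority order."""
    return [(t, COUNTERMEASURES.get(t, "no countermeasure documented")) for t in hot_spots(n, records)]


def render(records: List[Record] = RECORDS) -> str:
    """Text rendering of the heat map: one bar per technique, darkest (longest) first."""
    heat = heat_map(records)
    width = max(len(t) for t in heat)
    return "\n".join(f"{t.ljust(width)}  {'#' * heat[t]} {heat[t]}"
                     for t in sorted(heat, key=lambda t: (-heat[t], t)))


if __name__ == "__main__":
    observed = ["Spearphishing Attachment", "Account Enumeration", "Remote Desktop Protocol"]
    print("scores:", score_actors(observed))
    print("most likely:", most_likely(observed))
    print("APT 29 may do next:", expected_next("APT 29", ["Spearphishing Attachment", "Account Enumeration"]))
    print(render())
    print("priorities:", prioritized_countermeasures())
```

With the constructed records, the three observed activities match three tagged entries each for APT 1 and APT 29, reproducing the tie in the Figure 3 example, and the aggregate heat map puts account enumeration, RDP and removable media on top, as in the Figure 4 discussion. A real deployment would back `RECORDS` with the organization's database and key techniques by ATT&CK identifier rather than free-text labels.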

The classic, nation-centric development of threat intelligence may provide strategic context in support of DCO, but its usefulness is much more limited down at the tactical level. The use of a heat-map overlay on either the cyber kill-chain or the ATT&CK matrix can enable responders to identify, contain, and recover from intruder activities (i.e., forensics). The cyber threat heat-map can also enable defenders to prioritize their efforts where they will be most effective (i.e., build defense-in-depth). Cyber threat heat-mapping provides actionable intelligence for tactical defensive cyberspace operators, and it helps CSSPs maximize their efficiency and effectiveness in defending their organization.

About the Author

Joe Marty leads a Cyber Protection Team (CPT) as a field-grade officer in the US Army Cyber Protection Brigade. He has experience conducting several incident response and proactive defensive cyberspace operations with his team in both Enterprise and Industrial Control Systems (ICS) environments. When he's not on the road leading his team, Joe enjoys writing, hacking, and traveling with his family.
