Don’t Overlook Geopolitics in Threat Intelligence

Rarely does geopolitics play a prominent role in the data collection, analysis, and myriad other daily tasks carried out by many, if not most, commercial-sector threat intelligence teams. But it absolutely should—and we need look no further than a few recent cyber-attacks to see why: 

  • The Lazarus Group’s attempted heist at Chilean interbank network Redbanc in December 2018 is considered one of North Korea’s latest attempts to cope with international sanctions and a consequently stifled economy by using unconventional methods—namely, targeting financial institutions—to fund its regime. 
  • The uptick in Chinese-sponsored cyberattacks from groups such as APT10 against entities in the US and its allies in the second half of 2018 closely follows the US’s announcement of increased tariffs on Chinese goods. 
  • Russia’s interference in Western elections is widely believed to have been motivated, at least partially, by the perception that certain candidates, if elected, would be more likely to ease sanctions against the country and support Russian interests.

These attacks are among countless others that align with a clear trend: Geopolitically significant events impacting nation states—particularly ones with robust cyber capabilities—often precede malicious cyber activity emanating from those states.

In just the last few years, this trend has manifested in trade disputes, arms races, sanctions, major elections, and similar events that have ultimately served as precursors for a number of nation-state cyber-attacks.

For threat intelligence teams, the key takeaway here is straightforward. These teams should monitor the geopolitical landscape, keep track of relevant events, and use these observations to inform their intelligence requirements, collection strategy, and analysis with respect to nation-state activity. Relatively few teams do this, however, and there seem to be two primary reasons why.

First, most teams abide by conventional wisdom that an organization cannot fend off a determined adversary, such as a nation state, indefinitely. This wisdom is arguably true, with few exceptions, and is largely what motivates many teams to prioritize detection and response far ahead of proactive defense when it comes to nation-state threats. 

Because geopolitical context tends to be less valuable for detection and response, many threat intelligence analysts have few opportunities to be exposed to it. Once a nation-state (or any) actor has penetrated your network, understanding the actor’s geopolitical motivations is unlikely to be all that useful in kicking them out of the network and remediating the damages.

Even in the aftermath of an attack, identifying and blocking any indicators of compromise (IOCs), as well as finding and patching any vulnerabilities that facilitated the attack, understandably take precedence over evaluating the geopolitical factors involved.

Second, even among threat intelligence teams that do allocate ample resources toward proactive defense in this area, geopolitics doesn’t always have a seat at the table. Defensive strategies geared toward nation-state threats tend to focus largely on the technical aspects of what an adversary might do—but not necessarily the bigger picture of what might motivate them to do that in the first place.

The MITRE ATT&CK framework, for example, is a focal point of many such strategies. This living knowledge base of tactics, techniques, and procedures (TTPs) drawn from real-world intrusions is designed to help defenders evaluate whether their systems would be able to withstand and/or detect adversaries' TTPs.

The framework is rightfully lauded as a gold standard, but the geopolitical context it includes is generally limited to an adversary's country of origin and the industries, assets, and locations it has targeted previously. It does not provide insight into the extent to which diplomatic disputes or arms races, for instance, have historically shaped an adversary's actions.

The best way to utilize insights from ATT&CK and related resources with respect to nation-state threats is to evaluate these insights in the context of geopolitical factors relevant to your company. A good starting point is to familiarize yourself with the TTPs and motivations of nation states’ cyber operations and identify areas of overlap with your company’s environment.

For example, let's consider that China-backed advanced persistent threat (APT) groups have historically been more active in targeting intellectual property of manufacturers and technology companies in North America and Europe following events that have impaired China's economy. If your company fits this description, your threat intelligence team could augment its collection strategy by monitoring for news of economic sanctions or tariffs on China. Should such news arise, the team would then recognize the potentially heightened risk facing the company's assets, relay this information to the security operations center, and ensure appropriate precautions are taken, such as raising the detection priority of the relevant groups' known TTPs and briefing the teams that hold the targeted intellectual property.
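The workflow just described, turning a geopolitical event feed into a ranked list of nation-state actors to prioritize for collection and detection, is sketched below as an added example; it is not code from the article. The actor profiles (using the APT10 and Lazarus Group names from the article), the event feed, the company profile and the scoring weights are all constructed, illustrative data and an assumed heuristic, not a published standard. The idea is the one in the text: a static overlap between what an actor has historically targeted and what your company is, plus a time-boxed boost whenever a recent event of a kind that has historically preceded that actor's campaigns hits its sponsoring state.

```python
"""Turn geopolitical events into nation-state actor priorities (added illustration).

All actor profiles, events, the company profile and the weights below are constructed
sample data and an assumed heuristic; they are not from the article or from ATT&CK.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class CompanyProfile:
    sector: str          # e.g. "manufacturing", "finance"
    region: str          # e.g. "north-america", "south-america"


@dataclass(frozen=True)
class ActorProfile:
    name: str
    sponsor: str         # state the actor is attributed to
    sectors: frozenset   # sectors historically targeted
    regions: frozenset   # regions historically targeted ("global" matches any)
    triggers: frozenset  # event kinds that have historically preceded its campaigns


@dataclass(frozen=True)
class GeoEvent:
    when: str            # ISO date "YYYY-MM-DD"
    country: str         # state the event impacts
    kind: str            # e.g. "tariffs", "sanctions", "election"
    summary: str


# Constructed actor profiles: names come from the article, the details are illustrative.
ACTORS = [
    ActorProfile("APT10", "China",
                 frozenset({"manufacturing", "technology"}),
                 frozenset({"north-america", "europe"}),
                 frozenset({"tariffs", "sanctions"})),
    ActorProfile("Lazarus Group", "North Korea",
                 frozenset({"finance"}),
                 frozenset({"global"}),
                 frozenset({"sanctions"})),
]

# Constructed event feed entries for demonstration only.
EVENTS = [
    GeoEvent("2018-09-24", "China", "tariffs",
             "New US tariffs on Chinese goods take effect (constructed feed entry)"),
    GeoEvent("2018-12-01", "North Korea", "sanctions",
             "Sanctions enforcement tightened (constructed feed entry)"),
]


def baseline_score(actor, company):
    """Static overlap between the actor's historical targeting and the company (assumed weights)."""
    score = 0
    if company.sector in actor.sectors:
        score += 2
    if company.region in actor.regions or "global" in actor.regions:
        score += 1
    return score


def event_boost(actor, events, today, window_days=90):
    """Recent trigger events aimed at the actor's sponsor raise its priority; future-dated
    or stale entries are ignored so a noisy feed cannot inflate the score."""
    end = date.fromisoformat(today)
    start = end - timedelta(days=window_days)
    boost, reasons = 0, []
    for ev in events:
        when = date.fromisoformat(ev.when)
        if ev.country == actor.sponsor and ev.kind in actor.triggers and start <= when <= end:
            boost += 3
            reasons.append(f"{ev.when}: {ev.summary}")
    return boost, reasons


def prioritize(actors, events, company, today):
    """Rank actors by baseline overlap plus event boost. Actors with no historical
    overlap are dropped: geopolitics alone does not make them a priority for us."""
    ranked = []
    for actor in actors:
        base = baseline_score(actor, company)
        if base == 0:
            continue
        boost, reasons = event_boost(actor, events, today)
        ranked.append({"actor": actor.name, "score": base + boost, "reasons": reasons})
    ranked.sort(key=lambda r: (-r["score"], r["actor"]))
    return ranked


if __name__ == "__main__":
    us_manufacturer = CompanyProfile("manufacturing", "north-america")
    for row in prioritize(ACTORS, EVENTS, us_manufacturer, "2018-10-15"):
        print(row)
```

Run on a North American manufacturer a few weeks after the constructed tariff entry, APT10 rises to the top with the tariff event recorded as the reason, while the Lazarus Group profile keeps only its weak regional overlap; run on a South American bank after the constructed sanctions entry, only the Lazarus Group profile survives and is boosted. The reasons list is what you would hand to the SOC along with the priority change, so the analyst can see which event drove it and when the window will lapse.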

This scenario raises an important reminder: geopolitical context isn’t all that different from the other types of context threat intelligence teams are already familiar with. Industry, size, and stakeholders, among other characteristics, have long played a role in the sorts of threats to which a company is susceptible. Geopolitics is just another piece of the puzzle.
