It’s Time to Get off the Treadmill: Why You Should Understand Adversary Playbooks

By 
Sep 10, 2018
2 minutes
15 views
CSO Perspective
Points of View
Secure the Enterprise
Adversary Playbooks
Cyber Threat Alliance

The excerpted article below originally appeared on CSO Online.

When deploying prevention and detection controls, most network defenders are on a treadmill of sifting through thousands of indicators of compromise, trying to prioritize which ones they should tackle first. Typically, they know nothing about the context of the indicator, just that it is bad, and that it should be blocked somewhere in the environment. The problem is they never sift through them all, which makes them feel like they are always behind – which they are.

What the Cyber Threat Alliance and Unit 42, Palo Alto Networks threat intelligence team, have been advocating for the past five years is to flip the equation and embrace adversary playbooks.

The idea is that network defenders should be deploying prevention and detection controls at all locations on the intrusion kill chain, designed specifically for all known adversary campaigns. In other words, get off the treadmill and start deploying controls designed specifically to thwart all known adversaries. This is an important idea because the network defender community already comprehends much about how adversaries run their attack playbooks. For all the “new” adversaries out there making headlines, most of the techniques they use are not new. I estimate that we, collectively, understand approximately 99 percent of the playbooks that cyber adversaries run on any given day.

The challenge has been: how do we organize that information and share it with the world at large? It turns out, that is way more complicated than it sounds. After much debate within Unit 42 and the Cyber Threat Alliance, we agreed that this is what constitutes an adversary playbook:

  • One or more cyber adversaries
  • Who run one or more campaigns
  • Who use a variety of techniques to attack their victims down the intrusion kill chain
  • Who leave indicators of compromise in their wake when they do

Once we agreed to the general idea of what an adversary playbook was, we needed a way to

visualize it and built an open source playbook viewer earlier this year to do just that.

Read the rest of Rick Howard’s article on CSO Online.

Related Blogs

Our library of online content is here to help you learn more, no matter what format you prefer or which topic interests you most.

CSO Perspective, Points of View, Secure the Enterprise

Effective Cybersecurity Is Not Easy, but It Is Achievable

Announcement, Must-Read Articles, Points of View

We Can’t Do It Alone: Sharing Threat Intelligence Makes Everyone Safer

Company & Culture, Points of View, Secure the Enterprise

What Kind of Cybersecurity Leader Are You? Advice for CSOs and Others

Points of View, Secure the Enterprise

10 Articles from Security Roundtable That You Shouldn’t Miss

Secure the Enterprise

A Few of Unit 42’s Greatest Contributions to Threat Intelligence Research

CSO Perspective, Government, Points of View, Public Sector

Ireland’s Commitment to Cybersecurity

Subscribe to the Newsletter!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.

By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement. Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.

Get the latest news, invites to events, and threat alerts

Popular Resources

Legal Notices

Popular Links