How STIX Cyber Campaigns Provide Intel on Geopolitical and Cybersecurity Risks

< Back to Blog Home

In this second article of a three-part series, VerSprite discusses how independent consultants and organizations can learn about geopolitical and cybersecurity risks from cyber campaigns.

What are Cyber Campaigns?

As defined by the Structured Threat Intelligence eXpression data standard, or STIX, cyber campaigns are a series of cyber attacks conducted against an entity for a specific purpose.

How Can Organizations Learn About Cyber Campaigns?

Information on cyber campaigns can be found from both public and private sources. The first blog post in this series discussed multiple publicly accessible websites that offer information on cyber attacks and campaigns. Mentioned sources included news or threat intelligence reports and documents shared by both think-tanks and government agencies.

Threat intelligence platforms, or interactive interfaces, that present information about cyber attacks also provide information on cyber campaigns. Some threat intelligence platforms are accessible to the public and allow public users to access data organizations store on cyber attacks and campaigns.

VerSprite, for example, hosts Signas, a threat intelligence platform that allows organizations to upload and manage information on cyber attacks and campaigns in the STIX II data format. Signas allows users to either keep their data private, and only share data with VerSprite, or users can choose to share their data publicly. Publicly shared data allows all other Signas users to learn from data other users upload. Organizations or individuals interested in Signas can register to use the platform by emailing [email protected].

What are the Benefits of Structuring Information on Cyber Attacks and Campaigns in the STIX Data Format?

Two main reasons organizations benefit from structuring cyber attack data in the STIX format include:

• Interpretability – persons with or without cybersecurity industry experience can easily understand STIX formatted data. Organizations can therefore feature STIX data in organizational reports, hand-outs, and presentations which audiences can grasp.
• Transferability – STIX data can also be shared via TAXII servers, or digital data transferring mechanisms used to relay information about cyber attacks. Communicating information, especially on current trends such as hacktivism related to repeated instances of police brutality, is essential for organizations which analyze and learn from cyber attacks and campaigns.

Why Analyze Cyber Campaigns?

Cyber campaigns can provide risk management and security teams insights into cybersecurity and geopolitical risks. By definition, cyber campaigns feature information on more than one cyber attack. This means cyber campaigns:

1. provide multiple cyber attacks for researchers to analyze
2. can demonstrate how cyber attacking a target is meaningful to a threat actor
3. can provide multiple insights on the successes and failures of organizational cybersecurity policies, practices, and procedures

These three factors make cyber campaigns useful for security teams, intelligence agencies, and academic institutions to analyze.

Cyber Campaigns Offer Insights into Cybersecurity and Geopolitical Risk

Cyber campaigns offer deep insights into both cybersecurity and geopolitical risks for private sector companies. The Venn diagram below summarizes specific concepts related to both geopolitical and cybersecurity risks that cyber campaigns can provide information on:

As one of the only cybersecurity consulting firms with a geopolitical risk practice group, VerSprite understands how cyber campaigns reported around the world affect the security of multi-national organizations. VerSprite has the resources and expertise to mitigate potential geopolitical and cybersecurity risks that are top concerns for business leaders around the world.

What Can Cybersecurity Professionals Learn from Cyber Campaigns?

Third-party cybersecurity consultants, internal information security teams, information security team leaders, CISOs, and government counterintelligence agencies can use cyber campaigns to understand various dynamics of cybersecurity risks. By having a deeper understanding of these risks and how they are related, security professionals can strengthen organizational cybersecurity policies, practices, and procedures. In particular, cybersecurity professionals can learn about:

• Sources of risk, such as third parties, including industry affiliates, potential vulnerabilities, or malpractices of institutions.
• Information that helps resolve cyber attacks against industries, such as escalation techniques of threat actors; common uses of credentials collected by cybercriminals; or the tactics, techniques, and procedures (TTPs) of threat actors. This information can also be used to mitigate the damages of an active compromise.
• Characteristics of cyber risk that can help security teams assign priority levels in cybersecurity policies, practices, and procedures, such as incident response plans. Some characteristics of interest to information security teams include damages of common industry attacks, success rates of an attack technique, escalation capabilities of threat actors based on vulnerability exploited, attack techniques used by specific threat actors, and industry attack trends.

These various components of cyber risk can be used by third-party consultants to make more sophisticated service offerings. CISOs and security teams can use these insights to write policies that mitigate organization-specific cybersecurity risks based on cyber risk factors that cyber campaigns reveal. Organizations can also develop state of the art organizational threat models, or charts which depict how threat actors could compromise various applications, or data and process flows of an organization, based on cyber campaign data.

Information security teams, in particular, benefit from knowing third parties that threat actors are more likely to target based on patterns observable in cyber campaigns, such as data specific threat actors frequently target. Information security teams also benefit from basing red teaming exercises on previous campaigns conducted by cybercriminals, knowing attack techniques to prepare against, and basing security training exercises on incident analysis encompassing everything from packet captures (PCAPs) to indicators of compromise used by threat actors who target similar organizations.

What Can Business Executives and Geopolitical Risk Management Professionals Learn from Cyber Campaigns?

Political consultants, project managers, C-SUITES, organizational presidents, government intelligence agencies and branches, security policy writers, and public relations specialists can understand cyber campaigns to avoid specific risks associated with business expansion, location, and third-party vendors. There are also certain business practices that cyber campaigns can help business executives understand are riskier than others. A list of geopolitical insights cyber campaigns can inform professionals surveying geopolitical risks is below:

• Locations with heightened security risks, including locations with civil upheaval, locations at risk due to poor international relations, or countries with corrupt governments. Organizations may also face increased risks in defined spaces because of the presence of strategic assets, including high-value target data such as corporate secrets or military intelligence.
• Marketplace practices that present risks, such as adopting various technologies or following practices related to social, environmental, and health-related responsibilities, such as working remotely due to social distancing.
• Information on third-party risks, such as target data of interest, sector-specific attacks, or location-based risks.
• Risks predictable from the behaviors of threat actors, such as corporate espionage attempts, property destruction, or business disruptions.

Cyber campaigns provide intelligence that can help business executives and risk management specialists, avoid risks specific to various locations, create business models that address geopolitical and cyber-centric risks, make security policies that mitigate third party risks, and prepare for risks presented by nefarious actors, such as cybercriminals or nation-state backed threat actors.

Risk consulting firms, government intelligence community members, and public relation specialists, in particular, can relay more informed advisories and intelligence reports, design more detailed disaster recovery plans, and write business models that address geopolitical risks by examining cyber campaigns.

What Services Does VerSprite Offer Based on Cyber Campaigns?

Cyber campaigns are foundational for many of VerSprite’s services and deliverables. Beyond hosting Signas to organizations around the world, VerSprite also gathers intelligence on cyber campaigns from more private sources. These public and private sources provide information the Geopolitical Risk Team bases service offerings on, such as both geopolitical and cybersecurity risk assessments; market entry analyses; interactive simulations; on-demand consultations; merge, acquisition, and talent assessments; or third-party risk assessments.

VerSprite also specializes in providing threat intelligence services based on data from cyber campaigns. Our security consultants can provide organizations with threat intelligence reports that provide information on both threat actors and suspicious activities within computer networks or infrastructure. Information on threat actors helps security teams resolve active compromises quickly because organizations can more easily deduce which threat actors are likely conducting an attack.

Information on suspicious activities and threat actors also helps organizations in two additional ways. First, security teams can respond to active compromises quickly by knowing which threat actors target similar companies. Second, internal security teams which discover suspicious activities within organizational infrastructure can determine which data processes, flows, and applications to remediate based on the probability an attack may escalate or the extent of possible damages during threat and vulnerability lifecycle assessments; cyber campaigns provide information, which is grounded in reality, on the possibility of attack escalation and extent of possible damages.

Want to learn more about STIX or Geopolitical Risk?

VerSprite offers a library of articles, webinars, ebooks, and more that organizations and individuals can access to learn more about geopolitical risks. The ‘What is Geopolitical Risk & Why Do You Need It?’ blog post can help readers understand how geopolitics present risks to organizations regardless of size or location.

VerSprite also offers resources on application security testing and development, topics related to cybersecurity legal compliance, threat and vulnerability management, and other cybersecurity-centric topics.

VerSprite and Threat Intelligence Sharing

VerSprite is a cybersecurity consulting firm that specializes in providing businesses risk management solutions. Practice areas of VerSprite include application technology solutions, development interface specializations, governance and compliance measures, and more. VerSprite’s Geopolitical Risk (GPR) team focuses on mitigating cybersecurity risks foreshadowed by geopolitical occurrences. 

Organizations can learn about their threat environments by contacting VerSprite’s security experts. Traditional services of GPR include conducting due diligence investigations, vetting vendors and partners, preparing for businesses for expansion, and assessing the effectiveness of cybersecurity plans or strategies. Businesses working with partnering companies should also consider merger and acquisition and joint business services.