When the team starts a new job, we always ask ourselves about various adversaries that may exist for the client - what is important to them, what are their motivations, what are their limitations, and how this makes them think and act. The team needs the ability to understand and tap into the mindset of the adversaries; this is what allows your team to adapt effectively and operate in various contexts and situations.
Adversaries can be broadly categorized into four main groups: criminals, corporate entities, state-sponsored, and ideologically motivated actors. Each of these adversaries has different motivations and objectives in carrying out attacks. Very broadly, the intentions of an adversary can be divided into two: obtaining information and disrupting information.
Obtaining information, for example, personal/financial data or sensitive information is likely to be carried out by state-sponsored, corporate entities, criminal, and ideologically motivated threat actors. Disruption, for example, denial of service attacks and website defacements, is more likely to be carried out by ideologically motivated threat actors.
Criminal actors are seeking access to information or resources that would benefit their illegal activities.
Corporate actors are seeking access to information or resources that would benefit their corporation.
State-sponsored actors are seeking access to information or resources that would benefit their sponsoring nation-state.
Ideologically motivated actors are seeking access to information or resources that would benefit their political or ideological views, or seeking to disrupt those with opposing ideological viewpoints.
Which adversaries do you think are most active against your target? Why?
It is critical that your team understands how an adversary thinks, what information is valuable to them, what sort of considerations are important to them, what kind of resources they have access to, and what sort of tactics they are likely to employ. These elements allow you to start building an adversary profile that will act as a reference point throughout the operation.
Understanding an adversary’s motivations is paramount. It is essential to understand what is desirable and of value to an adversary. For example, is the most crucial thing in targeting an organization not getting caught, as may be the case with corporate entities? Does the adversary need to protect their reputation, as is often the case with state-sponsored actors? Is it getting a return on their investment, as is often the case with organized crime? Is it just about doing damage regardless of other costs, as with ideologically motivated actors?
Understanding what drives an adversary will help your team replicate their approach and, consequently, help your client defend most effectively against such attacks. This is the first place to start when building an adversary profile. I begin by creating adversary profiles in the context of the target organization, identifying which one or two types of adversaries are most likely to target the organization and why. What motivations are we dealing with?
I find understanding your adversary and their motivations will then allow your team to make some hypotheses about their behavior. This will let you and your team answer questions like: What is their threshold for risk? What are their likely resources? What is their possible capability?
I find that answering these questions, in conjunction with an understanding of motivations, allows your team to engage in a realistic simulation of adversaries, including their tactics and the sorts of decisions they may make.
For example, a corporate adversary’s primary goal may be to obtain strategic intelligence from a company about their market positioning. The adversary has a low appetite for risk – they do not want to get found out and suffer reputational damage themselves. They have adequate resources and capability, although no ability to wiretap phones or issue warrants for online data. There is no need to pursue admin credentials and risk the attention this may bring, especially if such information can be sought from another source, such as from a strategy meeting attended by company executives. An adversary may, therefore, attempt to access the content of that meeting by obtaining tactical meeting information that may be found in a personal calendar, and then compromising the conference call system to covertly listen to the meeting and collect the information they need.
Always remember that adversaries have business objectives and must manage business risk too. Understanding this will significantly assist your team as you build a comprehensive adversary profile. When relying on your adversary profiles, I also ask my team and myself, what is their risk appetite? Resources? Capabilities? What sort of strategies are they likely to use? Social, Digital, Physical, or Supply Chain?