Why You Should Understand Adversary Playbooks

When deploying prevention and detection controls, most network defenders are on a treadmill of sifting through thousands of indicators of compromise, trying to prioritize which ones they should tackle first. Typically, they know nothing about the context of the indicator, just that it is bad, and that it should be blocked somewhere in the environment. The problem is they never sift through them all, which makes them feel like they are always behind – which they are.

What the Cyber Threat Alliance and Unit 42, Palo Alto Networks' threat intelligence team, have been advocating for the past five years is to flip the equation and embrace adversary playbooks.

The idea is that network defenders should be deploying prevention and detection controls at all locations on the intrusion kill chain, designed specifically for all known adversary campaigns. In other words, get off the treadmill and start deploying controls designed specifically to thwart all known adversaries. This is an important idea because the network defender community already comprehends much about how adversaries run their attack playbooks. For all the “new” adversaries out there making headlines, most of the techniques they use are not new. I estimate that we, collectively, understand approximately 99 percent of the playbooks that cyber adversaries run on any given day.

The challenge has been: how do we organize that information and share it with the world at large? It turns out that this is far more complicated than it sounds. After much debate within Unit 42 and the Cyber Threat Alliance, we agreed that this is what constitutes an adversary playbook:

  • One or more cyber adversaries
  • Who run one or more campaigns
  • Who use a variety of techniques to attack their victims down the intrusion kill chain
  • Who leave indicators of compromise in their wake when they do
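The four-part definition above maps naturally onto a small data model, and once a playbook is in that form a defender can ask the question the article argues for: which kill-chain phases of a known adversary's campaigns have no matching control? The following is an added illustration written for this page, not code from Unit 42, the Cyther Threat Alliance or the playbook viewer; the adversary, campaign, technique and indicator values are constructed placeholders, and the coverage check goes one step beyond the text by reporting per-phase gaps and the campaign context behind each indicator.

```python
"""Model an adversary playbook (adversaries -> campaigns -> techniques on the
intrusion kill chain -> indicators) and check deployed controls against it.
Added example; all names and values below are constructed, not real actors."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Phases of the intrusion kill chain, in order.
KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]


@dataclass
class Technique:
    name: str
    phase: str                      # one of KILL_CHAIN
    indicators: List[str] = field(default_factory=list)  # IoCs left behind


@dataclass
class Campaign:
    name: str
    techniques: List[Technique]


@dataclass
class Adversary:
    name: str
    campaigns: List[Campaign]


def playbook_phases(adversary: Adversary) -> Dict[str, Set[str]]:
    """Map each kill-chain phase the adversary touches to its technique names."""
    phases: Dict[str, Set[str]] = {}
    for campaign in adversary.campaigns:
        for tech in campaign.techniques:
            if tech.phase not in KILL_CHAIN:
                raise ValueError(f"unknown kill-chain phase: {tech.phase}")
            phases.setdefault(tech.phase, set()).add(tech.name)
    return phases


def coverage_gaps(adversary: Adversary,
                  controls: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return kill-chain phases (in chain order) where at least one technique in
    the playbook has no deployed control. `controls` maps phase -> technique
    names that the deployed prevention/detection controls address."""
    phases = playbook_phases(adversary)
    gaps: Dict[str, List[str]] = {}
    for phase in KILL_CHAIN:               # iterate in chain order
        uncovered = phases.get(phase, set()) - controls.get(phase, set())
        if uncovered:
            gaps[phase] = sorted(uncovered)
    return gaps


def indicator_context(adversary: Adversary) -> Dict[str, dict]:
    """Attach adversary, phase and campaign context to every raw indicator,
    so an IoC is never 'just bad' but tied to where it sits in the chain."""
    ctx: Dict[str, dict] = {}
    for campaign in adversary.campaigns:
        for tech in campaign.techniques:
            for ioc in tech.indicators:
                entry = ctx.setdefault(ioc, {"adversary": adversary.name,
                                             "phase": tech.phase,
                                             "campaigns": []})
                if campaign.name not in entry["campaigns"]:
                    entry["campaigns"].append(campaign.name)
    return ctx


# Constructed sample playbook (placeholder actor, campaigns and IoCs).
BEACON = Technique("https beacon", "command_and_control",
                   ["c2.example.invalid"])
EXAMPLE_ADVERSARY = Adversary("EXAMPLE-ACTOR", [
    Campaign("example-campaign-1", [
        Technique("spearphishing attachment", "delivery",
                  ["sender@example.invalid"]),
        Technique("macro execution", "exploitation"),
        Technique("scheduled task persistence", "installation"),
        BEACON,
    ]),
    Campaign("example-campaign-2", [
        BEACON,
        Technique("credential dumping", "actions_on_objectives"),
    ]),
])

# Constructed view of what the defender has deployed today.
EXAMPLE_CONTROLS: Dict[str, Set[str]] = {
    "delivery": {"spearphishing attachment"},
    "command_and_control": {"https beacon"},
}

if __name__ == "__main__":
    for phase, techs in coverage_gaps(EXAMPLE_ADVERSARY, EXAMPLE_CONTROLS).items():
        print(f"no control at {phase}: {', '.join(techs)}")
    for ioc, ctx in indicator_context(EXAMPLE_ADVERSARY).items():
        print(f"{ioc}: {ctx['phase']} in {ctx['campaigns']}")
```

Running it lists the three phases (exploitation, installation, actions on objectives) where the constructed adversary runs a technique the deployed controls do not address, which is the prioritisation signal the article says indicator-by-indicator triage never gives you.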

Once we agreed on the general idea of what an adversary playbook was, we needed a way to visualize it, and built an open source playbook viewer earlier this year to do just that.

Read the rest of Rick Howard’s article on CSO Online.