# Persona Management

[[Persona Management]] is an [[Adversary Research]] capability in Cybersecurity that develops a catalog of known and potential adversaries with their objectives, motivations, and behaviors. Adversaries fall into three main adversary classes:

1) **Lucky:** uses off-the-shelf attacks and sprays endpoints with little or no knowledge of the target. Relatively easy to detect, but challenging to differentiate from Good/Pro adversaries because of the high volume of scanning across the internet.
2) **Good:** does proper reconnaissance and runs focused attacks against specific weaknesses, using more advanced tooling and tactics. Typically harder to detect, as they are more aware of their own actions. Commonly has an understanding of a specific industry that makes their attacks more effective.
3) **Pro:** able to build their own attacks, often uses zero-day exploits, highly focused and highly skilled. Will often go undetected for some time because of the use of unknown or undetectable attack vectors. Knows a lot about specific targets.

Based on the above characteristics, you can further divide adversaries into categories that depend on each industry and its respective abuse opportunities; these categories should be used in building attack maps of your organization. For this reason, tracking and updating personas for the business is useful for addressing the cyber attack exposure that new business or business changes may open up.
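As an added example (not code from the Cyber City Map project), the following Python sketches what a minimal persona catalog record could look like for the three classes above and computes the metrics listed under Metrics further down: `% Completed Identifier Fields` = Completed Fields / Total Fields, `% of security signal mapped to personas`, and the YoY growth or reduction in the number of personas. The record's field names, the technique tags, the sample personas and the sample alerts are all constructed assumptions; the page itself does not prescribe a schema.

```python
"""Added example, not the Cyber City Map project's own code: a minimal
adversary persona catalog plus the page's computable metrics. All field
names, personas, technique tags and alerts below are constructed."""
from dataclasses import dataclass, field, fields
from typing import Dict, List

ADVERSARY_CLASSES = ("Lucky", "Good", "Pro")  # the page's three classes


@dataclass
class Persona:
    """One catalog entry. Field names are an assumption for this example;
    'weaknesses' is the field the page says to add as maturity increases."""
    name: str
    adversary_class: str
    objectives: List[str] = field(default_factory=list)
    motivations: List[str] = field(default_factory=list)
    behaviors: List[str] = field(default_factory=list)
    techniques: List[str] = field(default_factory=list)   # hypothetical tags
    common_traits: List[str] = field(default_factory=list)
    weaknesses: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.adversary_class not in ADVERSARY_CLASSES:
            raise ValueError(f"unknown adversary class: {self.adversary_class}")


# Every field except the display name counts as an identifier field.
IDENTIFIER_FIELDS = [f.name for f in fields(Persona) if f.name != "name"]


def completed_fields_pct(persona: Persona) -> float:
    """% Completed Identifier Fields = Completed Fields / Total Fields * 100."""
    completed = sum(1 for n in IDENTIFIER_FIELDS if getattr(persona, n))
    return 100.0 * completed / len(IDENTIFIER_FIELDS)


def map_signals(signals: List[Dict[str, str]],
                catalog: List[Persona]) -> Dict[str, List[str]]:
    """Attribute each security signal to every persona whose technique tags
    contain the signal's technique; unmapped signals get an empty list."""
    return {
        s["id"]: [p.name for p in catalog if s["technique"] in p.techniques]
        for s in signals
    }


def signal_mapped_pct(signals: List[Dict[str, str]],
                      catalog: List[Persona]) -> float:
    """% of security signal mapped to at least one persona."""
    if not signals:
        return 0.0
    mapped = sum(1 for names in map_signals(signals, catalog).values() if names)
    return 100.0 * mapped / len(signals)


def growth_yoy_pct(last_year: int, this_year: int) -> float:
    """% growth in catalogued personas year over year (negative = reduction)."""
    if last_year == 0:
        raise ValueError("no personas last year; growth is undefined")
    return 100.0 * (this_year - last_year) / last_year


# Constructed sample catalog: one persona per class, with varying completeness.
CATALOG = [
    Persona("Opportunistic Scanner", "Lucky",
            objectives=["credential access"], motivations=["easy money"],
            behaviors=["internet-wide spraying"],
            techniques=["credential-stuffing"],
            common_traits=["high volume", "off-the-shelf tooling"]),
    Persona("Industry Insider Fraudster", "Good",
            objectives=["account takeover"], motivations=["resale"],
            behaviors=["targeted reconnaissance"],
            techniques=["credential-stuffing", "session-hijack"],
            common_traits=["industry knowledge"],
            weaknesses=["reuses infrastructure"]),
    Persona("Bespoke Intruder", "Pro", objectives=["data theft"]),  # sparse
]

# Constructed sample signals, shaped like alerts from a detection pipeline.
SIGNALS = [
    {"id": "alert-1", "technique": "credential-stuffing"},
    {"id": "alert-2", "technique": "session-hijack"},
    {"id": "alert-3", "technique": "dns-tunneling"},  # matches no persona yet
    {"id": "alert-4", "technique": "credential-stuffing"},
]

if __name__ == "__main__":
    for p in CATALOG:
        print(f"{p.name:28s} {p.adversary_class:5s} "
              f"fields complete: {completed_fields_pct(p):5.1f}%")
    print(f"signal mapped to personas: {signal_mapped_pct(SIGNALS, CATALOG):.1f}%")
    print(f"persona growth YoY: {growth_yoy_pct(8, len(CATALOG) + 7):.1f}%")
```

The unmapped `alert-3` is the interesting output: a growing share of unmapped signal is exactly the prompt the Process section's feedback loop describes, a cue to revisit abuse cases and add or update a persona.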
## Map

```mermaid <!-- element style="width:90%; height:auto" -->
graph TD
Top[[Cybersecurity]] --- A[[Adversary Research]]
A --- A.1[[Persona Management]]
A --- A.2[[Dwell Analytics]]
A --- A.3[[Exploit Management]]
A --- A.4[[Target Prediction]]
A --- A.5[[Adversary Intelligence]]
A.1 --- A.1.1[[Adversary Categorization]]
A.1.1 --- A.1.2[[Perspective Assessment]]
%% Class Definitions
%% =====================
class Top,A,A.1,A.2,A.2,A.3,A.4,A.5,A.6,B,B.1,B.2,B.3,B.4,B.5,C,C.1,C.2,C.3,C.4,D,D.1,D.2,D.3,D.4,D.5,E,E.1,E.2,E.3,E.4,E.5,E.6 internal-link,font-color:white;
class Top cssClassL0;
classDef cssClassL0 fill:black,stroke:black,stroke-width:4px,font-size:15px,font-color:white;
class A,B,C,D,E cssClassL1;
classDef cssClassL1 fill:darkblue,stroke:darkblue,stroke-width:4px,font-size:15px,font-color:white;
class A.2,A.3,A.4,A.5,A.6,B.1,B.2,B.3,B.4,B.5,C.1,C.2,C.3,C.4,D.1,D.2,D.3,D.4,D.5,E.1,E.2,E.3,E.4,E.5,E.6 cssClassL2;
classDef cssClassL2 fill:blue,stroke:blue,stroke-width:4px,font-size:15px,font-color:white;
class A.1 cssClassCurrent;
classDef cssClassCurrent fill:#2f9503,stroke:#2f9503,stroke-width:4px,font-size:15px,font-color:white;
```

## Definition

>[!success] Definition
> Persona Management is building a catalog of known and potential adversaries with their objectives, motivations, and behaviors to create a common index for the business to reduce unwanted or unauthorized access. As maturity increases, this should also include adversary weaknesses that inform the business how to slow or stop each persona.

## Goals

>[!cm-goal] Goal 1
>**Organization-wide Adversary Catalog** - have a complete catalog of known and potential adversaries including their objectives, motivations, and behaviors.

>[!cm-goal] Goal 2
>**Adversary Traffic Identification** - the ability to analyze logs, alerts, and activity across the attack surface and identify adversaries from customer/business traffic. At full maturity, AI models identify previously unknown patterns and adversary activity.

>[!cm-goal] Goal 3
>**Persona Based Attack Maps** - building attack maps of the organization and its services and using the characteristics of personas to evaluate interest and abuse use cases.

>[!cm-goal] Goal 4
>**Persona Business Strategy** - the organization should no longer deal with adversaries individually but focus on the persona as a whole. When defense strategies or investments are made, they should affect many adversaries instead of one or two.

## Scope

The scope of Persona Management covers any adversary that may be interested in your organization's assets or applications for abuse or malicious use cases. Your initial scope should start with current and known adversaries, but you need to be constantly evaluating for new or potential adversaries that may develop as technology and services evolve.

## Process

```mermaid
flowchart LR
A[1. Identify Abuse<br/>Cases] --> B[2. Understand An<br/>Adversary's Motivation]
B --> C[3. What Is<br/>Their Objective]
C --> D[4. Map Tactics<br/>and Techniques]
D --> E[5. Identify<br/>Common Traits]
E --> F[Publish Adversary<br/>Persona Catalog]
E -.-> A
```

## Metrics

>[!cm-metric] Metric: [[% of Growth of Personas YoY]]

>[!cm-metric] Metric: [[% of Reduction of Personas YoY]]

>[!cm-metric] Metric: [[% of security signal mapped to personas]]

>[!cm-metric] Metric: [[% Completed Identifier Fields]] = (Completed Fields/Total Fields)

## Inspiration & Resources

+ https://www.fsisac.com/insights/adversarial-risk-management
+ https://www.crowdstrike.com/adversaries/
+ https://www.darkreading.com/cyberattacks-data-breaches/how-to-identify-cyber-adversary-what-to-look-for
+ https://www.anomali.com/blog/focusing-on-your-adversary
+ https://www.exabeam.com/information-security/understanding-the-different-types-of-adversaries/
+ [A New Security Accounting or How to Win Against a Formidable Adversary - Active Response](https://www.activeresponse.org/a-new-security-accounting-or-how-to-win-against-a-formidable-adversary/)

## Release Notes

+ [[Q2 2024 Release#Document Persona Management for Adversary Research]]

## [Cyber City Map](https://cybercitymap.com/) © 2023-2024 by [ThirdScore, Inc.](https://thirdscore.com/) All Rights Reserved.