# Adversary Intelligence

[[Adversary Intelligence]] is an [[Adversary Research]] capability in Cybersecurity that provides actionable Adversary Intelligence to the organization, helping it prioritize and make business decisions to stay ahead of adversaries.

Adversary Intelligence can often contain highly sensitive information and should have rings of trust (Internal, External, Privileged):

- **Internal** - information that should only be shared within your organization. (example: increased adversary activity on organizational assets)
- **External** - information you want to share with the larger security community, for the greater good of the internet. (example: a discovered zero day, security indicators)
- **Privileged** - information that should only be shared with those who need to know. (example: an exposed or compromised employee credential)

This includes dark web monitoring, compromised credential monitoring, and early vulnerability reporting, applied to organizational assets or context.
## Map

```mermaid
<!-- element style="width:90%; height:auto" -->
graph TD
Top[[Cybersecurity]] --- A[[Adversary Research]]
A --- A.1[[Persona Management]]
A --- A.2[[Dwell Analytics]]
A --- A.3[[Exploit Management]]
A --- A.4[[Target Prediction]]
A --- A.5[[Adversary Intelligence]]

%% Class Definitions
%% =====================
class Top,A,A.1,A.2,A.3,A.4,A.5,A.6,B,B.1,B.2,B.3,B.4,B.5,C,C.1,C.2,C.3,C.4,D,D.1,D.2,D.3,D.4,D.5,E,E.1,E.2,E.3,E.4,E.5,E.6 internal-link,font-color:white;
class Top cssClassL0;
classDef cssClassL0 fill:black,stroke:black,stroke-width:4px,font-size:15px,font-color:white;
class A,B,C,D,E cssClassL1;
classDef cssClassL1 fill:darkblue,stroke:darkblue,stroke-width:4px,font-size:15px,font-color:white;
class A.1,A.2,A.3,A.4,A.5,A.6,B.1,B.2,B.3,B.4,B.5,C.1,C.2,C.3,C.4,D.1,D.2,D.3,D.4,D.5,E.1,E.2,E.3,E.4,E.5,E.6 cssClassL2;
classDef cssClassL2 fill:blue,stroke:blue,stroke-width:4px,font-size:15px,font-color:white;
class A.5 cssClassCurrent;
classDef cssClassCurrent fill:#2f9503,stroke:#2f9503,stroke-width:4px,font-size:15px,font-color:white;
```

## Definition

>[!success] Definition
>Adversary Intelligence takes in targets and threat intelligence, and produces adversary-related intelligence that helps the business make decisions as part of its defensive strategy.

## Goals

*Working notes: creating a feed for the org, the output of the "Adversary Research" capability. The goals currently describe the process and need to be reworked to state what you are trying to achieve.*

>[!cm-goal] Goal 1
>**Organizational Intel Reports** - provide actionable reports that pair threat intelligence with organizational security decisions for the entire organization.

>[!cm-goal] Goal 2
>**Share Intel With Trusted Partners** - work with trusted security organizations to share threat intelligence and disrupt adversaries on a global scale, while masking the source of the reporting organization.
>[!cm-goal] Goal 3
>**Discover Insider Adversary Intel** - gather and curate information from the dark web, botnets, and other adversarial sources to get ahead and stay ahead of adversarial activities.

>[!cm-goal] Goal 4
>**Minimize Organizational Exposure** - leverage OSINT to discover and clean up exposed public data about the organization, its attack surface, and its employees that could be used to help an adversary.

>[!cm-goal] Goal 5
>**Protect Organizational Branding** - monitor social media, public repositories (GitHub, Hugging Face, etc.), and copycat products that could be used by an adversary to pose as your organization and attack customers or employees. It is always best to own or control your brand on these platforms and, where possible, use takedowns to stop brand infringement.

## Scope

The scope of Adversary Intelligence covers a wide range of Threat Intelligence sources, including but not limited to OSINT, the dark web, and intel providers. That intel should be confirmed and mapped to any asset or application of the organization.

## Process

```mermaid
flowchart LR
A[1. Collect Threat<br />Intelligence] --> B1[2. Filter Low<br />Fidelity Intel]
B1 --> C[3. Correlate Intel<br />To Assets]
B2[Organizational<br />Assets] --> C
C --> D[4. Classify Intel<br />Findings]
D --> E[5. Share Based On<br />Classification]
```

## Metrics

*Working note: break down of personas.*

>[!cm-metric] Metric: [[% of High Fidelity Intel vs All Intel]]

>[!cm-metric] Metric: # of Externally Shared Intel

>[!cm-metric] Metric: % Growth in Actionable Findings YoY

## Inspiration & Resources

+ https://www.kaspersky.com/resource-center/definitions/threat-intelligence
+ https://www.gartner.com/en/conferences/hub/security-conferences/insights/threat-intelligence-security-monitoring-incident-response
+ https://services.google.com/fh/files/misc/intelligence-capability-development-ds-en.pdf
+ https://warnerchad.medium.com/learn-to-build-a-threat-intelligence-program-in-1-day-notes-5be9bcbc97ad

## [Cyber City Map](https://cybercitymap.com/) © 2023-2024 by [ThirdScore, Inc.](https://thirdscore.com/) All Rights Reserved.
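The five-step process flow above, the rings of trust defined at the top of the page, the source masking called for in Goal 2, and the "% of High Fidelity Intel vs All Intel" metric can all be exercised in one small pipeline. The following is an added example written for this page, not code from Cyber City Map or ThirdScore: the intel items, asset inventory, hostnames, provider names, fidelity scores, the `0.6` fidelity floor, and the mapping of brand-abuse findings to the Internal ring are all constructed assumptions, chosen only to show how the stages fit together.

```python
"""Added example (not part of the Cyber City Map page): an Adversary
Intelligence pipeline that follows the page's five steps over constructed
sample data and assigns each finding to a ring of trust."""
from dataclasses import dataclass, field

RINGS = ("Internal", "External", "Privileged")  # rings of trust from the page

# Constructed asset inventory; names are placeholders, not real systems.
ASSETS = {
    "vpn.example.test": {"owner": "it-network", "kind": "host"},
    "shop.example.test": {"owner": "ecommerce", "kind": "app"},
    "example.test": {"owner": "brand", "kind": "domain"},
}


@dataclass
class IntelItem:
    source: str          # feed/provider name; masked before external sharing
    kind: str            # "ioc", "credential_leak", "vuln", "brand_abuse"
    value: str           # indicator or subject (constructed)
    fidelity: float      # provider confidence, 0.0 .. 1.0
    related: list = field(default_factory=list)  # asset names the item mentions


# Step 1 output: constructed intel as it might arrive from mixed sources.
RAW_INTEL = [
    IntelItem("dark-web-feed-A", "credential_leak", "j.doe@example.test", 0.90, ["example.test"]),
    IntelItem("osint-scrape", "ioc", "203.0.113.7", 0.30, ["vpn.example.test"]),
    IntelItem("intel-provider-B", "ioc", "198.51.100.22", 0.85, ["vpn.example.test"]),
    IntelItem("intel-provider-B", "vuln", "ZERO-DAY-PLACEHOLDER", 0.80, ["shop.example.test"]),
    IntelItem("osint-scrape", "brand_abuse", "exarnple.test", 0.75, []),
    IntelItem("paste-site", "ioc", "192.0.2.9", 0.95, ["unknown-host.test"]),  # no asset match
]

FIDELITY_FLOOR = 0.6  # assumed threshold; tune per provider track record


def filter_low_fidelity(items, floor=FIDELITY_FLOOR):
    """Step 2: drop intel whose confidence is below the floor."""
    return [i for i in items if i.fidelity >= floor]


def correlate(items, assets):
    """Step 3: keep only intel that maps to an organizational asset.
    Brand-abuse items name no asset, so they attach to the domain assets."""
    findings = []
    for item in items:
        if item.kind == "brand_abuse":
            hits = [a for a, meta in assets.items() if meta["kind"] == "domain"]
        else:
            hits = [a for a in item.related if a in assets]
        if hits:
            findings.append((item, hits))
    return findings


def classify(item):
    """Step 4: assign a ring of trust following the page's examples.
    credential_leak -> Privileged; ioc and vuln -> External (shareable
    indicators / zero days); brand_abuse -> Internal (assumption: it concerns
    the organization itself rather than the wider community)."""
    if item.kind == "credential_leak":
        return "Privileged"
    if item.kind in ("ioc", "vuln"):
        return "External"
    return "Internal"


def share(findings, assets):
    """Step 5: group findings by ring and prepare them for release.
    External records have their source masked (Goal 2); Privileged records
    carry the owning teams as the need-to-know audience."""
    out = {ring: [] for ring in RINGS}
    for item, assets_hit in findings:
        ring = classify(item)
        record = {"kind": item.kind, "value": item.value, "assets": assets_hit,
                  "source": "masked" if ring == "External" else item.source}
        if ring == "Privileged":
            record["audience"] = sorted({assets[a]["owner"] for a in assets_hit})
        out[ring].append(record)
    return out


def high_fidelity_pct(items, floor=FIDELITY_FLOOR):
    """Metric from the page: % of high-fidelity intel vs all intel."""
    if not items:
        return 0.0
    return 100.0 * len(filter_low_fidelity(items, floor)) / len(items)


def run_pipeline(raw=RAW_INTEL, assets=ASSETS):
    """Run steps 2-5 over collected intel; returns (shared-by-ring, metric)."""
    findings = correlate(filter_low_fidelity(raw), assets)
    return share(findings, assets), high_fidelity_pct(raw)


if __name__ == "__main__":
    shared, pct = run_pipeline()
    print(f"high-fidelity intel: {pct:.1f}%")
    for ring in RINGS:
        for rec in shared[ring]:
            print(f"[{ring}] {rec}")
```

With the constructed input, the low-confidence OSINT indicator is dropped at step 2, the paste-site indicator is dropped at step 3 because it maps to no asset, and the remaining four findings land in their rings: the leaked credential goes to Privileged with the asset owner as its audience, the two indicators go to External with the provider name replaced by `masked`, and the lookalike domain goes to Internal.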