# Adversary Research
[[Adversary Research]] is a top-level [[Cybersecurity]] capability which develops adversary intelligence for control owners in support of an organization's adversary-defensive strategy. Since organizations vary in approach, adversary research exists to collect information from the organization about its adversaries and about the opportunities adversaries derive from the organization's strategy and/or its operational mistakes. Adversary research is intended to create and maintain an organization's adversary schema and to collect the information needed to provide insights to security decision makers. Adversary research takes in asset details, incident data, and adversary-interest events, and provides adversary intelligence as its output.
## Map
``` mermaid <!-- element style="width:90%; height:auto" -->
graph TD
Top[[Cybersecurity]] --- A[[Adversary Research]]
A --- A.1[[Persona Management]]
A --- A.2[[Dwell Analytics]]
A --- A.3[[Exploit Management]]
A --- A.4[[Target Prediction]]
A --- A.5[[Adversary Intelligence]]
%% Class Definitions
%% =====================
class Top,A,A.1,A.2,A.3,A.4,A.5,A.6,B,B.1,B.2,B.3,B.4,B.5,C,C.1,C.2,C.3,C.4,D,D.1,D.2,D.3,D.4,D.5,E,E.1,E.2,E.3,E.4,E.5,E.6 internal-link,font-color:white;
class Top cssClassL0;
classDef cssClassL0 fill:black,stroke:black,stroke-width:4px,font-size:15px,font-color:white;
class B,C,D,E cssClassL1;
classDef cssClassL1 fill:darkblue,stroke:darkblue,stroke-width:4px,font-size:15px,font-color:white;
class A.1,A.2,A.3,A.4,A.5,A.6,B.1,B.2,B.3,B.4,B.5,C.1,C.2,C.3,C.4,D.1,D.2,D.3,D.4,D.5,E.1,E.2,E.3,E.4,E.5,E.6 cssClassL2;
classDef cssClassL2 fill:blue,stroke:blue,stroke-width:4px,font-size:15px,font-color:white;
class A cssClassCurrent;
classDef cssClassCurrent fill:#2f9503,stroke:#2f9503,stroke-width:4px,font-size:15px,font-color:white;
```
## Definition
>[!cm-definition] Definition
> Adversary research identifies and categorizes adversaries, interprets opportunities and threats, and shares adversary intelligence with the organization as a center of excellence for adversary insights.
## Goals
>[!cm-goal] Goal 1
> **Organization-wide Intelligence** - Adversary information, threats, and abusive behaviors are collected and tracked to provide insights organization-wide.
>[!cm-goal] Goal 2
> **Adversary Perspective** - Increase precision of defensive strategies and controls employed by an organization by including an adversary perspective to elevate value and return on security investments.
>[!cm-goal] Goal 3
> **Actionable Insights** - Use adversary intelligence to support better prioritization and to optimize defensive controls.
## Scope
The scope of Adversary Research covers all assets that may be of interest to an adversary, and the asset owners who require adversary intelligence to make key decisions.
## Process
Adversary research is performed by collecting information about the organization and aligning it with adversary motivations to create the organization's adversary intelligence feed. When the organization kicks off its processes to buy or build digital capabilities, the affected assets are enumerated, and the adversary personas and threats relevant to them are enumerated and tracked to aid in decision making.
```mermaid
flowchart LR
A[Business <br /> Strategy as Input] --> B[1. Identify Adversary <br /> Personas]
B --> C[2. Analyze <br /> Dwell]
C --> D[3. Predict <br /> Targets]
D --> E[4. Manage <br /> Exploits]
E --> F[5. Share <br /> Intelligence]
F -.->|Informs| A
F --> Stakeholders
```
## Metrics
>[!cm-metric] Metric: [[% of Total Traffic that is Blocked]]
>[!cm-metric] Metric: [[% of Adversary Categories that are Active]]
>[!cm-metric] Metric: [[Average Adversary Dwell by Category]]
>[!cm-metric] Metric: [[% of Applicable Exploits that have been Researched]]
>[!cm-metric] Metric: [[% of Assets that are Exploitable]]
## Inspiration & Resources
+ https://www.sciencedirect.com/topics/computer-science/cyber-adversary
+ https://www.crowdstrike.com/adversaries/
+ https://daylight.berkeley.edu/adversary-personas/
+ https://medium.com/@brannondorsey/threat-classes-attacker-personas-96a27ab2a235
+ https://open-security-summit.org/sessions/2020/summits/may/training/week-1/social/drinks-and-persona-building-creating-adversary-trading/
+ https://www.researchgate.net/figure/Categories-of-adversarial-attacks_fig2_347966224
+ https://securitycards.cs.washington.edu/index.html
+ https://www2.deloitte.com/us/en/insights/industry/public-sector/government-deter-cybersecurity-adversary.html
+ https://www.mitre.org/sites/default/files/2022-04/11-strategies-of-a-world-class-cybersecurity-operations-center.pdf
+ https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-150.pdf
+ https://www.circl.lu/doc/misp/book.pdf
+ https://www.crowdstrike.com/cybersecurity-101/threat-intelligence/
## Release Notes
+ [[Q4 2023 Release#Document L1 for Adversary Research]]
[Cyber City Map](https://cybercitymap.com/) © 2023-2024 by [ThirdScore, Inc.](https://thirdscore.com/) All Rights Reserved.