Operational Implications of the Cyber Security Threat Stack 'Glider', the unofficial hacker emblem

Operational Implications of the Cyber Security Threat Stack

Security teams have to start preparing for attacks that rate as ‘advanced’ now in order to deal with them tomorrow, and they have to start automating incident response. Using a threat stack as a tool allows the time to do just that.

Looking back on 2014, one can say that 2014 has been the year of the hacker. The world over, cyber security agencies, and cyber security companies, are reporting an increase in the number and the complexity of cyber-attacks. In University of Auckland's IT Security Team in 2014, we have had to deal with more, and with more complex, attacks than before.

Such developments place significant demands on cyber security teams. If one thing stands out about cyber attacks, it is that they do not come in one variety. Another thing that can be said is that a single cyber attack is lonely: many incidents now consist of multiple ‘attacks’ using a variety of tools.For people in business, universities, government and as individuals, the question then arises how we prepare for yet another increase in the number and complexity of cyber security incidents. One particular tool that we use in our team is the threat stack. Used with some caution, the threat stack allows forward planning of our defences against the sort of attacks that we can expect in the next 12 months.

The threat stack is a categorisation of attacks indexed by likely actor and motivation. As shown in the table, it indexes cyber threats from fairly innocuous experimentation, primarily by researchers, to advanced cyber crime and advanced persistent threat. In 2013, Richard Stiennon extended it by adding surveillance to it. At its simplest level, the threat stack can be interpreted as a measure of the motivation and sophistication of a particular group of attackers. It is also possible to attach an approximate timeline to the threats, indicating when these threats were most prominent, and the maturity level of the threat.

Threat Primary Motivation Timeline of prominence
Experimentation Curiosity Late 1970s - now
Vandalism Web graffiti Destructive Show off 1997 -
Hacktivism Political Activism Activism aimed at private business 2005 -
Cyber Crime Financial 2003 -
Cyber Espionage Intellectual Property theft Political 1995 -
Information Warfare (state sponsored or private) Disruption in Manufacturing, Infrastructure, Financial Overall Nation State disruption Military disruption 2007 -
‘Advanced Persistent Threat’ State sponsored Well-funded private initiative Economic and Military Power 2010 -
Surveillance Political Control 2013 -

The threat stack is a powerful aid in setting security strategy for an operational security team because it evolves in a predictable way: tools and techniques tend to move ‘up’ the stack from the very advanced level to the less skilled levels – this is what it is behind Kaspersky’s observation that cybercrime and advanced persistent threats will merge in 2015. In that sense, what counts as an advanced persistent threat today will be a common and likely attack vector tomorrow. Another aspect of the threat stack helps in its use as a planning tool – most of the day to day incidents for organisations come from somewhere in the middle of the stack, and are performed by a predictable group of actors: your ‘usual suspects’. Thus it is at the middle that we must build highly efficient incident response processes so as to leave time for investigation of the less common, but more complex incidents.

The strategic lesson is therefore twofold: security teams have to start preparing for attacks that rate as ‘advanced’ now in order to be able to deal with them when they become routine tomorrow, and they have to start automating incident response for attacks that are common today so that they do not take up too much time in the future. The good news is that using the threat stack as a tool allows the time to do just that.