
INTELLIGENCE PREPARATION OF THE BATTLEFIELD: WHAT IT IS AND HOW YOU CAN USE IT

Posted: 4th October 2018
By: Daniel Kropp



Updated: November 28, 2022

A security team's success is often defined by its ability to operate efficiently
and effectively. One of the most critical aspects of this is defining the team's
operational space, which includes understanding the tools and information at
your disposal and the threats you face. In this blog post, we will discuss how
to define your team's operational space by defining Intelligence Preparation of
the Battlefield (IPB) and provide some tips on how to use it to stay ahead of
your threats.

A CONCEPTUAL FRAMEWORK FOR THREAT INTELLIGENCE

An intelligence preparation of the battlefield (IPB) is a method for defining
and understanding a specific operating environment in all battlespaces — a
conceptual framework to better understand how to apply your threat intelligence.
It has been a staple tool to help military leadership make decisions, and when
the same methodology is applied to the cyber realm, the benefits can be
tremendous. By providing a broad overview for cybersecurity decision makers to
aid in strategy development, it helps answer the basic question, “What is my
current state of security?”

It can also provide a tactical understanding that helps decision makers
implement more effective mitigating controls. Everyone in cybersecurity
constantly seeks “actionable” threat intelligence, but it’s critical to realize
that what is considered actionable depends on the role of the person asking the
question. A well-developed IPB provides a level of understanding that benefits
everyone from the C-suite to the Tier 1 SOC analyst.

In its simplest form, an IPB can be broken down into three steps:

 * What does my operating environment look like?
 * What does my enemy look like?
 * What are my actions on objective? In other words, what are the likely courses
   of action where those two parts intersect?

We’ll take a closer look at how these three steps are developed to see why
following the IPB method is an advantageous undertaking for any security
organization, helping determine exactly what the objectives should be for any
cycle of threat intelligence development, what steps to take when improving your
security posture, and what future investment decisions to make.

WHAT DOES MY OPERATING ENVIRONMENT LOOK LIKE?

The first step in developing the IPB is understanding your organization's own
operating environment, which encompasses not only IT relationships but other
critical relationships as well. Oftentimes cybersecurity organizations can be
siloed in their approach, remaining laser focused on just the technology aspects
of their business and ignoring other critical relationships, which creates
opportunities that adversaries can take advantage of.

Having a clear picture of your IT security posture is still an essential aspect
of defining your operating environment, but it’s just one step in the process.
Basic threat intelligence programs often begin with gaining a better operational
awareness of their own environments — running internal network data through
SIEMs, subscribing to a few open source threat feeds, and so on — but actionable
threat intelligence encompasses far more than just a few feeds and alerts.

Taking a close look at all the relationships in your operating environment
allows you to uncover potentially unknown connections that raise concerns, and
it also allows for changes in the environment to happen without disrupting the
overview being developed.

From an IT perspective, for example, this means stepping back from a network map
and focusing on the workflow. Given a particular user, you can ask the following
questions to develop a clearer sense of their place within your organization:

 * What applications do they use?
 * What data do those applications process, and how is that data marked?
 * What infrastructure supports those applications, and where is that data being
   stored?

Defining these relationships agnostic of the specific technologies in play
creates an abstract conceptual framework that allows you to substitute different
particulars without a loss of understanding.



Specific details around the individual entities can then be added to provide
more granular context, such as:

 * Vulnerability scan history of the applications and infrastructure
 * Data tags of data being processed and stored
 * Shared infrastructure between applications, business units, data types, and
   so on

The accuracy and comprehensiveness of the data sources being used to build out
this view are the major limiting factors to how informative these details can
be. This can be the difference between knowing there may be around 2,000
machines within your environment vulnerable to a newly reported exploit in the
wild, and being able to state there are exactly X number of machines across four
business lines, 10 percent of which are business critical and need to be patched
immediately.
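The difference the post describes, between “around 2,000 machines” and an exact count broken down by business line and criticality, falls out of the relationship model once inventory and scan details are attached to it. The following added example (not code from the post or from Recorded Future) builds a small constructed inventory that links host, application, data tag and business line, then answers the question for a hypothetical advisory affecting a given software version; the host names, tags and version strings are all made up for illustration.

```python
from collections import defaultdict

# Constructed sample data, not a real environment: each host record links
# infrastructure -> application -> business line, carries a business-critical
# flag, and records the software versions observed in its last vulnerability scan.
def host(name, app, line, critical, **scan):
    return {"host": name, "app": app, "line": line, "critical": critical, "scan": scan}

HOSTS = [
    host("web-01", "storefront",    "retail",        True,  openssl="1.0.2k"),
    host("web-02", "storefront",    "retail",        False, openssl="1.0.2k"),
    host("api-01", "payments",      "retail",        False, openssl="1.1.1t"),  # already patched
    host("erp-01", "erp",           "manufacturing", False, openssl="1.0.2k"),
    host("erp-02", "erp",           "manufacturing", False, openssl="1.0.2k"),
    host("hmi-01", "plant-hmi",     "manufacturing", False, openssl="1.0.2k"),
    host("crm-01", "crm",           "sales",         False, openssl="1.0.2k"),
    host("crm-02", "crm",           "sales",         False, openssl="1.0.2k"),
    host("hr-01",  "hris",          "corporate",     False, openssl="1.0.2k"),
    host("hr-02",  "hris",          "corporate",     False, openssl="1.0.2k"),
    host("vpn-01", "remote-access", "corporate",     False, openssl="1.0.2k"),
    host("bak-01", "backup",        "corporate",     True,  openssl="1.1.1t"),  # already patched
]

# Data tags attached at the application level (the "how is that data marked?" question).
APP_DATA = {"storefront": "pii", "payments": "pci", "erp": "trade-secret", "plant-hmi": "ot",
            "crm": "pii", "hris": "pii", "remote-access": "credentials", "backup": "all"}

def affected_hosts(hosts, product, is_vulnerable):
    """Hosts whose last scan recorded a version of `product` that the advisory covers."""
    return [h for h in hosts if product in h["scan"] and is_vulnerable(h["scan"][product])]

def exposure_summary(hosts, product, is_vulnerable):
    """Exact count, per-business-line breakdown, business-critical share and data exposed."""
    hit = affected_hosts(hosts, product, is_vulnerable)
    by_line = defaultdict(int)
    for h in hit:
        by_line[h["line"]] += 1
    critical = sorted(h["host"] for h in hit if h["critical"])
    return {
        "total": len(hit),
        "by_line": dict(by_line),
        "critical": critical,
        "critical_pct": round(100 * len(critical) / len(hit)) if hit else 0,
        "data_tags": sorted({APP_DATA[h["app"]] for h in hit}),
    }

if __name__ == "__main__":
    # Hypothetical advisory: every OpenSSL 1.0.2 build is affected.
    print(exposure_summary(HOSTS, "openssl", lambda v: v.startswith("1.0.2")))
```

Because the model is keyed on relationships rather than on a network map, swapping the scan source or adding a new business line changes only the records, not the questions asked of them.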

From a business perspective, we can also start from the user and work our way
out. Given a user, what lines of business or products do they support? Looking
at a product, who are the suppliers? Where are those suppliers located, and who
are the parent organizations? Is that owner a country or organization that would
benefit from my intellectual property?

If the answer is “yes,” now there is a lead to start an investigation into the
specifics around those relationships, like contract language, access and
authentication methods, network segmentation, and so on.

The larger the organization, the more beneficial this becomes, making
prioritization key to successfully reducing risk — the threat landscape simply
becomes far too large to protect all attack vectors, from all threats, at all
times. Because relationships with suppliers, vendors, and partners are a
necessary part of running any business, taking time to evaluate the risks
associated with those connections can pay big dividends in reducing the threat
from downstream attack vectors.



This may sound like a daunting task, but there is one starting point that all
organizations can do to kick-start the process: Taking the time to define the
aspects of the organization that are most critical to success and focusing on
them first. While intellectual property sounds like a logical starting point
since no one wants to lose the crown jewel, forgetting to include business
continuity and disaster recovery can leave big gaps in risk management plans.

WHAT THREAT ACTORS ARE TARGETING ME?

The first step to understanding your enemy is defining who they are. Is this a
persistent nation-state attacker? Is your organization a target of opportunity?
Is bad press emboldening hacktivists to react to recent events? Threats from
these groups are not mutually exclusive, but the distinction is an important
aspect of how risk is calculated.

Once you identify your attacker, you can align the risks they represent more
closely with the vulnerabilities you previously identified in your operating
environment during the first step of developing an IPB. Here are three specific
examples of risk:

 * Financial risk — through the theft of resources via illegal money transfers
   or the use of computing power from cryptomining
 * Operational risk — by the disruption of manufacturing using ransomware that
   halts production
 * Strategic risk — through the theft of your organization’s market
   differentiators or intellectual property

The motivations of an adversary can also be used to determine their objectives.
Placing yourself in the mindset of an attacker helps develop a fuller picture
of what you need to defend. Listing out your adversary’s most likely targets and
aligning them with your critical business assets, for example, helps make the
intersection of adversary intention and business impact clearer.

Understanding the motivations and objectives of your adversaries should be done
not only at a strategic level, but at a tactical one. Document the actual
tactics, techniques, and procedures (TTPs) being used by known adversaries to
develop a complete profile. This is a framework suitable to understanding
adversaries of any size, from nation-state threat actors down to individual
hackers.

Documenting tactics also serves to gauge the capacity of an adversary to act on
their motivations. If you determine that a specific threat actor has displayed
the motivation and capacity to target your organization, prioritizing their TTPs
for mitigation and sweeping the network for known indicators is yet another way
to quantify risk reduction.

The ultimate goal is to be able to go through the following chain of reasoning
with some confidence:

 * Is this adversary motivated to target my organization?
 * If so, what are their objectives? What assets in my organization would they
   target?
 * Do they possess the technical acumen to achieve those objectives?


ACTION ON OBJECTIVE

Now that the operating environment and the adversary have been defined,
examining the intersection of these two components allows for defenders to begin
to formulate mitigations that are both proactive and predictive. Taking
proactive steps means asking yourself, “Based on what we currently know, are we
doing everything we need to defend ourselves?” And taking predictive steps means
asking, “Based on my understanding of the operating environment, can I decipher
the most likely courses of action for my adversary in order to mitigate events
before they have occurred?”

For most organizations, the starting point is proactive — after identifying
adversaries, their objectives, and their TTPs, they take immediate steps to
resolve any vulnerabilities present in their environment. The ability to take
immediate, concrete steps is key for threat intelligence — if it isn’t
contextual and actionable, it isn’t true threat intelligence.

After that step, it’s time to start thinking about how to be predictive. In the
case of a persistent threat, we know the adversary will develop new tactics to
keep pursuing the targets on its collection requirements as old TTPs are
discovered and shut down.

Since these objectives have already been defined in the second step of
developing an IPB, the defender is now a step ahead of the adversary. Taking
predictive steps to mitigate these threats means asking yourself which courses
of action your adversary is most likely to take, and then identifying ways to
proactively monitor for new tactics or increase your controls to
prescriptively mitigate these threats.


TAKING ACTION ON THREAT INTELLIGENCE

If an organization can position itself this way and develop a comprehensive
IPB, it can significantly decrease the advantage attackers have in the cyber
realm. A strong grasp of the operating environment can allow for defensive
actions such as manipulating what terrain the adversary encounters so that the
defender can dictate their movement within the network.

This also opens other possibilities for creative approaches to testing network
defenses. Red-team activities can now be enriched by focusing on the same
collection requirements as the adversary. Newly discovered TTPs can be simulated
for effectiveness against current network configurations and security controls.
As mentioned in the beginning, the development of an IPB has been standard
practice in the military to understand how terrain and environmental elements
impact how engagements could play out in a specific operating environment. Cyber
should be looked at with the same level of strategic understanding — but with
one big advantage to any of the other defined battlespaces.

This battlespace is digital and manmade, providing the ability to shift the
landscape as the engagement occurs. Security professionals that are able to gain
the insights and understanding discussed above will put themselves in a position
to finally get off their heels, flip the advantage in favor of the defender, and
take full control over the systems they are tasked to defend.

Begin your IPB talk with us today, or learn more about how Recorded Future
supports building your intelligence needs.
