Threat actor profiling is a discipline found widely throughout the cybersecurity industry. Some would call it a science. Others would call it an art. It’s actually both. Successful profiling requires diligent, structured, scientific processes. But it also requires some intuition and creativity.
DarkOwl, a leading provider of darknet intelligence and threat actor profiling, describes threat actor profiling as the systematic collection, analysis, and interpretation of data pertaining to known threat actors and unknown cyber adversaries. The goal is always a better understanding.
Cybersecurity experts attempt to understand:
- Who the threat actors are
- What their motivations are
- Any intentions they have for future attacks
- Their capabilities and resources
- Their operational methods
Profiling is an excellent tool for aggregating threat intelligence data into a meaningful, fairly accurate picture of the threat actors security teams should worry about most.
The Science of Threat Actor Profiling
Effective threat actor profiling is built on gathering data and applying it correctly. The scientific nature of the exercise cannot be ignored. Otherwise, profiling is of little value. The big question is what goes into the science? Equally important is what comes out of it. Consider the following five things:
- Identification – The science begins with gathering baseline data for purposes of identifying threats. Data analysis looks at threat actor aliases, motivations, capabilities, and typical behaviors. It’s not unusual to look at archetypes as well, especially pertaining to political threats.
- Established Models – Security teams rely on established models, like the Diamond Model of Intrusion Analysis, to create links between threat actors, their capabilities, infrastructure, and victims. Models create a structure that is ideal for further analysis.
- Data-driven Analysis – Successful analysis is driven by high-quality data gleaned through state-of-the-art intelligence platforms.
- Ongoing Monitoring – Since threat actors never stop innovating, ongoing monitoring is necessary to keep up. Around-the-clock dark web monitoring is non-negotiable.
- Risk Assessment – Data and its analysis give security teams the ability to assess potential risks and prioritize them accordingly. The most significant threats get more attention.
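The Diamond Model and risk assessment steps above can be made concrete. The following is an added example (not the article's or DarkOwl's code): each observed event is recorded as one Diamond (adversary, capability, infrastructure, victim), events that share a capability or a piece of infrastructure are linked into activity threads, unattributed events inherit the alias of the thread they land in, and each thread gets a simple, explicit risk score so the most significant threads are reviewed first. All aliases, tool names, IP addresses (RFC 5737 documentation ranges) and victim names are constructed for illustration; the scoring formula is an assumption chosen for clarity, not an industry standard.

```python
"""Diamond Model link analysis and risk ranking (added example, not from the article).

Each event is one Diamond: adversary, capability, infrastructure, victim. Events sharing
infrastructure or a capability are linked into activity threads, unknown adversaries take
the alias already present in their thread, and threads are ranked by a simple risk score.
Every sample value below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DiamondEvent:
    event_id: str
    adversary: Optional[str]   # known alias, or None when the event is unattributed
    capability: str
    infrastructure: str
    victim: str


# Constructed sample events: placeholder aliases, tool names and documentation IPs.
SAMPLE_EVENTS = [
    DiamondEvent("e1", "ACTOR-A", "phish-kit-1", "198.51.100.7", "bank-1"),
    DiamondEvent("e2", None,      "phish-kit-1", "198.51.100.9", "bank-2"),
    DiamondEvent("e3", None,      "loader-2",    "198.51.100.9", "insurer-1"),
    DiamondEvent("e4", "ACTOR-B", "scanner-3",   "203.0.113.4",  "retailer-1"),
    DiamondEvent("e5", None,      "scanner-3",   "203.0.113.4",  "retailer-1"),
]


def _find(parent, x):
    """Union-find root lookup with path compression."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def link_events(events):
    """Group events into activity threads; two events are linked when they share a
    capability or an infrastructure node. Returns a list of event-id sets."""
    parent = {e.event_id: e.event_id for e in events}
    first_seen = {}  # (vertex type, value) -> event id that first used it
    for e in events:
        for key in (("capability", e.capability), ("infrastructure", e.infrastructure)):
            if key in first_seen:
                root_a = _find(parent, first_seen[key])
                root_b = _find(parent, e.event_id)
                if root_a != root_b:
                    parent[root_b] = root_a
            else:
                first_seen[key] = e.event_id
    threads = {}
    for e in events:
        threads.setdefault(_find(parent, e.event_id), set()).add(e.event_id)
    return sorted(threads.values(), key=min)


def profile_threads(events):
    """Build one profile per thread: attribution, the four Diamond vertex sets,
    the events that were only attributed by linkage, and a risk score (assumed formula:
    distinct victims weighted by distinct capabilities, plus infrastructure breadth)."""
    by_id = {e.event_id: e for e in events}
    profiles = []
    for ids in link_events(events):
        evs = [by_id[i] for i in ids]
        aliases = {e.adversary for e in evs if e.adversary}
        caps = {e.capability for e in evs}
        infra = {e.infrastructure for e in evs}
        victims = {e.victim for e in evs}
        # Two different aliases in one thread is itself a finding an analyst must resolve.
        if len(aliases) == 1:
            adversary = next(iter(aliases))
        else:
            adversary = "CONFLICT" if aliases else "UNKNOWN"
        score = len(victims) * len(caps) + len(infra)
        profiles.append({
            "adversary": adversary,
            "events": sorted(ids),
            "capabilities": sorted(caps),
            "infrastructure": sorted(infra),
            "victims": sorted(victims),
            "unattributed_events": sorted(e.event_id for e in evs if e.adversary is None),
            "risk_score": score,
        })
    # Highest risk first, so the review queue matches the prioritisation step.
    return sorted(profiles, key=lambda p: p["risk_score"], reverse=True)


if __name__ == "__main__":
    for p in profile_threads(SAMPLE_EVENTS):
        print(p["adversary"], p["risk_score"], p["events"], "via linkage:", p["unattributed_events"])
```

With the constructed data, e2 and e3 carry no alias on their own, but e2 shares a phishing kit with the ACTOR-A event and e3 shares a host with e2, so both land in the ACTOR-A thread; that thread spans three victims and two capabilities and therefore outranks the ACTOR-B thread. The `unattributed_events` field keeps the linkage-based attributions visible, which is where the human judgement described in the next section is applied.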
As with all scientific pursuits, the quality of the data matters to threat actor profiling. Poor data leads to inaccurate and incomplete profiles. High-quality data helps security teams paint a fairly accurate and comprehensive picture.
The Art of Threat Actor Profiling
As powerful as data is to the profiling equation, everything from source to age to analytical bias can affect its quality. Therefore, the most successful profilers add a few things to the data. This is where the art of threat actor profiling comes in.
Profilers are very good at providing:
- Contextual Understanding – Experienced profilers can add context. For example, their domain knowledge can lead to a better understanding of things like geopolitical events and industry trends to identify emerging threats.
- Subtle Connections – Experienced profilers can make subtle connections between behaviors and threats, connections that automated tools often miss. Experience is irreplaceable in this regard.
- Hypotheses – Threat actor profiling requires forming theories and hypotheses regarding potential threat intentions. Human profilers can flesh out these hypotheses to test variable scenarios against observed data.
- Narratives – Once a threat detection profile is built, it needs a narrative. Only human profilers can construct clear, actionable narratives that provide the entire picture regarding a threat actor’s capabilities and intentions.
Threat actor profiling is part science and part art form. To deny either aspect is to settle for a lesser profile that does not meet its true potential. To make it all work, cybersecurity teams need both a threat intelligence platform and human profilers capable of providing the nuances automated tools lack.