Embracing an adversary‑centric approach to avoid impact
If you scroll through the news about the cyber threat landscape, it may look like an organization could be attacked in countless ways. Every year, thousands of new vulnerabilities and threat research reports are published, accompanied by millions of related indicators of compromise (IoCs). It is simply impossible to delve into every threat that appears in the public domain. This is why organizations have to prioritize—and that is where an adversary‑centric approach proves invaluable.
An adversary‑centric approach leverages cyber intelligence to gain insights on real attackers operating in an organization’s region, along with their methods and tools. This knowledge is then used to predict, prevent, detect, and respond to cyber threats. Ultimately, it enables companies to prevent potential damage.
It is impossible to protect against something you neither know nor understand. Cyber threat intelligence provides specialists with insights into how attackers are operating right now. This allows organizations to allocate resources effectively and counter the most relevant threats.
To better illustrate the concept of an adversary‑centric approach, let us look at an example outside the realm of cybersecurity.
Imagine you decide to protect your home by installing a heavy iron door. Aware that burglars could enter through the windows, you even add bars there as well. However, a thief active in your neighborhood uses lockpicks—and despite your precautions, manages to break in and steal your valuables.
Meanwhile, your neighbor’s house remains untouched. Knowing that several recent burglaries in the area had involved lockpicks, he installed a high‑quality smart lock in advance.
Before organizations can effectively leverage cyber intelligence, it is important to explore the different types of data and ways to use them.
- Strategic intelligence. High-level insights into the threat landscape, intended for executives. This information highlights trends, reveals adversary motivations, and helps assess the associated risks.
- Operational intelligence. Detailed information about the current state of the threat landscape, intended for cybersecurity specialists. It allows them to understand attackers’ ongoing plans and methods.
- Tactical intelligence. In-depth description of threat actors’ tactics, techniques, and procedures (TTPs) as well as the tools they employ.
- Technical intelligence. Data intended for integration with security solutions (e.g., IoC streams).
In the following articles, we will analyze the elements of the adversary-centric approach in greater detail and with practical examples. For now, let us briefly outline its core components.
Prediction
High‑end cyber intelligence enables organizations to anticipate threats. For instance, by analyzing data obtained from underground resources, a company can identify what adversaries are currently focused on—what malware they intend to use or which vulnerabilities to exploit.
Cyber intelligence also forms a clear and structured view of an organization’s unique threat landscape. It reveals who is most likely to attack, how they might do it, and why. With these insights, organizations can list the threat actor clusters most likely to target them and determine the TTPs those actors are likely to employ. As a result, cybersecurity teams can better prepare for real‑world threats.
Prevention
Cyber intelligence can also help prevent attacks. For example, with information about an adversary’s infrastructure, an organization can restrict communication between its own network and the malicious systems.
The same applies to knowledge about threat actors’ tools—particularly legitimate ones. Limiting access to remote administration, tunneling, and password recovery solutions significantly reduces adversaries’ capabilities. This makes it much harder for them to progress through the key stages of the attack lifecycle and achieve their objectives.
Furthermore, organizations that know the latest threat actor methods can configure their systems for the highest resilience to such malicious procedures.
Finally, by leveraging intelligence on the vulnerabilities actively exploited in real‑world attacks, organizations can prioritize patching and remediation efforts.
Detection
Cyber intelligence provides extensive opportunities for detecting threats. For instance, IoCs associated with the most relevant risks can help identify malicious activity that has evaded corporate security solutions.
Knowing attackers’ TTPs enables security teams to develop tailored detection content and formulate hypotheses for proactive threat hunting.
Up‑to‑date intelligence also allows organizations to assess the effectiveness of their security controls. This is particularly valuable when no in‑house detection content or threat hunting is in place, or when monitoring and response are outsourced. In such cases, organizations can test their defense capabilities through real‑world attack simulations and cyber exercises, making use of adversary tools, procedures, or entire profiles.
Response
Cyber intelligence often plays a crucial role in accurately identifying detected threats. It helps SOC teams correctly interpret alerts and determine the scope of an incident.
Integrating indicator streams with security solutions automatically provides additional context that is essential for identifying risks. TTP details available on most threat intelligence portals further support incident response.
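As an added example (not the article’s code) of the Detection and Response points above: a constructed indicator stream is matched against constructed proxy log lines, each hit is enriched with the actor and TTP it is attributed to, and hits are ranked by whether that actor is relevant to the organization’s region and sector. The actor names, indicator values, organization profile, and log format are all assumptions made for the example.

```python
import re
# Added example (not the article's code); all names and values are constructed placeholders.
ACTORS = {  # who targets whom, as the Prediction section describes
    "Cluster-A": {"regions": {"EU"}, "sectors": {"finance", "energy"}},
    "Cluster-B": {"regions": {"APAC"}, "sectors": {"retail"}},
}
ORG = {"region": "EU", "sector": "finance"}  # our organization's profile
# Indicator stream: value -> (attributed actor, ATT&CK technique it supports)
INDICATORS = {
    "update-cdn.example": ("Cluster-A", "T1071.001"),
    "203.0.113.17": ("Cluster-A", "T1105"),
    "mail-relay.example": ("Cluster-B", "T1566.002"),
}
# Proxy log lines: "<timestamp> <src_ip> <destination> <http_status>"
LOG_LINES = [
    "2024-05-01T10:00:01Z 10.0.0.5 update-cdn.example 200",
    "2024-05-01T10:00:07Z 10.0.0.9 www.intranet.local 200",
    "2024-05-01T10:01:13Z 10.0.0.5 203.0.113.17 200",
    "2024-05-01T10:02:40Z 10.0.0.12 mail-relay.example 403",
    "malformed line that must not crash the matcher",
]
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def is_relevant(actor):
    """An actor is relevant if it operates in our region or our sector."""
    p = ACTORS.get(actor, {})
    return ORG["region"] in p.get("regions", ()) or ORG["sector"] in p.get("sectors", ())

def match_logs(lines, indicators=INDICATORS):
    """Detection: one enriched hit per log line whose destination is an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse
        ts, src, dest, status = m.groups()
        if dest in indicators:
            actor, ttp = indicators[dest]
            hits.append({"ts": ts, "src": src, "dest": dest, "status": int(status),
                         "actor": actor, "ttp": ttp, "relevant": is_relevant(actor)})
    return hits

def prioritize(hits):
    """Triage: relevant actors first, then successful (2xx) connections before blocked."""
    return sorted(hits, key=lambda h: (not h["relevant"], h["status"] >= 300))

def scope_by_actor(hits):
    """Incident scope: the internal hosts that contacted each actor's infrastructure."""
    scope = {}
    for h in hits:
        scope.setdefault(h["actor"], set()).add(h["src"])
    return scope
```

Running `prioritize(match_logs(LOG_LINES))` puts the two Cluster-A hits, whose actor matches the organization’s region and sector, ahead of the Cluster-B hit that the proxy already blocked.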
An adversary‑centric approach to cybersecurity enables organizations to concentrate on the most critical risks. By leveraging cyber threat intelligence, companies can pinpoint the most likely adversaries, their methods and tools, and the vulnerabilities they exploit. This knowledge empowers security teams to build proactive defenses and prevent attacks before they cause damage.
In the upcoming articles, we will discuss in more detail how to put the adversary‑centric approach into practice.