Mapping and leveraging cyber threat landscape to predict attacks
A well-mapped and continuously updated cyber threat landscape enables organizations to identify who might attack them—and how. Essentially, it shapes a company’s threat profile, which helps define the adversaries actually or potentially targeting it. Such a profile provides valuable insights into threat actors’ motivations, methods, and tools. This data can then be leveraged to strengthen an organization’s IT infrastructure security.
Mapping the landscape is the first step toward adopting a threat-centric approach. We delved into this topic in the previous article in this series. Now we are going to explore how understanding adversaries and their methods enables organizations to set clear priorities and significantly improve their defenses against real-world threats.
The answer to “who is the attacker” is not the same as “identify the attacker by IP”—that is a task for law enforcement. A cybersecurity team’s priority is protecting the infrastructure, so it is crucial for them to know who might infiltrate the organization and why. In other words, they are not dealing with an abstract intruder but with real adversaries, their motivations, and specific goals. Cyber intelligence helps determine the ultimate goals of those who have targeted or are currently targeting similar organizations within a specific region.
Groups and clusters
When talking about threat actors, cybersecurity professionals usually refer to groups or clusters rather than individual attackers. These terms encompass certain technical characteristics—for instance, particular infrastructure elements used by adversaries, along with their methods and tools. This is how threat intelligence specialists distinguish one cluster from another. In this sense, a group or cluster represents an ecosystem that comprises all related components, including malware, tools, behavioral markers, C2 server addresses, and other indicators of compromise (IoCs).
To differentiate between these entities, a naming system is required. This has led to the development of specialized taxonomies. For example, BI.ZONE Threat Intelligence names clusters according to their motivation: “wolves” are financially motivated (e.g., Red Wolf), “werewolves” focus on espionage (e.g., Silent Werewolf), and “hyenas” engage in hacktivism (e.g., Gambling Hyena).
Cluster heat map
With cluster knowledge, organizations can identify the specific threats they are up against. As a result, they gain insight into adversaries’ ultimate goals as well as their likely methods and tools. This makes it possible to create a heat map that visualizes the activity of various clusters in the context of an organization.
The map consists of a core and several layers:
- Clusters that have already targeted the organization. For example, when a company has previously suffered a cybersecurity incident or received phishing emails associated with a specific group’s campaign.
- Clusters that have already targeted the industry. Even if the organization has not yet detected the activity of certain clusters, it should take note of those known to have attacked its industry. This information can be obtained through threat intelligence sources or from adversaries themselves—sometimes they post announcements on underground resources to boast about successful attacks.
- Clusters that target related industries. Some region-centered groups may have a broader focus. For instance, unlike cyber spies, extortion-driven clusters often operate across multiple industries. The same goes for hacktivists, who may target a wide range of organizations. Therefore, in certain cases, it is worth shifting the focus from industry to geography.
Gathering up-to-date information about active clusters and groups focusing on a specific organization can be resource-intensive. However, specialized tools can streamline the process.
To effectively protect an infrastructure, it is not enough to know which groups are targeting an organization or what drives them. It is equally critical to understand what methods and tools adversaries use to achieve their objectives.
The most transparent and clear way to organize this information is through MITRE ATT&CK. It allows organizations to describe threat actors’ tactics, techniques, and procedures (TTPs). Such structured knowledge helps address a wide range of cybersecurity tasks, which we will discuss in detail in the following articles in this series.
An organization can collect this information independently—for instance, by analyzing public research, exchanging incident data with industry peers, or investigating mentions of methods and tools on underground resources.
Alternatively, commercial solutions can automate this process and provide heat maps visualizing the most relevant TTPs for the organization. Below is an example of such a map on the BI.ZONE Threat Intelligence portal.
Attacker methods can vary significantly, so MITRE ATT&CK also offers detailed procedure descriptions.
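The two heat maps described above (the core-and-layers cluster map and the derived TTP map) can be computed from a small structured dataset. The following script is an added example and is not code from BI.ZONE or its portal: it places each cluster into a layer (already targeted the organization, already targeted the industry, or related industry/geography), weights the layers, and then scores ATT&CK technique IDs by summing the weights of the relevant clusters that use them. The cluster names, their industries, regions and technique attributions are all constructed sample data; only the technique IDs are real ATT&CK identifiers.

```python
"""Cluster heat map and TTP heat map built from a constructed threat-cluster dataset (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Relevance weight for each layer of the heat map described in the article:
# core = already targeted this organization; then its industry; then related industry / geography.
LAYER_WEIGHTS = {
    "targeted_org": 3.0,
    "targeted_industry": 2.0,
    "related_industry": 1.0,
}


@dataclass(frozen=True)
class Cluster:
    name: str
    motivation: str          # "financial", "espionage" or "hacktivism"
    industries: frozenset    # industries the cluster is known to have attacked
    regions: frozenset       # regions where the cluster is active
    techniques: frozenset    # MITRE ATT&CK technique IDs observed for the cluster


# Constructed sample data: hypothetical clusters named in the wolf/werewolf/hyena style.
# The technique IDs are real ATT&CK IDs, but their attribution to these clusters is invented.
SAMPLE_CLUSTERS = [
    Cluster("Example Wolf", "financial", frozenset({"finance", "retail"}), frozenset({"EU"}),
            frozenset({"T1566", "T1059", "T1486", "T1021"})),
    Cluster("Example Werewolf", "espionage", frozenset({"finance"}), frozenset({"EU"}),
            frozenset({"T1566", "T1078", "T1071"})),
    Cluster("Example Hyena", "hacktivism", frozenset({"government", "telecom"}), frozenset({"EU"}),
            frozenset({"T1498", "T1190"})),
    Cluster("Far Wolf", "financial", frozenset({"healthcare"}), frozenset({"APAC"}),
            frozenset({"T1486", "T1059"})),
]


@dataclass
class OrgProfile:
    industry: str
    region: str
    related_industries: frozenset
    # Clusters seen in the organization's own incidents or phishing campaigns (the map's core).
    observed_clusters: frozenset = field(default_factory=frozenset)


# Constructed organization profile used by the demonstration below.
SAMPLE_ORG = OrgProfile("finance", "EU", frozenset({"retail", "insurance"}),
                        frozenset({"Example Werewolf"}))


def classify(cluster, org):
    """Return the heat-map layer a cluster falls into for this organization, or None."""
    if cluster.name in org.observed_clusters:
        return "targeted_org"
    if org.industry in cluster.industries:
        return "targeted_industry"
    # Financially motivated and hacktivist clusters tend to cross industries, so for them
    # shared geography is enough to enter the outer layer; espionage clusters need a related industry.
    if org.region in cluster.regions and (
        cluster.motivation in {"financial", "hacktivism"}
        or cluster.industries & org.related_industries
    ):
        return "related_industry"
    return None


def cluster_heat_map(clusters, org):
    """Map cluster name -> (layer, weight) for every cluster relevant to the organization."""
    result = {}
    for c in clusters:
        layer = classify(c, org)
        if layer is not None:
            result[c.name] = (layer, LAYER_WEIGHTS[layer])
    return result


def ttp_heat_map(clusters, org):
    """Score ATT&CK techniques by summing the weight of each relevant cluster that uses them."""
    heat = cluster_heat_map(clusters, org)
    scores = defaultdict(float)
    for c in clusters:
        if c.name in heat:
            for technique in c.techniques:
                scores[technique] += heat[c.name][1]
    # Highest score first; ties broken by technique ID so the output is stable.
    return dict(sorted(scores.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    for name, (layer, weight) in cluster_heat_map(SAMPLE_CLUSTERS, SAMPLE_ORG).items():
        print(f"{name:<18} {layer:<18} weight={weight}")
    for technique, score in ttp_heat_map(SAMPLE_CLUSTERS, SAMPLE_ORG).items():
        print(f"{technique} {score}")
```

Run with real threat intelligence feeds in place of `SAMPLE_CLUSTERS`, the sorted TTP scores are the ranking a detection team would use to decide which ATT&CK techniques to cover first; the layer weights are a design choice and should be tuned to how much the organization trusts each source of cluster attribution.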
Mapping organizations’ cyber threat landscape involves two key components: attackers (groups and their motivations) and their modus operandi (TTPs). By analyzing heat maps of group activity and their tactics through MITRE ATT&CK, companies can develop targeted defenses instead of relying on generic protection measures.
Building a threat landscape is an ongoing process. Adversaries constantly evolve their methods and tools, and new activity clusters regularly emerge. Therefore, the landscape profile must be continuously and promptly updated. This approach transforms abstract risks into concrete security measures and ensures proactive prevention rather than reactive response.
To stay ahead of threat actors, organizations should keep track of both known threats and ongoing underground discussions about emerging methods. Read more about this in the next article in this series.