Adversary Persona Development
What are adversary personas and why do we use them? Context complicates security: continent, country, region, state, locality, political union, political party, being in opposition or in power, the audience served, community, religion, demographics, labor, environment, elections, media, and social media can all shape how you control for risk. The same is true of adversaries, their capabilities, and their motivations. Personas describe the who (description), why (motivation and goals), and what (resources and capabilities) of an adversary to an organization. By borrowing tools from product and user experience design, we can construct adversary personas that help us challenge common assumptions and fallacies about attackers while imagining other creative yet realistic possibilities.
- Enable students to think broadly and creatively about potential cybersecurity threats.
- Understand and build a realistic "who" behind security threats considering their identity, motivations, and resources.
- Identify common fallacies about adversaries.
- See Course Readings for "Adversary Personas"
Create Initial Adversary Personas: Form groups of 3-5 students based on their client or project. Have each group decide on its top 3 adversaries. Each group then presents each adversary's identity, its motivation for attacking the client's assets, and the resources at its disposal, including any particular capabilities or tactics used.
- How do these initial personas incorporate the perspectives from the readings?
- Do any of these adversaries fall into Julian Cohen's categories of attacker fallacies (Resourced Attackers, Motivated Attackers, Intelligent Attackers, Inadequate Attackers)?
- What does your adversary's typical day look like? What would your adversary be doing when off from work or during their downtime?
Adversaries are not only shaped by context; they are also people. Each of the following adversary types is made up of people with motivations and needs not unlike our own (see Maslow's Hierarchy of Needs):
- Organized Crime
- Nation State
- Professional Hacker (Individual / Collective)
- Terrorism (Organized / Lone Wolf)
- Criminal (Scammer / Opportunist)
- Insiders (Intentional / Unintentional)
Realistic concepts of attackers have been a focus of Julian Cohen's work (see https://medium.com/@HockeyInJune/).
!!! quote "Julian Cohen on Playbook-based Testing"
    To achieve low-overhead and scalability, attackers create playbooks. Attackers that have multiple targets care about repeatability and scalability.

    Repeatability — The capability to change the target and have the attack still work with the same success rate.

    Scalability — The capability to launch the attack against multiple targets with minimal cost per additional target.
Resourced attackers (whether by size, amount of money, or skill) may still prefer low-sophistication but effective attacks such as phishing. This does not mean they are inadequate or unmotivated. See APT1.
Motivated attackers may have very strong incentives for attacking an organization, but still might only work during business hours. See APT28.
Intelligent attackers can still make mistakes, and their methods may not withstand simple countermeasures.
Unsophisticated attacks should not be confused with inadequate attackers. Market efficiency drives the tactics used based on repeatability and scalability.
If attackers with multiple targets care about repeatability and scalability, then...
"All attackers are resource-constrained." - Dino A. Dai Zovi
"All attackers have a boss and a budget." - Phil Venables
Consider adversaries such as intimate partners or lazy employees. Do they also have resource constraints, bosses, and budgets?
Creating Adversary Personas
Traditional "Threat Actor Profiles" may be found across the web for various threat groups (see https://oasis-open.github.io/cti-documentation/stix/intro). Following standardized formats such as STIX, these profiles include name, description, aliases, roles, goals, sophistication, resource level, and motivations (primary, secondary, and personal).
How might we avoid fallacies? Ground these profiles in reality (https://methods.18f.gov/decide/personas/).
- Gather research from earlier activities.
- Create a set of [adversary] archetypes based on how you believe the [adversary will threaten your partner].
- Analyze your records for patterns as they relate to [adversary] archetypes.
- Pair recurring goals, behaviors, and pain points with archetypes. Give each archetype a name and a fictional account of their day.
- Link your persona to your research.
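One way to record a persona in the standardized profile format described above, while enforcing the who/why/what fields and linking it back to the team's research: an added example, not part of this module or of the STIX project. Property names and the four vocabulary sets follow the STIX 2.1 specification; the persona content a caller passes in is constructed.

```python
"""STIX 2.1 Threat Actor built as a plain dict, used here as an adversary persona.
Added example; property names and vocabularies follow STIX 2.1, persona content is constructed."""
import uuid
from datetime import datetime, timezone

# STIX 2.1 open vocabularies (sophistication, resource level, motivation, actor type).
SOPHISTICATION = {"none", "minimal", "intermediate", "advanced", "expert", "innovator", "strategic"}
RESOURCE_LEVEL = {"individual", "club", "contest", "team", "organization", "government"}
MOTIVATION = {"accidental", "coercion", "dominance", "ideology", "notoriety", "organizational-gain",
              "personal-gain", "personal-satisfaction", "revenge", "unpredictable"}
ACTOR_TYPE = {"activist", "competitor", "crime-syndicate", "criminal", "hacker", "insider-accidental",
              "insider-disgruntled", "nation-state", "sensationalist", "spy", "terrorist", "unknown"}

def _vocab(values, vocab, field):
    """Reject values outside the open vocabulary so personas stay comparable across teams."""
    bad = [v for v in values if v not in vocab]
    if bad:
        raise ValueError(f"{field}: {bad} not in vocabulary")
    return list(values)

def make_persona(name, description, actor_types, goals, sophistication, resource_level,
                 primary_motivation, secondary_motivations=(), personal_motivations=(),
                 aliases=(), roles=(), sources=()):
    """Who = description, why = goals and motivations, what = sophistication and resource
    level. STIX only requires name; description and goals are required here because the
    module's persona method asks for them. sources become external_references."""
    if not (description and goals):
        raise ValueError("persona needs a description (who) and at least one goal (why)")
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "type": "threat-actor",
        "spec_version": "2.1",
        "id": f"threat-actor--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": name,
        "description": description,
        "threat_actor_types": _vocab(actor_types, ACTOR_TYPE, "threat_actor_types"),
        "aliases": list(aliases),
        "roles": list(roles),
        "goals": list(goals),
        "sophistication": _vocab([sophistication], SOPHISTICATION, "sophistication")[0],
        "resource_level": _vocab([resource_level], RESOURCE_LEVEL, "resource_level")[0],
        "primary_motivation": _vocab([primary_motivation], MOTIVATION, "primary_motivation")[0],
        "secondary_motivations": _vocab(secondary_motivations, MOTIVATION, "secondary_motivations"),
        "personal_motivations": _vocab(personal_motivations, MOTIVATION, "personal_motivations"),
        # "Link your persona to your research": one reference per gathered source.
        "external_references": [{"source_name": s} for s in sources],
    }
```

A persona that fails the vocabulary check is a signal to discuss: a sophistication like "elite" usually means the team is guessing rather than grounding the profile in its research.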
Adversary Personas (https://daylight.berkeley.edu/adversary-personas/) is an improvisational role-playing game designed to help teams think broadly and creatively about their cybersecurity threats. Developed by researchers from UC Berkeley's Daylight Security Research Lab (https://daylight.berkeley.edu/adversary-personas/), the game focuses on the who of security by forcing players to ask: who might our adversaries be, what do they want, and what would they be willing to go through to get it? The game can be played by teams of employees in any organization and is recommended for groups of 2 to 10 people. Download the game here.
Follow the instructions listed here under "How to Play." The game could be played in groups by student team and their assigned client so that students can brainstorm about the adversaries for their current project. Alternatively, you can mix teams and get new perspectives on various security problems.
Have each group present their answers to "Step 4. Who are you most concerned about?" Reflect on how the discussion and the card game changed anything from their initial personas in the Activity section. When they were role-playing or talking through motivations or tactics, did the adversaries seem like realistic threats, or did their attacks require stretches of imagination?
Reiterate the reasons for understanding one's adversaries. Developing personas is a great technique for brainstorming and uncovering likely adversary strategies, tactics, and targets. In a future module, we will learn about constructing threat scenarios to communicate the potential actions of adversaries to our clients in a meaningful way.
Have each team develop a set of adversary personas. These personas will be used to create effective threat scenarios.