A Threat is not a Threat Actor!
In this article, we will discuss how ‘threat’ is conceptualized in cybersecurity. We will present criticisms of the classical approach, pointing out its inconsistencies with the parameters of the cyber world. Following this, we will suggest a more pragmatic definition of threat.
In the discipline of cybersecurity, there exists a common formula for ‘threat’. As is widely known, this formula is:
Threat = Intent x Capability
It would not surprise anyone to say that this concept is borrowed from classical security disciplines. As an extension of the same concept, the definition of ‘threat’ has been almost entirely equated with the ‘threat actor’, particularly in the subfield of cyber threat intelligence. This is because according to this approach, an element that isn’t an actor cannot show intent and, therefore, cannot constitute a threat. But under what conditions was this concept born? And does it meet the unique conditions of the cyber world?
Comparison of threats in the kinetic and cyber world
In dominant schools within war studies, intelligence, and international relations, the primary units of analysis have traditionally been nation-states. This is quite normal given the conditions of the time when these disciplines emerged as academic fields. Until after World War II, the greatest threat to states was other states. Almost all wars were conducted conventionally, so when planning military defense (or attack), the intent and capabilities of the opposing state were taken into account.
During the Cold War and subsequent periods, due to the risk of nuclear war, interstate conflict took on the form of unconventional warfare. This changed the perception of adversaries from being solely nation-states to also including asymmetric threats. At this stage, even though asymmetric threats don’t have clearly defined borders like a nation-state, they still can be organized, meaning they retain their ‘actor’ characteristic. Hence, the Intent x Capability equation can still be applied to asymmetric threats, though it’s more challenging.
Consider a basic military defense example: Country A and Country B have known hostile relations. The air force of Country A consistently violates the airspace of Country B, ignoring engagement rules. Here, the fighter jets in Country A’s inventory meet the Capability criterion, and the continuous violation of Country B’s airspace demonstrates Intent, thus constituting a threat to Country B. In response, Country B can deploy ground-to-air defense systems to counter this threat. Even if this doesn’t completely eliminate the threat from Country A’s air force, it will certainly reduce it. Country A, in turn, might acquire anti-radiation missiles in response. As seen in this simple example, adversaries (i.e., actors) in such defense/attack scenarios are entities whose capabilities and intents can be observed. Therefore, the Capability x Intent equation is suitable for planning against these types of threats.
On the other hand, the nature of cyber threats is very different from the kinetic world. Firstly, in the cyber realm, there isn’t a clearly identifiable ‘actor’. This primarily stems from the long-debated attribution problem in cyberspace. Secondly, contrary to the kinetic world, a cyber attack doesn’t require organized movement. A single individual can develop the necessary skills and execute a cyber attack, making the identification and tracking of such non-organized activities much more challenging. From this perspective, the nature of cyber threats resembles ‘lone wolf terrorism’ in security studies, where neither identity nor intent and capabilities can be observed.
Another significant difference arises concerning capability. In the kinetic world, especially in the military domain, developing capabilities is both challenging and costly. For a country to conduct air operations, it must add fighter jets and supporting equipment to its inventory. It also requires trained pilots, engineers, technicians, and a command structure to plan and conduct air operations. Furthermore, there’ll be a need for airbases and fueling stations. Even if all these conditions are met, pilots and commanders still need real-life operational experience. As one can imagine, this entire process will be both time-consuming and costly for the concerned country.
Looking again from a defense planning perspective, if Country B doesn’t currently have air combat capabilities, hostile Country A naturally won’t expect Country B to develop this capability overnight. Hence, when Country A is planning its defense, it doesn’t need to be concerned about an air attack from Country B. If Country B ever decides to develop this capability, it would be a long process, allowing Country A to detect the intent and start making preparations.
However, in the cyber world, the situation is quite the opposite. Developing a cyber attack capability (with few exceptions) is neither expensive nor time-consuming. Thus, the tools and techniques a cyber actor uses can change almost instantaneously. This suggests that a cyber actor’s capability inventory is almost limitless. Associating capability with the actor doesn’t make sense from a defense planning perspective in this context, because nearly every actor can use almost every capability (with the exception of very costly ones like zero-day exploits, advanced backdoors, and deep packet inspection).
Lastly, what distinguishes kinetic threats from cyber threats are physical boundaries. For an actor to carry out a kinetic attack, they must physically transport their capability (often including themselves) to the location they intend to strike. This confines the threats posed by actors to certain physical limits. However, in the cyber world, such a limitation does not exist. As we know, almost anyone can launch a cyber attack on another country’s critical infrastructure systems from the comfort of their home. This situation significantly increases the quantity of threats a defense planner faces. Moreover, since these threats can originate from anywhere in the world, a defense planner doesn’t have the chance to observe each and every threat actor.
In the end, when we look at the threats a cyber defense planner faces:
- They are unidentifiable and thus cannot be neutralized.
- They cannot be observed, hence their intent cannot be anticipated.
- Their capabilities are unknown because the range of capabilities they could employ is virtually unlimited.
Given these conditions, it is clear that the actor-centric Capability x Intent approach is entirely ineffective for cyber defense planning. This is because, ultimately, the nature of threats in the kinetic world differs greatly from those in the cyber world. No defense planner can take action against a threat they cannot identify, whose capability they cannot foresee, and whose intent they cannot observe.
An Alternative Threat Concept
At this point, we can propose a much more functional threat definition for a cyber defense planner:
Threat — A method (techniques or tactics) an attacker (actor, agent, adversary) can possibly use to achieve or advance towards a particular goal.
In this concept, the link between the threat and the actor who executes it is completely decoupled. Threat is defined as the attack opportunities the terrain of the defender offers to the enemy. After all, a threat actor is almost entirely free in choosing how they will attack. Therefore, in such an environment, we cannot speak of capabilities specific to actors.
Threats are inherent in any terrain (IT infrastructure, software, process), regardless of the attacker’s capabilities or intent, and are not necessarily caused by a weakness (software flaw or vulnerability).
In this approach, the primary unit of analysis for the defense planner is not the actor but the attack methods themselves. The defense planner no longer concerns themselves with the intent and capabilities of actors but focuses entirely on their own terrain. They assess their attack surface using red team analysis from various angles, uncovering all potential attack methods. They then base their defense plans on these identified attack scenarios.
Actually, this type of analytical approach is not entirely absent in cybersecurity. Projects like OWASP Top 10 and MITRE ATT&CK are primary examples of this kind of approach. The problem is that defense efforts are focused only on the subsets of these vectors that are “known to be used by actors”, due to the classic ‘threat actor’ concept. Going a step further, they are based on very specific signature-like information, such as IOCs and TTPs.
Prioritizing Threats
After threats are defined, another issue for the defense planner is to determine which threats are more relevant. I can suggest two methods in this regard:
4-Level Analysis for Threat Prioritization
This method, which I call the “Four-Level Analysis,” essentially relies on four data points for prioritizing threats: posture risk, incidents, vulnerabilities, and threat intelligence. By examining these four types of data conjunctively, we can get an idea of which threats concern our organization the most.
For more information on this topic, you can read my two articles below:
- 4-Level Analysis for Threat Prioritisation — Chapter I
- 4-Level Analysis for Threat Prioritisation — Chapter II
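As an added illustration of the four-level idea (example code, not from the article or its linked chapters; the field scales, the saturation points, and the rule of ranking by how many levels corroborate a threat before blending their values are this example's own assumptions), here is one way a planner could rank attack methods, with the methods themselves as the unit of analysis:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ThreatEvidence:
    """Evidence about one attack method, gathered from the four levels.
    Field names, scales and saturation points are this example's assumptions."""
    posture_risk: float   # 0..1: how exposed our own terrain is to this method
    incidents: int        # past incidents in which this method was observed
    vulnerabilities: int  # open findings that would enable this method
    threat_intel: int     # external reports of this method against our sector

def corroborating_levels(e: ThreatEvidence) -> int:
    """Conjunctive view: how many of the four levels flag the method at all."""
    return sum([e.posture_risk > 0, e.incidents > 0,
                e.vulnerabilities > 0, e.threat_intel > 0])

def blended_score(e: ThreatEvidence) -> float:
    """Tie-breaker: mean of the four levels, each saturated to a 0..1 scale."""
    parts = (min(e.posture_risk, 1.0), min(e.incidents, 5) / 5,
             min(e.vulnerabilities, 10) / 10, min(e.threat_intel, 5) / 5)
    return sum(parts) / len(parts)

def prioritize(evidence: dict[str, ThreatEvidence]) -> list[tuple[str, int, float]]:
    """Rank attack methods: most corroborating levels first, blended score second."""
    ranked = [(name, corroborating_levels(e), blended_score(e))
              for name, e in evidence.items()]
    return sorted(ranked, key=lambda r: (r[1], r[2]), reverse=True)

# Constructed sample: four attack methods as the threats; not real findings.
SAMPLE_EVIDENCE = {
    "Phishing":                          ThreatEvidence(0.7, 3, 0, 4),
    "Exploit public-facing application": ThreatEvidence(0.9, 0, 6, 2),
    "Valid accounts (credential reuse)": ThreatEvidence(0.5, 1, 2, 3),
    "Hardware additions":                ThreatEvidence(0.1, 0, 0, 0),
}

if __name__ == "__main__":
    for name, levels, s in prioritize(SAMPLE_EVIDENCE):
        print(f"{levels}/4 levels  score={s:.3f}  {name}")
```

Note that the method with the highest single-level value ("Exploit public-facing application" on posture risk) does not come out on top: the conjunctive rule favors the method that every level points at.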
Motive — Intent — Enabler Model (Adversary Persona Cards)
This second method is inspired by the threat actor definition in a manner similar to the classic understanding. However, the aim here is not to define individual actors. The aim is to create general classifications, or personas, by categorizing actors based on common motivations, common intents, and common incentives. With these persona cards, the defense planner can get an idea of the attack vectors they need to prioritize.
Below you can find two example persona cards:
Conclusion
Considering the unique dynamics of the cyber world, it is clear that the Capability x Intent equation, which has been borrowed from traditional security disciplines, doesn’t provide a comprehensive perspective on cyber threats. An actor-based approach to threats doesn’t hold water in a realm where actors are challenging to identify, and capabilities can be easily acquired and shifted.
The dynamism and unpredictability of the cyber world call for a redefinition of ‘threat’. This new definition needs to be more holistic and better suited to the parameters of the digital era. It is crucial for the cybersecurity community to reassess how threats are conceptualized and adapt to this constantly evolving landscape. The incorporation of structured prioritization methods like the 4-Level Analysis and the Motive — Intent — Enabler Model further aids in refining defense strategies. In a world where threats are increasingly borderless and digital, pivoting from traditional paradigms to more holistic and terrain-centric approaches will be crucial for robust cybersecurity defense planning.
Until next time!