Target wanted to address a common issue in cybersecurity: having too much intelligence and no means to analyze it or a direction to relay it. Information sharing across security domains is the main barrier WAVE is meant to break.
The retailer uses a Workflow for Adversary Verification & Evaluation matrix, dubbed WAVE, to predict, detect and assign attribution to tactics, techniques and procedures (TTPs) of threats, said Kelsey Helms, lead cyberthreat intelligence analyst at Target, during the SANS CTI Summit in January.
WAVE pulls parts of existing frameworks, including the Diamond Model for Intrusion Analysis, MITRE ATT&CK and Lockheed Martin's Cyber Kill Chain Model, to make a digestible and operational approach to threat intelligence.
Because WAVE is a product of other frameworks, although an improved version, it "shows to me that we are still at the crawl phase of making cyber threat intelligence a more robust capability," said Brian Kime, senior analyst serving security and risk professionals at Forrester.
Stakeholders generally don't need to know the technical details of a threat group or their preferred TTPs. They do need to know if their company has enough visibility into the threats to prevent an incident that leads to regulatory and reputational damage.
"The board doesn't care about MITRE ATT&CK, and they shouldn't," said Kime. "No one cares about that other than people like in the SOC." But WAVE seems to borrow "the important parts of these frameworks, and directly contributes to operationalizing the intelligence in this case, creating new detections — so kudos to them," he said.
How WAVE works
A particular strain of ransomware does not define a threat group, though malicious actors do have preferences for what malicious tools to use. Understanding the TTPs and how they're circulated will help companies prevent attacks at large.
In order to provide ransomware and malware research to Helms' counterparts in threat detection, the framework was built to "thoroughly map out all the detection we had in place for what I was seeing," she said. "This made me realize that based on different team processes, some useful intel was falling into communication gaps."
WAVE created a common language for Target's security teams to reference across different workflows. The cyberthreat intelligence team uses the matrix for documenting TTPs while the protection team can request information for TTPs they're unfamiliar or unsure about, said Nate Icart, lead threat intelligence detection engineer at Target, during the summit.
The matrix filled communication voids between threat analysis and detection. The matrix "essentially takes a conglomerate of all the various kill chains that exist, and simplifies them into the important major stages of an attack that directors go through. No matter what type of actor it is," said Helms.
It made the analysts' work more actionable, said Icart. "We can detect ingress events in multiple ways; known attack signatures can be deployed to scan downloads and incoming phishing attachments." Egress traffic is also detectable, including through endpoint network logging.
There are two main ways that TTPs can show up, according to Helms:
- A TTP that is prevalent in a specific threat group's routine activity
- A TTP that is prevalent because multiple threat groups reuse it
The most common TTPs allow security teams to prioritize prevention and patching, and attributing a certain group's attack flow can help track further activity and affiliates.
Attack flows are used by incident responders either during an attack or in post-mortem investigations. The attack flow data can be compared across existing entries in the matrices to determine what unauthorized party was in a system.
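As an added illustration of the two prevalence views and the attack-flow comparison described above (example code written for this article, not Target's WAVE tooling; the group names, technique IDs and detection list are constructed sample data):

```python
from collections import Counter

# Constructed sample of a WAVE-style matrix: each threat group's observed TTPs
# (labelled with ATT&CK technique IDs), in attack-stage order. Sample data only.
MATRIX = {
    "group-A": ["T1566.001", "T1204.002", "T1059.001", "T1486"],
    "group-B": ["T1566.001", "T1059.001", "T1021.001", "T1486"],
    "group-C": ["T1190", "T1059.001", "T1048"],
}

# Constructed list of TTPs for which a detection is already in place.
DETECTIONS = {"T1566.001", "T1486"}


def ttp_prevalence(matrix):
    """Cross-group prevalence: how many groups reuse each TTP."""
    return Counter(t for ttps in matrix.values() for t in set(ttps))


def routine_ttps(matrix, group):
    """Group-specific prevalence: TTPs in one group's routine activity."""
    return set(matrix[group])


def coverage_gaps(matrix, detections):
    """Most-reused TTPs with no detection, highest prevalence first.

    This is the 'map out all the detection we had in place' view: the top of
    the list is what prevention and detection engineering should prioritize."""
    prevalence = ttp_prevalence(matrix)
    gaps = [(t, n) for t, n in prevalence.items() if t not in detections]
    return sorted(gaps, key=lambda item: (-item[1], item[0]))


def attribute(matrix, observed_flow):
    """Compare an observed attack flow against every matrix entry.

    Returns (group, Jaccard similarity) pairs, best match first, so a responder
    can see which known entry the flow most resembles."""
    observed = set(observed_flow)
    scored = []
    for group, ttps in matrix.items():
        known = set(ttps)
        scored.append((group, len(observed & known) / len(observed | known)))
    return sorted(scored, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    print("detection gaps:", coverage_gaps(MATRIX, DETECTIONS))
    print("attribution:", attribute(MATRIX, ["T1566.001", "T1059.001", "T1021.001"]))
```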
Red teams can use TTPs for more broad scoping or testing detection solutions, said Icart. WAVE's cyclical nature, open to continuous feedback, "allows the output from hunts or red team operations to inform the creation or tuning of detection rules."
Haves and have nots
Since its 2013 data breach, Target has been mindful of "even minor additional data security incidents" bringing "greater scrutiny" because of the breach, the company said. The WAVE framework enables the retailer to get ahead of a potential incident.
"WAVE makes it easier to show the impact the detection enhancement will have against the newly identified TTPs," Jodie Kautt, VP of Cybersecurity at Target, told Cybersecurity Dive in an email. "We invest significantly in in-house technology and capabilities to build a holistic understanding of the threat landscape facing our organization and the retail industry at large."
For context, in FY 2019, Target's IT capital expenditure (which includes supply chain) was $811 million, an increase from $568 million in 2018, according to annual filings.
But not all companies will have a SOC as robust as Target's. The retailer has "probably one of the better resourced teams out there now," said Kime.
Though WAVE integrates well with existing, widely used frameworks, the issue with most of them is scalability. The WAVE matrix is designed to be transferable to smaller teams with employees who cover multiple security domains across industries.
"Target regularly shares threat intelligence and learnings to help our industry peers – just like we have with the WAVE framework," said Kautt.