
This blog post begins with a joke about two people in a forest and a bear.

A bear appears out of nowhere and starts to chase two guys during their walk in the forest. Surprised, they both start running for their lives, but then one of them stops to put on his running shoes. His buddy says, “What are you doing? You can’t outrun a bear!” The one lacing up replies, “I don’t have to outrun the bear; I only have to outrun you!”

I can’t tell you how many times I have heard this joke told when it comes to security. Most threat actors are just interested in a victim for its resources, and only some of them carefully target their victims. Unfortunately, for those companies that stand out among the rest, we have good and bad news: The good news is that you are awesome and an example of excellence among your peers; the bad news is that no matter how slow or fast you are, or how many other folks are in the forest, the bear wants you specifically.

When you are a victim of an attack, you don’t really know if you are being targeted or if the attacker is just sweeping through thousands or millions of victims just like you, because you have no visibility into your peers who are potentially under the same attack. However, a vendor with visibility across those peer targets and a global analytics perspective can detect a threat actor’s behavioral patterns simply by aggregating customer telemetry and spotting common attack campaigns being run on a widespread basis. An example: the threat actor (our bear) has a new campaign that involves a process sequence of A, B, C, D, E, F (waypoints in the campaign that all have to succeed to reach the mission objective, which could be ransomware, cryptomining, etc.). In this scenario, stopping to put on your running shoes works well, because you just need to ‘outrun’ the rest of the Internet; the bear is not targeting you, it just needs to eat.

But this does not work if you are the threat actor’s target. Lucky for you, we have a different plan: we will play the same game and target that bear like it has never been targeted before. I’m talking about knowing it so well we can predict its next move or even its next potential target. To do this, we must use machine learning to lower the operational costs and scale to all threat actors large and small.

When you use Cisco Stealthwatch with Cognitive Threat Analytics, you are making use of an analytics pipeline that includes a diverse set of machine learning techniques to target threat actors and model their activity and behaviors individually. Thousands of machine learning classifiers are hard at work mapping out any deterministic behavior or artifact that makes a threat actor stand apart from the rest. These traits may be how they go about naming systems, default values for variables, regularly used Autonomous System numbers, or how they check for Internet access. I could fill up this entire page with data features the machine learning finds useful, but in the end, we model their behavior. We know them maybe even better than they know themselves, making us the bear targeting them.
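As an added illustration of the two ideas above, crowd-level aggregation of campaign sequences across customers and actor-level matching of behavioral traits, here is a small Python sketch. It is not Cisco’s code or the Stealthwatch pipeline; the tenant names, event sequences, trait names and actor profile are all constructed for the example.

```python
from collections import defaultdict

# Constructed telemetry (not real customer data): tenant -> ordered event names.
TELEMETRY = {
    "tenant-1": ["A", "B", "C", "D", "E", "F"],
    "tenant-2": ["X", "A", "B", "C", "D", "E", "F", "Y"],
    "tenant-3": ["A", "B", "C", "D", "E", "F"],
    "tenant-4": ["P", "Q", "R", "S", "T"],  # seen nowhere else
}

# Constructed per-tenant traits and one hypothetical actor profile, standing in for
# features such as host naming, preferred ASN and Internet connectivity checks.
TRAITS = {
    "tenant-1": {"host_prefix": "WIN-", "asn": "AS64501", "conn_check": "msftconnecttest"},
    "tenant-4": {"host_prefix": "srv", "asn": "AS64500", "conn_check": "ping 203.0.113.9"},
}
ACTOR_PROFILE = {"host_prefix": "srv", "asn": "AS64500", "conn_check": "ping 203.0.113.9"}

def ngrams(events, n):
    """All length-n consecutive event sequences in one tenant's timeline."""
    return {tuple(events[i:i + n]) for i in range(len(events) - n + 1)}

def sequence_prevalence(telemetry, n):
    """Map each length-n sequence to the set of tenants that observed it."""
    seen = defaultdict(set)
    for tenant, events in telemetry.items():
        for gram in ngrams(events, n):
            seen[gram].add(tenant)
    return seen

def classify_tenants(telemetry, n=3, min_tenants=3):
    """'commodity' if any of a tenant's sequences recurs across >= min_tenants tenants
    (the crowd is being swept), else 'unexplained' (no peers to hide behind)."""
    prev = sequence_prevalence(telemetry, n)
    widespread = {g for g, t in prev.items() if len(t) >= min_tenants}
    return {t: "commodity" if ngrams(ev, n) & widespread else "unexplained"
            for t, ev in telemetry.items()}

def actor_match(traits, profile):
    """Fraction of the profiled actor's traits that match what a tenant observed."""
    hits = sum(1 for k, v in profile.items() if traits.get(k) == v)
    return hits / len(profile)
```

A tenant whose activity shares no sequence with its peers is exactly the case where crowd comparison gives nothing and the actor-level profile has to carry the detection.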

I put together this blog post because I recently spoke to a financial institution that used this bear joke to explain that they were not one of the common victims but a special case, with threat actors targeting them specifically. I told them that with the right telemetry, including global threat intelligence, combined with machine learning classifiers, we could target their attackers better than the attackers target them. Two can play at this game!

If you want to learn more about how we accomplish this, read this whitepaper on security analytics, which delves into the various layers of analysis we use.



Authors

TK Keanini

CTO

Security Business Group