Intel’s Threat Agent Profiling Methodology Helps Prioritize Cybersecurity Resources.


Colonel Mustard did it in the library with the knife.


In the game of Clue, you always find out WHO did it, but never WHY. Was Colonel Mustard a jealous husband? Was he plotting to steal someone’s money? Did he get in a fight with spy? Or was it simply an accident?


Cybersecurity risk analysis has traditionally suffered from the same blind spot. The Federal Computer Week article, Cyberattacks: Too much how, not enough why, stated “Legislators, executive branch agencies and industry pay too much attention to the mechanics of cyberattacks and not enough to why the attacks occur.” Similarly, Ira Winkler observed in a Computerworld article about the Sony hack, “knowing who might attack you does matter.”

Developing a Better Organizational Understanding of Your Entire Risk Landscape

At Intel, we pay close attention to the types of attackers who might target our assets, areas where they are active, and trends and developments in their methods. This approach enables our designers and defenders to better allocate finite defensive resources in the most effective manner. We have developed a comprehensive threat taxonomy and Reference Threat Agent Library in use at not only Intel, but also numerous organizations such as the European Network and Information Security Agency (ENISA), The National Australia Bank, and the U.S. Department of Homeland Security.


Human threat-based risk management is a highly effective strategy to identify, assess, prioritize, and control cybersecurity risks. By defining threats concisely and consistently across the organization, we cut risk assessment time by as much as 60 percent.

Business-Security-Intelligence.jpgUnderstanding Who Wants Your Stuff and Why

“Know your enemy and know yourself and you can fight a hundred battles without disaster.” – Sun Tsu


Now we are adding an important update to our threat taxonomy I am very excited about. A new parameter, Motivation, describes what causes a threat agent archetype (such as mobster or nation-state cyberwarrior) to commit harmful acts. Heavily researched and developed over a year by our Threat Agent / Analysis Group, it is a significant maturation of the concept first proposed in our Threat Agent Risk Assessment (TARA) methodology. Understanding threat agent motivation helps indicate the nature of the expected harmful action.  We believe this is the best, most comprehensive set of motivational descriptors of adversaries available today.


We have identified 10 motivational elements: Accidental, Coercion, Disgruntlement, Dominance, Ideology, Notoriety, Organizational Gain, Personal Financial Gain, Personal Satisfaction, and Unpredictable. While our new white paper describes these elements in detail, two illustrations from recent headlines illustrate our work:


  • Our research indicates organized crime archetypes are primarily motivated by Organizational Gain. Consider the cyberattack at a hospital in Washington state, where an organized cybercriminal gang operating out of Russia and Ukraine heisted US $1.03 million from the unsuspecting healthcare institution. The article stated this gang had been active for at least five years and had “stolen many, many…millions from hundreds of victim organizations.”
  • The Sony breach, on the other hand, is a good example of the motivation behind nation-state cyberwarriors—Dominance. As Ira Winkler noted in his Computerworld article, “Sony can move forward on a fairly strong assumption that the guilty party was North Korea.” Unlike the Washington hospital attack, this hack was done for very different purposes and compromised a very different target.  Motivational analysis can identify those targets beforehand and help you shape your defenses proactively.


The addition of the Motivation parameter makes Intel’s Threat Agent Library significantly more meaningful to modern organizations—who may not even know they need it yet. Cyberattacks are on the rise and it’s impossible to close every vulnerability, so identifying your most likely threat vectors points directly to your most optimal security strategies.

Performing "Security Competitive Intelligence" to Meet Today’s Cyber Realities

By adding the WHY to the WHO and the HOW, Intel’s threat-based risk management methodology has become even more accurate, relevant, and understandable. Organizations using this methodology to conduct "security competitive intelligence” will see the same benefits as those that result from business competitive intelligence:

  • Understanding who you’re up against
  • Knowing their capabilities and weaknesses

So you can:

  • React quickly to changes in their strategy and methods


If you’d like more information about understanding threat motivations to improve your organization’s cyber defense, please read our white paper and let me know what you think here or at @timcaseycyber. I look forward to hearing from you!