Painting the Cyber Threat Landscape



For an aspiring landscape artist, getting out on location early in the evening with easel, canvas, brushes and paints in tow is an exhilarating feeling. Even if my landscape kit consists of a tripod, a camera body, lenses and SD cards, the feeling is the same.

I am there to:

  • Capture the light that illuminates and reveals the contours of the landscape in a way that pleases the eye.
  • Highlight details that a cursory glance would not dwell on.
  • Picture myself as the next Claude Monet, ready to create the new “Impression, soleil levant” – at least in my mind.

The truth, however, is that the end result is often good enough but not necessarily the next Monet.

As an artist, I do understand that I tend to repeat the habits of capturing the scene in the way I and so many others have already done a million times over. Conformance does not inspire, yet rules must be broken in a way that recognizes their existence. What is art also depends on the viewer’s preference, disposition and idea of art as a medium.

What’s art got to do with it?

What does any of this have to do with describing cyber threats, you may ask?

Most landscape photographers, at least the beginners, tend to face the setting sun and capture the magnificent colors of the sky, the clouds and the foreground it illuminates head on. The more experienced photographers on the other hand, turn away from the obvious and capture the contours of the landscape the pleasing warm light has put on display.

Cyber threats are also depicted by the mainstream media and researchers in a way that awes and exhilarates. The center stage is given to the criminals and their toolkits pretty much in the same way as the red disk of the setting sun attracts the eye. The victim is just the frame in which TTPs are composed. In the case of ransomware for example, the victims are seen as the unfortunate, who have been attacked by advanced super villains holding their crown jewels for ransom.

My Canvas, the Data Harmonization Ontology

I have dedicated most of my professional life to trying to understand the ways in which cyber crime victims become victims in the first place. Even when I was working for the Finnish national police trying to put bad guys behind bars not serving drinks, I had a keen interest in crime prevention.

Ever since I moved over to the private sector, I have done just that. I have for example helped uncover unknown vulnerabilities in software through fuzzing. More importantly, however, I have tried to make sense of it all through a simple language model called the data harmonization ontology. It is focused on looking at the representation of cyber threats in different data sets with an analytic eye and picking up common denominators for different phenomena through a simple language represented as lexemes and their semantic descriptions.

The core of this approach is to:

… always call the same things by the same name and never call the different things by the same name.

Sounds simple, right?

Well, since I am a determined person, editing a single document for more than a decade has suited me just fine. Yet, I have not done it in a vacuum, rather I have consulted and discussed the topics with the experts in the field. Moreover, I have followed the principle that whatever is in the document must be based on actual observations in threat data.

Too often standards are made in an ivory tower by a committee that designs them with the SQL database implementation in mind, rather than looking at the human who has to interpret the data in a way that helps to eradicate the problem.

I Did it My Way or Build Your Own Standard

What the tirade above means in practice is that my life’s work has consisted of putting names and labels on the bad things that befall cyber crime victims. More importantly, I have focused a lot of energy on naming the things that lead to people and organizations becoming victims. Lastly, I have put into words the things that criminals trade or barter with to victimize more people and organizations.

Below, I will sum up four categories of cyber threats with a focus on early warning.

Suspected Compromise

The traditional and most visible form of cyber crime deals with suspected compromise, which on the client side is very tightly connected with malware infections. Nowadays of course, the most prominent and feared form of malware is ransomware, which has laid waste to Fortune 500 companies, government networks and academic institutions alike.

In a sense, this form of cyber threat already represents the far end of the spectrum where the bad thing has already happened.

The other pieces of the puzzle for suspected compromise consist of:

  • malware distribution sites
  • command and control servers
  • phishing sites
  • brute-forcers
  • DDoS bots
  • scanners
  • compromised servers and so on.

But here, in my role as your tour guide, I would like you to take your gaze off the fiery ball in the sky and direct it towards the landscape behind you. Rather than picturing each part of the scenery as evidence of malice that can be used to attribute the criminal, I would like you to visualize even the command and control server as a potential victim of cyber crime.

After all, the server may have been:

  • Compromised and abused for resources.
  • Paid for with a stolen credit card.
  • Financed with laundered money, especially via so-called cryptocurrencies.

My point in all of this, of course, is to work towards a goal where the Internet is a more difficult place for criminals to conduct their business. If we take away the threat actor’s opportunity to use a given piece of infrastructure, it becomes more difficult for them to operate with impunity.

Quoting Arthur Conan Doyle (Sherlock Holmes in “The Adventure of the Copper Beeches”):

“Do you know, Watson,” said he, “that it is one of the curses of a mind with a turn like mine that I must look at everything with reference to my own special subject. You look at these scattered houses, and you are impressed by their beauty. I look at them, and the only thought which comes to me is a feeling of their isolation and of the impunity with which crime may be committed there.”

So in other words, wherever most people see the attacker, I see a potential victim, since cyber criminals abuse whatever resources they can get their hands on and that is a crime in itself. I happily leave the behind bars thing to law enforcement who actually have a mandate to do something about it.

Known Vulnerabilities

Moving away from the bad thing that has already happened, we step into the realm of initial access. As I have stated earlier, Jussi Eronen has pointed out the pertinence of the CISA KEV catalog as one factor determining the urgency for patching a given vulnerability. The rationale is that if it is something that the criminals are actively exploiting, then that is not a good thing, now is it?

CVEs are the stock-in-trade approach to naming vulnerabilities in software or hardware: each flaw is given a unique identifier, and its severity is typically rated with a metric such as CVSS. In this post I will not touch upon the deficiencies of this approach, but I want to direct your attention to the fact that organizations struggle to understand where their vulnerable systems are and which ones pose an imminent risk to their existence.

If you cannot patch or update all of your software all the time, you should at least prioritize your vulnerability management for the services exposed to the whole Internet. It is important to have a steady cadence, where the idea of a Patch Tuesday is your friend. Should you be affected by a critical vulnerability, and especially one listed in the KEV catalog, it is a good idea to patch it post haste – lest you get ransomwared.

Public Exposure

Even if CVE stands for Common Vulnerabilities and Exposures, exposures are not given identifiers in the same way vulnerabilities are. Mostly, this is because an exposure is an environmental variable tied to how a server or service is deployed, rather than a context-independent flaw that can be pinpointed via distinct variables such as a software version or patch level.

Public exposure is a problem because most organizations on the Internet do not know what their digital assets are, where they are hosted or which interfaces a given IP exposes.

Consequently, the “patch to the latest version of the software” approach does not address this issue at all, since the problem is one of access control, which is implemented through firewalls, switches, load balancers, reverse proxies and the like.

What is also quite interesting about public exposure in practice is that the solutions deployed to address the issue can themselves expose additional attack surface, through a management interface for example.

The only way to really address this issue, is to perform continuous attack surface discovery and assess how known vulnerabilities and exposures affect your organization. If you do not have the luxury of employing an in-house red team to do it for you, then third party validation will become a key aspect for this activity.

Since the number one target for ransomware operators is publicly exposed RDP interfaces, please make sure that you are not exposing one (or more) to the whole Internet.
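The prioritization described in the Known Vulnerabilities and Public Exposure sections above, as an added example that is not code from this post or from the data harmonization ontology: KEV membership outranks CVSS, Internet exposure raises the urgency of either, and an exposed management interface such as RDP is flagged as a finding of its own, because no patch level fixes it. The KEV excerpt follows the field names of CISA’s known_exploited_vulnerabilities.json, but the entries, the CVE identifiers, the hosts and the scores are constructed placeholders, not real findings.

```python
"""Patch/exposure prioritisation: CISA KEV membership first, then Internet
exposure, then CVSS.  Added illustration, not code from the post or from the
data harmonization ontology.  The KEV excerpt, the inventory and the CVE
identifiers below are constructed placeholders, not real findings."""
from dataclasses import dataclass

# Constructed excerpt in the shape of CISA's known_exploited_vulnerabilities.json
# (only the fields used here). The CVE IDs are placeholders, not real entries.
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Remote-management services that should never face the whole Internet
# (port -> name). RDP is singled out below because of its ransomware track record.
MANAGEMENT_PORTS = {3389: "RDP", 445: "SMB", 23: "Telnet", 5900: "VNC", 22: "SSH"}


@dataclass
class Asset:
    host: str
    internet_exposed: bool
    open_ports: list          # ports seen from the outside (constructed here)
    cves: dict                # CVE id -> CVSS base score, as a scanner would report


@dataclass
class Finding:
    host: str
    subject: str              # CVE id or e.g. "exposed RDP/3389"
    tier: int                 # 1 = act now, 4 = normal patch cadence
    reason: str
    cvss: float = 0.0


def load_kev(feed):
    """Map CVE id -> whether CISA flags it as used in ransomware campaigns."""
    return {v["cveID"]: v.get("knownRansomwareCampaignUse") == "Known"
            for v in feed["vulnerabilities"]}


def assess(asset, kev):
    findings = []
    # Exposure findings: patching does not fix these, access control does.
    if asset.internet_exposed:
        for port in asset.open_ports:
            name = MANAGEMENT_PORTS.get(port)
            if name is None:
                continue
            tier = 1 if name == "RDP" else 2
            findings.append(Finding(asset.host, f"exposed {name}/{port}", tier,
                                    "management interface reachable from the Internet"))
    # Vulnerability findings: KEV beats CVSS, exposure raises either.
    for cve, score in asset.cves.items():
        if cve in kev:
            tier = 1 if asset.internet_exposed else 2
            reason = "in CISA KEV" + (", ransomware use known" if kev[cve] else "")
        elif asset.internet_exposed and score >= 9.0:
            tier, reason = 2, "critical CVSS on exposed service"
        elif asset.internet_exposed and score >= 7.0:
            tier, reason = 3, "high CVSS on exposed service"
        else:
            tier, reason = 4, "patch in normal cadence"
        findings.append(Finding(asset.host, cve, tier, reason, score))
    return findings


def prioritise(assets, kev):
    """Rank all findings: lowest tier first, then highest CVSS, then host name."""
    out = [f for a in assets for f in assess(a, kev)]
    return sorted(out, key=lambda f: (f.tier, -f.cvss, f.host))


# Constructed inventory: an exposed VPN gateway with RDP open, and an internal file server.
INVENTORY = [
    Asset("vpn-gw", True, [443, 3389], {"CVE-0000-0002": 7.5, "CVE-0000-0003": 9.8}),
    Asset("fileserver", False, [445], {"CVE-0000-0001": 7.2, "CVE-0000-0004": 9.8}),
]

if __name__ == "__main__":
    for f in prioritise(INVENTORY, load_kev(KEV_FEED)):
        print(f"tier {f.tier}  {f.host:<11} {f.subject:<18} {f.reason}")
```

On the constructed inventory the exposed gateway’s KEV-listed CVE and its open RDP port come out on top, the internal file server’s KEV entry ranks above the gateway’s merely critical CVSS 9.8 only by tie order within tier 2, and the unexposed 9.8 on the file server drops to normal cadence; the thresholds are assumptions to be tuned, the ordering rule is the point.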

Potential Threats

The last stop on our guided tour through the cyber threat landscape relates to indirect or residual risk that can still bite you in the ankle, if your security policies for access management and basic cyber hygiene are not implemented correctly.

The traditional and most visible aspect of potential threats is account compromise combined with password reuse. Third party data breaches pinpointed by services such as Troy Hunt’s Have I Been Pwned offer insight into the email addresses or phone numbers which have been leaked to the criminals.

These of course should not pose a problem for your in-house services, should you have MFA correctly implemented. This does not, however, help with stolen session credentials lifted off of users’ browsers through credential stealers such as RedLine, for example.

Consequently, cyber criminals barter in initial access vectors such as RDP and VPN credentials and you will need to have this base covered to better understand your threat landscape. Alone, this information will not help you much, but if you have your basic attack surface assessed, this information can help you avoid the news as the next ransomware victim.
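The password-reuse side of the Potential Threats section above, as an added example that is not code from this post or from Have I Been Pwned: a check against the Pwned Passwords range API using its k-anonymity scheme, where only the first five hex characters of the password’s SHA-1 hash leave the host and the matching is done locally against the returned suffixes. The range response embedded here is constructed so the check runs offline; the online fetcher, the Add-Padding header and the endpoint URL are the real ones, and the breach count in the constructed reply is made up.

```python
"""Check a candidate password against a Pwned Passwords style range response
using the k-anonymity scheme: only the first five hex characters of the
password's SHA-1 hash ever leave the host.  Added example, not code from the
post or from Have I Been Pwned; the range reply below is constructed so the
check runs offline."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"   # real endpoint, not called offline


def sha1_hex(password):
    """Upper-case hex SHA-1, the form the range replies use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """Return (prefix, suffix): the 5-char prefix is sent, the 35-char suffix stays local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """range_body is the text of a /range/{prefix} reply, one 'SUFFIX:COUNT' per line.
    Returns how often the password appeared in breaches, 0 if it is not present."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def is_pwned(password, fetch_range):
    """fetch_range(prefix) -> reply text; injected so the same logic runs
    offline against constructed data or online against the real API."""
    prefix, suffix = split_for_range_query(password)
    return count_in_range(suffix, fetch_range(prefix))


def fetch_range_online(prefix):
    """Real query (needs network). Add-Padding hides the true reply size from a
    passive observer; padding entries carry a count of 0 and so read as 'not found'."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed reply for prefix 5BAA6 (SHA-1("password") = 5BAA61E4...68FD8).
# The count is made up; the second line stands in for the other suffixes a real
# reply contains (a padding entry with count 0).
CONSTRUCTED_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456\r\n"
             "0000000000000000000000000000000000A:0\r\n",
}


def fetch_range_offline(prefix):
    """Offline stand-in for fetch_range_online, serving the constructed reply."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "a-long-unique-passphrase-for-this-site-only"):
        print(pw, "->", is_pwned(pw, fetch_range_offline))
```

Swap fetch_range_offline for fetch_range_online to run it for real; the design point is that the password and its full hash never leave the calling code, so the same routine can sit in a password-change handler without handing the new password to a third party.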


As your cyber threat landscape tour guide, I want to thank you for your attention today in examining some of the less obvious features of our rather dynamic and ever evolving scenery. I hope I have been able to provide you a new vantage point into our ongoing battle with the criminal elements of the Internet.

Even if watching the fireworks or riding into the sunset may seem appealing, it is less so when you are on the receiving end of a concerted cyber attack. Consequently, advanced persistent threats should only be part of your threat model after you have demonstrated the ability to deter the BPT, the Basic Persistent Threats.

If this write-up whetted your appetite for cyber threat landscaping, then feel free to peruse my life’s work on GitHub. It is TLP:CLEAR, so you can use it quite freely. If you find the ontology useful or have ideas for its improvement, then do invite me for a beer (for example at a conference) and we’ll discuss further.

Read Data Harmonization Ontology (on GitHub)
