Cyber Threat Intelligence- What is the Impact of Information Disclosures on an Adversary’s Operations?

This project investigated the effects of information disclosures on the operations of cyber adversaries, and the implications of those observed effects for the U.S. Department of Defense’s cyber strategy of persistent engagement and forward defense. The Capstone team examined the impact of disclosures on nine APT groups from five different contexts: APT 1 and APT 10 (China), Cobalt Group (Criminal) APT 33 and 34 (Iran), APT 38 (North Korea), APT 28 and APT 29 (Russia).  

The research found that public disclosures generally failed to stop cyber actors’ operations or cause long-term disruption, but that they do often impose at least short-term friction. The team found that the disruptive effect varies significantly based on a number of factors, including the scope of the disclosure and the disclosing actor. However, disclosures may in fact also lead cyberthreats to become more resilient and creative because they need to retool, rebuild their infrastructure, or change their TTPs. The exceptions to this observation are China’s APT1 and APT10, both of whom ultimately ceased operations following highly public disclosures and U.S. Department of Justice indictments.  

Given these findings, disclosures are somewhat useful in achieving the objectives of persistent engagement by imposing costs and increasing the resiliency of networks. However, the level of cost imposed by disclosure events is simply not high enough to significantly change the decision calculus of most adversaries conducting cyber activity. Disclosures must be carefully targeted and used in combination with other elements of power. Lastly, private cybersecurity vendors hoping to use information disclosure offensively should consider the geostrategic context in which they operate, and they should target disclosures more effectively to counter individual groups.