Intelligence, in the context of information security, is the analysis of current, previous, and potential malicious actors and their attributes. As such, intelligence gathering is a critical aspect of delivering industry-leading security products and services. Today, the market is primarily focused on developing these capabilities through so-called "big data analytics". While the benefits of these efforts are high, analytics are far less useful when they are not enriched with contextual information, and that contextual information comes directly from defined research processes and procedures.
Applying intelligence to information security strategy provides the ability to anticipate upcoming attacks, and to define and fully understand attacks as they occur. Today, threat research within security organizations is primarily contingent on gathering news published by external sources, combined with independent research that is typically scoped by the researcher without specific business requirements, defined processes, or defined reporting. The result is unreliable intelligence that is quite often of no use to daily operations.
With the introduction of proper processes, however, security teams can produce high-quality threat research that reaches these goals. This can be achieved by implementing a standard intelligence cycle that allows business stakeholders to define areas of research pertinent to customers and product capabilities. Specifically, actionable information is developed from the analysis of all available internal and external data, and that information is reported in order to provide insight that helps to better predict and prevent successful attacks by threat actors.
Introduction to Threat Intelligence
The idea of threat intelligence is to provide clients and internal security operations with a clear picture of what they are up against. This is accomplished by disseminating information that identifies actors, their skill sets, their motivations, their targets, and finally their methodologies. Information in these realms covers the primary pillars of "The Motivational Model of Cybercrime Classification" (Ngafeeson, 2008). While it is well outside the purview of a private entity to produce a known-malicious-actor list that identifies threat actors for closed-source or lawful monitoring, private entities can and should leverage OSINT in combination with HUMINT to better cultivate information from SIGINT.
Identification of Actors
Creating these capabilities begins with identifying who the actors are within the threat theater. In common terms, this is often referred to as "who is attacking." While at the outset creating a list of attackers may seem as simple as following blogs such as "Krebs On Security" and ThreatPost to learn who the attackers are, creating high-value operational intelligence requires far more effort.
While leveraging information from these sources is useful, it is not indicative of an organization attempting to get "ahead of the threat." Imagine, for example, if the US Government identified potential threats by reading about who had been attacked in the Wall Street Journal. Instead, those identifying actors should make every attempt to develop information proactively.
This intelligence can be derived from the analysis of collaborative information developed from external, non-media Open-Source Intelligence (OSINT) assessments, internal forensics data, external group collaboration (HTCIA, FIRST, InfraGard, etc.), internal Signals Intelligence (SIGINT) and, of course, media analysis. Particulars should be set within the requirements phase of the Intelligence Cycle, but should most often include actor aliases and known affiliations, such as groups.
As actors, groups, and affiliations are identified, they should be classified based on their motivation, skill set, and level of sophistication. Unfortunately, due to the anonymity of the Internet, situations will very likely exist in which researchers are unable to identify particular aliases of attackers. In these situations researchers will instead be forced to identify attackers by their classification rather than by alias. The team responsible for research should define its own classifications for cyber criminals; however, a sample table from the academic community, which classifies groups based on their motivations, can be seen here (Furnell, 2001).
Identification of Targets
The attack environment is highly active and broad-reaching. As a direct result, organizations conducting unorganized threat assessments without dedicated resources are likely to become inundated with irrelevant information. It is therefore essential, once attackers have been identified, to determine whom they are attacking or whom they are likely to attack. This narrows the audience for intelligence dissemination to those most in need of any particular intelligence report. General classification of targets includes verticals, organizations, people and/or the technology used throughout. Identification of targets is particularly useful for improving proactive security protections against external threats.
Identification of Attack Methodologies
Once the base information of who is attacking and what they are attacking has been established, it is imperative to determine how they are attacking. In fact, identifying attack methodologies may be the single most important aspect of intelligence gathering within the purview of IBM. Understanding and granularly classifying the attack methodologies used by the diverse attackers within the threat environment is invaluable from a defensive perspective.
Attack methodologies can be broken down into a few simple areas: what medium was utilized, which tools or services were leveraged, and finally how the two were combined to carry out the attack.
Attackers are capable of leveraging a multitude of mediums to achieve their goals. These may include particular applications, telecommunications technologies, or even social interactions. As such, developing a full understanding of which mediums attackers are using to achieve their goals is an imperative aspect of security intelligence. These mediums have a key impact on the methodologies that will be utilized.
Identification of Software and Services Leveraged
In many attacks, externally acquired software packages and/or services are leveraged. Understanding these applications and services is imperative to understanding and addressing attacks in the most efficient way possible. Identification and classification of these applications and services is naturally broken down first into software versus services, and then into smaller categories based on the focus of each tool or service. Identifying the applications and services used by attackers is particularly useful for proactive monitoring as well as for advanced defense technology research.
Motivations and Skillset Classification
Even without an advanced intelligence gathering process it is clear that attacker capabilities vary widely. In order to better shape an understanding of this variance in skill set, it is important to develop a granular classification of attackers. It is also important to monitor the progress of any particular group of attackers over time, to detect an increase or decrease in the sophistication of the methodologies that group uses. Once capabilities are classified, it is important to understand and classify motivations.
The Intelligence Cycle
The intelligence cycle is a simple process utilized by the vast majority of the US intelligence community. Although the cycle in its academic form does not represent the complexity of the tasks necessary for gathering relevant, actionable information, it does serve as a model for implementation. Though some cycles consolidate specific tasks, in general the cycle consists of six phases (Requirements, Planning and Direction, Collection, Processing, Analysis, Dissemination). These phases can be divided among existing MSS teams for integration.
Furthermore, if implemented properly this process could well serve as a foundation for everything we do in Security Services. The following is a brief explanation of the individual process areas.
Requirements
Intelligence requirements will be determined by decision makers such as team leaders, executives, or other stakeholders. The definition of specific intelligence requirements initiates the intelligence cycle.
Planning and Direction
During the planning and direction phase of the intelligence cycle an Intelligence Collection Plan (ICP) will be created. The ICP is a systematic process in which available resources are tasked to gather and provide pertinent information within a defined time frame. The plan will define the specific sources from which intelligence will be collected. These sources may include, but are not limited to:
1. Human intelligence (HUMINT) – The collection of intelligence via interpersonal contact, or rather information provided directly by human sources.
2. Signals intelligence (SIGINT) – The term used to describe communications intelligence and electronic intelligence.
3. Open-source intelligence (OSINT) – The collection of intelligence from publicly available information, as well as other unclassified information that has limited public distribution or access.
4. Measurement and signature intelligence (MASINT) – Scientific and technical intelligence derived from the analysis of data obtained from sensing instruments.
*Definitions from the NATO Glossary of Terms and Definitions, AAP-6 (2008).
Collection
During the collection phase, sources are exploited for the actual collection of intelligence; this includes all sources identified in the planning and direction phase. However, the primary focus for IBM will be in the realm of SIGINT, OSINT, and MASINT, as HUMINT will be opportunistic or coincidental rather than specifically planned and sought out (clandestine operations are not within the purview of this intelligence cycle).
Processing
Within the processing phase, collected intelligence artifacts, or raw intelligence materials, are assessed for reliability and relevance. Finally, these intelligence artifacts are put into a standard format in preparation for review. Intelligence artifacts in this format are said to be "vetted", meaning that they have been properly verified.
Analysis
In the analysis phase of the intelligence cycle, vetted intelligence is analyzed and reviewed in order to determine its potential impact. Within this phase, collateral information and patterns are identified in an effort to determine the overall significance of the vetted intelligence.
Dissemination
Dissemination is the reporting phase of the cycle, in which the intelligence consumers whose needs initiated the intelligence requirements are made aware of the findings of the analysis phase.
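As an added worked example, not part of the original document, the following Python sketch implements the processing and dissemination phases described above: raw artifacts from several collection sources are normalized by indicator, scored for source reliability and independent corroboration, checked for relevance against the standing requirements, and the vetted result is routed to the consumers whose requirements it satisfies. The Artifact and Requirement fields, the A-to-F source-reliability grades and their weights, the confidence formula, the thresholds, and the sample data are assumptions constructed for illustration; none of them is a format the page defines.

```python
# Added example (not from the original document): processing and dissemination
# phases of the intelligence cycle. Field names, A-F reliability grades, the
# confidence formula and the sample data below are assumptions for illustration.
from dataclasses import dataclass, field

# Assumed source-reliability grades, A (reliable) to F (cannot be judged),
# mapped to a weight used when combining corroborating sources.
RELIABILITY_WEIGHT = {"A": 1.0, "B": 0.8, "C": 0.6, "D": 0.4, "E": 0.2, "F": 0.0}


@dataclass
class Requirement:
    """A standing requirement raised by a consumer in the Requirements phase."""
    consumer: str       # team that raised it and receives matching reports
    verticals: set      # target verticals of interest, e.g. {"banking"}
    technologies: set   # technologies of interest, e.g. {"web-banking"}


@dataclass
class Artifact:
    """One raw observation from one source, as delivered by Collection."""
    source: str         # collection source, e.g. "osint", "internal-forensics"
    reliability: str    # A-F grade of that source
    actor: str
    target_vertical: str
    technology: str
    indicator: str      # value the item is keyed on (domain, IP, hash, ...)


@dataclass
class VettedItem:
    """Normalized, corroborated artifact in the standard format for Analysis."""
    indicator: str
    actor: str
    target_vertical: str
    technology: str
    sources: list = field(default_factory=list)
    confidence: float = 0.0
    relevant_to: list = field(default_factory=list)


def process(artifacts, requirements, min_sources=2, min_confidence=0.5):
    """Processing phase: merge artifacts describing the same indicator, score
    them by source reliability and corroboration, and keep only items that are
    reliable enough and relevant to at least one standing requirement."""
    merged = {}
    for a in artifacts:
        key = a.indicator.strip().lower()      # normalize the indicator
        item = merged.setdefault(key, VettedItem(key, a.actor, a.target_vertical, a.technology))
        if a.source not in item.sources:       # count each source once
            item.sources.append(a.source)
        # Treat sources as independent evidence: confidence rises with every
        # reliable source, never exceeds 1.0, and an F-graded source adds nothing.
        w = RELIABILITY_WEIGHT[a.reliability]
        item.confidence = 1.0 - (1.0 - item.confidence) * (1.0 - w)

    vetted = []
    for item in merged.values():
        item.relevant_to = [r.consumer for r in requirements
                            if item.target_vertical in r.verticals
                            or item.technology in r.technologies]
        if (len(item.sources) >= min_sources and item.confidence >= min_confidence
                and item.relevant_to):
            vetted.append(item)
    return vetted


def disseminate(vetted):
    """Dissemination phase: route each vetted indicator to the consumers whose
    requirements it satisfies."""
    reports = {}
    for item in vetted:
        for consumer in item.relevant_to:
            reports.setdefault(consumer, []).append(item.indicator)
    return reports


# Constructed sample data (illustrative only).
SAMPLE_REQUIREMENTS = [
    Requirement("finance-soc", {"banking"}, {"web-banking"}),
    Requirement("ics-team", {"energy"}, set()),
]
SAMPLE_ARTIFACTS = [
    # Same phishing domain reported by OSINT and confirmed by internal
    # forensics (two reliable, independent sources) -> vetted.
    Artifact("osint", "B", "GroupX", "banking", "web-banking", "login-update.example.net"),
    Artifact("internal-forensics", "A", "GroupX", "banking", "web-banking", " Login-Update.example.net "),
    # Single OSINT report with no matching requirement -> dropped as irrelevant.
    Artifact("osint", "C", "unknown", "retail", "pos-terminal", "198.51.100.7"),
    # Relevant to ics-team, but a D-graded source corroborated only by an
    # F-graded one leaves confidence at 0.4 -> dropped as unreliable.
    Artifact("sigint", "D", "GroupY", "energy", "scada-hmi", "badhost.example"),
    Artifact("osint", "F", "GroupY", "energy", "scada-hmi", "badhost.example"),
]


def run_cycle():
    """Run processing and dissemination over the constructed sample."""
    vetted = process(SAMPLE_ARTIFACTS, SAMPLE_REQUIREMENTS)
    return vetted, disseminate(vetted)


if __name__ == "__main__":
    vetted, reports = run_cycle()
    for item in vetted:
        print(f"{item.indicator}: sources={item.sources} confidence={item.confidence:.2f}")
    print(reports)
```

The two rejected sample items show the checks a processing step needs to make explicit: a single uncorroborated report is not vetted even when it is relevant, and corroboration from a source that cannot be judged does not raise confidence. Relevance is evaluated against the requirements raised in the first phase, so nothing is disseminated to a consumer who did not ask for it.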