In my recent blog on the need for genuine board level education, not just awareness, I promised a guest blog from Lincoln Mattos on the thinking behind the presentation on the skills needed to run an intelligence led security operation that so impressed me.
But first a couple of jokes from the ISSA Christmas party at which Sir Kevin Tebbit gave the GCHQ definition of a security extrovert, “some-one who looks at the other persons shoes when briefing them”. After some very thoughtful discussion, on the consequences of the Snowden (from Sir Kevin), the need for a “robust but fun” approach to awareness (Martin Smith) and our parlous understanding of the security implications (both positive and negative) of Big Data and the SCADA world (from Peter Wood) I heard the second (much less funny) joke over drinks. “Who still assumes that the majority of serious attacks on the organisation are random one-offs?” Answer: the Compliance Officer.
Now to the serious part of this blog, for which I thank Lincoln:
Building a Threat Intelligence Operation
Around 2009, the cyber security firm Tempest Security Intelligence started changing how it dealt with responding to cyber security. Based in Brazil where online banking is strong, the number one source of operational loss stemmed from cyber crime. By focusing on acquiring intelligence on the actors behind the loss, the banks have been successful in reducing this operational loss. The same is possible for many different industries. In the UK, Tempest has notably been working with companies in the media and broadcasting sector. The type of threat is naturally different from the one experienced by the banking industry, but many commonalities on how to run an intelligence operation and what skillsets are required can be similarly fleshed out.
The new paradigm around threat intelligence has brought a lot of hype and media attention. This article seeks to explore what this attention is about. More specifically, the security paradigm shifted from building a strong perimeter around an organisation’s assets to accepting that the organisation will suffer attacks. This raises a couple of questions: why has the previous model of building perimeters been ineffective? What is the current landscape of threats? And why this new shift towards intelligence driven security has happened?
Intelligence driven security takes into account the threat component of risk. Previously, cyber security model stressed the vulnerability aspect of risk. System administrators would strive to identify vulnerabilities before attackers could find and use them. On the other hand, threat intelligence requires knowledge of the intentions and activities of the specific threat actors.
The article is divided into three parts. Firstly, it looks at the evolution of the threat landscape. Secondly, it delves into the details of a threat-based approach to cyber security. Lastly, it covers the skills requirements for running a threat intelligence operation.
The Evolution of the Threat Landscape
Everyday, more and more news emerge about cyber attackers using their capabilities as a vector for their operation, either for hacktivism, for cyber crime, or even for states to further foreign policy objectives. One of the reasons behind this increasing used lie behind a basic characteristic of cyberspace and communication technologies: they offer a strategic advantage for the offence over the defence. In this domain, recognised by the US as such since 2011, the offensive side needs to only find one way to get into a system; the defence needs, however, to be functional against all possible ways. The offensive side also benefits from three other aspects: many tools allow attackers to remain anonymous (e.g., the structure of the Internet, Tor), especially if they are cautious and have sharp technical skills; it is relatively easy to buy effective attacking tools; and the increasing number of connected devices make it more likely to find a vulnerable device. Meanwhile, due to the very nature of cyberspace, organisations have to consider that they can be subject to attacks originating from anywhere in the world. UK companies cannot be worried only about criminals within the jurisdiction anymore, but about criminals from China and Brazil as well, for instance.
An example of this globalisation of crime comes from a recent incident. In May 2013, a group of attackers from Eastern European and Middle Eastern countries successfully launched a heist worth $45 million by raising the limits on prepaid debit cards and withdrawing the cash at various ATMs in 27 countries scattered around the globe. The rapidity of the attacks can also be a difficult factor to heed in: it can be difficult to justify spending five days reacting to an attack when it occurred only over the course of four hours. This has put the security industry under much pressure to optimise their reaction time.
Concerning the ease of propagation of techniques, it is noteworthy that attackers do no longer require to have spent years investing in researching and developing attack techniques: by going into an underground market, they have easily buy ready-to-use attacks for anything between $100 and $1,000.
In Brazil, it is common to see some financial fraudsters using attack tools produced in Eastern Europe and having basic coding skills themselves. Highlighting this trend is the reaction in underground criminal networks to the news about Flame, a highly sophisticated piece of malware allegedly designed by the US government. Within a week of the news, heated discussions about criminals could use modules of the malware to use against banks and other organisations. This collateral effect of complex, nation state developed malware fuels the ease of reusing malware increases the scale of threats organisations now face.
Any malware developed once can be useful for many different attacks. Within the underground market, the professionalisation of attack techniques has led to the outsourcing of parts of steps required to carry out an attack (e.g., one produces the malware, another tries to find victim by sending phishing emails, a third one host the malevolent platform so it evades law enforcement), and to the emergence of services such as guarantees. In one instance, criminals guaranteed that their malware would evade most commonly used anti-virus. Any update by any anti-virus to detect the malware results in the malware author working to further evade these new protective measures.
The increase in the number of connected devices also makes it easier for attackers to find vulnerable devices. In technical parlance, this is called the increase of the ‘attack surface’. The attack surface constantly increases with new devices, increased bandwidth, social media, and bring-your-own-device issues. This is also partly why the current model does not work: the attack surface increases at a much higher rate than organisations are able to find and fix all the problems. The trend is unlikely to change soon.
On the other side, from the defence perspective, the prevailing model is an out-dated fortress mentality, unadapted to almost everyone having a mini powerful computer in their pockets. The model essentially revolved around mass outbreak attacks, with the best example being viruses. The institution is not targeted directly and a simple up-to-date anti-virus offer protection against the malware. Yet nowadays, attackers use different attack vectors and pick-and-chose who the victims are; they adapt in function of their victim. Since 2006, the US military has used the specific term of ‘Advanced Persistent Threat’ (APT) to refer symbolically to these highly targeted attacks. The attackers will use known vulnerabilities that intrusion detection systems may react to, but they will also use a whole range of completely new zero-days vectors much harder to detect. In other words, the defence model looks into yesterday’s attacks, while today’s attack work to evade those, which is increasingly easy. What is merely needed is a talented person who understand the algorithm behind the virus detection software to work his way around it.
Hence, today’s attackers focus on the organisation as a target. If they fail, they will continue attacking, keep probing the network. These motivations are industry specific, different for an attacker targeting a bank or a media and broadcasting company. Understanding how these attackers work, and gaining intelligence about their modus operandi can be game changing for security. A lot of the work around threat intelligence revolves around understanding the tactics, techniques and procedures of your adversaries and calibrating your defences accordingly.
A Threat-based Perspective to Security
Threat intelligence works differently from the previous model, concerned with thickening the walls around the assets. It is based on the premise that just thickening walls cannot prevent future attacks.
A few of the variable in attacks do not vary. Banks will always have financial criminals threatening their online security. Similarly, broadcasting companies will always have to face the threat of hacktivism, because of the motivation of attackers to get exposure for their cause. Attackers will change their tools to reach their goals, but their motivation will stay the same. Also, attackers seek to be cost-efficient by investing a small amount and have as much return as possible. In order to be cost-efficient, they reuse tools and attacking infrastructure. Banks are under attacks from many various groups, but they can find commonalties between the attacks because attackers are using similar attacking strategies (e.g., with phishing emails). Knowing that different groups will reuse the tools can allow the building of stronger and different defences than merely thickening the walls. It is about understanding the adversaries, their motivations and capabilities. In the previous aforementioned example of the $45 million bank heist, roughly 300 people were involved. This required extensive planning and logistics that not all groups have. This extensive planning is part of their capabilities and must be heeded as a form of intelligence.
One of the common ways to define risk is in a three-fold way as the interaction between a threat, a vulnerability and its impact. The vulnerability is what the organisation exposes, what can the attackers use to beget a risk; the impact is the loss; and threat is the group or the actor instigating the attack. While the fortress mentality focused rather on vulnerability, the threat based perspective is about focusing more prominently on the threat component of risks. When moving the focus towards the threat, it is still important to not ignore the vulnerability aspect.
The threat can be broken down into the intent, the capabilities, and the opportunity. Firstly, the intent relates to the impact and is dependent upon the industry. For financial industries, the top threats are financial criminals and hacktivists; for the media industry, fraud should not be much of a concern while hacktivism still is; for governments, they face primarily threats from other governments and then from hacktivists. For any organisation seeking to implement a threat intelligence operation, it is very important to understand where the company falls in, to know which kind of attacks they will come under and which tools the attackers will use. Secondly, capabilities refer to what attackers can do, in terms of logistics, and access to tools.
A useful definition to reflect on the threat is the one produced by Carnegie-Mellon:
Cyber intelligence is the acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities of offer courses of action that enhance decision making.
As the intelligence tracks the group, it can be used to predict where the group will hit next, its intentions, and its capabilities. The sought end result with such a model is to be a more effective in terms of security: to lessen the impact of attack, and hence to allow the business to operate better.
Moving to the threat aspects of security requires clearly defining what the business’ needs are, on a strategic, operational, and tactical level. The strategic aspect concerns the planning for the next two to five years and needs to decide how much resources will be invested. The operational level reflects specificities of incidents that happened within the organisation. The analysis of a specific incident should extract specific information about the adversary: what types of capabilities they have, what they managed to use (e.g., exploits used were cutting edge or they reused old known ones). At the very least, the analysis should aim at the same attack not being able to happen again. As adversaries re-use attack tools, the analysis should hence be sufficient to thwart further attacks reusing the same modus operandi. In addition, the tactical level focuses on determining what the patterns of attacks are, and what the attackers use. The time window is shorter, one month to a year, and should encompass a view of attacks as campaigns and their modus operandi. For instance, it can focus on finding the steps used by attackers for reconnaissance via social media or via sending innocuous looking emails. From this tactical information, it is possible to start constructing profile. For instance, the Syrian Electronic Army group is a hacking group known to target broadcasting companies with at least tacit support from the Syrian government. They are now getting more limited success, because they are still using the same tactics, and the media industry has learned from it and adapted to it. They usually send a phishing email saying ‘you should have a look at this article’, but employees are not so responsive anymore.
Moving to a threat intelligence operation has also been recommended by the British signal intelligence agency, GCHQ. For such operations, it is necessary to have a strategic point of view of the global geopolitical context to plan the resource allocation and to effectively plan the entire operation. Businesses can survive just having a tactical view. But businesses which do not integrate a more strategic view are going to suffer more and more because it will be harder to build their operations and setting appropriate budgets.
There exist different levels of intelligence, and not all intelligence is ‘actionable’ (or of the same value for the decision maker). Only intelligence as context will beget really little change for decision makers because they will not relate that to their specific reality. But if the information is targeted to the decision maker’s company, then a response can be taken. For instance, this type of information can be an advanced notice of an hacktivist attack on certain media companies. With an advanced notice of the attacks obtained through the monitoring of forums, then a reaction with a better security posture is possible.
Running a Threat Intelligence Cycle
By definition, threat intelligence is a cyclical model, where it is an imperative need to constantly react to changes, as the threat constantly varies. Two questions are at the core of the cycle: What are the priorities for intelligence? What do we need as a business? These two questions surge in the collection, analysis, and dissemination aspect of the intelligence cycle.
Before setting to collect data, it is also important to understand who the customer of the intelligence product is: the Chief Information Officer (CIO) or the Chief Information Security Officer (CISO) for instance. It has been noticed that if the need for the intelligence product are too loosely determined, then the product greatly loses in effectiveness.
The skillset needed is to find a leader who can understand a business requirement and understand the business culture in a way that makes it effective inside the threat intelligence operations. This has to go against the typical cliché of the IT employee who sets very strict guidelines (e.g., for accessing video websites, or for installing software) and who just say ‘no’ to every request. This type of model does not work. But a leader, who has the ability to understand the business requirement and the specific threat to the industry can make a difference.
In the context of a bank, this would be a leader who understands how frauds are perpetrated and who would have good communication skills to talk to business leaders on one side, and on the other side to talk to the threat intelligence teams, in more technical terms. Companies already have highly developed security practices, and it is indeed important to integrate these with what is existent, while bringing a change of view in the business.
In terms of collection of the actual data, the organisation needs to define who the threat actors are, where they meet, and what kind of tools they use. Although it is possible to outsource many aspect of the intelligence process, understanding the business requirements is a process that can only be carried out internally.
The areas of open source intelligence and social media intelligence are the two main areas to be outsourced. These are sources for collecting data, and they are already extremely valuable. Amazingly, hacktivist groups and even cyber criminals use social media openly to plan their operations. It takes a long time to gain the trust of groups; this does not happen over night or without prior experience. The other sources of intelligence are to monitor for key words online, and to reverse engineer malware. In the end, the criminals are very sophisticated, but they also commit mistakes, and organisations can learn from these mistakes.
When building a threat intelligence operations different skillsets are required in each phase of the cycle.
In terms of setting direction, adequate business understanding is needed. Directions ideally come from a well-informed decision maker, ideally the CEO of the organisation or a Board member, who set the requirements for the intelligence product. This decision maker – the sponsor of the strategy – will be looking at challenges from a broader perspective, across departments. The sponsor needs to be keept up to date with changes in the industry’s threat landscape.
For the CISO to engage successfully with the Board level, influencing is a key competency. The goal is to win decision makers to articulate the security posture and mission. This can only be done efficiently by advising them in terms of a technical perspective understandable from the business’ perspective. Showing perseverance is essential when confronted with any frustration, opposition or pressure in the process of advising key executives. CISO’s need to be able to react adequately to the audience’s questions or critique by adapting their communications technique and message to a business-focused audience.
For an efficient collection phase, excellent analytical skills are needed that include an ability to make rational judgments about the available data, evaluate issues with a critical eye and not accepting information on a face value. Ideally, a good threat intelligence analyst would distill complex information into distinct components and identify recurring patterns by contextualising the data. Key data need to be distinguished from secondary data prior to presenting it as an analysis. Based on a successful analysis, the data needs to be taken to the next level, the right connections need to be established between the different sources. This can not be achieved without possessing the right level of technical insight to the operational aspect of cyber crime or hactivist techniques and tactics. A sound technical understanding will help avoid false alarms and unnecessary tension.
The analytical phase corresponds to the identification of patterns and the attempt of creating attackers’ profiles from the different tactics and techniques that they use. A military training / background is very useful in this sense as it adds rigour to the decision making. An accurate understanding of the situation will come from integration of different sources and types of data. Critical situations need to be resolved by finding a number of feasible alternative solutions and eventually coming to a correct and timely conclusion by evaluating the possible outcomes. Action needs to be taken by suggesting the right course of action to the right people in the organisation who can address the situation effectively.
The last phase of the Threat Intelligence cycle, dissemination feeds the necessary information back to the key sponsors of the security programme, who have defined the security posture and mission in the first place. CISO’s need to inspire change in Board level by allowing Board members to build the organisation’s capability to respond effectively to changes in the industry’s threat landscape efficiently. High level decision makers need to respond effectively and quickly to emerging changes and threats in the industry that may have an impact on their business.
Libicki, Martin. “Cyberspace Is Not a Warfighting Domain.” A Journal of Law and Policy for the Information Society 8, no. 2 (2012): 325-40.
Perlroth, Nicole. “Researchers Find Clues in Malware.” The New York Times, 30 May 2012.
Townsend, Troy, Melissa Ludwick, Jay McAllister, Andrew O. Mellinger, and Kate Ambrose Sereno. “Sei Emerging Technology Center: Cyber Intelligence Tradecraft Project.” Pittsburgh: Carnegie Mellon University, 2013.
Weber, Peter. “The Great Atm Heist: How Thieves Brazenly Stole $45 Million in a Few Hours.” The Week, 10 May 2013.