Fighting cyber threats with intelligence | THE DAILY TRIBUNE | KINGDOM OF BAHRAIN

Fighting cyber threats with intelligence

With the recent widespread WannaCry attack, which caused devastating damage, it has never been more important to form Cyber Threat Intelligence.  There are different types of Cyber Threat Intelligence, and each applies in different ways at different points in the attacker lifecycle.

Open Source Intelligence is acquired from open (or public) sources.  These sources can include mainstream media, Internet forums, ‘paste sites’ (where information is simply posted for public view), social media and discussion services.

Open Source Intelligence can come in many formats, and be available in multiple languages.  This can make it time consuming and difficult to classify and act upon.  The overwhelming volume itself is the largest hindrance to extracting intelligence from the vast array of information posted in open sources.  It is therefore critical to use machine-learning and big data science approaches to assist human analysts in such processing.

By its very nature, Open Source Intelligence is shared. However, processing such information to form intelligence can be extremely time consuming and unreliable.  In the Open Source Intelligence space, curation is a critical step in filtering out irrelevant or low-value data to find that which we care about the most.  This is impractical to do on a purely human basis, with hundreds of thousands of sources, in multiple languages.  Instead, machine learning and big-data analytics are required to augment human intelligence gathering.

Technical Intelligence relates to technical indicators associated with cyber threat activity.  Most commonly, this includes data sets such as IP addresses of systems associated with malicious behaviour, malware ‘signatures’, and files associated with attackers and the tools they use.

Technical Intelligence often has much less context, such as who the attacker is, when the attack happened, etc., but has a very rich set of data that can be immediately actionable.  For example, we could ingest feeds of IP addresses and web sites associated with malicious attacks, and block these using existing security technologies such as firewalls and proxies.

Technical Intelligence is the most traditional of the intelligence types when we think of sharing.  For years, cyber defenders have informally formed communities to share IP addresses of attackers they have faced, malware samples they have collected and other technical items.  However, the sharing mechanisms are ad-hoc, multi-format and ill-defined.  This leads to intelligence being less actionable. 

Recent research has shown there is little overlap between Technical Intelligence data sets, meaning that organizations have to bear the burden of subscribing to, or being part of, multiple sharing communities.  Although the Threat Intelligence space is now seeing a period of consolidation, volume remains a problem.
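The three points above (indicator feeds that can be blocked directly, feeds arriving in ad-hoc formats, and feeds that overlap very little) can be made concrete in a few lines. The following Python is an added example, not code from the article or from any vendor; the two feeds, the proxy log lines and the indicator values are all constructed for illustration (documentation IP ranges and example domains, not real indicators). It normalizes a CSV feed and a free-form text feed into one canonical indicator set, measures their overlap with a Jaccard score, and matches the resulting blocklist against proxy log lines, which is the "ingest and block with existing technology" step the article describes.

```python
import csv
import io
import ipaddress
import re
from typing import List, Optional, Set, Tuple

# Constructed feed A: a CSV with a header row, as a commercial feed might ship it.
FEED_A_CSV = """indicator,type,first_seen
203.0.113.10,ip,2017-05-12
198.51.100.7,ip,2017-05-13
bad-updates.example,domain,2017-05-13
"""

# Constructed feed B: one indicator per line with comments and sloppy casing,
# the kind of informal community list the article mentions.
FEED_B_TEXT = """# community blocklist, one indicator per line
203.0.113.10
192.0.2.55
  BAD-UPDATES.EXAMPLE
not an indicator
"""

# Constructed proxy log lines: client IP, destination host, HTTP status.
PROXY_LOG = """10.1.1.5 bad-updates.example 200
10.1.1.9 www.example.org 200
10.1.1.5 192.0.2.55 403
"""

# Hostname syntax check (labels of letters, digits and hyphens, at least one dot).
DOMAIN_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")


def normalize(raw: str) -> Optional[str]:
    """Canonicalize one indicator to 'ip:<addr>' or 'domain:<name>'; None if unusable."""
    token = raw.strip().lower()
    if not token or token.startswith("#"):
        return None
    try:
        ip = ipaddress.ip_address(token)
        # Never let a feed block loopback, multicast or unspecified addresses.
        if ip.is_loopback or ip.is_multicast or ip.is_unspecified:
            return None
        return f"ip:{ip}"
    except ValueError:
        pass
    if DOMAIN_RE.match(token):
        return f"domain:{token}"
    return None


def parse_csv_feed(text: str) -> Set[str]:
    """Read a feed with an 'indicator' column (assumed column name)."""
    out: Set[str] = set()
    for row in csv.DictReader(io.StringIO(text)):
        ind = normalize(row.get("indicator", ""))
        if ind:
            out.add(ind)
    return out


def parse_text_feed(text: str) -> Set[str]:
    """Read a plain-text feed, one indicator per line, ignoring comments and junk."""
    out: Set[str] = set()
    for line in text.splitlines():
        ind = normalize(line)
        if ind:
            out.add(ind)
    return out


def overlap(a: Set[str], b: Set[str]) -> float:
    """Jaccard similarity: share of the combined indicators present in both feeds."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def build_blocklist(*feeds: Set[str]) -> Set[str]:
    """Union of all feeds; duplicates across feeds collapse to one entry."""
    blocklist: Set[str] = set()
    for feed in feeds:
        blocklist |= feed
    return blocklist


def match_proxy_log(blocklist: Set[str], log: str) -> List[Tuple[str, str]]:
    """Return (client, destination) pairs whose destination is on the blocklist."""
    hits: List[Tuple[str, str]] = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, dest, _status = parts
        ind = normalize(dest)
        if ind and ind in blocklist:
            hits.append((client, dest))
    return hits


if __name__ == "__main__":
    a, b = parse_csv_feed(FEED_A_CSV), parse_text_feed(FEED_B_TEXT)
    print(f"feed A: {len(a)} indicators, feed B: {len(b)}, overlap {overlap(a, b):.2f}")
    for client, dest in match_proxy_log(build_blocklist(a, b), PROXY_LOG):
        print(f"blocklist hit: {client} -> {dest}")
```

With these constructed feeds the overlap score is 0.5 (two of four distinct indicators appear in both), which is the practical reason for subscribing to more than one source. The same normalization step is what makes the union usable by a firewall or proxy: without it, the upper-case and indented entry in feed B would never match the lower-case hostname in the proxy log.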

Further, Signals Intelligence is sourced from the monitoring and analysis of signals in communication networks, such as a company’s own internal computer network and data centre environments.

We can consider existing security and operational systems as data sources from which Signals Intelligence can be derived.  Consider an Anti-Virus solution:  information about what types of malware have been detected can inform how that malware might be delivered.  It might also suggest where other security controls have not been as effective as expected.
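To show what "deriving Signals Intelligence from an existing security system" can look like in practice, here is an added Python example; it is not from the article and not from any anti-virus product. The detection events, hostnames and file paths are constructed, and the path-based rules for inferring a delivery vector (Outlook attachment cache means e-mail, a Downloads folder means web, a non-system drive letter means removable media) are simplifying assumptions for this illustration. Detections are grouped by inferred vector, and any vector that produced at least two detections is reported as a possible gap in the control that should have stopped that path, which is the "where other controls have not been as effective" question the paragraph raises.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed AV detection events: timestamp|host|detection name|file path.
AV_EVENTS = r"""2017-05-14T08:02:11|ws-014|Trojan.Downloader.Generic|C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\X1Y2\invoice.doc
2017-05-14T08:40:53|ws-022|Trojan.Downloader.Generic|C:\Users\bob\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\Q9Z8\invoice.doc
2017-05-14T09:15:00|ws-031|Worm.Generic|E:\autorun.exe
2017-05-14T10:05:44|ws-007|Trojan.Dropper|C:\Users\carol\Downloads\setup_update.exe
"""

# Assumed mapping from delivery vector to the control expected to block it.
CONTROL_FOR_VECTOR = {
    "email": "mail gateway",
    "web": "web proxy",
    "removable": "device control",
}


def infer_vector(path: str) -> str:
    """Guess how a detected file arrived from where it was found (assumed heuristics)."""
    p = path.lower()
    # The Outlook attachment cache also lives under INetCache, so test it first.
    if "content.outlook" in p or "\\attachments\\" in p:
        return "email"
    if "\\downloads\\" in p or "temporary internet files" in p:
        return "web"
    # Assumption for this example: drive letters other than C: are removable media.
    if re.match(r"^[d-z]:\\", p):
        return "removable"
    return "unknown"


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split the pipe-delimited constructed log into event dictionaries."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, name, path = line.split("|", 3)
        events.append({"ts": ts, "host": host, "name": name, "path": path})
    return events


def summarize(events: List[Dict[str, str]]) -> Dict[str, Counter]:
    """Count detection names per inferred delivery vector."""
    by_vector: Dict[str, Counter] = defaultdict(Counter)
    for ev in events:
        by_vector[infer_vector(ev["path"])][ev["name"]] += 1
    return dict(by_vector)


def control_gaps(summary: Dict[str, Counter], threshold: int = 2) -> List[Tuple[str, str, int]]:
    """Vectors with at least `threshold` detections, paired with the control that should
    have caught them; an AV catch at the endpoint means the upstream control let it through."""
    gaps = []
    for vector, counts in summary.items():
        total = sum(counts.values())
        if total >= threshold and vector in CONTROL_FOR_VECTOR:
            gaps.append((vector, CONTROL_FOR_VECTOR[vector], total))
    return sorted(gaps, key=lambda g: -g[2])


if __name__ == "__main__":
    summary = summarize(parse_events(AV_EVENTS))
    for vector, counts in summary.items():
        print(vector, dict(counts))
    for vector, control, n in control_gaps(summary):
        print(f"{n} detections delivered via {vector}: review the {control}")
```

On the constructed events the two Outlook-cache detections of the same downloader point at the mail gateway, while the single Downloads and removable-drive hits stay below the threshold. The threshold is deliberately a parameter: the right value depends on the size of the estate and how noisy the AV product is.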

The most extreme case of Signals Intelligence could be considered the actions of state-level surveillance on communications networks.  Analyzing the metadata of such communications has facilitated the identification of individual threat actors and intelligence gathering on a global scale.

Signals Intelligence has traditionally been less likely to have been shared.  Organizational concerns around informing potential customers and competitors about anything that might be deemed negative, have driven sharing to a low level.  However, enlightened organizations are rising above this, as the realization takes hold that our adversaries – the attackers – are sharing widely and often.

A new security vulnerability can go from being disclosed, to being weaponized in a matter of hours.  A few days later, and those same weaponized attacks are now part of entire attack suites.  The bad guys are sharing for success.

As defenders, we can realize that there is great value in learning from our peers.  Our collaboration and sharing of what intelligence we gather from our own environments can help us reduce the time adversaries have to carry out their attacks against us.