In the context of the cyber domain, threat intelligence (TI) endeavours to describe how computers might be at risk1 of attack or misuse in facilitating various types of hostility (in a conceptual battle-space). Expressed in simplest terms, TI is the product of timely, relevant information and its meaningful evaluation in terms of the probability of attack, the vulnerability of systems, the capability of attackers, their motivation, opportunity for exploitation and the likely severity of impact. Couple all these with an extra factor that TI tends to be functionally non-compositional, and it looks a complex affair, but easy when one knows how.
Properly applied TI guides configuration of security controls in concordance with an overall defence posture2. (Although beyond the scope of this report, TI also assists in alignment of technical capability in business continuity, disaster recovery, data management, interoperability and many aspects of legal and regulatory compliance.) Applied TI should collectively achieve the two critical goals of battle-space situational awareness and commensurate response to diminish an attacker's available time and resource envelopes. Within the cyber domain, a TI development cycle with underpinning toolsets3 would seem critical.
Authority is crucial in TI collection; that curious amalgam of capability, knowledge of and influence over a given computing arena, and is essential for selecting intelligence sources. TI must be relevant, its veracity and trustworthiness tested and triangulated against a bridgehead of demonstrable facts; any interpretation should avoid inaccuracy, dangerously insidious bias4 or deliberate deception.
Proximity of sources is everything. The value of TI arising from within an organisation's own technical domain arises by virtue of its dependability. Products such as LogRhythm5 are particularly adept at gleaning actionable TI by interrogation of the organisation's aggregated logs, parsing, analysing and reacting to seemingly innocent event data that when conjoined, alert possible indicators or compromise. But serious insider threat might be more subtle; a laissez faire attitude to security amongst those with influence (or even keen maintaining the status quo) is a more dangerous internal threat, and technically undetectable.
Disparate non-human sources of TI
Specialist tools such as Darktrace6 are self-tuning / configuring, employing advanced statistical analysis of internal network traffic. Acting like a biological immune system, over time it detects subtle deviations from normal network interoperability and user activity. External network interaction in real time can be assessed by tools such as FireEye 6 identifying anomalous traffic, data types and sources across a variety of domains and applications. In concert, (with well-practised process13) these tools may rapidly direct attention to the tell-tale signs of miss-configuration or, more importantly, exploitative, capable threat actor's presence.
Much benefit can be gleaned from reliable dialogue with networks of computing emergency response teams (CERTs) and warning, advice and reporting points (WARPs)8 or even international feeds from US National Vulnerability Database9 run by National Institute of Science and Technology (NIST).
Gathering open source intelligence is often fruitful, especially the recognition and location of lost data (possibly even for sale!) or novel exploits applicable to known and pertinent vulnerabilities that could be deployed by capable and motivated threat actors. Access to a private global threat intelligence network (e.g. the service offering from FireEye) presents the possibility of immediate notification of newly discovered indicators of compromise. When such response is integrated into the prevailing configuration of their worldwide client-base, this functionality reduces the probability and severity of pending attack down the line, or perhaps enabling discovery of a latent threat vector buried away within extant data or processes.
Similarly, historic threats often re-surface, but newly repackaged, recombined and re-blended after years of quiescence. More worryingly, attack on critical SCADA systems10 necessarily implies that critical national infrastructure (CNI) is unlikely to be exempt from sophisticated cyber attackers and consequently, must attract both considerable threat intelligence effort and highly robust response11 at government level. The extreme complexity, severity and adverse impact implies that such attacks will be zero-day in nature and directed against the very highest value assets and processes.
Volumes of data
Automated processes underlying threat intelligence analysis usually requires the collection and processing of very large amounts of data, the vast majority being totally benign in nature. The challenge is finding the needle (or even just that blade of straw!) in the haystack; this is often seen as the greatest detraction to undertaking threat intelligence programmes. The collection of disparate data sources presents considerable challenges for some organisations, testing their technical capabilities to the limit. Many organisations give up and consequently, their aforementioned authority exists in name only.
Unfortunately, gathering critical TI sources is like potty training; any parent will testify that persistence is critical and success is vital (and non-negotiable!) if serious organisations are to be truly responsive, functioning and properly contributing to the internet society. Once underpinning data is collectable, timing is everything; data aggregation presents other issues because subtle extraneous factors (such as event simultaneity) are critical in intelligence assessment. Furthermore, there are legal hurdles to overcome; response must be proportionate and lawful.
Response and actionable intelligence
In formulating and invoking commensurate cyber response, if there is no meaningful TI capability, then the organisation is at best partially sighted, or at worst, driving blind. An effective TI programme manoeuvres an organisation from knee-jerk, reactive, fire-fighting to greater proactivity, observing and nipping potential problems in the bud. Without behavioural data from systems, an organisation's TI function will be impossible to realise. There will be little opportunity to expose indicators of compromise generated by threat actors. Response will be impaired, if not impossible and formal compliance with security incident management12 sub-systems and other regulatory compliance will be muted.
In conclusion, to provide most benefit, the TI cycle must be linked with analytical / forensic processes13 that blend intelligence sources. Vital evidence from aggregated network device logs, security enforcing systems, applications software, database architecture and other business services, if handled properly and responsibly, may even be admissible in court. While such endeavours are rarely non-trivial they will test even hardened professionals. However, effective intelligence-led security management is said to enhance both trustworthiness and corporate reputation, thus providing clear wealth generation benefits from such positive market differentiation.
- In the context of this article, risk is the probability of a threat actor successfully employing their capability, resources and vector(s), to engineer opportunity for exploitation of vulnerability resulting in adverse/severe impact, and that probability can either be tolerated, transferred, treated, transmuted or the venture completely terminated.
- Defence posture is usually expressed in terms of notifiable events, logical rules, risk thresholds and anomalous activity with reference to the 5-Ts of risk management (as in footnote 1 above).
- SANS Institute InfoSec Reading Room - Tools and Standards for Cyber Threat Intelligence Projects (Author: Greg Farnham Advisor: Kees Leune).
- UNODC - Criminal Intelligence Manual for Managers
- SIEM Security Analytics and Log Management
- DarkTrace - Employing advanced recursive Bayesian estimation to statistical network behavioural analytics.
- FireEye - Adaptive approach to cyber threats.
- National Vulnerability Database
- Computerworld.com - Brute-force cyberattacks against critical infrastructure, energy industry, intensify
- IT Now - Critical Infrastructure Under Attack - Dec.'14 - Richard Piggin
- GPG24 - The HM Government Security Incident Management Process
- GPG18 - The HM Government Forensic Readiness standard