Is there danger in taking action on public / private Cyber threat intelligence feeds?
HUMINT treatment of information has a place in Cyber Threat Intelligence analysis
OK, before I start, and for those who have been reading carefully: in my last post I discussed “intelligence” vs “information”. For ease of reading and comparison I’ll continue to use “intelligence” for what is really information, but this article importantly starts to lead us towards real “intelligence”.
What is HUMINT? Intelligence has always had an important place in military and government operations, and one of its sources is Human Intelligence (HUMINT). HUMINT is the gathering of information directly from a person or persons – from sources that are willing, unwitting or under various forms of duress. The largest challenge HUMINT collectors face is evaluating that information for truthfulness: the source may not have had the information first-hand, it may be rumour, or the source may want to deceive for whatever reason.
So how did HUMINT operators get around this? They addressed it in a twofold manner, separately analysing the source for reliability and then the information for credibility. This was refined and developed by NATO into what is called the Admiralty rating system, also widely adopted by western militaries. The HUMINT operator assigns the source a letter from A to F based on its historic reliability, regardless of the information provided. Secondly, the information itself is assessed and assigned a numeric value from 1 to 6 based on its veracity. The tables below help explain the system. As an example, information passed by a reliable source that could be verified by other means, such as Signals Intelligence (SIGINT), would likely be assigned a rating of “A1”. At the other extreme, a first-time source providing new information not yet seen, neither supported nor contradicted by other information, would likely be assigned a rating of “F6”.
Naivety of Cyber “threat intelligence” – at the moment the industry and vendors deliver threat intelligence (largely tactical in nature) through a “fire hose of consumption” of tens of thousands of events. I’d argue most organisations are drowning in this information and using it in a largely reactive manner to counter attacks that have already occurred. My concern is that this feed of information has not been evaluated for source reliability or information credibility. We are therefore treating all of it the same – in effect with a rating of A1 – and acting with naive confidence on whatever is provided.
So what next? Well, now for the obvious conclusion: I believe that we as Cyber specialists, and the Cyber industry, should adopt analysis of both the source and the information in our “threat intelligence feeds”, in order to provide a better product to the end user and assist in their analysis or action. Such ratings will become more important as the Cyber industry matures in the Intelligence field and moves up the “intelligence stack” to strategic intelligence, where evaluation is critical. Rather than create a new rating system, it would be far better for the industry to adopt an existing, proven international standard such as the NATO Admiralty system, which would provide further value in the global epidemic of cyber warfare that transcends industries, competitors, governments and citizens.
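To make the two-axis assessment concrete for a feed, the following Python is an added example for this post, not code from the original article. The letter and digit descriptors are the standard Admiralty code; the source track records, feed entries (RFC 5737 documentation addresses), hit-rate cut-offs and the auto-block policy are constructed assumptions for illustration. The point it shows is that reliability of the source and credibility of the item are judged independently, so an unreliable source can still deliver a corroborated item (E1) and a trusted vendor can deliver an unverifiable one (A6), and neither should be treated as A1.

```python
"""Two-axis (NATO Admiralty) rating of threat-feed indicators.

Added example, not code from the original post. Feed entries, source
histories, cut-offs and the AUTO_BLOCK policy are constructed assumptions.
"""
from dataclasses import dataclass

# Axis 1: source reliability, judged on the source's track record alone.
SOURCE_RELIABILITY = {
    "A": "Completely reliable", "B": "Usually reliable", "C": "Fairly reliable",
    "D": "Not usually reliable", "E": "Unreliable", "F": "Reliability cannot be judged",
}
# Axis 2: information credibility, judged on the item alone.
INFO_CREDIBILITY = {
    1: "Confirmed by other sources", 2: "Probably true", 3: "Possibly true",
    4: "Doubtful", 5: "Improbable", 6: "Truth cannot be judged",
}


@dataclass
class SourceHistory:
    """Track record of one feed: past indicators later confirmed or refuted."""
    name: str
    confirmed: int = 0   # e.g. validated by incident-response findings
    refuted: int = 0     # e.g. shown to be false positives


@dataclass
class Indicator:
    """One feed entry plus what independent sources say about it."""
    value: str
    source: str
    corroborating: int = 0   # independent sources reporting the same indicator
    contradicting: int = 0   # independent sources asserting it is benign


def rate_source(hist: SourceHistory, min_history: int = 10) -> str:
    """Letter A-F from historic hit rate; never looks at the current item."""
    total = hist.confirmed + hist.refuted
    if total < min_history:
        return "F"                       # too little history to judge
    hit_rate = hist.confirmed / total    # constructed cut-offs below
    for letter, floor in (("A", 0.95), ("B", 0.80), ("C", 0.60), ("D", 0.40)):
        if hit_rate >= floor:
            return letter
    return "E"


def rate_information(ind: Indicator) -> int:
    """Digit 1-6 from corroboration of this item; never looks at who sent it."""
    if ind.corroborating == 0 and ind.contradicting == 0:
        return 6                         # new, unsupported and uncontradicted
    if ind.contradicting > ind.corroborating:
        return 5 if ind.corroborating == 0 else 4
    if ind.contradicting == 0:
        return 1 if ind.corroborating >= 2 else 2
    return 3                             # mixed evidence


def admiralty_rating(ind: Indicator, hist: SourceHistory) -> str:
    return f"{rate_source(hist)}{rate_information(ind)}"


# Constructed policy: only well-sourced, corroborated items act automatically.
AUTO_BLOCK = {"A1", "A2", "B1", "B2"}


def triage(ind: Indicator, hist: SourceHistory) -> tuple:
    """Map a rating to an action instead of treating every feed entry as A1."""
    rating = admiralty_rating(ind, hist)
    if rating in AUTO_BLOCK:
        action = "block"
    elif rating[1] in "45":
        action = "log-only"              # doubtful/improbable: record, do not act
    else:
        action = "analyst-review"        # e.g. E1 or A6: one good axis is not enough
    return ind.value, rating, action


def triage_feed(feed, histories):
    """Rate every entry; a source with no history is rated F."""
    return [triage(i, histories.get(i.source, SourceHistory(i.source))) for i in feed]


# Constructed sample data.
SAMPLE_HISTORIES = {
    "vendor-a": SourceHistory("vendor-a", confirmed=48, refuted=2),              # A
    "pastebin-scrape": SourceHistory("pastebin-scrape", confirmed=3, refuted=7), # E
    "new-feed": SourceHistory("new-feed", confirmed=1),                           # F
}
SAMPLE_FEED = [
    Indicator("203.0.113.7", "vendor-a", corroborating=2),                        # A1
    Indicator("198.51.100.20", "vendor-a"),                                       # A6
    Indicator("192.0.2.55", "pastebin-scrape", corroborating=3),                 # E1
    Indicator("198.51.100.200", "new-feed", contradicting=2),                    # F5
    Indicator("192.0.2.10", "pastebin-scrape", corroborating=1, contradicting=1),  # E3
]

if __name__ == "__main__":
    for value, rating, action in triage_feed(SAMPLE_FEED, SAMPLE_HISTORIES):
        desc = f"{SOURCE_RELIABILITY[rating[0]]} / {INFO_CREDIBILITY[int(rating[1])]}"
        print(f"{value:16} {rating}  {action:15} ({desc})")
```

Running it prints one line per sample entry: only the A1 item is blocked automatically, the F5 item is recorded without action, and the rest, including the trusted vendor's unverified A6 entry, go to an analyst. In practice the `confirmed`/`refuted` counters would be fed back from incident-response outcomes so that each source's letter drifts with its real track record.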
The term “threat intelligence” is used widely in the Cyber industry for various products, forums and marketing campaigns. Examples include technical threat intelligence feeds for SIEM, threat intelligence updates, notes or publications, and even the names of teams themselves. Unfortunately most of this “threat intelligence” is actually only raw information with no analysis.
As a recent good article in Dark Reading by Nick Selby put it “Even the database itself is not intelligence, per se. It turns out that a database is just a collection of data. Don’t get me wrong: The data within the database — or the threat feed — can be highly useful to the intelligence process. But (and I am not picking nits here) it comprises a data feed, not an intelligence feed (except to marketers).” (http://www.darkreading.com/threat-intelligence/why-threat-intelligence-is-like-teenage-sex/a/d-id/1235049)
So what is information? It is essentially a raw piece of data that has not yet been analysed for its authenticity, veracity or reliability. The information can come from various sources; in the case of “Cyber Threat Intelligence” it generally originates from systems that report malicious IP addresses or other such raw data gathered from honeypots, anti-virus networks, etc. It certainly has its place, and provides what is essentially tactical Cyber threat data.
Intelligence is more than just information – it is the analysis of information gathered through surveillance, reconnaissance and research. In the case of Cyber it is the collation, correlation and analysis of data into an assessment that adds value beyond the raw information itself. Systems cannot provide intelligence, although they can certainly help a professional intelligence analyst in conducting their assessment.
As defined in military doctrine: “intelligence. 1. The product resulting from the collection, processing, integration, evaluation, analysis, and interpretation of available information…” (JP 1-02)
Misuse of the term – Although I cannot put my finger on exactly when the term started to be misused, I do suggest that we at least try to correct the mistake and use the right terminology instead of a marketing stunt. This will help to clearly differentiate true intelligence professionals from services provided by the industry, in particular as it matures in this market. The time for higher-value industry services and the use of government / military grade intelligence is coming for the Cyber industry, in the form of Strategic Threat Intelligence. We have to act to turn the tables on the threat actors and move away from the losing, reactive, defensive war of attrition we are currently in, and true intelligence services are certainly part of the solution.
Approach to Cybersecurity: Compliance VS Threat
It seems that every day new regulations or standards are released by various bodies, in what is seemingly an endless attempt to provide confidence against the ever-increasing pace of Cyber warfare. Two questions come to mind: How effective has compliance been? How do attackers view compliance controls?
Threats come in various forms, but are largely distinguished by motive, capability and intent. In most cases they will not care about compliance or its controls; such defences will thwart only the less sophisticated attacks. The interesting point is that more mature threat actors are probably using compliance achievement as part of their reconnaissance, to understand their target and exploit the areas where compliance controls are not required to attain accreditation – now that changes the game!
The differences in the approaches can be summarized as:
Sure, compliance has its place and is required, as it at least lifts security to a minimum level. However, I’d argue organisations really need to mature their view to a threat-based approach to Cybersecurity, and then compliance will follow naturally.