Thank you @Ngree_H0bit and @TXVB for your editorials on this blog.
Imagine if someone walked up to your job, and fired an automatic weapon at the building or detonated a bomb in the lobby. Then the police showed up the conversation went like this:
LEO: “Did anyone die or get shot?”
LEO: “Is there any damage to the facility that can’t be repaired?”
LEO: “Ok, that’s all we wanted to know, our work is done here. You can go back to what you were doing.”
Company: “Wait?! Don’t you care who did this?”
LEO: “No, you’re safe now, the threat is contained”
Company: “Aren’t you going to try to figure out WHY they did this?”
LEO: “No, that’s not important, you’re not in danger anymore.”
Company: “How do you know that?”
LEO: “The threat has been contained, the attacker is gone/dead”
Company: “But what if there are more attackers?”
LEO: “Well, you better install some bullet proof glass, wear a Kevlar vest everyday, and hope for the best.”
(2 weeks later)
Company: “All employees are required to buy a Kevlar vest…”
Company: (to the property manager) “We need an upgrade to the building next year if we’re going to renew our lease….”
We would be absolutely oozing with disgust and screaming from the tops of our lungs at how incompetent and dismissive the police were at protecting us if this happened. Yet, in the InfoSec world we do it all the time. Let’s change the conversation slightly:
SCENARIO: Major digital attack against a company
Management: “Was anyone’s data lost?”
Strategic Threat Hunter: “We’re not sure, but it doesn’t look like it.”
Management: “Is there any damage to the computers that can’t be repaired?”
Strategic Threat Hunter: “No.”
Management: “Ok, that’s all we wanted to know, your work is done here. You can go back to what you were doing.”
Strategic Threat Hunter: “Wait?! Don’t you care who did this?”
Management: “No, we’re safe now, the threat is gone.”
Strategic Threat Hunter: “Aren’t you going to try to figure out WHY they did this?”
Management: “No, that’s not important, we’re not in danger anymore.”
Strategic Threat Hunter: “How do you know that?”
Management: “The threat has been contained, the attacker is gone/malware is blocked.”
Strategic Threat Hunter: “But what if there are more attackers in the group?”
Management: “We should improve security, buy/install a new security widget, and hope for the best. Oh and no, you can’t have any more resources to do this.”
Management comes running when something catastrophic happens yet all they care about is a damage report, the immediate impact. Even when Incident Response teams respond to a major breach, little, if any, time is spent after the event trying to understand why they were targeted or asking any of the questions above. Now don’t get me wrong, I’m not saying NOBODY EVER asks, I’m just saying that more often than not, nobody cares or is asking. Few companies put ANY investment in strategic intelligence efforts that can identify threats. Instead they sit and wait for the FBI to call them to tell them they are about to (or already do) have a problem.
It is this gap that concerns me the most, and what the remainder of this blog post will seek to touch on. I dare say address as that is a goal that I doubt I can achieve fully in one blog post.
The inability to gather strategic intelligence and conduct “target development” in the digital space, at lower echelons of the military or in the civilian sector, is troubling. Nonetheless, it is critical to for us to anticipate the adversary and to defend against them, and, frankly, to act offensively or pre-empt their actions.
One of the things we do in the military to prepare is train, train, train – and we train like we fight. If the enemy’s landscape is a desert – train in a desert, if it’s a jungle – train in the tropics, a winter wasteland – train in the arctic etc. Training like you fight isn’t limited to the environment either; it includes using the tools and weapons available to you in scenarios you may find yourself in. If your enemy might deploy chemical weapons, you might have to wear full chemical protective gear and fire your weapon to save your life. So you put on all that chemical gear, go to the range and, fire your weapon. You train in the environments, scenarios and, gear you may face; you train to all of it. You train to the point that it is a natural reflex, muscle memory, so you don’t even have to think about it. I can’t tell you how many times I responded to “Gas! Gas! Gas!” and ran full speed ahead, weapon in hand, and dove into a fighting position – “just training.”
Then there’s the intelligence teams; what intelligence are they gathering to support that ground troop? Ask them to tell you how they leverage Cyber Command to gather strategic intelligence for the warfighter, and I’ll show you a politician doing the Cotton Eye Joe at warp speed (https://www.youtube.com/watch?v=b8Z4sVwdwp4) . They have no idea, the politicians that is. They’ll tell you that’s the NSA’s job, and they’ll still have no idea. I’m not going to go down a list, but there are other agencies such as DIA, DNI & DHS to name a few that also have cyber operations, who, to some degree, all suffer the same gap, discussed here. What of the civilian companies that support critical infrastructure or even city, county, and state governments? What about USCERT/DHS & ISACs? After all, isn’t this kind of support *THEIR* job? Ask them and they’ll tell you strategic intelligence is about targeted threats and APTs. *cough-ulzhit* No I’m not making that up, a C-level executive from state-level county government and US government officials have actually told me that. They have no idea either.
One of my favorite analogies that explains tactical, operational and strategic leadership came from a Stephen Covey presentation on the levels of leadership, first line managers, middle management, and senior leadership. However, it translates well here as first line managers are tactical, middle managers are at the operational level, and senior leadership are at the strategic level. Tactical intelligence tells you how to eliminate the threats in the jungle where you are working. Operational intelligence tells you where you should be in the jungle, and what kinds of threats are in each area of the jungle. Strategic intelligence is when someone yells “we’re in the wrong jungle!” (his presentation was on his book 7 Habits of Highly Effective People)
In the civilian world, our digital intelligence is heavily tactical, it is overwhelmingly focused on how malware executed or the fact that there is an 0-day in a piece of software. Tactical intelligence is important, it has a place, it serves a purpose, but it is focused on winning a battle, not a war. So how do we do this in a digital realm? How do you train to fight there? What does strategic intelligence to support a digital war look like? What does a tactical aggressive vs. strategic covert attack from the enemy look like in a digital war? What does it take to defend against it? What does “guard duty” look like when you’re defending 1’s and 0’s? Surely it isn’t pacing back and forth with an M16 in front of concertina wire if you’re a soldier. It isn’t going to be a roving watch like the border patrol. If you’re a civilian, is it simply sitting in a SOC staring at a dashboard for 12-hours looking for alerts/waiting for alarms? So just what do passive and active digital reconnaissance look like and how are they executed?
Strategic intelligence in support of a physical or digital fight – isn’t always in your logs, your dashboards or anything else digital. Development targets, predicting what your enemy would do and what you might need to do to win a fight, will almost certainly involve technology; however, more often than not, it is going to focus on gaining a greater understanding of your enemy as person, a human being with objectives that need resources and have motivations, habits, skills, and weaknesses. It will be less concerned with how the malware executed, than it would be with the knowledge required to design the malware to execute in the manner it did. Strategic intelligence would be more focused on derived metadata about the attacker that would go toward profiling skill/expertise/training/origins etc. Examples of questions to ask: Does the distribution or content indicate a country of origin? Did the execution require specific knowledge about the affected target’s design that indicates insider knowledge?? If yes, maybe your attacker is a former or current employee? If no, did it require knowledge of proprietary information? Let’s assume it did and, everyone is trusted/vetted; are you looking at a possible breach or data loss that hasn’t been detected? Again, we are less concerned with the tactical intelligence surrounding being protected and more concerned with strategic intelligence and understanding the person that is behind the attack/malware.
Next we’re going to get a 30,000-foot view of what strategic intelligence is with respect to the digital world, because understanding what it is sets the foundation for me to explain, in a future blog post, the kind of person(s) needed on your team and why they are critical to winning the war, not just the battles, that we, face as a country and commercial companies.
Typically, InfoSec people hate the word “cyber” we consider it as profane as most people would consider the F-word. Because we’re going be discussing intelligence gathering and analysis in this post, I’d rather say DIGINT, a collective term for digital intelligence, instead of CYINT. DIGINT is not its own intelligence domain, rather it is a component of all others. If I were to draw a diagram of the intelligence silos, DIGINT would run horizontally across all of them. Blasphemy you say? Let me ask you this, can you name a part of your life not affected by technology, something digital? Even a stroll in the park without an iPod or cellphone isn’t sacred as the cell phone and iPod rely on tens of thousands of lines of code and have multiple RF transmitters. Streetlights are powered by electricity, on a grid managed and monitored by technology, programmed to come on at a specific time or use solar power and light detection. Your walk on a beach with no cellphone and no smart watch – I bet you drove a car to get there that had electronic fuel injection, GPS or a digital radio. Anyway, you get my point…
DIGINT is best defined as the intelligence gathered from digital sources, and much like HUMINT is gathered from humans, SIGINT is gathered from “anything that goes through the air” etc. DIGINT can be found in an open source, in which case it would be digital intelligence from an OSINT source (a book, magazine, the news, the Internet etc). In the case of signals, SIGINT, it could be logs or transmission captures. If the source is human, their behavioral data captured in the apps they use and how they use them, the GPS history in their phone, their social media posts – all digital intelligence sources that can be leveraged for strategic intelligence gathering missions that support and enrich tactical intelligence operations.
So what exactly is Strategic Threat Intelligence and how is DIGINT factored in? Let us first understand what Tactical Threat Intelligence (TTI) is in the digital world, as most of us will be able to relate to this much more easily. Tactical Threat Intelligence in the digital world is very similar to the tangible world it is sometimes referred to intelligence developed from and in support of incident response and is easily likened to fighting fires, playing whack-a-mole, smack-a-RAT, bash-a-bot etc; you may have even heard the term Indications/Indicators of Compromise (IoC). It is the kind of intelligence that supports addressing an immediate threat, one that is right in front of you, either presently attacking/affecting your assets or running rampant in the wild and could be on your network’s doorstep at any moment. These kinds of threats include malware (viruses, Trojans, RATs, ransomware), DDoS tools/networks, spam etc. TTI is “current” information that allows you to take an action to prevent or address these impending threats. It is easily recognizable to anyone who’s defended against an attack or been part of a penetration testing team on the offensive.
To understand what Strategic Threat Intelligence (STI) is and how it translates to the digital space we also need to understand the characteristics of it. The easiest way to do this is by reviewing what we know about tactical intelligence thereby identifying what strategic intelligence is NOT. Below are some of these examples of TTI vs STI that commercial companies might need, along with the characteristics of each.
Timely != Current
TTI is “current;” that means it is dealing with the here and now, immediate threat. For those of you who have been to a gun range you might call it “the 50-meter target.” STI, on the other hand, is TIMELY, not necessarily current. This means it is actionable and relevant to the timeline of achieving an objective. Timely does not arbitrarily translate into long range. For instance, you might find that a client is opening a new office or manufacturing plant, or perhaps an agreement of some sort is going to be signed in 3-6 months. Timely in this sense would mean identifying digital threats to one of these targets in a timeframe that allowed identification, detections and/or protections to be developed relating to the event. The artifacts of this research would be considered strategic.
A timely piece of STI in one of those scenarios is any significant local cultural, religious, educational or competitor activities scheduled to occur in the same location around the same time. Also, identifying relatives of key corporate staff or engineers that hold proprietary information that may be targeted for a phishing or social engineering attack could be helpful. Taking that a step further, strategic DIGINT could determine if there is there evidence of online activity related to events that can be used to mask a pending attack, for example a distributed denial of service (DDoS). An often-overlooked form of STI is historical activities. In this case, answering questions surrounding what “digital challenges” or “cyber threats” [I feel gross just saying that] has the client (or your organization) faced in this region in the past for regions with similar economic/cultural composition? None of these would necessarily help you defend or protect against an immediate attack, but they could all be used to prepare (train) for a future attack, identify risks, and identify information & information sources that could be leveraged to provide a company the upper hand against a digital attack.
Deep Analysis != Long Range
STI, much like TTI, involves analysis where you collect data, vet the source and content, assign a value to it, interpret it and convert it into intelligence. A common misconception is that STI is long-range because it requires deep analysis and deep analysis takes a very long time, thus is reserved for long-range projects. This is simply not true. Sometimes a raw piece of data itself, given a relevant situation can be immediately relevant. The term “deep” is relative to the mission/objective. Deep could mean, finding out who really owns/runs a company, especially considering that what is often on paper doesn’t reflect real-world dynamics. This deep analysis could take a couple hours or it could take a couple weeks.
Another example: you might learn that a company from a global power (US, Russia, UK, Germany etc.) is planning a joint venture to build critical infrastructure in another country and, this project could have huge economic impact on the cities involved and the country it is in. If you provide services such as travel, communications, HR, accounting etc. to this region or any of the parties involved or do business with your customer(s), this might be considered a piece of strategic intelligence. Why? Because this information could help you identify where or what types of threats might emerge to attack the communications, electronic resources, and infrastructure of the parties involved in the deal, thereby also making you a potential target. Just search for “data breach” and you can create a list of your own of companies that were compromised when an attacker pivoted from a subcontractor or partner’s network. While learning of this business venture is considered raw data, it has immediate value impacting a strategic objective and can result in an action being taken such as focusing the next round of data gathering in a new direction, changing what’s being searched for in logs/telemetry data. The list of responses to this kind of intelligence will vary depending on your organization, the service(s) you provide, and your own objectives among many other things.
Indicator of Attack != Indicator of Compromise
The acronym IOC (or IoC) is something every TTI analyst or researcher is likely familiar with. An Indicator of Compromise (IOC) is something developed from analysis of an event that has already occurred, or malware that has already been discovered. It is a piece of metadata that helps identify a threat hiding in other places where it may not have yet been discovered. The difference with STI is that it seeks to identify threats on the horizon, an indication of a future attack, or better called an Indicator of Attack (IoA). An IoA is simply identifying the fact that a threat is developing and an attack is probable.
Let’s consider a physical fight first and some progressively obvious indicators of attack brewing. To start, you observe a country suddenly shipping large quantities of equipment, supplies and troops to an area that is declared a training facility only meant to support a small number of soldiers for a brief time. That might be an indicator that something is developing. Then later, you observed these activities occurring outside of any scheduled military training that might further support a theory that something is about to happen. Finally you noticed missiles loaded, armed and pointed at your location. This is probably a pretty good indication that an attack is coming. On a smaller scale, if you noticed a person snapping pictures, it might be reconnaissance or he/she could just be a tourist. If you noticed the same person, at the same place multiple days, maybe even at approximately the same time, snapping pictures that is probably a little more suspicious and it could be argued it is more likely indicates a reconnaissance activity, something that usually happens before an attack.
So how do we identify the suspicious person from a DIGINT perspective? A very simple example of an IoA in the digital realm is port scans on your firewall from an IP address that’s never scanned you before. Another less obvious IoA would be an IP from a strange subnet that pings, scans, or attempts a connection to just a few ports, every 12 hours. Maybe this activity occurs only on Sundays or during hours when nobody is working, and they’ve been doing it for the last six months. Another way you could develop an IoA would be from a human intelligence source in a digital space. In the old days, you’d be eavesdropping on conversations at a coffee shop whereas today it could be something learned from hanging out in a chat room or forum. If you found an archive of the forum or chat logs, it could be argued that this is DIGINT. The tactics and techniques the old days such as in-person eavesdropping and reconnaissance, aren’t forgotten or antiquated. This is why the paranoid InfoSec person of today won’t talk about a pending attack or sensitive topics online. Either way (online or in person), you might learn of someone discussing the fact that your client is going to have a really bad day once “their friend” is finished with X activity/development/recon etc. All of these could be considered an indication of an attack that will be played out in the digital space. Of course, like any other form of threat intelligence, it needs to be reviewed, assessed, put into context with other pieces of intelligence from other sources etc. to develop a true threat intelligence report.
Strategic intelligence is essential for long-range success in any war, whether you are fighting it with boots-on-ground or in a digital space. It requires investments of time and money and it requires leadership to insist on deeper understanding. It means that we need to spend time thinking like the enemy, doing target development, and figuring out where the next strike could happen so that we can look through relevant indicators in order to develop DIGINT related to that target with a new analytic perspective. We should be going back over the history of attacks we’ve endured at our companies as if they were cold cases that never got solved and, we should be looking at them with a new objective – that of profiling the adversary through his attack. Look at your “crime scene” and ask, what kind of person did this and why?
I encourage you to start pushing your leadership to ask these higher level questions; insist that you stop simply being victims building yet another/higher wall for the enemy to scale. Start doing some reconnaissance of your own, and look for adversaries in their planning stages so you can foil their plot. Catch the bad guys in their recon stages of your assets and start figuring out what might be on the horizon so that if you do have to defend, at least you’ll know what you’re up against and when it’s coming. I leave you with this final thought: If you keep doing what you’ve always done, you’ll keep getting what you’ve always got.
Stay tuned for a future blog post on what skill sets to look for in potential strategic intelligence team members.