Table of Contents
Introduction 2
The Kill Chain 2
Expanding Sources of Intelligence Gathering 4
  HUMINT 4
  The Dark Web 4
  OSINT 4
  TECHINT 5
The Hamstrung Analyst 5
  Noise vs. Value 5
  Mental Models 5
Techniques 5
  Red Team/Blue Team 6
Bibliography 17
Introduction
Cybersecurity
Cybersecurity analysts use this model to gain insight into which phase of the attack
they are observing, based on the available intelligence. Analysis gleaned from this model
helps to formulate the proper recommendations in real time, as well as to inform post-mortem investigations and to create detection content after the fact.
While Cybersecurity analysis attempts to do the same thing, current practices are
focused on security logs and events for gathering that information. This long-held
practice firmly places Cybersecurity and CND under the domains of SIGINT and
CYBINT/DNINT. It has proven quite useful in detecting attempted attacks at
the perimeter of networks and infected machines inside the network, after the fact.
As successful as this model has always been, it has the drawback of being reactive.
In most cases, these sources of intelligence only allow awareness of malicious
behavior post-delivery on the kill chain.
The Cybersecurity professional needs to shift perspective: the battle is not against a
faceless internet of ones and zeroes, but against a living, breathing human being.
This human being is clever and resourceful. This human being is swift and unknown.
This human being is human.
At its core, the discipline of Intelligence is based on the notion that human beings
are formidable opponents, but fallible. This discipline sees a human adversary who,
no matter how crafty, leaves indicators of their behavior. The identification of all
the possible sources of intelligence accounts for all the types of indicators a human
produces.
Revisiting the other sources of intelligence will put a more human face on the
adversary to enhance the way analysts perceive data and can increase visibility into
current and future campaigns and better equip an organization to deploy CND in a
more proactive way.
The Dark Web can be monitored for this intelligence by an advanced analyst using
The Onion Router (TOR) and an air-gapped machine with offline browsing.
Such advanced personnel can also be developed to gather intelligence from
individuals on the Dark Web by posing as another black hat.
This practice cannot be taken lightly, as there are legal issues to take into account
that govern what such an agent can and cannot do in the course of
performing his or her duties.
OSINT
As Cybersecurity evolves, intelligence gathering has slowly begun to incorporate
OSINT in the form of public forums, Google, and security research groups' published
findings.
This intelligence is typically digested and mined for Indicators of Compromise
(IOCs) such as:
This intelligence can be monitored more closely to identify the quality of the
intelligence by:
The Cybersecurity community is fast becoming much larger than it used to be, but
it is as tight-knit as ever. As information sharing continues to grow, there will be
no shortage of OSINT. The return on investment for OSINT, however, becomes
murky as the information and sources increase. Keeping track of the most sound
and complete sources of information will be the key to maintaining the quality of the
intelligence.
TECHINT
The hacker has always been an adversary with many advantages over the
Cybersecurity professional. This adversary has always had an abundance of
resourcefulness, commitment, and means to carry out their malicious intent. They
have always had the advantage of being in a better position to know more about
their targets than their targets know about them.
The last few decades have seen the rise of the state-sponsored hacker. This is an
adversary that has developed their technical skills from a very early and formative
stage in life. This adversary has been trained in a very systematic manner at a very
Mental Models
It has been argued that all individuals assimilate and evaluate information through
the medium of what are called mental models. These are experience-based
constructs which form assumptions or expectations about the world and about more
specific subjects, in this case, Cybersecurity.
Analysts, by nature, become accustomed to what they have seen in the past and
paint future analysis with these mental models, sometimes missing crucial
indicators or finding malicious activity where there isn't any. The problem increases
as the analyst gains experience, since mental models are resistant to change once
formed.
Techniques
The intelligence community and military have come up with many methods of
developing the minds of highly-adaptable, versatile, well-prepared operators and
agents who can see all the angles, think outside of the box, and perform in
unorthodox ways. These same techniques can be translated to Cybersecurity
analysts to overcome many challenges to CND analysis. Some are already being
utilized to form teams with advanced analysis capabilities.
These skills are currently utilized, mostly in the field of ethical hacking and
penetration testing, but are key skills to analyzing threats in a live environment.
With these skills, analysts will be able to take seemingly disparate events and logs
to extrapolate scenarios that aren't right out of the incident handler's textbook.
[Figure: threat-concern matrix by sector (Energy, Financial, Retail), rated on a scale from Negligible Concern through Low, Moderate and Substantial Concern to Serious Concern. Example indicators listed in the matrix: rise in traffic on endpoints; rise in scans; many related C&C incidents; malicious external IPs inbound; increased CCN information in transit; increased PII loss; increased attacks on POS systems; rogue APs at retail locations.]
Conclusion
Cyberwarfare is advancing at an exponential rate and our adversaries, using a
myriad of advantages, are evolving along with it. The defenders of enterprise
networks cannot continue to face the dangers of tomorrow with the methods of
yesterday. The situation is adapt or die.
Revisiting conventional methods of intelligence gathering and analysis and
retrofitting them for CND will help to develop cybersecurity professionals who
prioritize knowing their enemy and adapting to new situations over scouring for the
low-hanging fruit.
Adding these methods to the existing capabilities of cybersecurity analysis will
greatly improve any security operation's effectiveness.