
Intelligence Gathering and Analysis Techniques for Cybersecurity
Mark Fuentes

Table of Contents
Introduction
The Kill Chain
Intelligence Analysis vs. Cybersecurity Analysis
Expanding Sources of Intelligence Gathering
    HUMINT
    The Dark Web
    OSINT
    TECHINT
The Hamstrung Analyst
    Noise vs. Value
    Mental Models
Techniques
    Red Team Mindset
    Red Team/Blue Team
    Indicators or Signposts of Change
Conclusion
Bibliography

Introduction

Cybersecurity. This is a major buzzword these days.


In academic institutions across the world, Cybersecurity degrees are being churned out in record numbers. They are easy to find: just go to each college's school of Information Technology. Course lists are rife with classes on the OSI model, firewall administration, routing, switching, Windows administration, PC hardware, and the list goes on.

While there is no security professional worth his or her salt who is not an expert in all of these subjects, they are to Cybersecurity and Computer Network Defense (CND) what arithmetic and algebra are to calculus: a sound foundation, not the discipline itself.

Cybersecurity is currently taught in most programs as an Information Technology discipline. Tomorrow's Cybersecurity professionals are being taught the tools of the trade and the capabilities of those tools. They are learning attack countermeasures and a "set it and forget it" attitude. The reality is that, because of the adversary and the adversary's capabilities, the discipline is really computer science and intelligence analysis.

A deeper understanding of computer science is required because the real threats in the field are programmers, and the real weapons are the code they write. There is, admittedly, no shortage of script kiddies: malevolent threat actors who don't write their own exploits but rely on exploits and tools that they paid for or found in some forum. The fact remains that what we really fear from all these threats is the code, whether or not the person who targeted your network wrote it themselves. Without a deeper understanding of how the software was put together and what each subroutine and function is meant to do, we can only detect low-hanging fruit. At best, we are detecting the symptoms without diagnosing the disease.

Many a dramatic individual loves to refer to the internet as the new battleground, conjuring up images of black-hat hackers and white-hat analysts and engineers as 21st-century warriors. Over-the-top as it is, the comparison is fairly accurate. We are fighting an intricate war against a most sophisticated adversary, and no war was ever won without adequate intelligence.

Intelligence analysis needs to be revisited as a more integral part of Cybersecurity and CND because the 21st century has seen the rise of an adversary that is advanced, resourceful, well-trained, well-funded, but above all else, human.

The Kill Chain

Any discussion about Cybersecurity intelligence in the 21st century has to begin with the Kill Chain.
The Intrusion Kill Chain is a model for framing a Computer Network Attack (CNA) or Computer Network Espionage (CNE) incident by breaking it into attack phases. The model was developed by Lockheed Martin's Computer Incident Response Team and published by Hutchins, Cloppert and Amin in 2011. It posits that an intrusion proceeds through seven phases, and that the defender only needs to break one link of the chain to stop it:

RECONNAISSANCE - researching, identifying and selecting the target: studying public information about the organization, its environment, practices and software loadout (harvesting email addresses, mapping internet-facing services, and so on)
WEAPONIZATION - coupling a remote access trojan (the backdoor) with an exploit into a deliverable payload, typically a weaponized document or web page; this happens on the adversary's infrastructure, so the defender never observes it directly
DELIVERY - transmitting the weapon to the target, most commonly as an email attachment, through a website, or on removable media
EXPLOITATION - triggering the adversary's code on the victim, usually by exploiting an application or operating-system vulnerability, or by getting the user to run it
INSTALLATION - installing the backdoor so that the adversary retains access across reboots and logoffs, along with any additional remote access tools
COMMAND AND CONTROL - the implant opens an outbound channel to controller infrastructure, giving the adversary "hands on the keyboard" inside the network
ACTIONS ON OBJECTIVES - collecting and exfiltrating information, moving laterally, or taking other actions against the target

Cybersecurity analysts use this model to work out which phase of an intrusion they are observing, based on the intelligence at hand. Analysis framed this way helps formulate the proper recommendations in real time (an alert at Delivery calls for a different response than one at Actions on Objectives), informs post-mortem investigations, and drives the creation of detection content after the fact: every phase the adversary passed through unseen is a detection gap to close.

Intelligence Analysis vs. Cybersecurity Analysis

Intelligence Analysis uses information to predict behavioral outcomes and produce recommended courses of action for an organization's leaders. This is achieved by collecting intelligence from a myriad of sources:

HUMINT: Human intelligence gathered from people in the field
GEOINT: Geospatial intelligence gathered from satellite or aerial photography, or from mapping/terrain data
MASINT: Measurement and signature intelligence gathered from measured data
OSINT: Open source intelligence gathered from publicly available sources
SIGINT: Signals intelligence gathered from interception of signals
TECHINT: Technical intelligence gathered from analysis of weapons and equipment used by the armed forces of foreign nations, or of environmental conditions
CYBINT/DNINT: Cyber intelligence/digital network intelligence gathered from cyberspace
FININT: Financial intelligence gathered from analysis of monetary transactions

While Cybersecurity analysis attempts to do the same thing, current practice gathers that information almost entirely from security logs and events. This long-held practice places Cybersecurity and CND firmly within the domains of SIGINT and CYBINT/DNINT. It has proven quite useful for detecting attempted attacks at the network perimeter and, after the fact, infected machines inside the network. As successful as this model has been, it has the drawback of being reactive: in most cases these sources only give awareness of malicious behavior at the Delivery phase of the kill chain or later, by which point the adversary has already completed the reconnaissance and weaponization that might have warned of the campaign.

The Cybersecurity professional needs to stop thinking of the battle as one against a faceless internet of ones and zeroes and start thinking of it as one against a living, breathing human being. This human being is clever and resourceful. This human being is swift and unknown. This human being is human.

At its core, the discipline of Intelligence is based on the notion that human beings are formidable opponents, but fallible. It sees a human adversary who, no matter how crafty, leaves indicators of their behavior, and the enumeration of all the possible sources of intelligence accounts for all the kinds of indicator a human produces.

Revisiting the other sources of intelligence will put a more human face on the adversary, enhance the way analysts perceive data, increase visibility into current and future campaigns, and better equip an organization to deploy CND proactively.

Expanding Sources of Intelligence Gathering

HUMINT
As more of the world is thrust into cyberspace and the world inches closer to becoming one big community, conventional criminal enterprises that once had no connection to cybercriminals or hackers are adopting those technological avenues to modernize once-analog criminal activities.
These emerging connections mean that HUMINT sources placed near conventional crime will increasingly hear about cybercrime where they never did in the past.
Human intelligence sources therefore need to be collected with a renewed focus on CND.

The Dark Web

The Web, as most people know it, is comprised of the indexed websites on the internet: the sites that search engines crawl and return. Everything that is not indexed (content behind logins, internal databases, paywalled material) is usually called the deep web, and it is far larger than the indexed web. The Dark Web is the part of it that is deliberately hidden and reachable only through overlay networks such as Tor, where services are addressed by .onion names rather than through DNS. This Dark Web serves as the electronic underworld where the unsavory characters dwell. Because of its intrinsic nature, most Cybersecurity operations steer clear of the Dark Web for fear of infecting their systems or running afoul of the wrong entities. On the other hand, that same nature makes it a rich source of intelligence. The Dark Web is a place where you can find:

Spam/phishing campaigns for hire
Stolen intellectual property (code, designs)
Vulnerabilities for sale
Exploits/rootkits/exploit kits for sale
Hacking for hire
Hacktivist target forums
Insider threats for hire (disgruntled employees)

The Dark Web can be monitored for this intelligence by an advanced analyst using The Onion Router (Tor) from a dedicated, isolated machine: one that is segregated from the production network, carries no corporate credentials or data, and can be wiped after each session. It cannot literally be air-gapped, since it needs a path to the Tor network; the point is that nothing on it can reach, or identify, the enterprise.
Such personnel can also be developed to gather intelligence from individuals on the Dark Web by posing as another black hat.

This practice cannot be taken lightly, as there are legal issues that govern what such an agent can and cannot do in the course of performing his or her duties.

OSINT
As Cybersecurity evolves, intelligence gathering has slowly begun to incorporate OSINT in the form of public forums, Google, and security research groups' published findings.
This intelligence is typically digested and mined for Indicators of Compromise (IOCs) such as:

MD5 hashes of files that can be added to a blacklist of malicious files (a hash matches one specific sample, so a repacked or recompiled variant will not match it, and MD5 is no longer collision-resistant; prefer SHA-256 where the feed provides it)
IPs and URLs that have been identified as Command and Control (C&C) hosts or are currently hosting malware
Strings found in the headers or payloads of malicious packets, which can be turned into IDS/IPS signatures

The quality of this intelligence can be tracked by:

Developing a system that records which sources produce the most rewarding intelligence (indicators that actually match something in your environment) and which produce the least
Policies to age out old intelligence, since infrastructure indicators such as IPs and URLs go stale far faster than file hashes

The Cybersecurity community is fast becoming much larger than it used to be, but it is as tight-knit as ever. As information sharing continues to grow, there will be no shortage of OSINT. The return on investment for OSINT, however, becomes murky as the information and sources multiply. Keeping track of the most sound and complete sources will be the key to maintaining the quality of the intelligence.
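An added example (not from the paper) of the two quality controls just listed: an IOC store that normalizes and deduplicates indicators from several feeds, remembers which feeds reported each indicator that later matched in sensor data, scores feeds by that hit rate, and ages indicators out on a per-type policy. The feed names, indicator values and TTLs are constructed for illustration.

```python
"""Track the quality of OSINT indicator feeds and age out stale indicators.

Added example, not from the paper. Feed names, indicator values (documentation
IP ranges, a made-up hash) and the TTL policy are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Assumed aging policy: how long an indicator stays actionable after it was last
# seen, in a feed or in a hit. Attacker infrastructure churns in weeks; a file
# hash identifies one specific sample for as long as that sample circulates.
DEFAULT_TTL = {
    "ip": timedelta(days=30),
    "url": timedelta(days=60),
    "md5": timedelta(days=365),
    "string": timedelta(days=180),
}


@dataclass
class Indicator:
    value: str
    kind: str                                   # "ip" | "url" | "md5" | "string"
    first_seen: datetime
    last_seen: datetime
    sources: set = field(default_factory=set)   # every feed that reported it
    hits: int = 0                               # sensor matches in our own environment


def normalize(value, kind):
    """Canonical form, so the same indicator from two feeds collapses into one record."""
    v = value.strip()
    if kind == "md5":
        v = v.lower()
        if not MD5_RE.match(v):
            raise ValueError(f"not an MD5 hex digest: {value!r}")
    elif kind == "url":
        v = v.rstrip("/")       # trailing slash only; URL paths are case-sensitive
    return v


class IocStore:
    def __init__(self, ttl=None):
        self.ttl = dict(DEFAULT_TTL if ttl is None else ttl)
        self._by_key = {}       # (kind, normalized value) -> Indicator

    def ingest(self, value, kind, source, when):
        key = (kind, normalize(value, kind))
        ind = self._by_key.get(key)
        if ind is None:
            ind = Indicator(key[1], kind, first_seen=when, last_seen=when)
            self._by_key[key] = ind
        ind.sources.add(source)
        ind.last_seen = max(ind.last_seen, when)
        return ind

    def lookup(self, value, kind):
        return self._by_key.get((kind, normalize(value, kind)))

    def record_hit(self, value, kind, when):
        """Call when a sensor (proxy log, IDS alert, file scan) matched this indicator."""
        ind = self.lookup(value, kind)
        if ind is not None:
            ind.hits += 1
            ind.last_seen = max(ind.last_seen, when)
        return ind

    def age_out(self, now):
        """Drop indicators older than their kind's TTL; returns how many were removed."""
        expired = [k for k, ind in self._by_key.items()
                   if now - ind.last_seen > self.ttl[ind.kind]]
        for k in expired:
            del self._by_key[k]
        return len(expired)

    def source_scores(self):
        """Per feed: indicators contributed, how many ever matched, and the hit rate.
        The hit rate is a crude precision proxy; it cannot see false positives on its own."""
        totals, with_hits = {}, {}
        for ind in self._by_key.values():
            for src in ind.sources:
                totals[src] = totals.get(src, 0) + 1
                if ind.hits:
                    with_hits[src] = with_hits.get(src, 0) + 1
        return {src: {"indicators": n, "with_hits": with_hits.get(src, 0),
                      "hit_rate": with_hits.get(src, 0) / n}
                for src, n in totals.items()}

    def __len__(self):
        return len(self._by_key)


T0 = datetime(2015, 6, 1)            # first feed pull in the constructed sample
REVIEW_DATE = datetime(2015, 7, 16)  # 45 days later: when the sample is aged out


def build_sample_store():
    """Two constructed feeds and two constructed sensor hits."""
    store = IocStore()
    store.ingest("0123456789ABCDEF0123456789ABCDEF", "md5", "vendor-blog", T0)
    store.ingest("198.51.100.23", "ip", "vendor-blog", T0)
    store.ingest("http://malware.example/kit/", "url", "vendor-blog", T0)
    store.ingest("203.0.113.9", "ip", "paste-scrape", T0)
    store.ingest("198.51.100.23", "ip", "paste-scrape", T0 + timedelta(days=3))
    store.record_hit("198.51.100.23", "ip", T0 + timedelta(days=10))
    store.record_hit("0123456789abcdef0123456789abcdef", "md5", T0 + timedelta(days=2))
    return store


if __name__ == "__main__":
    s = build_sample_store()
    for feed, score in sorted(s.source_scores().items()):
        print(f"{feed:<13} {score['with_hits']}/{score['indicators']} matched")
    print("aged out:", s.age_out(REVIEW_DATE), "remaining:", len(s))
```

A feed whose indicators never fire is either irrelevant to this environment or ahead of it, and only an analyst can tell those apart; the score is there to direct that attention, not to replace it. The aging step deliberately resets on a hit, so an old IP that is still being contacted stays on the list.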

TECHINT
The hacker has always been an adversary with many advantages over the Cybersecurity professional: an abundance of resourcefulness, commitment, and the means to carry out their malicious intent. They have always been in a better position to know more about their targets than their targets know about them.
The last few decades have seen the rise of the state-sponsored hacker. This is an adversary that has developed their technical skills from a very early and formative stage in life, trained systematically at a fundamental level to ensure that hacking is second nature. Vulnerabilities, exploits, and code are this adversary's mother tongue.
Intelligence must be gathered with a focus on the technical capabilities of adversaries. Any indicators of an adversary's technology, go-to threat vectors, and code should be recorded for every adversary, whether nation, hacktivist, terrorist, drug dealer, syndicate, or cybercriminal.
Keeping an accurate record of this intelligence can help attribute certain campaigns to certain groups, or rule groups out, based on established behavior patterns and signatures. Because exploits and kits are bought and sold (see The Dark Web, above), shared tooling alone is weak evidence of a shared operator; behavior observed consistently over time carries more weight than any single tool.

The Hamstrung Analyst

As the flow of data increases, the job of a Cybersecurity analyst becomes more and more difficult, while the approach to analysis plods along much as it has since the late 1990s.

Noise vs. Value

As there is more data to process, it is increasingly difficult for analysts to pick the valuable data out of all the noise. Adding to that noise, the enemy is constantly working on new ways to deceive and to obfuscate their intentions.

Mental Models
It has been argued that all individuals assimilate and evaluate information through the medium of what are called mental models. These are experience-based constructs that form our assumptions and expectations about the world and about more specific subjects, in this case Cybersecurity.
Analysts, by nature, become accustomed to what they have seen in the past and paint future analysis with these mental models, sometimes missing crucial indicators or finding malicious activity where there isn't any. The problem grows as the analyst gains experience, because mental models are resistant to change once formed.

Techniques
The intelligence community and the military have come up with many methods of developing the minds of highly adaptable, versatile, well-prepared operators and agents who can see all the angles, think outside the box, and perform in unorthodox ways. These same techniques can be translated to Cybersecurity analysts to overcome many challenges in CND analysis. Some are already being used to form teams with advanced analysis capabilities.

Red Team Mindset

Security teams need to protect every possible way into their networks, while threat actors only need to find one that is unprotected.
Red Teams are used by military and intelligence organizations to improve their effectiveness by employing the mindset of an opposing force. It is, essentially, "thinking like the enemy".
Red Teams operate the way an organization's adversary would operate, often adopting methods and techniques fundamentally different from the organization's own, to account for different backgrounds, tools, training, and perspectives.
Analysts need to be trained in the mindset of a Red Team because it aids in catching security holes that may have been overlooked and develops the ability to look at situations with a "fresh pair of eyes". Training in Red Team thinking should emphasize:

Analyzing complex systems and problems from many different perspectives.
Using the concepts, theories, insights, tools, and methodologies of cultural and military anthropology to predict others' perceptions of an organization's strengths and vulnerabilities.
Using critical and creative thinking in the context of the operational environment to fully explore alternatives to concepts, operations, plans, organizations, and capabilities.

These skills are currently applied mostly in ethical hacking and penetration testing, but they are key to analyzing threats in a live environment. With them, analysts can take seemingly disparate events and logs and extrapolate scenarios that are not right out of the incident handler's textbook.

Red Team/Blue Team

Red Team/Blue Team exercises take the adversarial mindset to another level.
The exercise originated in the military to test force readiness and has been translated to CND by pitting two sets of well-trained analysts against each other in a simulated attack. The Blue Team stands up a network, secures it as best it can, and monitors it, while the Red Team attempts to infiltrate the system and achieve an agreed objective such as exfiltrating data, obtaining root on significant nodes, or defacing a dummy website. After the exercise, both teams perform a joint analysis to identify strengths and vulnerabilities in the established security, as well as strengths and weaknesses in particular approaches to infiltration.
Taking the concept further, it is also highly effective to have the two teams switch sides before the analysis, so that each team gains both the Red and the Blue perspective.

Indicators or Signposts of Change

The intelligence community uses this technique to track major changes in geopolitical climates. It is done by listing a set of scenarios and, under each, the observable signs that would indicate that scenario or outcome. These are tracked over time to create a visual representation of what is being faced in the field and how much concern each possible scenario warrants at any given time.
The same technique can be employed to track changes in the wild that are of concern to CND clients: indicators of change that may point to possible scenarios or trends as they relate to specific organizations or even sectors of business.
The technique has the advantage of providing an objective baseline against which incoming data and intelligence can be compared, which bolsters confidence in the accuracy of any analysis. It also helps to objectify hypotheses by framing them on a more quantifiable basis: an indicator is either observed in a given period or it is not.

Tracking the potential for Malicious Campaigns by Target Sector

Target Sector  Indicators                               2013: Q1 Q2 Q3 Q4   2014: Q1 Q2 Q3 Q4
Defense        Rise in traffic on endpoints
               Rise in scans
               Many related C&C incidents
               Malicious external IPs inbound
Energy         Rise in traffic on endpoints
               Rise in scans
               Many related C&C incidents
               Malicious external IPs inbound
               Increased attacks on SCADA systems
Financial      Rise in traffic on endpoints
               Rise in scans
               Many related C&C incidents
               Malicious external IPs inbound
               Increased CCN information in transit
               Increased PII loss
Retail         Rise in traffic on endpoints
               Rise in scans
               Many related C&C incidents
               Malicious external IPs inbound
               Increased CCN information in transit
               Increased PII loss
               Increased attacks on POS systems
               Rogue APs at retail locations

Each quarter cell holds one of five concern levels: Serious Concern, Substantial Concern, Moderate Concern, Low Concern, Negligible Concern. (The per-quarter ratings are not reproduced here.)

Presence of Trigger Mechanisms ("Y" if present): Major Data Exfiltration, Major PII spill, Homepage defacement, DDoS

Tracking the potential for Malicious Campaigns in an indicators matrix. A matrix like the one above can be used to track the targeting of certain sectors.
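The matrix above, as an added example (not from the paper) in Python: the sector, indicator and trigger lists are the paper's, while the rule that turns a quarter's observations into one of the five concern levels is an assumption made here, and the observations themselves are constructed.

```python
"""Indicators-of-change matrix for sector targeting, after the paper's table.

Added example. Sector/indicator/trigger lists come from the paper; the scoring
rule in concern_level() is an assumption for illustration; observations are
constructed, not real data.
"""

QUARTERS = [f"{y}Q{q}" for y in (2013, 2014) for q in (1, 2, 3, 4)]

# The paper's five-level scale, least to most severe; the index is the cell value.
LEVELS = ["Negligible", "Low", "Moderate", "Substantial", "Serious"]

COMMON = [
    "Rise in traffic on endpoints",
    "Rise in scans",
    "Many related C&C incidents",
    "Malicious external IPs inbound",
]
SECTOR_INDICATORS = {
    "Defense": COMMON,
    "Energy": COMMON + ["Increased attacks on SCADA systems"],
    "Financial": COMMON + ["Increased CCN information in transit", "Increased PII loss"],
    "Retail": COMMON + ["Increased CCN information in transit", "Increased PII loss",
                        "Increased attacks on POS systems", "Rogue APs at retail locations"],
}
TRIGGERS = {"Major data exfiltration", "Major PII spill", "Homepage defacement", "DDoS"}


def concern_level(sector, observed, triggers=()):
    """Return an index into LEVELS for one sector in one quarter.

    Assumed rule: any trigger mechanism present is Serious regardless of indicators;
    otherwise the level follows the fraction of the sector's indicator list observed
    (none -> Negligible, up to a third -> Low, up to two thirds -> Moderate, more ->
    Substantial). Unknown names are rejected so a typo cannot silently lower a score.
    """
    valid = set(SECTOR_INDICATORS[sector])
    obs = set(observed)
    unknown = obs - valid
    if unknown:
        raise ValueError(f"{sector}: indicators not in the matrix: {sorted(unknown)}")
    bad_triggers = set(triggers) - TRIGGERS
    if bad_triggers:
        raise ValueError(f"unknown trigger mechanisms: {sorted(bad_triggers)}")
    if triggers:
        return 4
    frac = len(obs) / len(valid)
    if frac == 0:
        return 0
    if frac <= 1 / 3:
        return 1
    if frac <= 2 / 3:
        return 2
    return 3


def build_matrix(observations):
    """{(sector, quarter): (indicators, triggers)} -> {(sector, quarter): level}.
    Quarters with no observation score Negligible, so the matrix is always full."""
    matrix = {}
    for sector in SECTOR_INDICATORS:
        for q in QUARTERS:
            inds, trig = observations.get((sector, q), ((), ()))
            matrix[(sector, q)] = concern_level(sector, inds, trig)
    return matrix


def render(matrix):
    """Plain-text grid: one row per sector, one column per quarter, level index 0-4."""
    rows = ["Sector     " + " ".join(q[2:] for q in QUARTERS)]
    for sector in SECTOR_INDICATORS:
        cells = " ".join(f"{matrix[(sector, q)]:>4d}" for q in QUARTERS)
        rows.append(f"{sector:<11}{cells}")
    rows.append("levels: " + ", ".join(f"{i}={name}" for i, name in enumerate(LEVELS)))
    return "\n".join(rows)


# Constructed observations (not real data).
SAMPLE_OBSERVATIONS = {
    ("Defense", "2013Q1"): (["Rise in scans"], ()),
    ("Energy", "2014Q1"): (SECTOR_INDICATORS["Energy"], ()),
    ("Financial", "2013Q4"): (["Increased PII loss"], {"Major PII spill"}),
    ("Retail", "2014Q3"): (["Rise in scans", "Increased attacks on POS systems",
                            "Rogue APs at retail locations", "Increased PII loss"], ()),
}

if __name__ == "__main__":
    print(render(build_matrix(SAMPLE_OBSERVATIONS)))
```

Reading the grid across a row shows the trend for a sector; reading down a column shows which sectors were being worked in the same quarter. Replacing the fraction-based rule with analyst-assigned weights per indicator is the obvious next step, and keeping the rule in one function is what makes that change auditable.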

Conclusion
Cyberwarfare is advancing rapidly, and our adversaries, enjoying a myriad of advantages, are evolving along with it. The defenders of enterprise networks cannot continue to face the dangers of tomorrow with the methods of yesterday. The situation is adapt or die.
Revisiting conventional methods of intelligence gathering and analysis and retrofitting them for CND will help develop Cybersecurity professionals who prioritize knowing their enemy and adapting to new situations over scouring for low-hanging fruit.
Adding these methods to the existing capabilities of Cybersecurity analysis will greatly improve any security operation's effectiveness.


Bibliography
A Tradecraft Primer: Structured Analytic Techniques for Improving Intelligence Analysis. Washington, D.C.: US Government, 2009. Print.
"Intelligence Collection Disciplines." FBI. FBI, 21 May 2010. Web. 30 June 2015.
Hutchins, E.M., M.J. Cloppert, and R.M. Amin. "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains." Proc. 6th Int'l Conf. Information Warfare and Security (ICIW 11), Academic Conferences Ltd., 2011, pp. 113-125. URL http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
Polancich, Jason. "The Dark Web: An Untapped Source for Threat Intelligence." Dark Reading (InformationWeek), 23 June 2015. Web. 30 June 2015. <http://www.darkreading.com/analytics/the-dark-web-an-untapped-source-for-threat-intelligence-/a/d-id/1320983>