Saturday, January 24, 2015

Thoughts on Cyber Threat Intelligence

What is cyber threat intelligence (CTI)?

That was the question I was trying to answer. Having conducted cyber intelligence as a military intelligence officer, the term meant something different to me from what the majority of the job postings I read for CTI analysts described. So I started to think about what cyber threat intelligence means in the civilian sector. I searched the internet and job postings to understand how companies were defining cyber threat intelligence. It seems that most define the job as a traditional cyber security role filled by someone from the IT world. The requirements of an intelligence analyst are vastly different from working with network data alone. There are stark differences.

What does CTI bring to the cyber security fight?

Intelligence brings the entire intelligence process to the fight. It brings prediction of future adversary intentions and actions and allows for understanding the differences between adversary courses of action (COA). Without true analysis you have raw data without the “so what” of finished intelligence. Raw data is meaningless unless it is put into context and its meaning defined for leadership. Intelligence also provides “information gap coverage.” If your organization doesn’t understand “who” is attacking it, it gets difficult to understand the kind of attacks and why. Sometimes it is straightforward, as in the case of criminal organizations stealing credit card information. Sometimes it is more difficult and insidious, like what happened in the Sony attack. As outlined in the Department of Defense’s Joint Publication 2-0 (p. 19), “Information is of greatest value when it contributes to the commander’s decision-making process by providing reasoned insight into future conditions or situations.” If we substitute corporate leadership for the commander, it still has the same meaning and is then put in the corporate context. This intelligence, whether defining an adversary’s threat capabilities and intentions or the sociocultural factors behind them, provides predictive, accurate and relevant intelligence estimates to gain advantage in understanding the operating environment and the adversary’s decision-making cycle. Understanding the adversary’s intent enables counter-operations that deny threat vectors by understanding the attacker’s decision cycle and disrupting their operations.

What is the intelligence cycle?

The process of creating intelligence is referred to as the intelligence cycle. The cycle consists of: planning and direction, collection, processing, analysis and production, and dissemination. Planning and direction is defined by the intelligence gaps and information requirements. By knowing what you need to understand you can begin to develop plans to fill these intelligence gaps. This is a critical step in the process. Without a good understanding of what your requirements are, you are bound to spend an inordinate amount of time finding answers to questions you do not need answered. Understanding the operational environment and how your organization navigates it gives one perspective. Adding an understanding of your adversary gives a detailed understanding of the operational environment.

[Figure: The Intelligence Process (intelligence cycle)]

Getting to the left of a cyber incident.

Most cyber security has historically concentrated on the point of attack on a network, the forensics and the policies. CTI attempts to get ahead of an incident and understand the threat groups and organizations that are attacking the network. By knowing the threat, an organization can anticipate it and get to the left of an incident. This helps the organization understand what the threats are and where they may arise from. Intelligence analysts (IAs) must track multiple threat organizations whether they are actively planning attacks on their organization or not. Determining what may or may not become a threat is almost impossible. That leaves tracking all threats. For instance, a hacktivist will attack one organization one day and another the next based on a perceived injustice or a political statement they want to make. When the IA’s organization is perceived by the hacktivist as having defied them or their cause, it too will be put in the cross-hairs. If the IA is already tracking the hacktivists then mitigation procedures are already identified, and if the IA is tied into the network defenders then these mitigation techniques should already be initiated. This highlights a key ingredient in the success of CTI in an organization … the integration into the whole of a cyber security plan. Processed intelligence must be integrated for it to assist in security implementation.

Another key element of CTI is coordination with government and private organizations in sharing threat intelligence. This gives a broader picture of the threat landscape so that it can be understood holistically. It allows the IA to assemble different threat streams and helps in understanding current and emerging threat vectors. It also helps in understanding the groups behind the attacks, which is a key element of CTI. The shift of focus from specific network attack methodologies to understanding the human network behind these attacks will allow a deeper understanding of attacks, with the hope of better prevention techniques.

While the cyber security analyst can analyze what is taking place on the network and from which threat vector, the intelligence analyst pieces together the “who” and “why” of an attack. Being able to understand this enables indications and warnings (I&W), which can predict pending attacks. This is where “getting to the left of an attack” comes from. It’s the anticipation of the attack and applying countermeasures prior to the attack.

Intelligence Requirements

Intelligence should be integrated into operational planning at the beginning. A good understanding of the operational environment is required.

[Figure: Elements of Intelligence Priorities / Intelligence Requirements]

In looking at the environment and the operational plan, gaps start to form. These gaps become intelligence requirements. These requirements start as Critical Information Requirements (CIRs). CIRs are broken down into Priority Intelligence Requirements (PIRs), which answer questions about the environment and/or adversary. PIRs are further broken down into Essential Elements of Information (EEIs), which are the most critical items leadership needs in order to make an operational decision or understand the environment. Anyone in the organization also has the ability to request information through an RFI (Request for Information). The EEIs and PIRs are information requirements that feed into intelligence products, while the answered PIRs are the finished intelligence. In order to answer the PIRs and RFIs, one of two courses of action takes place. The first is that the information is available and is fed back to the requester for integration into intelligence products. The second is that the information doesn’t exist and needs to be gathered; this requirement is then fed into the collection requirements process. This can be confusing, so let’s look at an example.

ACME Widgets is going to open a new facility in Turkey. The leadership needs to know what the operational environment is like. Even though this starts out in the physical realm, are there threats in the cyber world that ACME would encounter while moving into this new geographic area? This starts the first information requirements. What are the threat actors in this new environment? This is now a PIR. What are the information requirements that need to be answered in order to answer the PIR? These information requirements make up the EEIs. Examples would be: who is opposed to ACME Widgets establishing a facility in Turkey? What are the TTPs (tactics, techniques and procedures) of those individuals and organizations? Next is the determination of whether the information is already available or should be sent to the collection plan. Once the intelligence is collected it is analyzed and disseminated through an intelligence product (future blog posts will discuss intelligence products).
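To make the CIR/PIR/EEI breakdown and the two courses of action concrete, here is a small worked model of the ACME Widgets scenario. It is an added example written for this post, not something from the original text or from any real organization; the CIR, PIR, EEI questions, the "holdings" of prior reporting, the RFI and the collection result are all constructed. Each EEI is first checked against existing holdings (course of action one); anything unanswered is routed to a collection plan (course of action two); the PIR only becomes finished intelligence once every EEI under it has an answer.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class EEI:
    """Essential Element of Information: a concrete question whose answer feeds a PIR."""
    question: str
    answer: Optional[str] = None  # filled from holdings or from collection


@dataclass
class PIR:
    """Priority Intelligence Requirement: answered once every EEI under it has an answer."""
    question: str
    eeis: List[EEI] = field(default_factory=list)

    def answered(self) -> bool:
        return bool(self.eeis) and all(e.answer is not None for e in self.eeis)


@dataclass
class CIR:
    """Critical Information Requirement: the leadership-level question, broken into PIRs."""
    question: str
    pirs: List[PIR] = field(default_factory=list)


def build_acme_cir() -> CIR:
    """Constructed from the ACME Widgets scenario: one CIR, one PIR, two EEIs."""
    cir = CIR("What is the operational environment like for the new facility in Turkey?")
    pir = PIR("What are the threat actors in this new environment?")
    pir.eeis.append(EEI("Who is opposed to ACME Widgets establishing a facility in Turkey?"))
    pir.eeis.append(EEI("What are the TTPs of those individuals and organizations?"))
    cir.pirs.append(pir)
    return cir


# Constructed holdings: information already on hand from prior reporting, keyed by question.
HOLDINGS: Dict[str, str] = {
    "Who is opposed to ACME Widgets establishing a facility in Turkey?":
        "Prior reporting (constructed sample) names a local activist group opposing the site.",
}


def route(cir: CIR, holdings: Dict[str, str]) -> List[str]:
    """Course of action one: answer each EEI from holdings.
    Course of action two: anything unanswered goes on the collection plan.
    Returns the list of EEI questions that need collection."""
    collection_plan: List[str] = []
    for pir in cir.pirs:
        for eei in pir.eeis:
            if eei.question in holdings:
                eei.answer = holdings[eei.question]
            else:
                collection_plan.append(eei.question)
    return collection_plan


def ingest_collection(cir: CIR, results: Dict[str, str]) -> None:
    """Fold collected answers (question -> answer) back into the EEIs that raised them."""
    for pir in cir.pirs:
        for eei in pir.eeis:
            if eei.answer is None and eei.question in results:
                eei.answer = results[eei.question]


def handle_rfi(question: str, holdings: Dict[str, str], collection_plan: List[str]) -> Optional[str]:
    """An RFI from anywhere in the organization follows the same two courses of action:
    return the answer if it is already held, otherwise queue it for collection once."""
    if question in holdings:
        return holdings[question]
    if question not in collection_plan:
        collection_plan.append(question)
    return None


def finished_intelligence(cir: CIR) -> List[str]:
    """Dissemination-ready lines, produced only for PIRs whose EEIs are all answered."""
    lines: List[str] = []
    for pir in cir.pirs:
        if pir.answered():
            lines.append(f"PIR: {pir.question}")
            for eei in pir.eeis:
                lines.append(f"  - {eei.question} -> {eei.answer}")
    return lines


if __name__ == "__main__":
    cir = build_acme_cir()
    plan = route(cir, HOLDINGS)
    print("Needs collection:", plan)
    # Constructed collection result for the outstanding EEI.
    ingest_collection(cir, {plan[0]: "Collected (constructed sample): defacement and DDoS."})
    print("\n".join(finished_intelligence(cir)))
```

The point of the model is the gating: `finished_intelligence` returns nothing until the collection result is ingested, which mirrors the post's distinction between information requirements and finished intelligence, and an RFI that duplicates an EEI already on the plan does not generate a second collection task.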
