This document discusses techniques for intelligence gathering and analysis in cybersecurity. It begins by introducing the cyber kill chain model used to frame attacks. It then discusses how cybersecurity analysis can expand its sources of intelligence beyond just security logs to include open source intelligence, human intelligence, technical intelligence and analyzing the dark web. The document also discusses techniques like adopting a red team mindset and conducting red team/blue team exercises to help analysts think like adversaries. It emphasizes training analysts to consider different perspectives and think outside normal models. The goal is to help analysts detect threats more proactively by gathering intelligence from more sources and using different analytical techniques.
Table of Contents
Introduction .... 3
The Kill Chain .... 4
Intelligence Analysis vs. Cybersecurity Analysis .... 5
Expanding Sources of Intelligence Gathering .... 6
  HUMINT .... 6
  The Dark Web .... 6
  OSINT .... 7
  TECHINT .... 7
The Hamstrung Analyst .... 8
  Noise vs. Value .... 8
  Mental Models .... 8
Techniques .... 8
  Red Team Mindset .... 8
  Red Team/Blue Team .... 9
Conclusion .... 11
Bibliography .... 12
Introduction
“Cybersecurity”
This is a major buzzword these days.
In academic institutions across the world, Cybersecurity degrees are being churned out in record numbers. It’s easy to find: just go to each college’s school of Information Technology. Course lists are rife with classes on the OSI model, firewall administration, routing, switching, administration of Windows, PC hardware, and the list goes on and on.
While there is no Security professional worth his or her salt that isn’t an expert on all these subjects, these subjects are to Cybersecurity and Computer Network Defense (CND) merely what Arithmetic and Algebra are to Calculus: a sound foundation.
Cybersecurity is currently being taught in most programs as an Information Technology discipline. Tomorrow’s cybersecurity professionals are being taught the tools of the trade and the capabilities of those tools. They are learning attack countermeasures and a “set it and forget it” attitude. The reality is, because of the adversary and the adversary’s capabilities, it is really Computer Science and Intelligence Analysis.
A deeper understanding of Computer Science is required because the real threats in the field are programmers and coders. The real weapons are the code that they write. There are, admittedly, no shortages of “script kiddies”, malevolent threat-actors who don't write their own exploits but, instead, rely on exploits and tools that they paid for or found in some forum, somewhere. The fact still remains that what we really fear from all these threats is the code, whether or not the person who targeted your network wrote it themselves. Without a deeper understanding of how the software was put together and what every little subroutine and function is meant to do, we are only able to detect low-hanging fruit. At best, we are merely detecting the symptoms but not diagnosing the disease.
Many a dramatic individual loves to refer to the internet as the new battleground. They like to conjure up images of black hat hackers and white hat cybersecurity analysts and engineers as the 21st Century warriors. This simile, as over-the-top as it is, is pretty accurate. We are fighting a war... an intricate war against a most sophisticated adversary. No war was ever won without adequate intelligence.
Intelligence Analysis needs to be revisited as a more integral part of Cybersecurity and CND because the 21st Century has seen the rise of an adversary that is advanced, resourceful, well-trained, well-funded… but above all else… Human.
The Kill Chain
Any discussion about Cybersecurity Intelligence in the 21st Century has to begin with The Kill Chain.
“The Intrusion Kill Chain” is a model for framing a Computer Network Attack (CNA) or Computer Network Espionage (CNE) incident by breaking it into attack phases. This model was developed by Lockheed Martin’s Computer Incident Response Team in 2010. It posits that any attack on a system will be carried out in seven phases:
RECONNAISSANCE - studying public information about the target, the target's environment, software mix, practices and software loadout
WEAPONIZATION - preparing a backdoor and a penetration plan intended to deliver a successful attack
DELIVERY - launching the attack and injecting the backdoor
EXPLOITATION - triggering the backdoor
INSTALLATION - installing the backdoor as a bootstrap and any additional remote access tools
COMMAND AND CONTROL - use of the tools to establish remote access
ACTIONS ON OBJECTIVES - collecting and exfiltrating information, or other actions against the target
Cybersecurity analysts use this model to gain insight into which phase of the attack they are observing, based on given intelligence. Analysis gleaned from this model helps to formulate the proper recommendations in real time, as well as inform post-mortem investigations and create detection content after the fact.
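As an added illustration (not from the original paper), the following Python sketch maps constructed detection events onto the seven phases and reports the deepest phase observed, which is how an analyst places an incident on the chain; the event type names and the SAMPLE_EVENTS are hypothetical.

```python
from typing import Dict, List, Optional, Tuple

# The seven phases of the Intrusion Kill Chain, in order.
KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]

# Hypothetical mapping from detection event types to kill chain phases.
# The event names are constructed for this example, not taken from any product.
EVENT_PHASE: Dict[str, str] = {
    "external_port_scan": "Reconnaissance",
    "phishing_email_with_attachment": "Delivery",
    "exploit_signature_match": "Exploitation",
    "new_persistence_registry_key": "Installation",
    "beacon_to_known_c2": "Command and Control",
    "large_outbound_transfer": "Actions on Objectives",
}

def phase_of(event_type: str) -> Optional[str]:
    """Return the kill chain phase an event type indicates, or None if unmapped."""
    return EVENT_PHASE.get(event_type)

def deepest_phase(events: List[dict]) -> Optional[Tuple[str, int]]:
    """Return (phase, index) of the furthest phase seen across a set of events.
    Weaponization happens on the adversary's side and produces no local event,
    so it is never reported directly; a Delivery observation implies it."""
    deepest = -1
    for ev in events:
        phase = phase_of(ev["type"])
        if phase is not None:
            deepest = max(deepest, KILL_CHAIN.index(phase))
    if deepest < 0:
        return None
    return KILL_CHAIN[deepest], deepest

def earlier_phases(phase: str) -> List[str]:
    """Phases preceding the given one: where post-mortem detection content
    should be added so the next campaign is caught before it gets this far."""
    return KILL_CHAIN[:KILL_CHAIN.index(phase)]

# Constructed sample events from a single incident (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws-17", "type": "phishing_email_with_attachment"},
    {"host": "ws-17", "type": "new_persistence_registry_key"},
    {"host": "ws-17", "type": "beacon_to_known_c2"},
    {"host": "ws-17", "type": "unmapped_noise"},   # ignored: no phase mapping
]

if __name__ == "__main__":
    result = deepest_phase(SAMPLE_EVENTS)
    print(result)                         # ('Command and Control', 5)
    print(earlier_phases(result[0]))      # phases to build detections for
```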
Intelligence Analysis vs. Cybersecurity Analysis
Intelligence Analysis uses information to predict behavioral outcomes and produce recommended courses of action for organization leaders. This is achieved by collecting intelligence from a myriad of sources:
HUMINT: Human Intelligence – gathered from people in the field
GEOINT: Geospatial Intelligence – gathered from satellite, aerial photography, or mapping/terrain data
MASINT: Measurement and Signature Intelligence – gathered from measured data
OSINT: Open Source Intelligence – gathered from open sources
SIGINT: Signals Intelligence – gathered from interception of signals
TECHINT: Technical Intelligence – gathered from analysis of weapons and equipment used by the armed forces of foreign nations, or of environmental conditions
CYBINT/DNINT: Cyber Intelligence/Digital Network Intelligence – gathered from cyberspace
FININT: Financial Intelligence – gathered from analysis of monetary transactions
While Cybersecurity Analysis attempts to do the same thing, current practices are focused on security logs and events for gathering said information. This long-held practice firmly places Cybersecurity and CND under the domains of SIGINT and CYBINT/DNINT. This has proven quite useful in detecting attempted attacks at the perimeter of networks, and infected machines inside the network, after the fact. As successful as this model has always been, it has the drawback of being reactive. In most cases, these sources of intelligence only allow for awareness of malicious behavior post-Delivery on the kill chain.
The Cybersecurity professional needs to shift perspective: the battle is not against a faceless internet of ones and zeroes, but against a living, breathing human being. This human being is clever and resourceful. This human being is swift and unknown. This human being is… human.
At its core, the discipline of Intelligence is based on the notion that human beings are formidable opponents, but fallible. This discipline sees a human adversary who, no matter how crafty, leaves indicators of their behavior. Identifying all the possible sources of intelligence accounts for all the types of indicators a human produces.
Revisiting the other sources of intelligence will put a more human face on the adversary, enhance the way analysts perceive data, increase visibility into current and future campaigns, and better equip an organization to deploy CND in a more proactive way.
Expanding Sources of Intelligence Gathering
HUMINT
As more of the world is thrust into cyberspace and the world inches closer to becoming one big community, HUMINT sources that once had no connections with cybercriminals or hackers are starting to utilize those more technological avenues to modernize once-analog criminal activities.
These emerging connections between conventional criminal enterprises and cybercriminals may result in HUMINT with connections to cybercrime where there weren't any in the past.
Human intelligence sources need to be collected with a renewed focus on CND.
The Dark Web
The Web, as it is known to most people, is comprised of all the indexed websites on the internet. These websites are indexed and searchable from any search engine. The Dark Web is comprised of all the sites that aren’t indexed or searchable. This Dark Web serves as the electronic underworld, where all the unsavory characters dwell. Because of its intrinsic nature, most Cybersecurity operations steer clear of The Dark Web for fear of infecting their systems or running afoul of the wrong entities.
On the other hand, the same intrinsic nature makes it the perfect source for intelligence. The Dark Web is a place where you can find:
Spam/phishing campaigns for hire
Stolen intellectual property (code, designs)
Vulnerabilities for sale
Exploits/Rootkits/Exploit Kits for sale
Hacking for hire
Hacktivist target forums
Insider threats for hire (disgruntled employees)
The Dark Web can be monitored for this intelligence by an advanced analyst using The Onion Router (TOR) and an air-gapped machine with offline browsing.
Such advanced personnel can also be developed to gather intelligence from individuals on The Dark Web, posing as another black hat.
This practice cannot be taken lightly, as there are legal issues to take into account that would govern what such an agent can and cannot do in the course of performing his or her duties.
OSINT
As Cybersecurity evolves, intelligence gathering has slowly begun to incorporate OSINT in the form of public forums, Google, and Security Research Groups’ publications of findings.
This intelligence is typically digested and mined for Indicators of Compromise (IOCs) such as:
MD5 hashes of files that can be added to a blacklist of malicious files
IPs and URLs that can be identified as Command and Control (C&C) hosts or are currently hosting malware
Strings that can be found in header or even payload information of malicious packets and used to create IDS/IPS signatures
The quality of this intelligence can be monitored more closely by:
Developing a system that monitors which sources produce the most rewarding intelligence and which produce the least rewarding intelligence
In-depth policies to age out old intelligence
The Cybersecurity community is fast becoming much larger than it used to be, but it is as tight-knit as ever. As information sharing continues to grow, there will be no shortage of OSINT. The return on investment for OSINT, however, becomes murky as the information and sources increase. Keeping track of the most sound and complete sources of information will be the key to maintaining the quality of the intelligence.
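The two quality controls just listed, source scoring and aging out old intelligence, as an added Python example (not code from the original paper): an IOC store that records which feed supplied each indicator, which indicators ever matched local telemetry, the per-source yield that follows, and a retention window that drops stale indicators. The feed names, dates and indicator values are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

@dataclass
class Indicator:
    value: str                       # an MD5 hash, IP address or URL
    source: str                      # the OSINT feed that supplied it
    first_seen: date
    last_hit: Optional[date] = None  # last match in our own logs, if any

@dataclass
class IocStore:
    indicators: Dict[str, Indicator] = field(default_factory=dict)

    def ingest(self, ind: Indicator) -> None:
        self.indicators.setdefault(ind.value, ind)  # first source to report wins

    def record_hit(self, value: str, on: date) -> bool:
        """Mark that an indicator matched local telemetry; False if unknown."""
        ind = self.indicators.get(value)
        if ind is None:
            return False
        ind.last_hit = on
        return True

    def source_yield(self) -> Dict[str, float]:
        """Fraction of each source's indicators that ever matched locally."""
        totals: Dict[str, List[int]] = {}
        for ind in self.indicators.values():
            n_hits = totals.setdefault(ind.source, [0, 0])
            n_hits[0] += 1
            if ind.last_hit is not None:
                n_hits[1] += 1
        return {src: hits / n for src, (n, hits) in totals.items()}

    def age_out(self, today: date, max_age_days: int) -> List[str]:
        """Drop indicators older than the window that never matched inside it."""
        cutoff = today - timedelta(days=max_age_days)
        stale = [v for v, ind in self.indicators.items()
                 if ind.first_seen < cutoff
                 and (ind.last_hit is None or ind.last_hit < cutoff)]
        for v in stale:
            del self.indicators[v]
        return sorted(stale)

def build_sample_store() -> IocStore:
    """Constructed feed data for this example; none of these are real indicators."""
    store, today = IocStore(), date(2015, 1, 10)
    for value, src, days_ago in [
        ("0123456789abcdef0123456789abcdef", "vendor_blog", 200),
        ("198.51.100.23", "vendor_blog", 30),
        ("203.0.113.9", "public_forum", 150),
        ("http://example.invalid/kit", "public_forum", 10),
        ("fedcba9876543210fedcba9876543210", "research_group", 90),
    ]:
        store.ingest(Indicator(value, src, today - timedelta(days=days_ago)))
    store.record_hit("198.51.100.23", date(2015, 1, 5))
    store.record_hit("fedcba9876543210fedcba9876543210", date(2014, 12, 20))
    return store
```

With a 120-day window the two indicators that were never seen locally and are older than the window are retired, while the research_group source ranks highest because its single indicator did match.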
TECHINT
The hacker has always been an adversary with many advantages over the Cybersecurity professional. This adversary has always had an abundance of resourcefulness, commitment, and means to carry out their malicious intent. They have always had the advantage of being in a better position to know more about their targets than their targets know about them.
The last few decades have seen the rise of the state-sponsored hacker. This is an adversary that has developed their technical skills from a very early and formative stage in life. This adversary has been trained in a very systematic manner at a very fundamental level to ensure hacking is second nature. Vulnerabilities, Exploits, and Code are this adversary’s mother tongue.
Intelligence must be gathered with a focus on the technical capabilities of adversaries. Any indicators of the adversary’s technology, go-to threat vectors, and code should be gathered for all adversaries. These adversaries can be nations, hacktivists, terrorists, drug dealers, syndicates, or cybercriminals.
Keeping an accurate record of this intelligence can help attribute certain campaigns to certain groups, or even rule out groups from campaigns, based on established behavior patterns and signatures.
The Hamstrung Analyst
As the flow of data increases, the job of a Cybersecurity analyst becomes more and more difficult, while the approach to analysis lurches forward in the same manner it has been done since the late 90’s.
Noise vs. Value
As there is more data to be processed, it is increasingly difficult for analysts to pick out valuable data through all the noise. To add to this noise, the enemy is constantly working on new ways to deceive and obfuscate their intentions.
Mental Models
It has been argued that all individuals assimilate and evaluate information through the medium of what is called “mental models”. They are experience-based constructs which form assumptions or expectations of the world and of more specific subjects, in this case Cybersecurity.
Analysts, by nature, become accustomed to what they have seen in the past and paint future analysis with these mental models, sometimes missing crucial indicators or finding malicious activity where there isn’t any. The problem increases as the analyst gains experience, as mental models are resistant to change once formed.
Techniques
The intelligence community and military have come up with many methods of developing the minds of highly adaptable, versatile, well-prepared operators and agents who can see all the angles, think outside of the box, and perform in unorthodox ways. These same techniques can be translated to Cybersecurity analysts to overcome many challenges to CND analysis. Some are already being utilized to form teams with advanced analysis capabilities.
Red Team Mindset
Security teams need to protect every possible way into their networks, while threat actors only need to find one that is unprotected.
Red Teams are used by military and intelligence organizations to improve their effectiveness by employing the mindset of an opposing force. It is, essentially, "thinking like the enemy".
Red Teams operate in the exact way an organization's adversary would operate, often adopting methods and techniques that are fundamentally different from said organization's to account for different backgrounds, tools, training, and perspectives.
Analysts need to be trained in the mindset of a Red Team because it aids in catching security holes that may have been overlooked. It develops the ability of an analyst to look at situations with a “fresh pair of eyes”. Training in Red Team thinking should have an emphasis on:
Analyzing complex systems and problems from many different perspectives.
Utilizing concepts, theories, insights, tools, and methodologies of cultural and military anthropology to predict others' perceptions of an organization's strengths and vulnerabilities.
Utilizing critical and creative thinking in the context of the operational environment to fully explore alternatives to concepts, operations, plans, organizations, and capabilities.
These skills are currently utilized mostly in the field of ethical hacking and penetration testing, but they are key skills for analyzing threats in a live environment. With these skills, analysts will be able to take seemingly disparate events and logs and extrapolate scenarios that aren't right out of the incident handler's textbook.
Red Team/Blue Team
Red Team/Blue Team exercises take the adversarial mindset to another level.
The exercise was originated by the military to test force readiness and has been translated to CND by pitting two sets of well-trained analysts against each other in a simulated attack. The Blue Team stands up a network and attempts to secure it as best as it can and monitor it, while the Red Team attempts to infiltrate the system and perform an arbitrary objective such as data exfiltration, obtaining root access to significant nodes, or defacing a dummy website. After the exercise, joint analysis is performed by both teams to identify strengths and vulnerabilities in the established security, as well as strengths and weaknesses in certain approaches of infiltration.
Taking the concept further, it is also highly effective to have the two teams switch sides before analysis, to gain two perspectives from both the Red and Blue sides.
Indicators or Signposts of Change
The intelligence community uses this technique to track major changes in geopolitical climates. It is done by listing a set of scenarios and, under those, a list of observable signs that may indicate that scenario or outcome. These are tracked over time to create a visual representation of what they are facing in the field and the warranted concern for those possible scenarios at any given time.
This same technique can be employed to track possible changes in the wild that are of concern to CND clients. It can be used to track indicators of change that may point to possible scenarios or trends as they relate to specific organizations or even sectors of business.
This technique has the advantage of providing an objective baseline against which incoming data and intelligence can be compared, to bolster confidence in the accuracy of any analysis. This technique also helps to objectify any hypotheses by framing them on a more quantifiable basis.
Tracking the Potential for Malicious Campaigns by Target Sector
Columns: Target Sector | Indicators | 2013 Quarter 1, 2, 3, 4 | 2014 Quarter 1, 2, 3, 4
Concern scale for each quarterly cell: 1 Serious Concern, 2 Substantial Concern, 3 Moderate Concern, 4 Low Concern, 5 Negligible Concern (the per-quarter ratings themselves are not recoverable from this text)
Defense: Rise in traffic on endpoints; Rise in scans; Many related C&C incidents; Malicious external IPs inbound
Energy: Rise in traffic on endpoints; Rise in scans; Many related C&C incidents; Malicious external IPs inbound; Increased attacks on SCADA systems
Financial: Rise in traffic on endpoints; Rise in scans; Many related C&C incidents; Malicious external IPs inbound; Increased CCN information in transit; Increased PII loss
Retail: Rise in traffic on endpoints; Rise in scans; Many related C&C incidents; Malicious external IPs inbound; Increased CCN information in transit; Increased PII loss; Increased attacks on POS systems; Rogue APs at retail locations
Presence of Trigger Mechanisms ("Y" if present): Major data exfiltration; Major PII spill; Homepage defacement; DDoS
Tracking the potential for malicious campaigns in an indicators matrix. A matrix like the one above can be used to track the targeting of certain sectors.
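As an added worked example (not part of the original paper), the following Python code encodes the sector and indicator structure of the matrix above and scores each sector per quarter on the 1 to 5 concern scale. The scoring thresholds, the treatment of trigger mechanisms as a floor on concern, and the quarterly observations in SAMPLE are this example's assumptions, not data from the paper.

```python
from typing import Dict, List, Tuple

# Concern scale used by the matrix in the text: 1 is the most severe.
CONCERN = {1: "Serious", 2: "Substantial", 3: "Moderate", 4: "Low", 5: "Negligible"}

# Indicator sets per sector as listed in the matrix (four common, plus sector-specific).
COMMON = ["Rise in traffic on endpoints", "Rise in scans",
          "Many related C&C incidents", "Malicious external IPs inbound"]
SECTOR_INDICATORS: Dict[str, List[str]] = {
    "Defense": COMMON,
    "Energy": COMMON + ["Increased attacks on SCADA systems"],
    "Financial": COMMON + ["Increased CCN information in transit", "Increased PII loss"],
    "Retail": COMMON + ["Increased CCN information in transit", "Increased PII loss",
                        "Increased attacks on POS systems", "Rogue APs at retail locations"],
}
TRIGGERS = ["Major data exfiltration", "Major PII spill", "Homepage defacement", "DDoS"]

def concern_level(sector: str, observed: List[str], triggers: List[str]) -> int:
    """Score one sector for one quarter. The rule is this example's assumption:
    the fraction of the sector's indicators observed sets the base level, and any
    trigger mechanism present raises the level to at least Substantial (2)."""
    expected = SECTOR_INDICATORS[sector]
    unknown = set(observed) - set(expected)
    if unknown:  # an indicator nobody tracks for this sector is a data error
        raise ValueError(f"indicators not tracked for {sector}: {sorted(unknown)}")
    frac = len(set(observed)) / len(expected)
    if frac >= 0.75:
        level = 1
    elif frac >= 0.5:
        level = 2
    elif frac >= 0.25:
        level = 3
    elif frac > 0:
        level = 4
    else:
        level = 5
    if any(t in TRIGGERS for t in triggers):
        level = min(level, 2)
    return level

def build_matrix(observations: Dict[str, Dict[str, Tuple[List[str], List[str]]]]) -> Dict[str, Dict[str, int]]:
    """observations[sector][quarter] = (indicators observed, triggers present)."""
    return {sector: {q: concern_level(sector, obs, trig) for q, (obs, trig) in quarters.items()}
            for sector, quarters in observations.items()}

# Constructed observations for two quarters (illustrative, not real data).
SAMPLE = {
    "Retail": {
        "2013 Q4": (["Rise in scans", "Increased attacks on POS systems"], []),
        "2014 Q1": (["Rise in scans", "Increased attacks on POS systems",
                     "Increased CCN information in transit"], ["Major PII spill"]),
    },
    "Energy": {
        "2013 Q4": ([], []),
        "2014 Q1": (["Rise in scans"], ["DDoS"]),
    },
}
```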
Conclusion
Cyberwarfare is advancing at an exponential rate and our adversaries, using a myriad of advantages, are evolving along with it. The defenders of enterprise networks cannot continue to face the dangers of tomorrow with the methods of yesterday. The situation is “adapt or die”.
Revisiting conventional methods of intelligence gathering and analysis and retrofitting them for CND will help to develop cybersecurity professionals who prioritize knowing their enemy and adapting to new situations over scouring for the low-hanging fruit.
Adding these methods to the existing capabilities of cybersecurity analysis will greatly improve any security operation’s effectiveness.
Bibliography
A Tradecraft Primer: Structured Analytic Techniques for Improving Intelligence Analysis. Washington, D.C.: US Government, 2009. Print.
"Intelligence Collection Disciplines." FBI. FBI, 21 May 2010. Web. 30 June 2015.
E.M. Hutchins, M.J. Cloppert and R.M. Amin, Ph.D., "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains," Proc. 6th Int'l Conf. Information Warfare and Security (ICIW 11), Academic Conferences Ltd., 2010, pp. 113–125; URL http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
Polancich, Jason. "The Dark Web: An Untapped Source For Threat Intelligence." InformationWeek, 23 June 2015. Web. 30 June 2015. <http://www.darkreading.com/analytics/the-dark-web-an-untapped-source-for-threat-intelligence-/a/d-id/1320983>