From #CTISUMMIT.
More info here: https://dragos.com/blog/industry-news/meet-me-in-the-middle-threat-indications-and-warning-in-principle-and-practice/
Video here: https://youtu.be/79RdB3aj2vA
Discussions on threat intelligence often get bogged down between “machine speed” ingestion of atomic indicators and in-depth analysis of activity that takes weeks (or months) to produce. Left in the cold in such debates is a very important but seldom considered middle ground: time-sensitive, incomplete, but enriched threat intelligence. In the U.S. Navy and similar services this is referred to as threat “indications and warning” (I&W): a step beyond a simple observable, refined to ensure accuracy and timely receipt.
The goal of I&W is to get actionable, important information to those who need it most as quickly, efficiently, and accurately as possible, even if some context or other insights are lost as a result. Consumers are then better armed and equipped to deal with and counter threats as they emerge, rather than either reacting to items with no context whatsoever or only reading about their challenges weeks after the fact in a complete intelligence report. This discussion explores the concept of threat I&W within the context of network security generally and threat intelligence specifically, identifying it as a shamefully ignored middle ground between the two extremes. The presentation covers the conceptual background behind the idea, then transitions to real-life examples of I&W drawn from the speaker’s past activity in threat intelligence, incident response, and military operations.
7. Where does Threat Intelligence “fit in”?
Role and Nature of Finalized Intelligence
Operationalizing Incomplete Intelligence
Putting Everything in Perspective
11. Levels of intelligence:
• Strategic Intelligence: senior leadership; focus on future capabilities and intentions that can impact strategic goals
• Operational Intelligence: mid-level decision-makers; applying collected information to operational guidance that informs everyday operations
• Tactical Intelligence: operational decision-makers and personnel; informs everyday activity and immediate actions
12. US DOD JP2-0 Intelligence, http://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp2_0.pdf
15. Finalized intelligence:
• Finished, completed analysis
• Examples: campaign or intrusion reports; malware analysis reports
• Timeliness: after an event has taken place, following analysis & production
17. Raw indicators (IOCs):
• Ideally contextual observations
• Most often: atomic data lacking significant context
• Purpose: facilitate speedy information sharing
• Timeliness: highly variable
22. • IOCs allow for quick alerting and sharing, but at the cost of accuracy and context
• Reports can be thorough, but are historical in nature and typically arrive long after a campaign is complete
23. US DOD JP2-0 Intelligence, http://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp2_0.pdf
24. Daily operations require intelligence support.
Raw indicators are insufficient; finalized intelligence is not timely.
Enriched information providing indications and warning of malicious activity can be both informative and time sensitive.
27. From The Tao of Network Security Monitoring:
I&W is a process of strategic monitoring that analyzes indicators and produces warnings. We could easily leave the definition of indicator as stated by the Army manual and define digital I&W as the strategic monitoring of network traffic to assist in the detection and validation of intrusions. Observe that the I&W process is focused against threats. It is not concerned with vulnerabilities, although the capability of a party to harm an asset is tied to weaknesses in an asset.
- Richard Bejtlich
28. I&W avoids:
• Attack attribution
• Adversary intent
I&W focuses on:
• Differentiating and categorizing threats
• Informing defenders and enabling response
29. The CTI and I&W cycle:
• CTI tracks the overall threat landscape
• CTI informs I&W of TTPs & trends
• Day-to-day operations are supported through I&W
• I&W feeds back to CTI on operations
• CTI adjusts and aggregates based on observations
31. • I&W as illustrated in recent events:
• CRASHOVERRIDE
• SHAMOON and APT33
33. CRASHOVERRIDE timeline:
• December 2016: initial event; no information sharing
• January 2017: sources indicate likely cyber nexus; no public or private* information shared
• June 2017: ESET and Dragos public disclosures; information on ICS malware, additional tools
• October 2018: first instance of attack lifecycle TTPs discussed; almost two years after the event
34. CRASHOVERRIDE assessment:
• Raw data sharing: complete failure; no remotely actionable information shared until nearly 2 years post-event
• Indications & warning: eventual success; took too long to reveal fundamental TTPs; organizations & defenders left vulnerable
• Intelligence: reasonable success; reporting from 2017-2018 covered attack implications in detail
38. SHAMOON and APT33:
Did we do a good job?
• Maybe? Reporting was rapid after initial sightings
• However, amplifying data was scarce to non-existent
• Relationship to broader campaigns not indicated
What could we have done better?
• Largely depends on the accuracy of APT33 attribution
• If tied to past, long-running activity, then I&W failed
• No indications of threat identification or alert before the destructive event
39. Conclusions:
• I&W bridges a critical gap between raw data sharing and completed intelligence reports
• Security operations benefit from robust I&W production and development
• The current CTI process does not adequately capture operational needs, while I&W does
• For I&W to remain relevant and accurate, it must be informed by CTI
40. Recommendations:
CTI Analysts
• Demand I&W support for operations
• Dig in to IOCs to extract TTPs
• Build out behavioral understanding from intelligence reports
• Socialize operations to incomplete information
Information Sharing Groups
• Develop mechanisms to enable and share I&W
• Move beyond raw IOC sharing
• Enable analyst communication
CTI Vendors
• Identify means to report before the “whole story”
• Condition and educate customers to different levels of intelligence support
• Tailor products to different customer needs and audiences
41. I&W must be:
• Timely: notification ASAP; goal is the minimum necessary time to vet and enrich
• Descriptive: what happened / what was observed; avoid speculation, an incomplete picture is acceptable
• Actionable: provide or link to mitigation and threat behavior; IOCs properly enriched with event or observable context
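As an added example (not code from the talk or from Dragos), the following Python turns the slide-41 criteria (timely, descriptive, actionable) and the slide-28 scoping (no attribution or intent claims) into release checks for an I&W notice, and shows the slide-22 accuracy cost of a bare IOC by matching a raw address against an enriched indicator over constructed connection logs. The vetting budget, the speculative-term list, the log format, the log lines and the `203.0.113.5` / `198.51.100.20` addresses are all assumptions made for this example.

```python
"""Vetting an Indications & Warning (I&W) notice and comparing it to a bare IOC.

Added example, not code from the talk or from Dragos. The checks encode the
slide-41 criteria (timely, descriptive, actionable) and the slide-28 scoping
(no attribution or intent claims); the vetting budget, speculative-term list,
log format and log lines are assumptions constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed "minimum necessary time to vet and enrich" before a notice is stale.
MAX_VETTING = timedelta(hours=24)

# Assumed phrases that signal attribution or intent claims I&W should leave out.
SPECULATIVE_TERMS = ("attributed to", "intends to", "probably", "likely apt")


@dataclass
class EnrichedIndicator:
    value: str      # atomic observable (IP, hash, domain)
    kind: str       # "ip", "sha256", "domain"
    process: str    # process observed using it; machine-checkable context
    behavior: str   # the TTP it evidences, for the human reader


@dataclass
class IWNotice:
    observed_at: datetime
    issued_at: datetime
    summary: str                        # what happened / what was observed
    indicators: list = field(default_factory=list)
    mitigation: str = ""                # mitigation text or link


def vet(notice: IWNotice) -> list:
    """Return the defects found; an empty list means the notice can be released."""
    problems = []
    if notice.issued_at - notice.observed_at > MAX_VETTING:
        problems.append("not timely: vetting exceeded the budget")
    if not notice.summary.strip():
        problems.append("not descriptive: no observation summary")
    for term in SPECULATIVE_TERMS:
        if term in notice.summary.lower():
            problems.append(f"speculative wording: '{term}'")
    if not notice.indicators:
        problems.append("not actionable: no indicators")
    for ioc in notice.indicators:
        if not (ioc.process and ioc.behavior):
            problems.append(f"not actionable: {ioc.value} lacks context")
    if not notice.mitigation:
        problems.append("not actionable: no mitigation provided")
    return problems


# Constructed connection logs: one real callback, one scanner touching the same IP.
LOGS = [
    "2017-01-15T02:10:00Z host=ws-07 proc=excel.exe dst=203.0.113.5:443",
    "2017-01-15T02:11:30Z host=vulnscan proc=nmap dst=203.0.113.5:443",
    "2017-01-15T02:12:00Z host=ws-12 proc=chrome.exe dst=198.51.100.20:443",
]


def parse_line(line: str) -> dict:
    """Split a constructed 'ts key=value ...' log line into a record."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = ts
    rec["dst_ip"] = rec["dst"].rsplit(":", 1)[0]
    return rec


def raw_ioc_hits(value: str, lines=LOGS) -> list:
    """Bare IOC match: any connection to the address alerts, context ignored."""
    return [r["host"] for r in map(parse_line, lines) if r["dst_ip"] == value]


def enriched_hits(ind: EnrichedIndicator, lines=LOGS) -> list:
    """I&W match: the address and the observed behavior context must both agree."""
    return [r["host"] for r in map(parse_line, lines)
            if r["dst_ip"] == ind.value and r["proc"] == ind.process]


C2 = EnrichedIndicator("203.0.113.5", "ip", "excel.exe",
                       "Office process making outbound TLS to an external host")
SEEN = datetime(2017, 1, 15, 2, 10, tzinfo=timezone.utc)

GOOD_NOTICE = IWNotice(
    observed_at=SEEN, issued_at=SEEN + timedelta(hours=6),
    summary="Outbound TLS from excel.exe to 203.0.113.5 observed on one workstation.",
    indicators=[C2], mitigation="Block 203.0.113.5 at egress; review Office macro policy.")

BAD_NOTICE = IWNotice(
    observed_at=SEEN, issued_at=SEEN + timedelta(days=3),
    summary="Probably attributed to a state actor.",
    indicators=[EnrichedIndicator("203.0.113.5", "ip", "", "")], mitigation="")

if __name__ == "__main__":
    print("good notice defects:", vet(GOOD_NOTICE))
    print("bad notice defects:", vet(BAD_NOTICE))
    print("raw IOC hits:", raw_ioc_hits(C2.value))
    print("enriched hits:", enriched_hits(C2))
```

The bare address alerts on both the workstation and the vulnerability scanner, while the enriched indicator alerts only where the observed behavior (an Office process making the connection) recurs; the second notice is rejected for being late, speculative, and lacking the context and mitigation that make an I&W product actionable.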