When we consider cyber threat intelligence (CTI) it is often worthwhile to segment intelligence according to its type. Different types of CTI can apply in different ways at different points in the attacker lifecycle.
Open source intelligence (OSINT): It is acquired from open (or public) sources. These sources can include mainstream media, Internet forums and ‘paste sites’ (where information is simply posted for public view), social media and discussion services.
OSINT can come in many formats and be available in multiple languages, which makes it time-consuming and difficult to classify and act on. The sheer volume is itself the largest hindrance to extracting intelligence from the vast array of information posted in open sources. It is therefore critical to use machine-learning and big-data approaches to assist human analysts in processing OSINT.
Where OSINT shines is in providing context and a view of the bigger picture; for example the relationship between geopolitical events and cyber threats.
With many politically and economically motivated threats, OSINT can be used to assist in uncovering the non-apparent connections between motivations and actions.
Technical intelligence (TECHINT): Most of what we think of as CTI belongs to the TECHINT family. TECHINT relates to technical indicators associated with cyber threat activity. Most commonly, this includes data sets such as Internet protocol (IP) addresses of systems associated with malicious behaviour, malware ‘signatures’, files associated with attackers and the tools they use.
TECHINT often has much less context, such as who the attacker is or when the attack happened, but it has a very rich set of data that can be immediately actionable by CTI consumers. For example, we could ingest feeds of IP addresses and websites associated with malicious attacks, and block these using existing security technologies such as firewalls and proxies.
It is in detection that TECHINT plays its greatest role. By loading technical indicators relating to known attacks into monitoring platforms (such as a security incident and event management – SIEM – platform), it is possible to alert stakeholders quickly when such attacks are detected and to take appropriate action.
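The ingestion and detection workflow described above, as an added example that is not part of the original article: two constructed TECHINT feeds (one of IP addresses and CIDR ranges, one of domains with their source) are normalised and then matched against constructed proxy and firewall log lines, in the way a SIEM lookup table or a firewall block list would be used. All feed entries, log lines, field names and the reserved documentation addresses used are assumptions; the matching is done with the standard library only.

```python
import csv
import io
import ipaddress
import re

# Constructed feed of IP indicators: one per line, '#' comments allowed,
# plain addresses and CIDR ranges both accepted (values are documentation ranges, not real IoCs).
FEED_IPS = """
# constructed feed, not a real indicator list
198.51.100.23
203.0.113.0/24
invalid-line
"""

# Constructed feed of domain indicators in CSV form with the feed that reported each one.
FEED_DOMAINS = """indicator,source
bad.example,feedA
login-update.example,feedB
"""

# Constructed proxy/firewall log lines in a simple key=value syslog style.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z proxy src=10.0.0.5 dst=198.51.100.23 host=cdn.example action=allow",
    "2024-01-01T10:00:05Z proxy src=10.0.0.7 dst=192.0.2.10 host=mail.login-update.example action=allow",
    "2024-01-01T10:00:09Z fw src=10.0.0.9 dst=203.0.113.77 action=allow",
    "2024-01-01T10:00:12Z proxy src=10.0.0.5 dst=192.0.2.50 host=intranet.example action=allow",
]


def load_ip_indicators(text):
    """Parse an IP feed into ip_network objects; return (networks, skipped_lines)."""
    nets, skipped = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # strict=False tolerates host bits set in a CIDR; a bare address becomes a /32 or /128
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            skipped.append(line)  # malformed entries are reported, never silently dropped
    return nets, skipped


def load_domain_indicators(text):
    """Parse a CSV domain feed into {domain: source}, normalising case and trailing dots."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["indicator"].strip().lower().rstrip("."): row["source"].strip() for row in reader}


def parse_log(line):
    """Extract key=value fields from a log line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def domain_hit(host, domains):
    """Return the matching indicator if host equals, or is a subdomain of, a listed domain."""
    parts = host.lower().rstrip(".").split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in domains:
            return candidate
    return None


def match_logs(lines, nets, domains):
    """Return one alert dict per log field that matches an indicator."""
    alerts = []
    for idx, line in enumerate(lines):
        fields = parse_log(line)
        dst = fields.get("dst")
        if dst:
            try:
                addr = ipaddress.ip_address(dst)
            except ValueError:
                addr = None
            if addr is not None:
                # linear scan is fine for a small list; a SIEM or a radix tree handles large feeds
                for net in nets:
                    if addr in net:
                        alerts.append({"line": idx, "field": "dst", "value": dst, "indicator": str(net)})
                        break
        host = fields.get("host")
        if host:
            hit = domain_hit(host, domains)
            if hit:
                alerts.append({"line": idx, "field": "host", "value": host,
                               "indicator": hit, "source": domains[hit]})
    return alerts


if __name__ == "__main__":
    nets, skipped = load_ip_indicators(FEED_IPS)
    for alert in match_logs(SAMPLE_LOGS, nets, load_domain_indicators(FEED_DOMAINS)):
        print(alert)
    print("skipped feed entries:", skipped)
```

Three of the four constructed lines produce alerts (an exact IP match, a subdomain of a listed domain, and an address inside a listed CIDR); the malformed feed entry is reported rather than dropped, which matters when a feed is consumed automatically and a parsing problem would otherwise become a silent detection gap.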
Signals intelligence (SIGINT): Often, your best source of intelligence is your own environment. SIGINT is sourced from the monitoring and analysis of signals in communication networks, such as a company’s own internal computer network and data centre environments. There is no substitute for knowing your own environment, and the data it yields can provide key SIGINT.
We can consider existing security and operational systems as data sources from which SIGINT can be derived. Consider an anti-virus solution: information about which types of malware have been detected can indicate how that malware is being delivered. It might also suggest where other security controls have not been as effective as expected.
The most extreme case of SIGINT could be considered the actions of state-level surveillance on communications networks. Analysing the metadata of such communications has facilitated the identification of individual threat actors and intelligence gathering on a global scale.
The case for sharing: By its very nature, open source intelligence is shared.
However, processing such information to form intelligence can be extremely time-consuming and unreliable.
In the OSINT space, curation is a critical step in filtering out irrelevant or low-value data to find that which we care about the most. This is impractical to do on a purely human basis, with hundreds of thousands of sources, in multiple languages.
Instead, machine learning and big-data analytics are required to augment human intelligence gathering.
Sharing pre-curated OSINT can minimise the duplication of effort in deriving actionable intelligence from open sources. In the air transport industry, we could adopt a model of each airline (for instance) performing this activity themselves, at the expense of duplication, or those airlines could collaborate and share their findings – creating efficiencies through a division of labour.
Technical intelligence is the most traditional of the intelligence types when we think of sharing.
For years, cyber defenders have informally formed communities to share IP addresses of attackers they have faced, malware samples they have collected and other technical items. However, the sharing mechanisms are ad hoc, multi-format and ill-defined. This leads to intelligence being less actionable.
Recent research has shown there is little overlap between TECHINT data sets. This means that organisations have to bear the burden of subscribing to, or being part of, multiple sharing communities.
Although the threat intelligence space is now seeing a period of consolidation, volume remains a problem.
By focusing only on TECHINT known to be relevant to the ATI (air transport industry), there is again a clear value proposition from curation. Consumers of this intelligence can focus on disrupting attacks that are aimed at our industry, rather than those from which they may never see any impact.
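The two points above, that TECHINT feeds overlap little and that curating by industry relevance reduces volume, can be quantified over a set of feeds. The following is an added example and not code from the article: three constructed feeds of indicators (documentation addresses and made-up domains) are compared pairwise with the Jaccard index, each feed's unique contribution is counted, and a curated subset is built by keeping only indicators tagged as reported against a chosen sector. Feed contents, tags and the sector labels are all assumptions.

```python
from itertools import combinations

# Constructed feeds: name -> set of indicators (not real IoCs).
FEEDS = {
    "feed_a": {"198.51.100.23", "203.0.113.5", "bad.example"},
    "feed_b": {"203.0.113.5", "198.51.100.77", "login-update.example"},
    "feed_c": {"192.0.2.44", "bad.example", "update-portal.example"},
}

# Constructed context tags: which sectors an indicator has been reported against.
# Untagged indicators have no known sector attribution.
TAGS = {
    "198.51.100.23": {"aviation"},
    "203.0.113.5": {"finance"},
    "bad.example": {"aviation", "finance"},
    "login-update.example": {"aviation"},
    "update-portal.example": {"retail"},
}


def jaccard(a, b):
    """Overlap of two sets: |A and B| / |A or B|; 0.0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def pairwise_overlap(feeds):
    """Jaccard overlap for every pair of feeds, keyed by (name1, name2)."""
    return {(x, y): jaccard(feeds[x], feeds[y]) for x, y in combinations(sorted(feeds), 2)}


def unique_contribution(feeds):
    """How many indicators each feed supplies that no other feed does."""
    result = {}
    for name, indicators in feeds.items():
        others = set().union(*(v for k, v in feeds.items() if k != name))
        result[name] = len(indicators - others)
    return result


def curate(feeds, tags, sector):
    """Keep only indicators tagged for `sector`; map each to the sorted feeds reporting it."""
    curated = {}
    for name, indicators in feeds.items():
        for ioc in indicators:
            if sector in tags.get(ioc, set()):
                curated.setdefault(ioc, []).append(name)
    return {ioc: sorted(sources) for ioc, sources in curated.items()}


def total_unique(feeds):
    """Size of the merged, de-duplicated indicator set across all feeds."""
    return len(set().union(*feeds.values()))


if __name__ == "__main__":
    for pair, score in pairwise_overlap(FEEDS).items():
        print(pair, f"overlap={score:.2f}")
    print("unique per feed:", unique_contribution(FEEDS))
    print("merged total:", total_unique(FEEDS))
    print("aviation-relevant:", curate(FEEDS, TAGS, "aviation"))
```

On the constructed data no pair of feeds overlaps by more than 20%, and every feed contributes indicators no other feed has, which is the situation in which dropping a subscription loses coverage. The curated aviation view keeps three of the seven merged indicators and records how many feeds corroborate each one, giving a consumer both a smaller list and a confidence signal.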
Signals intelligence has traditionally been less likely to have been shared.
Organisational concerns around informing potential customers and competitors about anything that might be deemed negative have kept sharing at a low level.
However, enlightened organisations are rising above this, as the realisation takes hold that our adversaries – the attackers – are sharing widely and often.
A new security vulnerability can go from being disclosed, to being weaponised in a matter of hours. A few days later, and those same weaponised attacks are now part of entire attack suites. The bad guys are sharing for success.
As defenders, we can realise that there is great value in learning from our peers.
Our collaboration and sharing of what intelligence we gather from our own environments can help us reduce the time adversaries have to carry out their attacks against us.
The author is a Bahrain-based management and technology expert