From Infosec to intelligence based cybersecurity


Gone are the days when IT could be protected by implementing a standard set of security controls.

The complexity of national information networks is increasing faster than our ability to understand them and, on an internet that was never designed to be secure, to defend against them.

It is sobering to realise that the most prevalent standard for security controls, ISO 27002: Code of Practice for Information Security Controls, has its roots in the UK Department of Trade and Industry’s PD0003 document, developed in the early 1990s – 25 years ago and prior to the internet as we know it. This became the British Standard BS7799, then International Standard 17799, and in 2005 was renumbered to the 27000 series, with a new version being released in 2013.

A key reason for the longevity of these controls has been their adoption by the audit community as the basis for auditing the security aspects of IT General Controls used to ensure protection of financial systems.

However, information security is not cyber security, and new frameworks are needed to address the unique characteristics and environments which make up cyberspace. The US National Institute of Standards and Technology in 2014 issued a framework for ensuring the cybersecurity of the critical infrastructure which provides an updated list of security categories and maps them to a range of controls from information security standards, including ISO 27000. One of the key controls in the cybersecurity framework which has no ISO equivalent is ID.RA-3: Threats, both internal and external, are identified and documented. This is a key control for understanding security risk.

With cyberspace increasingly looking like a battlefield, knowing who is attacking you, what their motives are, and how they execute their attacks is a key part of cyber situational awareness and an important input to designing an effective security regime.

Sun Tzu said if you do not know your enemies but do know yourself, you will win one battle and lose one, if you do not know your enemies nor yourself, you will be imperiled in every single battle. Ideas in the kinetic world don’t always translate into the cyber world, but the value for an organisation in knowing its own disposition and the threats which it faces is significant.

As the threats in cyberspace have grown, cyber threat intelligence has emerged as a key cybersecurity service, not only for government and critical infrastructure, but for all organisations operating in cyberspace. The value of cyber threat intelligence lies in its ability to change an organisation’s posture from being reactive, responding to attacks when it’s breached, to being proactive, where cybersecurity defenses are tuned to expect and deflect attacks. Cyber threat intelligence comes in two forms: operational and strategic.

The prevalence of polymorphic malware makes it difficult for operational threat intelligence to keep up with tomorrow’s malware. Strategic threat intelligence, on the other hand, will often be relevant for the life of the adversary or malware family.

  1. Operational intelligence comes in the form of data which can be used to configure cyber-defense equipment such as intrusion detection devices to look for specific patterns or types of behavior which are characteristic of a threat. These are known as indicators of compromise. The effective use of automated operational threat intelligence feeds can also deliver timely response to rapidly evolving threats, substantially reducing the window of opportunity within which an attacker can exploit a known vulnerability. Blacklists (lists of compromised IP addresses) are also a popular form of operational threat intelligence.
  2. Strategic cyber threat intelligence is defined, according to Gartner, as ‘Evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard’. However it may be defined, strategic threat intelligence translates to knowing your enemies.

The prevalence of polymorphic malware makes it difficult for operational threat intelligence to keep up with tomorrow’s malware. Strategic threat intelligence, on the other hand, will often be relevant for the life of the adversary or malware family.

For example, the Snake Campaign report issued by BAE Systems in 2014 noted that despite the McAfee ShadyRAT report being published in 2011, there had been no change to the characteristics of attacks from the group. The Snake Campaign report provides detailed threat intelligence on the malware known as Agent.BTZ and the group behind it. This malware was first discovered in 2008, with samples showing that the authors had variants known as snake, urobouros, snark, and sengoku.

Recent malware samples have been found to be much more advanced variants of Agent.BTZ, though still sharing many similarities with the original. Despite spanning many years and numerous updates, the malware retains key characteristics such as the files and devices created when it executes, the way it cloaks itself, and the manner in which it injects into new processes.

Similarly, the command and control infrastructure upon which the malware operates and the time-of-day at which variants have been compiled remain constant. This knowledge allows the security analyst to derive methods to detect the malware either as it arrives or when it attempts to execute.

While developing operational threat intelligence can be done by analysis of the malware, developing strategic threat intelligence requires not only malware analysis but also many sources of human and technically sourced intelligence from open and darknet sources, as well as a team of analysts who can interpret and fuse the information into intelligence. This intelligence then needs to be supported with actionable advice which is accurate and timely, and tailored to the specific intelligence requirements of the consuming organisation.

Organisations can start to understand their adversaries by mapping the adversaries’ past activities and capabilities, historical and current affiliations, their readiness and objectives, and future ambitions. This allows informed priorities to be set for cyber defense investments, and by being able to attribute attacks to threat actors enables better response in the event of an incident.

Honeypots and sinkholes are two key technologies which are deployed by researchers to attract attacks and redirect malware traffic. These provide a rich source of input into threat analysis. There are many open source feeds for operational threat intelligence, and many companies release malware and threat actor analyses. However, open source strategic threat intelligence often lags behind paid services, and real time displays, while visually appealing, provide little actionable threat intelligence.

Cyber attacks are rarely carried out without clear motivation and rarely occur as a single action, so one of the key goals of threat intelligence is to anticipate them. The use of social media feeds to predict traditional activism and cybercrime has been successful, with Nathan Kallus from the Massachusetts Institute of Technology successfully demonstrating his model for predicting national-level unrest based on Twitter feeds.

Another obvious source of predictive cyber threat information is monitoring of malware spread; the use of BlackPOS was seen many months in advance of its first sighting in the United States and the subsequent attack on Target’s POS system.

The importance of threat intelligence is not lost on the United States Government. In February 2015, President Obama tasked the Director of National Intelligence to establish the Cyber Threat Intelligence Integration Centre
as a national intelligence centre focused on “connecting the dots” regarding malicious foreign cyber threats, and providing all-source analysis of threats for US policymakers. Here in Australia, the establishment of the Australian Cybersecurity Centre will enable more effective threat intelligence integration by having government cybersecurity agencies and key critical infrastructure organisations co-located.

Threat intelligence is an emerging discipline both for service providers and for consumers. In a survey carried
out by the Ponemon Institute, released in March 2015, 80% of companies in the survey that had suffered a material breach said threat intelligence would have helped prevent or minimise the consequences of the attack.

To successfully defend against contemporary attacks requires a focus on new areas of cybersecurity, including importantly, threat intelligence.

Information security remains important, but in the age of cyberspace on its own is not enough.