Cyber Threat Intelligence

08.

Cybersecurity (CS)  intelligence or Cyber Threat Intelligence (CTI) is a process to gather valuable insights based on the analysis of contextual and situational risks to the enterprise's IT assets.

Sample Presentation

A presentation on defining threat intelligence, types of threats, and more...

Sample Documents

Cyber Kill Chain (CKC) Analysis on Yahoo Hack

Applying Lockheed Martin's CKC to the Yahoo hack

Cyber Threat Intelligence Plan (CTIP)

An example competitive assessment 

Topic Examples

Introducing types of intelligence

A discussion on competitive intelligence and where lines are drawn 

Applying Lockheed Martin's cyber kill chain to the Yahoo hack 

An example competitive assessment

Introduction to Cyber Threat Intelligence (CTI)

Cybersecurity (CS)  intelligence or Cyber Threat Intelligence (CTI) is a process to gather valuable insights based on the analysis of contextual and situational risks to the enterprise's IT assets.  To be effective, the intelligence reports are tailored to the organizations industry, threat landscape, or market. The access to intelligence can make a substantial difference to the organizations ability to anticipate breaches before they occur. Intelligence results in faster response and remediation to confirmed breaches, and effectively maneuvering defense mechanisms into place.

There are ethical and professional considerations when it comes to threat intelligence. The tools used can be easily turned to create unfair control over employees and business competitors. The data generated from these intelligence tools or from internal business operations must be carefully protected against those to sell it or share for financial purposes or impose will for personal benefit. We saw this play out recently with Facebook and countless other organizations who exploited their network and high level intelligence tools for advantages.

There are three pillars to CTI: operational, tactical, and strategic. The first pillar of strategic intelligence involve the highest levels of the organization including risk management. Strategic activities include threat briefings and making plans to prioritize defenses. Operational intelligence deals with day-to-day decisions of the network and review data for impending attacks. Cybersecurity personnel understands the tools used by adversaries and creates policies to foil any attempts. Tactical intelligence involves real-time decisions to mitigate threats. Personnel may need to block, deny, delay, or shutdown components to thwart an adversaries actions on the network.

Other types of intelligence include:

Research Intelligence- Supports other finished intelligence products (current, estimation, warning, and scientific and technical)

Current Intelligence- Addresses day-to-day events

Estimative Intelligence - Looks forward to assess potential developments

Warning Intelligence- Sounds an alarm or gives notice

Scientific and Technical Intelligence- Includes an examination of the technical development, characteristics, performance and capabilities of foreign technologies

See the presentation above to learn more about types of intelligence, threat actors, and recommendations.

 

Reviewing Ethics in Competitive Intelligence

“Do not fire unless fired upon” is a common rule of engagement. The police and military who adopt this strategy have it in place for good purpose- unfavorable public attention and consequences that involve retaliation from aggressive groups. In the cyber intelligence world, if intrusion methods are developed and deployed, this gives rise to copy cat attacks from adversaries who use the same exploits, vulnerabilities, and methods of the offending group.
 

The adversarial engagement can be sparked in many ways: employee poaching, patent trolling, unethical business practices, defamation, or outright patent infringement as we see with android phones. In the infamous Apple vs. Samsung case, competitive intelligence appeared to be in full swing when Steve Jobs responded to the infringement issue by saying:
 

“I will spend my last dying breath if I need to, and I will spend every penny of Apple's $40 billion in the bank, to right this wrong. I'm going to destroy Android, because it's a stolen product. I'm willing to go thermonuclear war on this.”
 

Ideally, a tech company should be innovative and inward focused when it comes performance and security. If the company puts significant investment into the training and awareness people and the business behind a good product the profits will show and internal risks are reduced. The persistent internal threats that companies like Apple or Tesla faces are real despite how well employees are treated due to the value of their technology and processes. Internal threats become a focus for some organizations that need to protect intellectual capital.
 

Unfortunately, as the world gets interconnected and social media becomes a force to be reckoned with, carrying out adversarial assessment and analysis becomes common place. For the first time, any person on the internet can make an organization, industry, or country around the world accountable for their wrong doings. Examples are include bad business practices exposed on popular websites like Glassdoor or social media sites like Reddit and YouTube. This check and balance by the employees and customers who provide reviews are now being weaponized  by competitive organization as disinformation campaigns against the target organization to steer the user/customer base.
 

A careful eye can see campaigns by bots spamming social media and corporations utilizing professional social media commenters to spam the internet with paid opinions. From such acts, intelligence tools to capture shady campaigns are then justified to monitor, track, and shutdown accounts will the cooperation of the user or account host. But this solution is a ticking time bomb itself until those organizations for tracking are paid to unjustly mark individuals for crimes they did not commit. It's a vicious circle.
 

The video below titled "Social Media Executives Testify at House Hearing"  highlights misuse of social media and targeted advertising.

 

Case Study: Cyber Kill Chain®
Analysis on Yahoo!

The Cyber Kill Chain® is a "framework is part of the Intelligence Driven Defense® model for identification and prevention of cyber intrusions activity. The model identifies what the adversaries must complete in order to achieve their objective" (Lockheed Martin, n.d.). There are 7 primary stages in the CKC:

ckc_orig.png

The goal of classifying the stages of attack is to identify attack vectors and provide defenses to limit the attackers capability. With effective controls in the beginning stages: reconnaissance, weaponization, and delivery will reduce most problems for any industry targeted by an APT. One might ask, "How can you have control over stages like weaponization and delivery?", and one would respond "counterintelligence".

This report analyzes the Yahoo data breach through the “Cyber Kill Chain ®” (CKC) framework established by Lockheed’s security team during an intrusion involving stolen credentials for their SecurID system. The multi-million dollar system is designed to stop advanced persistent threats (APT) by providing barriers at each level of the attacking process and data exfiltration phases.

This brief presents an explanation on how the Yahoo breach occurred, based primarily from the 39-page indictment created by the United States District Court for the Northern District of California created on February 28, 2017. Supporting information includes media reports and expert analysis.

See analysis on Yahoo here.
 

Attackers do not always follow the CKC playbook. They skip steps, add steps, backtrack, and rearrange the pieces. "Some of the most devastating recent attacks bypass the defenses that security teams have carefully built up over the years because they're following a different game plan " (Korolov & Lysa, 2017). One of the examples of this differentiating strategy is the proliferation of ransomware and bitcoin mining operations.


References
Korolov, M., Lysa, M. (2017, November 7). What is the cyber kill chain? Why it's not always the right approach for cyber attacks. Retrieved from https://www.csoonline.com/article/2134037/cyber-attacks-espionage/strategic-planning-erm-the-practicality-of-the-cyber-kill-chain-approach-to-security.html?page=2

Lockheed Martin. (n.d.). Cyber Kill Chain®. Retrieved from https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

 

 

Cyber Threat Intelligence Plan (CTIP)

A Cyber Threat Intelligence Plan presented below is designed to assess threats using an aggregated honey net. The plan is primarily conceptual and uses current honey pot technologies to identify, track, and profile threats. The plan provides an overview of types of threat actors, tools used, and includes a competitive threat analysis.
 

All approaches taken the competitive threat assessment for open source information were ethical. And did not involve intrusive or aggressive methods to collect information. It is highly recommended that anyone conducting a competitive threat assessment follow principles and methods aligned with laws and common sense. As a rule of thumb, do not conduct assessments in a way that you wouldn't want done to you or your family.
 

Disclaimer: The chosen case scenario is for learning purposes only. Intention of the document is for case study only and is NOT a real competitive assessment against organizations listed in the document. The plan presented in the case scenario is fictitious and are not intended to be implemented without professional consultation. Reference herein to any specific commercial products, processes, or services by trade name, trademark, manufacturer, or otherwise does not constitute or imply its endorsement, recommendation, favoring by the U.S., State, local governments, or the University of San Diego. The information and statements shall not be used for the purposes of advertising.