The Many Faces of Threat Intelligence: Part 2
In my previous article, “The Many Faces of Threat Intelligence: Part 1”, I outlined six common enterprise threat intelligence domains and their associated use cases: 1) Cyber Threat Intelligence 2) Reputation Intelligence 3) Fraud Intelligence 4) Platform Intelligence 5) Protective Intelligence and 6) Third-Party Intelligence. In this article, I will discuss the capabilities needed to achieve positive outcomes for the problems faced in those domains. These capabilities range from open source research to more technical tradecraft, including the active reconnaissance often seen in early-stage application testing. Intelligence and investigations with incomplete or poorly defined findings are not likely to be useful to business stakeholders, so it is important to identify and understand the benchmarks that ensure success for mature security programs.
What is Open Source Intelligence
Many think open source intelligence is just another name for better googling. They are wrong. Many think threat intelligence is just identifying indicators of compromise (IoCs) and generating alerts when they appear. They are also wrong. Good open source and threat intelligence are derived from three core capabilities:
1) Technical Signature Analysis: The use of external telemetry and raw technical data that brings context to adversary infrastructure (cyber, disinformation, surveillance for hire, threats to executives, etc.). This type of analysis combines targeted reconnaissance of the online presence of a person, company, application, or website with various types of publicly available or vendor-based telemetry. More advanced intelligence teams combine aspects of application testing (see the OWASP Top 10), attack surface monitoring, and intelligence context to understand not only what is possible (the vulnerability management view) but also what is actually happening. Most people would be surprised at the kinds of leaks that surface when the infrastructure behind an application has never been penetration tested.
2) Threat Actor Engagement: Backstopped personas and infrastructure to engage actors on social media and in closed and dark web forums. Often referred to informally as digital human intelligence (HUMINT), this work depends on creating personas that appear authentic and withstand scrutiny. The ability to move from forums to isolated chats (in Telegram or WhatsApp, for example) is key to gaining access, engaging with threat actors and groups, and ultimately understanding the nuances of sophisticated TTPs.
3) Open Source Intelligence Research: Quantitative and qualitative collection from public, non-classified sources such as, but not limited to, people search sites, dating sites, domain registries, third-party repositories, social media networks, instant messaging, foreign press, and known exploits. Successful open source researchers don’t live in a world of domains, IP addresses, and malware strings. They live in a world of seemingly anonymous phone numbers, email addresses, device IDs, and user agent strings. This in-depth investigation and analysis allow them to do the seemingly impossible, including the personal attribution and unmasking of e-crime actors and fraudsters, enabling companies to take criminal or civil action when appropriate or necessary.
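The pivoting described under capabilities 1 and 3 (linking adversary infrastructure and personas through shared selectors such as registrant emails, phone numbers, certificate fingerprints, nameservers, and user agents) is the same mechanical step regardless of source. The following is an added example, not code from the original article: it runs a selector pivot over a constructed set of telemetry records. The record contents, selector names, and the split between "strong" selectors (which link two entities on their own) and "corroborating" selectors (which are shared by too many unrelated tenants to link anything by themselves) are all assumptions chosen to illustrate the point; a real program would tune them to its own telemetry.

```python
"""Selector pivoting over constructed telemetry records (added example).

A record is one observation of an entity (a domain, a forum handle, an
application login) together with the selectors seen on it. Entities that
share a strong selector are unioned into one cluster; weaker selectors are
reported only as corroboration, and flagged when they are also seen on
entities outside the cluster (the classic shared-nameserver false link).
"""
from collections import defaultdict

# Assumption for this example: which selector types may link on their own.
STRONG_SELECTORS = {"email", "phone", "cert_sha256"}

# Constructed sample data; none of these values are real observations.
RECORDS = [
    {"entity": "domain:cheap-gift-cards.example",
     "selectors": {"email": "reg1@mail.example", "ns": "ns1.bp-host.example",
                   "cert_sha256": "aa11"}},
    {"entity": "domain:giftcard-deals.example",
     "selectors": {"email": "reg1@mail.example", "ns": "ns1.bp-host.example"}},
    {"entity": "forum:cardking",
     "selectors": {"email": "reg1@mail.example", "phone": "+1555000111"}},
    {"entity": "app_login:acct-4471",
     "selectors": {"phone": "+1555000111",
                   "user_agent": "Mozilla/5.0 (Linux; Android 11; Pixel 4a)"}},
    # Shares only a nameserver with the cluster above: a weak pivot that
    # must not, by itself, pull this entity into the attribution.
    {"entity": "domain:unrelated-shop.example",
     "selectors": {"email": "owner@other.example", "ns": "ns1.bp-host.example"}},
]


def build_index(records):
    """Map (selector_type, value) -> sorted list of entities exhibiting it."""
    index = defaultdict(set)
    for rec in records:
        for sel_type, value in rec["selectors"].items():
            index[(sel_type, value)].add(rec["entity"])
    return {key: sorted(ents) for key, ents in index.items()}


def cluster_entities(records, strong=STRONG_SELECTORS):
    """Union-find over entities that share a strong selector.

    Returns clusters as sorted lists, largest first.
    """
    parent = {rec["entity"]: rec["entity"] for rec in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for (sel_type, _value), entities in build_index(records).items():
        if sel_type in strong:
            for a, b in zip(entities, entities[1:]):
                parent[find(a)] = find(b)

    groups = defaultdict(set)
    for entity in parent:
        groups[find(entity)].add(entity)
    return sorted((sorted(g) for g in groups.values()),
                  key=lambda g: (-len(g), g))


def link_evidence(records, cluster, strong=STRONG_SELECTORS):
    """Explain one cluster: every selector shared by two or more members.

    Each tuple is (kind, selector_type, value, members_sharing_it,
    also_seen_outside_cluster). A corroborating selector that is also seen
    outside the cluster is the weakest kind of evidence and should be
    reported as such rather than silently driving attribution.
    """
    members = set(cluster)
    evidence = []
    for (sel_type, value), entities in build_index(records).items():
        shared = members.intersection(entities)
        if len(shared) >= 2:
            kind = "strong" if sel_type in strong else "corroborating"
            outside = len(entities) > len(shared)
            evidence.append((kind, sel_type, value, sorted(shared), outside))
    return sorted(evidence)


if __name__ == "__main__":
    for group in cluster_entities(RECORDS):
        print("cluster:", group)
        for kind, sel_type, value, shared, outside in link_evidence(RECORDS, group):
            note = " (also seen outside cluster)" if outside else ""
            print(f"  {kind:13} {sel_type}={value} -> {shared}{note}")
```

Running it produces one four-member cluster (the two domains, the forum handle, and the app login, chained through the shared registrant email and phone number) and leaves the unrelated shop on its own; promoting `ns` to a strong selector pulls the shop in, which is exactly the false link an analyst has to guard against when pivoting on shared hosting.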
What Are Positive Outcomes
The phrase “what, so what, and now what?” is commonly heard when discussing and reviewing intelligence assessments. Enterprise security practitioners aim to deter adversaries by implementing strong risk identification and mitigation capabilities for employees and customers. These controls go a long way toward increasing adversary costs and effort and, as a result, deterring attacks. But world-class research and technical tradecraft are ineffective unless the desired outcomes have been defined by business stakeholders, including representatives of the legal, engineering, human resources, and information technology departments. Mature security teams often identify the following concerns as the starting place for outcomes:
● Protect consumers, employees, and vendors on their platforms and applications from bad actors doing bad things.
● Proactively make the business environment safer from persistent actors.
● Increase the cost to the adversary, creating risk and an assurance of consequences that influence adversarial behavior.
In order to achieve those outcomes, they often take the following approaches to disrupt their adversaries:
● Disrupt the network: Working with cryptocurrency or hosting providers to remove marketplace infrastructure.
● Blow their cover: Publicly exposing criminals to deter future crime.
● Attribute: Removing the anonymity of the fraud actors and criminal conspirators.
● Share with law enforcement and policymakers: Collaborating with these teams to quantify the loss and support prosecution.
● Share with the industry: Implementing technical controls, policies, and procedures around applications.
● Share with researchers: Engaging the perpetrator and the perpetrator’s associates to facilitate cooperation without legal recourse.
● Warn victims: Reaching out to consumers and employees to inform them of malicious activity.
The actions and outcomes described in this article are both necessary and complementary to any enterprise. These actions will help protect enterprise businesses and their products and services while ensuring a fair marketplace for themselves and their customers.