Intelligence Gathering and Analysis
Techniques for Cybersecurity
Mark Fuentes
Table of Contents
Introduction
The Kill Chain
Intelligence Analysis Vs. Cybersecurity Analysis
Expanding Sources of Intelligence Gathering
  HUMINT
  The Dark Web
  OSINT
  TECHINT
The Hamstrung Analyst
  Noise vs. Value
  Mental Models
Techniques
  Red Team Mindset
  Red Team/Blue Team
Conclusion
Bibliography
Introduction
“Cybersecurity”
This is a major buzzword, these days.
In academic institutions across the world, Cybersecurity degrees are being churned out in record numbers. It's easy to find: Just go to each college's school of Information Technology. Course lists are rife with classes on the OSI model, firewall administration, routing, switching, administration of Windows, PC hardware, and the list goes on and on.
While there is no Security professional worth his or her salt that isn't an expert on all these subjects, these subjects are to Cybersecurity and Computer Network Defense (CND) merely what Arithmetic and Algebra are to Calculus: A sound foundation.
Cybersecurity is currently being taught in most programs as an Information Technology discipline. Tomorrow's cybersecurity professionals are being taught the tools of the trade and the capabilities of those tools. They are learning attack countermeasures and a "set it and forget it" attitude. The reality is, because of the adversary and the adversary's capabilities, it is really Computer Science and Intelligence Analysis.
A deeper understanding of Computer Science is required because the real threats in the field are programmers and coders. The real weapons are the code that they write. There are, admittedly, no shortages of "script kiddies", malevolent threat-actors who don't write their own exploits but, instead, rely on exploits and tools that they paid for or found in some forum, somewhere. The fact still remains that what we really fear from all these threats is the code, whether the person who targeted your network wrote it themselves or not. Without a deeper understanding of how the software was put together and what every little subroutine and function is meant to do, we are only able to detect low-hanging fruit. At best, we are merely detecting the symptoms but not diagnosing the disease.
Many a dramatic individual loves to refer to the internet as the new battleground. They like to conjure up images of black hat hackers and white hat cybersecurity analysts and engineers as the 21st Century warriors. This simile, as over-the-top as it is, is pretty accurate. We are fighting a war... an intricate war against a most sophisticated adversary. No war was ever won without adequate intelligence.
Intelligence Analysis needs to be revisited as a more integral part of Cybersecurity and CND because the 21st Century has seen the rise of an adversary that is advanced, resourceful, well-trained, well-funded... but above all else... Human.
The Kill Chain
Any discussion about Cybersecurity Intelligence in the 21st Century has to begin with The Kill Chain.
"The Intrusion Kill Chain" is a model for framing a Computer Network Attack (CNA) or Computer Network Espionage (CNE) Incident by breaking it into attack phases. This model was developed by Lockheed Martin's Computer Incident Response Team in 2010. It posits that any attack on a system will be carried out in seven phases:
- RECONNAISSANCE - studying public information about the target, the target's environment, software mix, practices and software loadout
- WEAPONIZATION - preparing a backdoor and a penetration plan intended to deliver a successful attack
- DELIVERY - launching the attack and injecting the backdoor
- EXPLOITATION - triggering the backdoor
- INSTALLATION - installing the backdoor as a bootstrap and any additional remote access tools
- COMMAND AND CONTROL - use of the tools to establish remote access
- ACTIONS ON OBJECTIVES - collecting and exfiltrating information, or other actions against the target
Cybersecurity analysts use this model to gain insight into which phase of the attack they are observing, based on given intelligence. Analysis gleaned from this model helps to formulate the proper recommendations in real time as well as inform post-mortem investigations and create detection content, after the fact.
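The phase mapping described above, as an added example that is not part of the original paper: it tags constructed detection events with a kill-chain phase, reports the deepest phase seen on each host, and lists the earlier phases where nothing fired, which is where detection content is still missing. The event types, host names and alerts are constructed assumptions, not the paper's or Lockheed Martin's data.

```python
"""Added example (not part of the original paper): tag detection events with
kill-chain phases, report how far an intrusion has progressed on each host,
and list the phases where no detection fired. Event types, hosts and the
sample alerts below are constructed for illustration."""

from collections import defaultdict

# The seven phases in the order the paper lists them.
KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]

# Hypothetical mapping from a detection-source event type to a phase.
# Weaponization happens off-network, so no internal sensor maps to it and
# it will always show up as a gap.
EVENT_PHASE = {
    "port_scan": "Reconnaissance",
    "mail_attachment_quarantine": "Delivery",
    "exploit_signature": "Exploitation",
    "new_autorun_entry": "Installation",
    "periodic_beacon": "Command and Control",
    "bulk_outbound_transfer": "Actions on Objectives",
}

# Constructed sample alerts: (timestamp, host, event type).
SAMPLE_ALERTS = [
    ("2015-06-01T08:00", "ws-17", "mail_attachment_quarantine"),
    ("2015-06-01T08:05", "ws-17", "new_autorun_entry"),
    ("2015-06-01T08:10", "ws-17", "periodic_beacon"),
    ("2015-06-01T09:00", "ws-42", "port_scan"),
    ("2015-06-02T01:00", "ws-17", "bulk_outbound_transfer"),
]


def phase_index(phase):
    """Position of a phase in the chain (0 = Reconnaissance)."""
    return KILL_CHAIN.index(phase)


def phases_by_host(alerts):
    """Return {host: distinct phases observed, in chain order}."""
    seen = defaultdict(set)
    for _ts, host, event in alerts:
        phase = EVENT_PHASE.get(event)
        if phase is not None:
            seen[host].add(phase)
    return {h: sorted(p, key=phase_index) for h, p in seen.items()}


def furthest_phase(alerts, host):
    """The deepest kill-chain phase observed on one host, or None."""
    phases = phases_by_host(alerts).get(host, [])
    return phases[-1] if phases else None


def detection_gaps(alerts, host):
    """Phases up to the furthest observed one that produced no alert.
    These are the places the paper's 'detection content, after the fact'
    should be written for."""
    phases = phases_by_host(alerts).get(host, [])
    if not phases:
        return []
    last = phase_index(phases[-1])
    return [p for p in KILL_CHAIN[: last + 1] if p not in phases]


if __name__ == "__main__":
    for host in sorted(phases_by_host(SAMPLE_ALERTS)):
        print(host, "furthest:", furthest_phase(SAMPLE_ALERTS, host),
              "gaps:", detection_gaps(SAMPLE_ALERTS, host))
```

In the sample, ws-17 has reached Actions on Objectives while Reconnaissance and Exploitation produced no alert at all, which is the kind of gap a post-mortem would turn into new detection content; ws-42 shows only Reconnaissance, so it has no gaps yet.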
Intelligence Analysis Vs. Cybersecurity Analysis
Intelligence Analysis uses information to predict behavioral outcomes and produce recommended courses of action to organization leaders. This is achieved by collecting intelligence from a myriad of sources:
- HUMINT: Human intelligence – gathered from people in the field
- GEOINT: Geospatial Intelligence – gathered from satellite, aerial photography, or mapping/terrain data
- MASINT: Measurement and Signature intelligence – gathered from measured data
- OSINT: Open Source Intelligence – gathered from open sources
- SIGINT: Signals intelligence – gathered from interception of signals
- TECHINT: Technical intelligence – gathered from analysis of weapons and equipment used by the armed forces of foreign nations or environmental conditions
- CYBINT/DNINT: Cyber intelligence/Digital Network Intelligence – gathered from cyberspace
- FININT: Financial intelligence – gathered from analysis of monetary transactions
While Cybersecurity Analysis attempts to do the same thing, current practices are focused on security logs and events for gathering said information. This long-held practice firmly places Cybersecurity and CND under the domains of SIGINT and CYBINT/DNINT. This has proven quite useful in detecting attempted attacks at the perimeter of networks and infected machines inside the network, after the fact. As successful as this model has always been, it has had the drawback of being reactive. In most cases, these sources of intelligence only allowed for awareness of malicious behavior post-delivery, on the kill chain.
The Cybersecurity professional needs to shift perspectives: the battle is not against a faceless internet of ones and zeroes, but against a living, breathing human being. This human being is clever and resourceful. This human being is swift and unknown. This human being is... human.
At its core, the discipline of Intelligence is based on the notion that human beings are formidable opponents, but fallible. This discipline sees a human adversary who, no matter how crafty, leaves indicators of their behavior. The identification of all the possible sources of intelligence accounts for all the types of indicators a human produces.
Revisiting the other sources of intelligence will put a more human face on the adversary. This enhances the way analysts perceive data, can increase visibility into current and future campaigns, and better equips an organization to deploy CND in a more proactive way.
Expanding Sources of Intelligence Gathering
HUMINT
As more of the world is thrust into cyberspace and the world inches closer to becoming one big community, HUMINT sources that once had no connections with cybercriminals or hackers are starting to utilize those more technological avenues to modernize once-analog criminal activities.
These emerging connections between conventional criminal enterprises and cybercriminals may result in HUMINT with connections to cybercrime where there weren't any in the past.
Human intelligence sources need to be collected with a renewed focus on CND.
The Dark Web
The Web, as it is known to most people, is comprised of all the indexed websites on the internet. These websites are indexed and searchable from any search engine. The Dark Web is comprised of all the sites that aren't indexed or searchable. This Dark Web serves as the electronic underworld, where all the unsavory characters dwell. Because of its intrinsic nature, most Cybersecurity operations steer clear of The Dark Web for fear of infecting their systems or running afoul of the wrong entities.
On the other hand, the same intrinsic nature makes it the perfect source for intelligence. The Dark Web is a place where you can find:
- Spam/phishing campaigns for hire
- Stolen intellectual property (code, designs)
- Vulnerabilities for sale
- Exploits/Rootkits/Exploit Kits for sale
- Hacking for hire
- Hacktivist target forums
- Insider threats for hire (disgruntled employees)
The Dark Web can be monitored for this intelligence by an advanced analyst using The Onion Router (TOR) and an air-gapped machine with offline browsing.
Such advanced personnel can also be developed to gather intelligence from individuals on The Dark Web, posing as another black hat.
This practice cannot be taken lightly, as there are legal issues to take into account that would govern what such an agent can and cannot do in the course of performing his or her duties.
OSINT
As Cybersecurity evolves, intelligence gathering has slowly begun to incorporate OSINT in the form of public forums, Google, and Security Research Groups' publication of findings.
This intelligence is typically digested and mined for Indicators of Compromise (IOCs) such as:
- MD5 hashes of files that can be added to a blacklist of malicious files
- IPs and URLs that can be identified as Command and Control (C&C) hosts or are currently hosting malware
- Strings that can be found in header or even payload information of malicious packets and used to create IDS/IPS signatures
This intelligence can be monitored more closely to identify the quality of the intelligence by:
- Developing a system that monitors which sources produce the most rewarding intelligence and which produce the least-rewarding intelligence
- In-depth policies to age out old intelligence
The Cybersecurity community is fast becoming much larger than it used to be, but it is as tight-knit as ever. As information sharing continues to grow, there will be no shortage of OSINT. The return on investment for OSINT, however, becomes murky as the information and sources increase. Keeping track of the most sound and complete sources of information will be the key to maintaining the quality of the intelligence.
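One way to build the source-quality monitor and the aging policy called for above, as an added example that is not the paper's own code: a registry that stores IOCs with the feed they came from, records analyst verdicts on matches, scores each feed by its ratio of confirmed hits to false positives, and expires indicators after a fixed window. The feed names, indicator values and dates are constructed placeholders (not real IOCs), and the 90-day lifetime and the precision-style score are assumptions.

```python
"""Added example (not part of the original paper): a small registry that
scores OSINT feeds by how often their indicators turn out to be useful, and
ages indicators out after a fixed lifetime. Feed names, hashes, addresses
and dates below are constructed for illustration, not real IOCs."""

from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Indicator:
    value: str            # hash, IP, URL or signature string
    kind: str             # "md5", "ip", "url" or "string"
    source: str           # which OSINT feed supplied it
    first_seen: datetime  # refreshed when a feed re-publishes it
    hits: int = 0         # matches confirmed malicious by an analyst
    false_positives: int = 0


@dataclass
class Registry:
    max_age: timedelta = timedelta(days=90)   # assumed aging policy
    indicators: dict = field(default_factory=dict)

    def ingest(self, source, kind, value, seen_at):
        """Add an indicator; a repeat sighting refreshes its age."""
        key = (kind, value)
        ind = self.indicators.get(key)
        if ind is None:
            self.indicators[key] = Indicator(value, kind, source, seen_at)
        else:
            ind.first_seen = max(ind.first_seen, seen_at)

    def record_outcome(self, kind, value, confirmed_malicious):
        """Analyst verdict on a match: true positive or false positive."""
        ind = self.indicators[(kind, value)]
        if confirmed_malicious:
            ind.hits += 1
        else:
            ind.false_positives += 1

    def active(self, now):
        """Indicators still inside the aging window."""
        return [i for i in self.indicators.values()
                if now - i.first_seen <= self.max_age]

    def expire(self, now):
        """Drop aged-out indicators; return how many were removed."""
        before = len(self.indicators)
        self.indicators = {k: i for k, i in self.indicators.items()
                           if now - i.first_seen <= self.max_age}
        return before - len(self.indicators)

    def source_scores(self):
        """Per-feed score = hits / (hits + false positives) over its
        indicators; a feed with no verdicts yet scores 0.0."""
        totals = {}
        for i in self.indicators.values():
            h, f = totals.get(i.source, (0, 0))
            totals[i.source] = (h + i.hits, f + i.false_positives)
        return {src: (h / (h + f) if (h + f) else 0.0)
                for src, (h, f) in totals.items()}

    def ranked_sources(self):
        """Feeds ordered from most to least rewarding."""
        scores = self.source_scores()
        return sorted(scores, key=lambda s: -scores[s])


def build_sample_registry():
    """Constructed walk-through: two feeds, a few verdicts, one old IOC."""
    reg = Registry()
    t0 = datetime(2015, 1, 1)
    reg.ingest("feed-a", "md5", "0123456789abcdef0123456789abcdef", t0)
    reg.ingest("feed-a", "ip", "198.51.100.7", t0 + timedelta(days=100))
    reg.ingest("feed-b", "url", "http://example.invalid/payload",
               t0 + timedelta(days=120))
    reg.ingest("feed-b", "string", "X-Beacon-Marker: v1",
               t0 + timedelta(days=130))
    reg.record_outcome("ip", "198.51.100.7", True)
    reg.record_outcome("ip", "198.51.100.7", True)
    reg.record_outcome("url", "http://example.invalid/payload", False)
    reg.record_outcome("string", "X-Beacon-Marker: v1", True)
    return reg


def run_sample():
    """Evaluate the sample 140 days after t0: the md5 has aged out."""
    reg = build_sample_registry()
    now = datetime(2015, 1, 1) + timedelta(days=140)
    active_before = len(reg.active(now))
    expired = reg.expire(now)
    return active_before, expired, reg.source_scores(), reg.ranked_sources()


if __name__ == "__main__":
    print(run_sample())
```

The score is deliberately computed only from indicators that analysts have actually adjudicated, so a feed that publishes a great deal but never produces a match neither gains nor loses standing; a separate volume metric would be needed to catch feeds that are merely noisy.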
TECHINT
The hacker has always been an adversary with many advantages over the Cybersecurity professional. This adversary has always had an abundance of resourcefulness, commitment, and means to carry out their malicious intent. They have always had the advantage of being in a better position to know more about their targets than their targets know about them.
The last few decades have seen the rise of the state-sponsored hacker. This is an adversary that has developed their technical skills from a very early and formative stage in life. This adversary has been trained in a very systematic manner at a very fundamental level to ensure hacking is second nature. Vulnerabilities, Exploits, and Code are this adversary's mother tongue.
Intelligence must be gathered with a focus on the technical capabilities of adversaries. Any indicators of the adversary's technology, go-to threat vectors, and code should be gathered for all adversaries. These adversaries can be nations, hacktivists, terrorists, drug dealers, syndicates, or cybercriminals.
Keeping an accurate record of this intelligence can help attribute certain campaigns to certain groups or even rule out groups from campaigns, based on established behavior patterns and signatures.
The Hamstrung Analyst
As the flow of data increases, the job of a Cybersecurity analyst becomes more and more difficult while the approach to analysis lurches forward in the same manner it has been done since the late 90's.
Noise vs. Value
As there is more data to be processed, it is increasingly difficult for analysts to pick out valuable data through all the noise. To add to this noise, the enemy is constantly working on new ways to deceive and obfuscate their intentions.
Mental Models
It has been argued that all individuals assimilate and evaluate information through the medium of what is called "mental models". They are experience-based constructs which form assumptions or expectations of the world and more specific subjects, in this case, Cybersecurity.
Analysts, by nature, become accustomed to what they have seen in the past and paint future analysis with these mental models, sometimes missing crucial indicators or finding malicious activity where there isn't any. The problem increases as the analyst gains experience, as mental models are resistant to change, once formed.
Techniques
The intelligence community and military have come up with many methods of developing the minds of highly-adaptable, versatile, well-prepared operators and agents who can see all the angles, think outside of the box, and perform in unorthodox ways. These same techniques can be translated to Cybersecurity analysts to overcome many challenges to CND analysis. Some are already being utilized to form teams with advanced analysis capabilities.
Red Team Mindset
Security teams need to protect every possible way into their networks while threat actors only need to find one that is unprotected.
Red Teams are used by military and intelligence organizations to improve their effectiveness by employing the mindset of an opposing force. It is, essentially, "thinking like the enemy".
Red Teams operate in the exact way an organization's adversary would operate, often adopting methods and techniques that are fundamentally different from said organization's to account for different backgrounds, tools, training, and perspectives.
Analysts need to be trained in the mindset of a Red Team because it aids in catching security holes that may have been overlooked. It develops the ability of an analyst to look at situations with a "fresh pair of eyes". Training in Red Team thinking should have an emphasis on:
- Analyzing complex systems and problems from many different perspectives.
- Utilizing concepts, theories, insights, tools, and methodologies of cultural and military anthropology to predict others' perceptions of an organization's strengths and vulnerabilities.
- Utilizing critical and creative thinking in the context of the operational environment to fully explore alternatives to concepts, operations, plans, organizations, and capabilities.
These skills are currently utilized, mostly in the field of ethical hacking and penetration testing, but are key skills to analyzing threats in a live environment. With these skills, analysts will be able to take seemingly disparate events and logs to extrapolate scenarios that aren't right out of the incident handler's textbook.
Red Team/Blue Team
Red Team/Blue Team exercises take the adversarial mindset to another level.
The exercise was originated by the military to test force-readiness and has been translated to CND by pitting two sets of well-trained analysts against each other in a simulated attack. The Blue Team stands up a network and attempts to secure it as best as it can and monitor it while The Red Team attempts to infiltrate the system and perform an arbitrary objective such as data exfiltration, obtaining root access to significant nodes, or defacing a dummy website. After the exercise, joint analysis is performed by both teams to identify strengths and vulnerabilities in the established security, as well as strengths and weaknesses in certain approaches of infiltration.
Taking the concept further, it is also highly effective to have the two teams switch sides, before analysis, to gain two perspectives from both Red and Blue sides.
Indicators or Signposts of Change
The intelligence community uses this technique to track major changes in geo-political climates. It is done by listing a set of scenarios and, under those, a list of observable signs that may indicate that scenario or outcome. These are tracked over time to create a visual representation of what they are facing in the field and the warranted concern of those possible scenarios, at any given time.
This same technique can be employed to track possible changes in the wild that are of concern to CND clients. It can be used to track indicators of change that may point to possible scenarios or trends as they relate to specific organizations or even sectors of business.
This technique has the advantage of providing an objective baseline that incoming data and intelligence can be compared against to bolster confidence in the accuracy of any analysis. This technique also helps to objectify any hypotheses by framing them on a more quantifiable basis.
Tracking the potential for Malicious Campaigns by Target Sector

Quarter columns: 2013 Q1, Q2, Q3, Q4; 2014 Q1, Q2, Q3, Q4 (the per-quarter cell values were colour-coded in the original and are not reproduced in this text version).

Concern scale used for the cells:
  1 - Serious Concern
  2 - Substantial Concern
  3 - Moderate Concern
  4 - Low Concern
  5 - Negligible Concern

Target Sector | Indicators
Defense       | Rise in traffic on endpoints; Rise in scans; many related C&C Incidents; Malicious External IP's Inbound
Energy        | Rise in traffic on endpoints; Rise in scans; many related C&C Incidents; Malicious External IP's Inbound; Increased attacks on SCADA systems
Financial     | Rise in traffic on endpoints; Rise in scans; many related C&C Incidents; Malicious External IP's Inbound; Increased CCN Information in transit; Increased PII loss
Retail        | Rise in traffic on endpoints; Rise in scans; many related C&C Incidents; Malicious External IP's Inbound; Increased CCN Information in transit; Increased PII loss; Increased attacks on POS systems; Rogue AP's at Retail locations

Presence of Trigger Mechanisms ("Y" if present): Major Data Exfiltration; Major PII spill; Homepage defacement; DDOS

Tracking the potential for Malicious Campaigns in an indicators matrix. A matrix like the one above can be used to track the targeting of certain sectors.
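The matrix above shows the technique's output. As an added example that is not found in the paper, the Python below computes such cells for one sector from an objective baseline: each indicator's current-quarter count is compared with its baseline and mapped onto the paper's five-level concern scale, the sector takes its most serious indicator level, and a trigger mechanism marked "Y" escalates the sector to Serious Concern. The baseline counts, quarter counts and ratio thresholds are constructed assumptions; the indicator and trigger names are the matrix's own.

```python
"""Added example (not part of the original paper): score one sector's
indicators for a quarter against an objective baseline, on the paper's
1 (Serious) to 5 (Negligible) concern scale, and let a trigger mechanism
escalate the result. Baselines, counts and thresholds are constructed."""

CONCERN = {1: "Serious Concern", 2: "Substantial Concern",
           3: "Moderate Concern", 4: "Low Concern", 5: "Negligible Concern"}

# Hypothetical thresholds: ratio of this quarter's count to the baseline
# needed for each level, checked from most to least serious; anything
# below the last threshold is Negligible (5).
RATIO_TO_LEVEL = [(3.0, 1), (2.0, 2), (1.5, 3), (1.1, 4)]


def concern_level(current, baseline):
    """Map a quarter's count against its baseline to a level 1..5.
    A zero baseline means any activity at all is new, hence Serious."""
    if baseline <= 0:
        return 1 if current > 0 else 5
    ratio = current / baseline
    for threshold, level in RATIO_TO_LEVEL:
        if ratio >= threshold:
            return level
    return 5


def score_sector(baseline, quarter, triggers):
    """Return (per-indicator levels, overall level) for one sector.
    Overall is the most serious indicator level; any trigger mechanism
    present ("Y") forces the overall level to 1."""
    levels = {name: concern_level(quarter.get(name, 0), base)
              for name, base in baseline.items()}
    overall = min(levels.values()) if levels else 5
    if any(v == "Y" for v in triggers.values()):
        overall = 1
    return levels, overall


# Constructed sample: the Retail row of the matrix, with an assumed
# baseline (typical quarterly counts) and one quarter's observed counts.
RETAIL_BASELINE = {
    "Rise in traffic on endpoints": 100,
    "Rise in scans": 40,
    "many related C&C Incidents": 4,
    "Malicious External IP's Inbound": 200,
    "Increased CCN Information in transit": 10,
    "Increased PII loss": 2,
    "Increased attacks on POS systems": 1,
    "Rogue AP's at Retail locations": 1,
}
RETAIL_2014_Q3 = {
    "Rise in traffic on endpoints": 115,
    "Rise in scans": 90,
    "many related C&C Incidents": 5,
    "Malicious External IP's Inbound": 210,
    "Increased CCN Information in transit": 12,
    "Increased PII loss": 2,
    "Increased attacks on POS systems": 2,
    "Rogue AP's at Retail locations": 0,
}
NO_TRIGGERS = {"Major Data Exfiltration": "N", "Major PII spill": "N",
               "Homepage defacement": "N", "DDOS": "N"}


if __name__ == "__main__":
    levels, overall = score_sector(RETAIL_BASELINE, RETAIL_2014_Q3, NO_TRIGGERS)
    for name, level in levels.items():
        print(f"{name}: {level} ({CONCERN[level]})")
    print("Retail overall:", overall, CONCERN[overall])
```

With these constructed numbers the scan count more than doubled and POS attacks doubled, so Retail lands at Substantial Concern for the quarter; flipping the DDOS trigger to "Y" raises it to Serious regardless of the indicator ratios, which is the role the trigger row plays in the matrix.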
Conclusion
Cyberwarfare is advancing at an exponential rate and our adversaries, using a myriad of advantages, are evolving along with it. The defenders of enterprise networks cannot continue to face the dangers of tomorrow with the methods of yesterday. The situation is "adapt or die".
Revisiting conventional methods of intelligence gathering and analysis and retrofitting them for CND will help to develop cybersecurity professionals who prioritize knowing their enemy and adapting to new situations over scouring for the low-hanging fruit.
Adding these methods to the existing capabilities of cybersecurity analysis will greatly improve any security operations' effectiveness.
Bibliography
A Tradecraft Primer: Structured Analytic Techniques for Improving Intelligence Analysis. Washington, D.C.: US Government, 2009. Print.
"Intelligence Collection Disciplines." FBI. FBI, 21 May 2010. Web. 30 June 2015.
E.M. Hutchins, M.J. Cloppert and R.M. Amin, Ph.D., "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains," Proc. 6th Int'l Conf. Information Warfare and Security (ICIW 11), Academic Conferences Ltd., 2010, pp. 113–125; URL http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
Polancich, Jason. "The Dark Web: An Untapped Source For Threat Intelligence." InformationWeek, 23 June 2015. Web. 30 June 2015. <http://www.darkreading.com/analytics/the-dark-web-an-untapped-source-for-threat-intelligence-/a/d-id/1320983>

More Related Content

PDF
White Paper: The Cyber Resilience Blueprint: A New Perspective on Security
PDF
Иллюстрации
PDF
Zenman в отпуске
PPTX
Top 8 health communications specialist resume samples
PDF
4 Things to Do and See in Lisbon, Portugal
DOCX
Logistic engineer
PPTX
Neha d22
PDF
фирменный стиль центра фотографии им. братьев Люмьер
White Paper: The Cyber Resilience Blueprint: A New Perspective on Security
Иллюстрации
Zenman в отпуске
Top 8 health communications specialist resume samples
4 Things to Do and See in Lisbon, Portugal
Logistic engineer
Neha d22
фирменный стиль центра фотографии им. братьев Люмьер

Viewers also liked (20)

PPTX
Top 8 pc support specialist resume samples
DOCX
CV Prity Diwan
PDF
Distance Training: Low Tech Solutions for High Tech Success
PDF
Differentiating Data Collection: Best Practices for Collecting Data in Inclus...
PDF
Иллюстрации
DOCX
Marcom executive performance appraisal
PPTX
Medicine Support Solutions LIMOS
PDF
4 Sights to See in Bordeaux, France
PPTX
Top 8 clerical specialist resume samples
PPTX
Top 8 computer forensics specialist resume samples
PDF
Иллюстрации
PPTX
Top 8 financial management specialist resume samples
PPTX
Top 8 correctional treatment specialist resume samples
DOCX
Kristina Resume - PM Leasing Consultant 2017
DOCX
Literacy specialist performance appraisal
PDF
Top 5 NASDAQ Biotech Stocks
PDF
May the Workforce be with You
PPTX
Georgei 150701035049-lva1-app6891
DOCX
Marketing project coordinator performance appraisal
PPTX
Top 8 marketing support specialist resume samples
Top 8 pc support specialist resume samples
CV Prity Diwan
Distance Training: Low Tech Solutions for High Tech Success
Differentiating Data Collection: Best Practices for Collecting Data in Inclus...
Иллюстрации
Marcom executive performance appraisal
Medicine Support Solutions LIMOS
4 Sights to See in Bordeaux, France
Top 8 clerical specialist resume samples
Top 8 computer forensics specialist resume samples
Иллюстрации
Top 8 financial management specialist resume samples
Top 8 correctional treatment specialist resume samples
Kristina Resume - PM Leasing Consultant 2017
Literacy specialist performance appraisal
Top 5 NASDAQ Biotech Stocks
May the Workforce be with You
Georgei 150701035049-lva1-app6891
Marketing project coordinator performance appraisal
Top 8 marketing support specialist resume samples
Ad

Similar to Intelligence Gathering and Analysis Techniques for Cybersecurity(1) (20)

PDF
IBM Cyber Threat Analysis
DOCX
Outsmarting the Attackers A Deep Dive into Threat Intelligence.docx
PPTX
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
PPT
New definition for APT
PDF
Cyber Threat Intelligence
PDF
01 INTRODUCTION TO CYBERTHREAT INTELIGENCE.pdf
PPTX
Unit-1&2,mdngmnd,mngmdnmgnmdnfmngdf.pptx
PDF
SecurityOperations
PPTX
Need for Threat Intelligence & How to Operationalize it for your Organisation.
PDF
Best_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copy
PDF
Threat Intelligence 101 - Steve Lodin - Submitted
PDF
[Bucharest] Attack is easy, let's talk defence
PDF
Road map for actionable threat intelligence
PPTX
Corporate Intelligence: Bridging the security and intelligence community
PDF
Understanding Cyber Threat Intelligence A Guide for Analysts.pdf
PDF
Security - intelligence - maturity-model-ciso-whitepaper
PDF
The Role Of Data Analytics In Cybersecurity
PDF
AI-Cyber-Security-White-Papers-06-15-LR
PDF
Threat Hunting Procedures and Measurement Matrice
PDF
IBM Cyber Threat Analysis
Outsmarting the Attackers A Deep Dive into Threat Intelligence.docx
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
New definition for APT
Cyber Threat Intelligence
01 INTRODUCTION TO CYBERTHREAT INTELIGENCE.pdf
Unit-1&2,mdngmnd,mngmdnmgnmdnfmngdf.pptx
SecurityOperations
Need for Threat Intelligence & How to Operationalize it for your Organisation.
Best_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copy
Threat Intelligence 101 - Steve Lodin - Submitted
[Bucharest] Attack is easy, let's talk defence
Road map for actionable threat intelligence
Corporate Intelligence: Bridging the security and intelligence community
Understanding Cyber Threat Intelligence A Guide for Analysts.pdf
Security - intelligence - maturity-model-ciso-whitepaper
The Role Of Data Analytics In Cybersecurity
AI-Cyber-Security-White-Papers-06-15-LR
Threat Hunting Procedures and Measurement Matrice
Ad

Intelligence Gathering and Analysis Techniques for Cybersecurity(1)

  • 1. 1 Intelligence Gathering and Analysis Techniques for Cybersecurity Mark Fuentes
  • 2. 2 Table of Contents Introduction.......................................................................................................................................3 The Kill Chain......................................................................................................................................4 Intelligence AnalysisVs. CybersecurityAnalysis....................................................................................5 Expanding Sources of Intelligence Gathering........................................................................................6 HUMINT.........................................................................................................................................6 The Dark Web.................................................................................................................................6 OSINT.............................................................................................................................................7 TECHINT.........................................................................................................................................7 The Hamstrung Analyst.......................................................................................................................8 Noise vs. 
Value ...............................................................................................................................8 Mental Models...............................................................................................................................8 Techniques.........................................................................................................................................8 Red Team Mindset..........................................................................................................................8 Red Team/Blue Team......................................................................................................................9 Conclusion .......................................................................................................................................11 Bibliography.....................................................................................................................................12
  • 3. 3 Introduction “Cybersecurity” Thisis a majorbuzzword,these days. In academicinstitutionsacrossthe world,Cybersecuritydegreesare beingchurnedoutinrecord numbers. It’seasyto find: Justgo to eachcollege’sschool of InformationTechnology. Course listsare rife withclassesonthe OSImodel,firewall administration,routing,switching,administrationof Windows,PChardware,andthe listgoesonand on. While there isnoSecurityprofessional worthhisorhersaltthat isn’tan expertonall these subjects, these subjectsare toCybersecurityandComputerNetworkDefense(CND) merelywhatArithmeticand Algebraare to Calculus: A soundfoundation. Cybersecurityiscurrentlybeingtaughtinmostprogramsas an InformationTechnologydiscipline. Tomorrow’scybersecurityprofessionalsare beingtaughtthe toolsof the trade andthe capabilitiesof those tools. Theyare learningattackcountermeasuresanda“set itand forgetit”attitude. The reality is,because of the adversaryand the adversary’scapabilities,itisreallyComputerScience and IntelligenceAnalysis. A deeperunderstandingof ComputerScience isrequiredbecause the real threatsinthe fieldare programmersandcoders. The real weaponsare the code that theywrite. There are,admittedly,no shortagesof “script kiddies”,malevolentthreat-actorswhodon'twrite theirownexploitsbut,instead, relyon exploitsandtoolsthattheypaidforor foundinsome forum, somewhere. The factstill remains that whatwe reallyfearfrom all these threatsisthe code,whetherornot the personwhotargetedyour networkwrote itthemselvesordidnot. Withouta deeperunderstandingof how the software wasput togetherandwhateverylittle subroutine andfunctionismeanttodo,we are onlyable to detectlow- hangingfruit. Atbest,we are merelydetectingthe symptomsbutnotdiagnosingthe disease. Many a dramaticindividuallovestorefertothe internetasthe new battleground. Theylike toconjure up imagesof blackhat hackersand white hatcybersecurityanalystsandengineersasthe 21st Century warriors. Thissimile,asover-the-topasitis,isprettyaccurate. 
We are fightingawar...anintricate war againsta most sophisticatedadversary. Nowarwaseverwonwithoutadequate intelligence. IntelligenceAnalysisneedstobe revisitedasamore integral partof CybersecurityandCNDbecause the 21st Centuryhasseenthe rise of an adversarythat isadvanced,resourceful,well-trained,well- funded…butabove all else…Human.
  • 4. 4 The Kill Chain AnydiscussionaboutCybersecurityIntelligence inthe 21st Centuryhasto beginwithThe Kill Chain. “The IntrusionKill Chain”isa model forframingaComputerNetworkAttack(CNA) orComputer NetworkEspionage (CNE) Incidentbybreakingit intoattackphases. Thismodel wasdevelopedby LockheedMartin’sComputerIncidentResponseTeamin2010. It positsthat anyattack on a systemwill be carriedout in sevenphases:  RECONNAISSANCE- studyingpublicinformationaboutthe target,the target'senvironment, software mix,practicesandsoftware loadout  WEAPONIZATION- preparinga backdoorand a penetrationplanintendedtodelivera successful attack  DELIVERY - launchingthe attack andinjectingthe backdoor  EXPLOITATION - triggeringthe backdoor  INSTALLATION - installingthe backdoorasa bootstrapandany additional remote accesstools  COMMANDAND CONTROL - use of the toolstoestablishremote access  ACTIONS ON OBJECTIVES - collectingandexfiltratinginformation,orotheractionsagainstthe target Cybersecurityanalystsuse thismodel togaininsightintowhichphase of the attacktheyare observing, basedon givenintelligence. Analysisgleanedfromthismodel helpstoformulatethe proper recommendationsinreal time aswell asinformpost-morteminvestigationsandcreate detection content,afterthe fact.
Intelligence Analysis vs. Cybersecurity Analysis

Intelligence Analysis uses information to predict behavioral outcomes and produce recommended courses of action for organization leaders. This is achieved by collecting intelligence from a myriad of sources:

- HUMINT: Human Intelligence – gathered from people in the field
- GEOINT: Geospatial Intelligence – gathered from satellite, aerial photography, or mapping/terrain data
- MASINT: Measurement and Signature Intelligence – gathered from measured data
- OSINT: Open Source Intelligence – gathered from open sources
- SIGINT: Signals Intelligence – gathered from interception of signals
- TECHINT: Technical Intelligence – gathered from analysis of weapons and equipment used by the armed forces of foreign nations or environmental conditions
- CYBINT/DNINT: Cyber Intelligence/Digital Network Intelligence – gathered from cyberspace
- FININT: Financial Intelligence – gathered from analysis of monetary transactions

While Cybersecurity Analysis attempts to do the same thing, current practices are focused on security logs and events for gathering said information. This long-held practice firmly places Cybersecurity and CND under the domains of SIGINT and CYBINT/DNINT. This has proven quite useful in detecting attempted attacks at the perimeter of networks and infected machines inside the network, after the fact. As successful as this model has always been, it has the drawback of being reactive. In most cases, these sources of intelligence only allowed for awareness of malicious behavior post-delivery on the kill chain.

The Cybersecurity professional needs to shift perspective: the battle is not against a faceless internet of ones and zeroes, but against a living, breathing human being. This human being is clever and resourceful. This human being is swift and unknown. This human being is… human.

At its core, the discipline of Intelligence is based on the notion that human beings are formidable opponents, but fallible. This discipline sees a human adversary who, no matter how crafty, leaves indicators of their behavior.

The identification of all the possible sources of intelligence accounts for all the types of indicators a human produces. Revisiting the other sources of intelligence will put a more human face on the adversary, enhance the way analysts perceive data, increase visibility into current and future campaigns, and better equip an organization to deploy CND in a more proactive way.
Expanding Sources of Intelligence Gathering

HUMINT

As more of the world is thrust into cyberspace and the world inches closer to becoming one big community, HUMINT sources that once had no connections with cybercriminals or hackers are starting to utilize those more technological avenues to modernize once-analog criminal activities. These emerging connections between conventional criminal enterprises and cybercriminals may result in HUMINT with connections to cybercrime where there weren't any in the past. Human intelligence sources need to be collected with a renewed focus on CND.

The Dark Web

The Web, as it is known to most people, is comprised of all the indexed websites on the internet. These websites are indexed and searchable from any search engine. The Dark Web is comprised of all the sites that aren't indexed or searchable. This Dark Web serves as the electronic underworld, where all the unsavory characters dwell. Because of its intrinsic nature, most Cybersecurity operations steer clear of The Dark Web for fear of infecting their systems or running afoul of the wrong entities. On the other hand, the same intrinsic nature makes it the perfect source for intelligence. The Dark Web is a place where you can find:

- Spam/phishing campaigns for hire
- Stolen intellectual property (code, designs)
- Vulnerabilities for sale
- Exploits/Rootkits/Exploit Kits for sale
- Hacking for hire
- Hacktivist target forums
- Insider threats for hire (disgruntled employees)

The Dark Web can be monitored for this intelligence by an advanced analyst using The Onion Router (TOR) and an air-gapped machine with offline browsing. This advanced personnel can also be developed to gather intelligence from individuals on The Dark Web, posing as another black hat. This practice cannot be taken lightly, as there are legal issues to take into account that would govern what such an agent can and cannot do in the course of performing his or her duties.
OSINT

As Cybersecurity evolves, intelligence gathering has slowly begun to incorporate OSINT in the form of public forums, Google, and Security Research Groups' publication of findings. This intelligence is typically digested and mined for Indicators of Compromise (IOCs) such as:

- MD5 hashes of files that can be added to a blacklist of malicious files
- IPs and URLs that can be identified as Command and Control (C&C) hosts or are currently hosting malware
- Strings that can be found in header or even payload information of malicious packets and used to create IDS/IPS signatures

This intelligence can be monitored more closely to identify the quality of the intelligence by:

- Developing a system that monitors which sources produce the most rewarding intelligence and which produce the least-rewarding intelligence
- In-depth policies to age out old intelligence

The Cybersecurity community is fast becoming much larger than it used to be, but it is as tight-knit as ever. As information sharing continues to grow, there will be no shortage of OSINT. The return on investment for OSINT, however, becomes murky as the information and sources increase. Keeping track of the most sound and complete sources of information will be the key to maintaining the quality of the intelligence.

TECHINT

The hacker has always been an adversary with many advantages over the Cybersecurity professional. This adversary has always had an abundance of resourcefulness, commitment, and means to carry out their malicious intent. They have always had the advantage of being in a better position to know more about their targets than their targets know about them. The last few decades have seen the rise of the state-sponsored hacker. This is an adversary that has developed their technical skills from a very early and formative stage in life. This adversary has been trained in a very systematic manner at a very fundamental level to ensure hacking is second nature. Vulnerabilities, Exploits, and Code are this adversary's mother tongue. Intelligence must be gathered with a focus on the technical capabilities of adversaries.

Any indicators of the adversary's technology, go-to threat vectors, and code should be gathered for all adversaries. These adversaries can be nations, hacktivists, terrorists, drug dealers, syndicates, or cybercriminals. Keeping an accurate record of this intelligence can help attribute certain campaigns to certain groups or even rule out groups from campaigns, based on established behavior patterns and signatures.
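The OSINT section above calls for a system that scores which feeds produce rewarding intelligence and a policy that ages out old IOCs. The following is an added example, not code from the original paper: it merges IOCs from two constructed feeds, scores each feed by the share of its IOCs that an analyst later confirmed as true positives, and drops IOCs with no publication or confirmed hit inside a 90-day window. Feed names, IOC values and dates are all constructed placeholders.

```python
from datetime import date, timedelta

# Constructed sample OSINT feeds (placeholder values, not real indicators).
# Each entry: (ioc_type, value, date the source published it).
HASH = "0123456789abcdef0123456789abcdef"  # placeholder MD5, not a real sample
FEEDS = {
    "research-blog": [("md5", HASH, date(2015, 3, 1)),
                      ("ip", "203.0.113.10", date(2015, 6, 20)),
                      ("string", "X-Example-Beacon: 1", date(2015, 6, 25))],
    "public-forum": [("md5", HASH, date(2015, 3, 5)),
                     ("ip", "198.51.100.7", date(2015, 2, 1)),
                     ("ip", "192.0.2.44", date(2015, 6, 28))],
}
# Constructed review log: IOC value -> date an analyst confirmed a true-positive
# match in our own environment. Values not listed never produced a hit.
CONFIRMED_HITS = {HASH: date(2015, 6, 10), "203.0.113.10": date(2015, 6, 29)}
TODAY = date(2015, 6, 30)  # constructed "as of" date for the aging policy

def merge_feeds(feeds):
    """One record per IOC value: every source that reported it and the
    earliest publication date, so duplicates across feeds collapse."""
    table = {}
    for source, entries in feeds.items():
        for ioc_type, value, published in entries:
            rec = table.setdefault(value, {"type": ioc_type, "sources": set(),
                                           "first_seen": published})
            rec["sources"].add(source)
            rec["first_seen"] = min(rec["first_seen"], published)
    return table

def score_sources(feeds, confirmed):
    """Share of each source's IOCs that led to a confirmed hit: the measure of
    which sources reward the analyst and which do not."""
    return {source: round(sum(v in confirmed for _, v, _ in entries) / len(entries), 2)
            for source, entries in feeds.items()}

def age_out(table, confirmed, today, max_age_days=90):
    """Aging policy: keep an IOC only if it was published, or last confirmed as
    a hit, within max_age_days; stale entries drop off the blacklist."""
    cutoff = today - timedelta(days=max_age_days)
    kept = {}
    for value, rec in table.items():
        last_activity = max(rec["first_seen"], confirmed.get(value, rec["first_seen"]))
        if last_activity >= cutoff:
            kept[value] = rec
    return kept
```

With the constructed data, the research blog scores 0.67 and the forum 0.33, and the February IP ages out while the hash survives because its June confirmation refreshed it.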
The Hamstrung Analyst

As the flow of data increases, the job of a Cybersecurity analyst becomes more and more difficult, while the approach to analysis lurches forward in the same manner it has been done since the late 90's.

Noise vs. Value

As there is more data to be processed, it is increasingly difficult for analysts to pick out valuable data through all the noise. To add to this noise, the enemy is constantly working on new ways to deceive and obfuscate their intentions.

Mental Models

It has been argued that all individuals assimilate and evaluate information through the medium of what is called "mental models". They are experience-based constructs which form assumptions or expectations of the world and of more specific subjects, in this case Cybersecurity. Analysts, by nature, become accustomed to what they have seen in the past and paint future analysis with these mental models, sometimes missing crucial indicators or finding malicious activity where there isn't any. The problem increases as the analyst gains experience, as mental models are resistant to change once formed.

Techniques

The intelligence community and military have come up with many methods of developing the minds of highly adaptable, versatile, well-prepared operators and agents who can see all the angles, think outside of the box, and perform in unorthodox ways. These same techniques can be translated to Cybersecurity analysts to overcome many challenges to CND analysis. Some are already being utilized to form teams with advanced analysis capabilities.

Red Team Mindset

Security teams need to protect every possible way into their networks, while threat actors only need to find one that is unprotected. Red Teams are used by military and intelligence organizations to improve their effectiveness by employing the mindset of an opposing force. It is, essentially, "thinking like the enemy". Red Teams operate in the exact way an organization's adversary would operate, often adopting methods and techniques that are fundamentally different from said organization's to account for different backgrounds, tools, training, and perspectives.

Analysts need to be trained in the mindset of a Red Team because it aids in catching security holes that may have been overlooked. It develops the ability of an analyst to look at situations with a "fresh pair of eyes". Training in Red Team thinking should have an emphasis on:

- Analyzing complex systems and problems from many different perspectives.
- Utilizing concepts, theories, insights, tools, and methodologies of cultural and military anthropology to predict others' perceptions of an organization's strengths and vulnerabilities.
- Utilizing critical and creative thinking in the context of the operational environment to fully explore alternatives to concepts, operations, plans, organizations, and capabilities.

These skills are currently utilized mostly in the field of ethical hacking and penetration testing, but they are key skills for analyzing threats in a live environment. With these skills, analysts will be able to take seemingly disparate events and logs and extrapolate scenarios that aren't right out of the incident handler's textbook.

Red Team/Blue Team

Red Team/Blue Team exercises take the adversarial mindset to another level. The exercise was originated by the military to test force-readiness and has been translated to CND by pitting two sets of well-trained analysts against each other in a simulated attack. The Blue Team stands up a network and attempts to secure it as best as it can and monitor it, while the Red Team attempts to infiltrate the system and perform an arbitrary objective such as data exfiltration, obtaining root access to significant nodes, or defacing a dummy website. After the exercise, joint analysis is performed by both teams to identify strengths and vulnerabilities in the established security, as well as strengths and weaknesses in certain approaches to infiltration. Taking the concept further, it is also highly effective to have the two teams switch sides before analysis, to gain two perspectives from both the Red and Blue sides.

Indicators or Signposts of Change

The intelligence community uses this technique to track major changes in geo-political climates. It is done by listing a set of scenarios and, under each, a list of observable signs that may indicate that scenario or outcome. These are tracked over time to create a visual representation of what they are facing in the field and the warranted concern for those possible scenarios at any given time. This same technique can be employed to track possible changes in the wild that are of concern to CND clients.

It can be used to track indicators of change that may point to possible scenarios or trends as they relate to specific organizations or even sectors of business. This technique has the advantage of providing an objective baseline that incoming data and intelligence can be compared against, to bolster confidence in the accuracy of any analysis. This technique also helps to objectify any hypotheses by framing them on a more quantifiable basis.
Tracking the potential for Malicious Campaigns by Target Sector

Concern scale: 1 = Serious Concern, 2 = Substantial Concern, 3 = Moderate Concern, 4 = Low Concern, 5 = Negligible Concern

Target Sector | Indicator                              | 2013 Q1 | Q2 | Q3 | Q4 | 2014 Q1 | Q2 | Q3 | Q4
--------------|----------------------------------------|---------|----|----|----|---------|----|----|----
Defense       | Rise in traffic on endpoints           |         |    |    |    |         |    |    |
Defense       | Rise in scans                          |         |    |    |    |         |    |    |
Defense       | Many related C&C incidents             |         |    |    |    |         |    |    |
Defense       | Malicious external IPs inbound         |         |    |    |    |         |    |    |
Energy        | Rise in traffic on endpoints           |         |    |    |    |         |    |    |
Energy        | Rise in scans                          |         |    |    |    |         |    |    |
Energy        | Many related C&C incidents             |         |    |    |    |         |    |    |
Energy        | Malicious external IPs inbound         |         |    |    |    |         |    |    |
Energy        | Increased attacks on SCADA systems     |         |    |    |    |         |    |    |
Financial     | Rise in traffic on endpoints           |         |    |    |    |         |    |    |
Financial     | Rise in scans                          |         |    |    |    |         |    |    |
Financial     | Many related C&C incidents             |         |    |    |    |         |    |    |
Financial     | Malicious external IPs inbound         |         |    |    |    |         |    |    |
Financial     | Increased CCN information in transit   |         |    |    |    |         |    |    |
Financial     | Increased PII loss                     |         |    |    |    |         |    |    |
Retail        | Rise in traffic on endpoints           |         |    |    |    |         |    |    |
Retail        | Rise in scans                          |         |    |    |    |         |    |    |
Retail        | Many related C&C incidents             |         |    |    |    |         |    |    |
Retail        | Malicious external IPs inbound         |         |    |    |    |         |    |    |
Retail        | Increased CCN information in transit   |         |    |    |    |         |    |    |
Retail        | Increased PII loss                     |         |    |    |    |         |    |    |
Retail        | Increased attacks on POS systems       |         |    |    |    |         |    |    |
Retail        | Rogue APs at retail locations          |         |    |    |    |         |    |    |

Presence of Trigger Mechanisms ("Y" if present): Major Data Exfiltration; Major PII spill; Homepage defacement; DDOS

Tracking the potential for Malicious Campaigns in an indicators matrix. A matrix like the one above can be used to track the targeting of certain sectors.
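The matrix above is a layout; the paper does not say how an analyst turns observed signs into a concern level. The following added example (not code from the paper) builds the same matrix from constructed quarterly observations using an assumed rule: the share of a sector's listed indicators observed in a quarter maps onto the 1 to 5 scale, and any trigger mechanism marked "Y" forces Serious Concern. Sector and indicator names come from the matrix; the observations and the scoring thresholds are assumptions.

```python
# Concern scale as given on the page; the scoring rule below is assumed.
CONCERN = {1: "Serious", 2: "Substantial", 3: "Moderate", 4: "Low", 5: "Negligible"}

COMMON = ["Rise in traffic on endpoints", "Rise in scans",
          "Many related C&C incidents", "Malicious external IPs inbound"]
SECTOR_INDICATORS = {
    "Defense": COMMON,
    "Energy": COMMON + ["Increased attacks on SCADA systems"],
    "Financial": COMMON + ["Increased CCN information in transit", "Increased PII loss"],
    "Retail": COMMON + ["Increased CCN information in transit", "Increased PII loss",
                        "Increased attacks on POS systems", "Rogue APs at retail locations"],
}
TRIGGERS = {"Major Data Exfiltration", "Major PII spill", "Homepage defacement", "DDOS"}

# Constructed analyst observations per (sector, quarter): (indicators seen,
# trigger mechanisms marked "Y"). Missing keys mean nothing was observed.
OBSERVATIONS = {
    ("Retail", "2014Q3"): ({"Rise in scans", "Increased attacks on POS systems",
                            "Rogue APs at retail locations"}, set()),
    ("Retail", "2014Q4"): ({"Rise in scans", "Increased PII loss"}, {"Major PII spill"}),
    ("Energy", "2014Q4"): ({"Rise in scans", "Malicious external IPs inbound",
                            "Increased attacks on SCADA systems"}, set()),
}

def concern_level(sector, quarter, observations=OBSERVATIONS):
    """Assumed rule: share of the sector's listed indicators observed this
    quarter maps onto 1..5; any trigger mechanism present forces level 1."""
    indicators, triggers = observations.get((sector, quarter), (set(), set()))
    watch = set(SECTOR_INDICATORS[sector])
    bad = (indicators - watch) | (triggers - TRIGGERS)
    if bad:  # reject misspelled signs so they never silently count as nothing
        raise ValueError(f"unknown entries for {sector}: {sorted(bad)}")
    if triggers:
        return 1
    share = len(indicators) / len(watch)
    if share >= 0.75:
        return 1
    if share >= 0.5:
        return 2
    if share >= 0.25:
        return 3
    return 4 if share > 0 else 5

def build_matrix(quarters, observations=OBSERVATIONS):
    """Sector -> one concern level per quarter, the row-by-row view of the matrix."""
    return {sector: [concern_level(sector, q, observations) for q in quarters]
            for sector in SECTOR_INDICATORS}
```

For the constructed data, Retail moves from Moderate (3 of 8 signs) in 2014 Q3 to Serious in Q4 because a trigger mechanism was marked, while Energy sits at Substantial with 3 of its 5 signs observed.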
Conclusion

Cyber warfare is advancing at an exponential rate and our adversaries, using a myriad of advantages, are evolving along with it. The defenders of enterprise networks cannot continue to face the dangers of tomorrow with the methods of yesterday. The situation is "adapt or die". Revisiting conventional methods of intelligence gathering and analysis and retrofitting them for CND will help to develop cybersecurity professionals who prioritize knowing their enemy and adapting to new situations over scouring for the low-hanging fruit. Adding these methods to the existing capabilities of cybersecurity analysis will greatly improve any security operation's effectiveness.
Bibliography

A Tradecraft Primer: Structured Analytic Techniques for Improving Intelligence Analysis. Washington, D.C.: US Government, 2009. Print.

"Intelligence Collection Disciplines." FBI. FBI, 21 May 2010. Web. 30 June 2015.

E.M. Hutchins, M.J. Cloppert and R.M. Amin, Ph.D., "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains," Proc. 6th Int'l Conf. Information Warfare and Security (ICIW 11), Academic Conferences Ltd., 2010, pp. 113–125; URL http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf

Polancich, Jason. "The Dark Web: An Untapped Source For Threat Intelligence." InformationWeek, 23 June 2015. Web. 30 June 2015. <http://www.darkreading.com/analytics/the-dark-web-an-untapped-source-for-threat-intelligence-/a/d-id/1320983>