CSO Perspectives (Pro) 6.22.20
Ep 12 | 6.22.20

Intelligence operations: a first principle of cybersecurity.


Rick Howard: I am a huge Lee Marvin fan. And for you youngsters out there, he was a famous tough-guy TV and movie star back in the '60s, '70s and '80s. He was also an enlisted Marine during the Second World War, so a real-world tough guy, too. He surprised everybody by winning an Academy Award for a musical, of all things, called "Cat Ballou" in 1965. But in 1967, he starred as an Army major in one of my most loved rewatchable movies called "The Dirty Dozen" that MGM released in 1967. And do you know what makes a movie rewatchable? Here's my definition. When you walk through the living room on your way to perform some household chore and you notice that a beloved movie is playing on the TV in the background, and that scene you really like is coming up, so you immediately stop what you're doing, plop your butt down in the easy chair and wait for that scene to come on. That is a rewatchable movie.

Rick Howard: "The Dirty Dozen" has a lot of these rewatchable scenes. The plot is preposterous, but Marvin has to take a bunch of commandos behind enemy lines during World War II to attack a German chalet, where many senior German officers would be having a party just prior to the Allies' D-Day invasion - essentially, cut the leadership out of the German high command before the big battle. I love movies like this, but did you ever wonder about how Marvin and the commandos found out about the German chalet? Let that sink in for a second. 

Rick Howard: Or if you want a more modern example, how about the "Star Wars" world, where General Jan Dodonna told his fighter pilots about how to blow up the Death Star in the original "Star Wars" movie. How do you think Princess Leia got the engineering plans for the Death Star's weakness in the first place? Well, senior leaders told the intelligence team to go get them. In the movies, you don't usually get the stories about how the team got the intelligence, "Rogue One" notwithstanding. But in the network defender world, intelligence operations are the fuel that drives the entire infosec program. 

Rick Howard: My name is Rick Howard. You are listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. This is the seventh show in a series that discusses the development of a general-purpose cybersecurity strategy using the concepts of first principles. So far, I have explained what first principles are and made an argument about what the very first principles should be as the foundation for the entire infosec program. Since then, I have added bricks to that foundation to give it strength - zero trust, intrusion kill chains, resilience, DevSecOps and risk assessment. In this show, we will start building the second course of the infosec wall because this next brick directly supports all the other strategic bricks we have already laid. This brick is called cyberthreat intelligence operations. 

Rick Howard: The intrusion kill chain strategy compels us to find ways to deploy prevention and detection controls for all known adversaries at every stage of the attack sequence. With DevSecOps, we are obligated to find ways to automate the supporting infrastructure of that process so that the consistency and agility we gain will enhance our overall resiliency and our ability to prevent a potential or ongoing attack before it materially affects the business. It will also allow us to check and recheck our zero-trust policy compared to the actual deployed configuration on a real-time basis. 

Rick Howard: And finally, with DevSecOps again, we can automatically update our evidence collection to support our risk assessment and adjust our probability forecast of a material cyber event in the next three years. Those deployed security bricks constitute a system of systems - an engine, so to speak - to reduce the probability of material impact to our organization due to a cyber event. The fuel that drives that engine is intelligence. 

Rick Howard: Cyberthreat intelligence, or CTI, isn't a new concept. It has been practiced in some form as early as the 2000s by various military organizations in the United States and elsewhere. The idea of it being a commercial best practice didn't really start to gain traction until roughly 2015, sometime after the publication of the famous intrusion kill chain paper by Lockheed Martin. Some commercial organizations were doing it early, but the bulk of the network defender community weren't. 

Rick Howard: Cyberthreat intelligence operations are really nothing more than regular intelligence operations applied to the cyber landscape, and intelligence operations have been around since the world was young. According to Professor Vejas Gabriel Liulevicius of the University of Tennessee, quote, "our earliest evidence of intelligence work comes from the clay tablets of Mesopotamia, and we know from the Bible that spies were used not only by political rivals, but also by religious ones in ancient Israel," end quote. 

Rick Howard: The subject of intelligence - what it is, how to do it, how to measure its effectiveness - is vast. Until the early 2000s, the study of it had mostly fallen to government employees and academics. In the last 20 years, the commercial security sector has started to pick up on it because it has a direct impact on how to protect their organizations in cyberspace or improve their own security products. When interested parties search for a definition, though, they are likely to find a wide spectrum of descriptions. For example, A.C. Wasemiller, writing for the CIA in 1996, said that intelligence operations produce, and I quote, "reliable information about all those enemies of a country who attack it by stealth," end quote. He also said that those intelligence products help the government prepare, quote, "passive or static defenses against all hostile and concealed acts," end quote. And finally, he said that they identify specific adversary operations so that they may be countered through penetration and manipulation, quote, "so that their thrust is turned back against the aggressor," end quote. Their thrust is turned back against the aggressor - I love that. I would like to buy Mr. A.C. Wasemiller a beer one day. 

Rick Howard: On the academic side, Christopher Gabel, writing for the "Scholastic" blog, defines intelligence operations this way - quote, "the process by which governments, military groups, businesses and other organizations systematically collect and evaluate information for the purpose of discovering the capabilities and intentions of their rivals. With such intelligence, an organization can protect itself from its adversaries and exploit its adversaries' weaknesses," end quote. 

Rick Howard: I've been a cyberintelligence guy for over 20 years, both in the military and in the commercial sector. Here's my definition - quote, "the process of turning raw information into intelligence products that leaders use to make decisions with," end quote. Now, all of these descriptions are correct to a point. If I had to choose one that most closely hits the mark, I would choose Mr. Gabel's. But I believe the vast array of opinions about what cyberthreat intelligence operations are have slowed their adoption in the network defender community. What is absolutely true is that cyberthreat intelligence operations for one organization will likely not look like intelligence operations in another. 

Rick Howard: The reason that they are so different across so many organizations is that cyberthreat intelligence depends on the leadership's goals for the team. Across the network defender community, those goals run the gamut from prioritizing incidents as they flow into the security operations center, keeping abreast of vulnerabilities discovered within the technology stack, developing indicators to prevent fraud, providing the risk team with estimates about how the internal technology stack and security stacks work together, synthesizing information about ongoing cyberattacks for senior leadership, creating an operational picture of what is actually happening in the network based on telemetry collected from the network and security stack devices. And these just name a few, but all of them are valid uses of an intelligence team. But since this podcast series is about first principles, I want to focus the intelligence function on tasks that will directly reduce the risk of material impact due to a cyber event. 

Rick Howard: The first brick in our first principle wall that could most use a cyberthreat intelligence team is the intrusion kill chain strategy. But to see why that is so, let's discuss how the intelligence process works. First, it's not that complicated. If you look at old and new Army field manuals and Army doctrine publications, it hasn't changed much in over 50 years. But here are the steps. First, get guidance from the boss, then break down that guidance into smaller, manageable questions. Then collect raw information that will help answer those smaller questions. Process that raw information into intelligence products which answer those questions. Deliver those intelligence products to key leaders who can make decisions with them. Seek feedback from the key leaders for improvement suggestions. And finally, rinse and repeat. All right, we're going to go through each of those with a bit of detail. 

Rick Howard: Step one - get guidance from the boss. In other words, start with the organization's leadership. In the military, this is the commander. When combat units begin preparing for the next operation, whether it is defensive or offensive, commanding officers tell their intelligence teams the kinds of processed information they need to plan the campaign. They call these questions the commander's information requirements, or CIRs. In the commercial sector, it's the same general idea. The organization's network defender coordinates information requirements with the CEO. Fortunately, that means we get to keep the same acronym that the military uses - CIRs. By design, CIRs don't change that often. In the commercial sector, they might need to be revisited about once a year. They are high-level and probably complex. They are likely open-ended. 

Rick Howard: As an example, here is a generic list that might apply to any organization. For risk, we might say what is the probability of a material cyber event in the next three years? For intrusion kill chains, we might say what are the most likely ways that adversary groups will try to breach our systems, and do we have prevention controls in place to stop them? For zero trust, we might say what are the material systems within our organization? Who needs to access them? For resilience, we might say which systems and datasets must be available to continue delivering service to our customers in times of crisis? For DevSecOps, we might say what are the priority DevSecOps projects that'll have the greatest impact on reducing the probability of material impact due to a cyber event? 

Rick Howard: Notice that these CIRs aren't strictly adversary-based. Many of them revolve around the security posture of our organization. Understanding the underlying security infrastructure is as important as understanding how an adversary might leverage a weakness in the system. And I hear what you're saying - jeez, Rick, this sounds expensive; I don't have the resources to do this. I hear you. For the moment, let's just assume that you have unlimited resources. I know nobody does; let's just see what cyberthreat intelligence looks like if you do. Later in the podcast, I will offer ideas about how you might get some of this done on a shoestring budget. But let's first discuss what a fully funded cyberthreat intelligence operation that has a deep-throated support by senior management might look like. 

Rick Howard: Step two - break down that guidance, the CIRs, into smaller, manageable questions. The intelligence team takes the CIRs and breaks them apart into smaller, more answerable bits called PIRs, or priority information requirements. This is classic problem-solving - take a big problem and break it into smaller and smaller pieces, until they get small enough to solve. It is the same with PIRs. Typical CIRs might generate between three and 20 PIRs, depending on the complexity. 

Rick Howard: For example, let's take the intrusion kill chain CIR and break that down into generic PIRs for most organizations. The CIR asks - what are the most likely ways that adversary groups will try to breach our systems? And do we have preventive controls in place to stop them? Some PIRs, or these smaller questions you might ask, are how many cyber adversary groups run operations on any given day? What are the most likely adversary groups that would seek our organization as a target? What are all the attack campaigns that adversary groups run across the intrusion kill chain? Do we have prevention and detection controls deployed in our security stack for every phase of the intrusion kill chain for these adversary groups? And for your organization, you might have some specific PIRs that you tailor for yourself, too.

Rick Howard: Step three - collect raw information that will help answer those smaller questions. Once you establish the PIRs, the intelligence team looks at the raw information at its disposal and decides if it can answer them. If they can, that's great. If not, then they need to seek new sources of information that will. This is called collection management, and it is a never-ending process of evaluating the PIRs against the raw intelligence coming into the organization. There are many places you can get this kind of raw intelligence, like internal network and security stack telemetry or open-source intelligence feeds or subscription intelligence feeds or security blogs and news outlets or intelligence-sharing organizations like the FS-ISAC and the Cyber Threat Alliance or one-on-one sharing arrangements with partner organizations. And that is just basically scratching the surface. 

Rick Howard: Step four - process that raw information into intelligence products which answer those questions. This next step is where the intelligence analysts come in. Their job is to consume the raw information, synthesize it to answer the PIRs and create a deliverable that leadership can use to make a decision. Conversion of raw information into something useful - we call that actionable intelligence - is the characteristic that distinguishes a news reporter from an intelligence analyst. Both are valuable services. In fact, an intelligence analyst performs many of the same functions as a news reporter but has the added responsibility of advising the leadership about what specifically to do with the information. And just like a reporter, analysts will also flag whether they think they can answer the PIRs with the raw information available or if they need to seek other sources of information to do it. 

Rick Howard: Step five - deliver those intelligence products to key leaders who can make decisions with them. This next step might seem obvious, but how you distribute these intelligence products will determine how useful they will be to leadership. Do you push those products via email or Slack or some other mechanism? Do you have the customer pull them from a website, a SAS drive or something else? Or is this intelligence suitable for the DevSecOps infrastructure-as-code engine that can eliminate the human-in-the-loop decision process? 

Rick Howard: Step six - seek feedback from the key leaders for improvement suggestions. It goes without saying that if the intelligence products you create are not useful, then maybe you shouldn't make them. Getting feedback on their usefulness and how you can make them better is essential to the entire intelligence process. Interestingly, the government intelligence community and the commercial sector both use the same terminology to describe the service they deliver to their customers. They each call them products. 

Rick Howard: Now, I have no evidence of this, but I believe that the common usage is purely coincidental. Regardless, both groups should treat them the same way. In the best-case scenarios, each commercial product and intelligence product should have a product manager assigned whose job it is to capture the current state of the product and plan the road map for future changes. A key component of that road map design is polling customers for the features they like, the ones they don't like and the features they want in the future. 

Rick Howard: The intelligence process that I just described for the intrusion kill chain strategy assumes unlimited resources. Like I said, most of us don't have that, especially if we run a small- to medium-sized business. What is a network defender to do, then, in that circumstance? Regardless of the size of your organization, seek security vendors who are already doing this for you. I would focus on the mainstream network security platforms and endpoint products. These vendors invest heavily in their intelligence teams both to improve their product sets and to demonstrate to the world how smart they are about the cybersecurity landscape. Pursue those that have already bought into the intrusion kill chain strategy. They should be tracking adversary campaigns and building prevention controls for their products to defeat them. 

Rick Howard: Influence them with your checkbook. Don't buy them unless they directly support your first-principle infosec program and, specifically, your intrusion kill chain strategy, and point them to the MITRE ATT&CK Evaluation website. The MITRE nonprofit company is this strange hybrid that is kind of a government organization and kind of a commercial organization but not really one or the other. The U.S. government calls them federally funded research and development centers, or FFRDCs, and they fund them to assist the United States government with scientific research and analysis, development and acquisition and systems engineering and integration.

Rick Howard: The good news for the network defender community - because of their unique FFRDC status - is that much of the MITRE work product is available to the public at no cost. The MITRE cyberthreat intelligence team has been tracking adversary campaigns for years and has been the brainpower to formalize how network defenders standardize adversary campaign information and how to share it with their sharing partners. They originated the de facto network defender language, STIX - or Structured Threat Information eXpression - to do just that. They also originated the MITRE ATT&CK framework. And according to the website, MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

Rick Howard: This is one of the most complete open-source collections of adversary campaign intelligence across the intrusion kill chain in the world. The MITRE ATT&CK Evaluation program is relatively new. The team has begun to evaluate security products based on their effectiveness against every aspect of an adversary's attack sequences. As of today, they've only done two groups so far - APT3 and APT29. You will recall from previous podcasts in this series that the network defender community believes that there may be upward of 100 groups active on the internet on any given day. So they have some work to do. But do yourself a favor - go to their website and see just how well-known security products perform against the campaigns of some of our most infamous adversary groups. 

Rick Howard: Better yet, seek vendors who belong to the Cyber Threat Alliance. As of today, it is a group of some 26 vendors who have agreed to share adversary playbook intelligence with each other, so that their common customers don't have to do the work themselves. They have all agreed that they wouldn't compete on the quality of intelligence collected, processed and shared. Instead, they'd compete on how well their product sets used that intelligence to prevent the success of adversary campaigns. The thing that makes them different from other sharing organizations is that all members have to share or they can't be in the club, and there is a minimum daily quota. 

Rick Howard: If you buy and install one of these vendors' products, you not only get the adversary campaign tracking from their intelligence team, you get the work of all 26 vendors combined. The CTA's collection of adversary campaign intelligence is likely the most comprehensive and useful in the industry and can compete head-to-head with what the U.S. government collects with its intelligence agencies. To make it easy to use, they have standardized on the STIX language and the MITRE ATT&CK framework to build their sharing platform. In other words, if you don't have the resources to build an intelligence team that can track all known adversary campaigns, buy and install security products from vendors who do. Use your checkbook to encourage your security vendors to participate in programs like the MITRE ATT&CK Evaluation program and the Cyber Threat Alliance. It costs you nothing to do so, but it makes the entire community safer. The best part is that you get to leverage those high-end intelligence teams to support your intrusion kill chain strategy.

Rick Howard: In the early days of the internet, building a fully functional intelligence team felt like a luxury to most network defenders. In light of a first principle analysis, though, we have learned that we can't pursue our key strategies of zero trust, intrusion kill chains or resilience, DevSecOps and risk assessment without it, but it is a big ask. For many, they don't have the resources to do it. But remember - strategies are a direction. You don't have to build the equivalent of the NSA, a la A.C. Wasemiller, today to get the benefit of this work. It is something we should all be building toward. 

Rick Howard: In the meantime, seek vendors who are doing the work for you. Encourage them with your checkbook to support your first-principle programs. Take advantage of the good work that the MITRE ATT&CK Evaluation program and the Cyber Threat Alliance are doing for the community. Support it whenever you can. These efforts make the entire community safer and provide you a cheaper way to pursue your first-principle infosec wall that won't break the bank. And if you see Mr. Wasemiller wandering around somewhere, tell him I'm buying the first beer. We need to raise a glass for Jyn Erso and her "Dirty Dozen" ragtag group from "Rogue One."

Rick Howard: That's a wrap. If you agree or disagree with anything I've said, hit me up on LinkedIn or Twitter, and we can further the conversation there. The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Mix, sound design and original music by the insanely talented Elliott Peltzman. And I am Rick Howard. Thanks for listening.