Cybersecurity first principles: threat intelligence operations.
Note: This is the seventh essay in a planned series that discusses the development of a general purpose cybersecurity strategy for all network defender practitioners, be they from the commercial sector, government enterprise, or academic institutions, using the concept of first principles.
We are building a strategy wall, brick by brick, for a cyber security infosec program based on first principles. The foundation of that wall is the ultimate and atomic first principle:
Reduce the probability of material impact to my organization due to a cyber event.
That’s it. Nothing else matters. This simple statement is the pillar, on which we can build an entire infosec program.
The first six bricks we put on that foundation were zero trust, intrusion kill chains, resilience, DevSecOps, and risk. This next building block will start the second course of the wall because it directly supports all of the other strategic bricks we have already laid. This brick is called cyber threat intelligence operations.
Intelligence is the fuel that drives the entire infosec engine.
The intrusion kill chain strategy compels us to find ways to deploy prevention and detection controls for all known adversaries at every stage of the attack sequence. With DevSecOps, we are obligated to find ways to automate the supporting infrastructure of that process so that the consistency and agility we gain will enhance our overall resiliency and our ability to prevent a potential or ongoing attack before it materially affects the business. It will also allow us to check and recheck our zero trust policy compared to the actual deployed configuration on a real time basis. And finally, with DevSecOps again, we can automatically update our evidence collection to support our risk assessment and adjust our probability forecast of a material cyber event in the next three years. Those deployed security bricks constitute a system of systems, an engine so to speak, to reduce the probability of material impact to our organization due to a cyber event. The fuel that drives that engine is intelligence.
What is cyber threat intelligence?
Cyber threat intelligence isn't a new concept. It has been practiced in some form since at least the 2000s by various military organizations in the United States and elsewhere. The idea of it being a best practice for the commercial sector didn’t really start to gain traction until roughly 2015, sometime after the publication of the famous intrusion kill chain paper by Lockheed Martin. Some commercial organizations were doing it early, but the bulk of the network defender community wasn’t.
Cyber threat intelligence operations are really nothing more than regular intelligence operations applied to the cyber landscape. And intelligence operations have been around since the world was young. According to Professor Vejas Gabriel Liulevicius of the University of Tennessee,
“Our earliest evidence of intelligence work comes from the clay tablets of Mesopotamia, and we know from the Bible that spies were used not only by political rivals but also by religious ones in ancient Israel.”
The subject of intelligence—what it is, how to do it, how to measure its effectiveness—is vast. Until the early 2000s, the study of it had mostly fallen to government employees and academics. In the last 20 years, the commercial security sector has started to pick it up because it has a direct impact on how to protect their organizations in cyberspace or improve their own security products. When interested parties search for a definition, though, they are likely to find a wide spectrum of descriptions.
For example, A. C. Wasemiller, writing for the Central Intelligence Agency in 1996, said that intelligence operations produce “reliable information about all those enemies of a country who attack it by stealth.” He also said that those products help the government prepare “passive or static defenses against all hostile and concealed acts.” And finally, he said that they identify specific adversary operations so that they may be countered through penetration and manipulation “so that their thrust is turned back against the aggressor.”
I love that. I think I would like to buy Mr. A. C. Wasemiller a beer one day.
On the academic side, Christopher Gabel, writing for the Scholastic blog, defines intelligence operations this way:
“An intelligence operation is the process by which governments, military groups, businesses, and other organizations systematically collect and evaluate information for the purpose of discovering the capabilities and intentions of their rivals. With such information, or intelligence, an organization can both protect itself from its adversaries and exploit its adversaries' weaknesses.”
I have been a cyber intelligence guy for over 20 years both in the military and in the commercial sector. I like to describe it this way:
“The process of turning raw information into intelligence products that leaders use to make decisions with.”
All of these descriptions are correct to a point. If I had to choose one that most closely hits the mark, I would choose the academic’s definition. But I believe the vast array of opinions about what cyber threat intelligence operations are has slowed their adoption in the network defender community. What is absolutely true is that cyber threat intelligence operations for one organization will likely not look like intelligence operations in another.
How do organizations use cyber threat intelligence?
The reason that the essence of cyber threat intelligence differs across so many organizations is that this essence depends on the leadership’s goals for the team. Across the network defender community, those goals run the gamut from:
- Prioritizing incidents as they flow into the security operations center.
- Keeping abreast of vulnerabilities discovered within the technology stack of our organization.
- Developing indicators to prevent fraud.
- Providing the risk team with estimates about how the internal technology stack and security stacks work together.
- Synthesizing information about ongoing cyberattacks, events, and campaigns for senior leadership.
- Creating an operational picture of what is actually happening in the network based on telemetry collected from network and security stack devices.
- And many others.
All of these are valid uses of an intelligence team. Since this series of essays is about first principles, though, I want to focus the intelligence function on tasks that will directly reduce the risk of material impact due to a cyber event. The first brick on our first principle wall that could most use a cyber threat intelligence team is the intrusion kill chain strategy. But to see why that is so, let’s discuss how the intelligence process works.
The intelligence process as applied to cybersecurity.
The intelligence process is not that complicated. It hasn’t changed much in over 50 years:
- Get guidance from the boss.
- Break that guidance down into smaller manageable questions.
- Collect raw information that will help answer those smaller questions.
- Process that raw information into intelligence products which answer those questions.
- Deliver those intelligence products to key leaders who can make decisions with them.
- Seek feedback from the key leaders for improvement suggestions.
- Rinse and repeat.
Boss guidance: The CEO’s Information Requirements (CIRs).
Start with the organization's leadership. In the military, this is the commander. When combat units begin preparing for the next operation, whether it is defensive or offensive, commanding officers tell their intelligence teams the kinds of processed information they need to plan the campaign. They call these questions the commander’s information requirements or CIRs.
When Lee Marvin, the actor, briefed his commandos on the plan to attack the German chalet in the 1967 movie, “The Dirty Dozen,” where do you think he got the layout of the building? When General Dodonna told his fighter pilots about how to blow up the death star in the 1977 movie, “Star Wars,” how do you think Princess Leia got the engineering plans for the death star’s weakness? Senior leaders told the intelligence team to go get them.
In the commercial sector, it’s the same general idea. The organization’s network defender coordinates information requirements with the CEO. Fortunately, that means we get to keep the same acronym that the military uses: CIRs.
By design, CIRs don’t change that often. In the commercial sector, they might need to be revisited about once a year. They are high level and probably complex. They are likely open ended. As an example, here is a generic list that might apply to any organization:
- Risk: What is the probability of a material cyber event in the next three years?
- Intrusion kill chains: What are the most likely ways that adversary groups will try to breach our systems and do we have prevention controls in place to stop them?
- Zero trust: What are the material systems within our organization and who needs to access them?
- Resilience: In the event of a material cyber event, which systems and data sets must be available to continue delivering service to our customers?
- DevSecOps: What are the priority DevSecOps projects that will have the greatest impact on reducing the probability of material impact due to a cyber event?
Notice that these CIRs aren’t strictly adversary-based. Many of them revolve around the security posture of the organization. Understanding the underlying security infrastructure is as important as understanding how an adversary might leverage a weakness in the system.
Note that this discussion assumes you have unlimited resources to pursue this endeavor. Nobody has this, I know. Further down, I will offer ideas about how you might get some of this on a shoestring budget. But let’s first discuss what a fully funded cyber threat intelligence operation that has full-throated support from senior management might look like.
Manageable questions: Priority Information Requirements (PIRs).
The intelligence team takes the CIRs and breaks them down into smaller, more answerable bits. This is classic problem solving: take a big problem and break it into smaller and smaller pieces until they are small enough to solve. It is the same with PIRs. Typical CIRs might generate between three and twenty PIRs depending on the complexity. For example, let’s take the intrusion kill chain CIR and break that down into generic PIRs for most organizations:
- How many cyber adversary groups run operations on any given day?
- What are the most likely adversary groups that would seek our organization as a target?
- What are all the attack campaigns that adversary groups run across the intrusion kill chain?
- Do we have prevention and detection controls deployed in our security stack for every phase of the intrusion kill chain for these adversary groups?
For your organization, you might have some specific PIRs that you tailor for yourself, too.
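One way to turn the last PIR into a repeatable check, as an added example that is not part of the original essay: it compares a table of which ATT&CK techniques each adversary group uses (answering PIR 3) against an inventory of the prevention and detection controls actually deployed, and reports the kill chain phases where coverage is missing. The group names GROUP-A and GROUP-B, the group-to-technique mapping and the technique-to-phase mapping are constructed assumptions for the example, not real intelligence; only the technique IDs themselves are real ATT&CK identifiers.

```python
from collections import defaultdict

# Lockheed Martin intrusion kill chain phases, in order.
KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]

# Constructed mapping of ATT&CK technique -> kill chain phase (assumption
# made for this example, not an official ATT&CK or Lockheed Martin mapping).
TECHNIQUE_PHASE = {
    "T1595": "Reconnaissance",          # Active Scanning
    "T1566": "Delivery",                # Phishing
    "T1203": "Exploitation",            # Exploitation for Client Execution
    "T1547": "Installation",            # Boot or Logon Autostart Execution
    "T1071": "Command and Control",     # Application Layer Protocol
    "T1041": "Actions on Objectives",   # Exfiltration Over C2 Channel
}

# Constructed adversary campaign data answering PIR 3: group -> techniques.
# GROUP-A and GROUP-B are placeholders, not real adversary groups.
ADVERSARY_CAMPAIGNS = {
    "GROUP-A": {"T1595", "T1566", "T1203", "T1547", "T1071", "T1041"},
    "GROUP-B": {"T1566", "T1547", "T1071"},
}

# Constructed inventory of the deployed security stack (PIR 4):
# technique -> control types ("prevent", "detect") actually in place.
DEPLOYED_CONTROLS = {
    "T1566": {"prevent", "detect"},
    "T1547": {"detect"},
    "T1071": {"prevent", "detect"},
    "T1041": {"detect"},
}

def coverage_gaps(campaigns, controls, technique_phase):
    """Return {group: {phase: [(technique, missing_control_types)]}}.

    A technique is a gap when prevention or detection is missing, which is
    the literal question PIR 4 asks. Techniques with no known phase are
    reported under "Unmapped" so they are not silently dropped.
    """
    gaps = {}
    for group, techniques in campaigns.items():
        by_phase = defaultdict(list)
        for tid in sorted(techniques):
            missing = {"prevent", "detect"} - controls.get(tid, set())
            if missing:
                phase = technique_phase.get(tid, "Unmapped")
                by_phase[phase].append((tid, sorted(missing)))
        gaps[group] = dict(by_phase)
    return gaps

def uncovered_phases(gaps, group):
    """Kill chain phases, in order, where the group still has a gap."""
    return [p for p in KILL_CHAIN + ["Unmapped"] if p in gaps.get(group, {})]

if __name__ == "__main__":
    report = coverage_gaps(ADVERSARY_CAMPAIGNS, DEPLOYED_CONTROLS, TECHNIQUE_PHASE)
    for group, phases in report.items():
        print(group, "gaps in:", ", ".join(uncovered_phases(report, group)))
        for phase, items in phases.items():
            for tid, missing in items:
                print(f"  {phase}: {tid} missing {missing}")
```

Replacing the constructed tables with a STIX feed and a real control inventory turns this into the kind of check the DevSecOps engine can rerun every time either side changes.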
Once you establish the PIRs, the intelligence team looks at the raw information at its disposal and decides if it can answer them. If they can, that is great. If not, then they need to seek new sources of information that will. This is called collection management, and it is a never-ending process of evaluating the PIRs against the raw intelligence coming into the organization. There are many places you can get this kind of raw intelligence:
- Internal network and security stack telemetry.
- Open source intelligence feeds.
- Subscription intelligence feeds.
- Security blogs and news outlets.
- Intelligence sharing organizations like the FS-ISAC and the Cyber Threat Alliance.
- One-on-one sharing arrangements with partner organizations.
- Many others.
Process raw information into intelligence products.
This is where the intelligence analysts come in. Their job is to consume the raw information, synthesize it to answer the PIRs, and create a deliverable that leadership can use to make a decision. The conversion of raw information into something useful—actionable intelligence—is the characteristic that distinguishes a news reporter from an intelligence analyst. Both are valuable services. In fact, an intelligence analyst performs many of the same functions as a news reporter but has the added responsibility of advising the leadership about what specifically to do with the information. And just like a reporter, analysts will also flag whether they think they can answer the PIR with the raw information available or if they need to seek other sources of information.
Distribution of the intelligence product.
This seems like an obvious step, but how you distribute these intelligence products will determine how useful they will be to leadership. Do you push the products via email or Slack or some other mechanism? Do you have the customer pull them from a website, SaaS drive, something else? Or is this intelligence suitable for the DevSecOps infrastructure-as-code engine that can eliminate the human-in-the-loop decision process?
Feedback from the operator.
It goes without saying that if the intelligence products you create are not useful, then maybe you shouldn’t make them. Getting feedback on their usefulness and how you can make them better is essential to the entire intelligence process. Interestingly enough, the government intelligence community and the commercial sector both use the same terminology to describe the service they deliver to their customers. They each call them products. I have no evidence of this, but I believe that the common usage is purely coincidental. Regardless, both groups should treat them the same way. In the best case scenarios, each commercial product and intelligence product should have a product manager assigned whose job it is to capture the current state of the product and plan the road map for future changes. A key component of that road map design is polling customers for the features they like, the ones they don’t like, and the features they want in the future.
The intelligence process on a shoestring budget.
The generic process described above for the intrusion kill chain strategy assumes unlimited resources. Most of us don’t have that especially if we run a small to medium-sized business. What is a network defender to do in that circumstance?
Regardless of the size of your organization, seek security vendors who are already doing this for you. I would focus on the mainstream security platforms and endpoint products. These vendors invest heavily in their intelligence teams, both to improve their product sets and to demonstrate to the world how smart they are about the security landscape. Pursue those that have already bought into the intrusion kill chain strategy. They should be tracking adversary campaigns and building prevention controls for their products to defeat them. Influence them with your checkbook. Don’t buy them unless they directly support your first principles infosec program and specifically your intrusion kill chain strategy. Point them to the MITRE ATT&CK Evaluation website.
The MITRE nonprofit company is this strange hybrid that is kind of a government organization and kind of a commercial organization, but not really one or the other. The U.S. government calls them federally funded research and development centers, or FFRDCs, and they fund them to “assist the United States government with scientific research and analysis; development and acquisition; and systems engineering and integration.” The good news for the network defender community, because of their unique FFRDC status, is that much of the MITRE work product is available to the public at no cost.
The MITRE cyber threat intelligence team has been tracking adversary campaigns for years and has been the brain power to formalize how network defenders standardize adversary campaign information and how to share it with their sharing partners. They originated the de facto network defender language, STIX or Structured Threat Information eXpression, to do just that. They also originated the MITRE ATT&CK framework. According to the website, “MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.” This is one of the most complete open source collections of adversary campaign intelligence across the intrusion kill chain in the world.
The MITRE ATT&CK Evaluation program is relatively new. The team has begun to evaluate security products based on their effectiveness against every aspect of an adversary’s attack sequences. As of this writing, they have only done two groups so far: APT3 and APT29. You will recall from previous essays in this series that the network community believes that there may be upward of 100 groups active on the internet on any given day—so they have some work to do. But do yourself a favor, go to their website and see just how well-known security products perform against the campaigns of some of our most infamous adversary groups.
Better yet, seek vendors who belong to the Cyber Threat Alliance. As of this writing, it is a group of some twenty-six vendors who have agreed to share adversary playbook intelligence with each other so that their customers don’t have to do the work themselves. They have all agreed that they wouldn’t compete on the quality of intelligence collected, processed, and shared. Instead, they’d compete on how well their product sets used that intelligence to prevent the success of adversary campaigns. The thing that makes them different from other sharing organizations is that all members have to share or they can’t be in the club, and there is a minimum daily quota. If you buy and install one of these vendors’ products, you not only get the adversary campaign tracking from their intelligence team, you get the work of all twenty-six vendors combined. The CTA’s collection of adversary campaign intelligence is likely the most comprehensive and useful in the industry and can compete head to head with what the U.S. government collects with its intelligence agencies. They have standardized on the STIX language and the MITRE ATT&CK framework to build their sharing platform.
In other words, if you don’t have the resources to build an intelligence team that can track all known adversary campaigns, buy and install security products from vendors who do. Use your checkbook to encourage your security vendors to participate in programs like the MITRE ATT&CK Evaluation program and the Cyber Threat Alliance. It costs you nothing to do so, but it makes the entire community safer. The best part is that you get to leverage those high-end intelligence teams to support your intrusion kill chain strategy.
Cyber threat intelligence operations is a journey.
In the early days of the internet, building a fully functional intelligence team felt like a luxury to most network defenders. In light of a first principle analysis of our infosec program though, we have learned that we can’t pursue our key strategies of zero trust, intrusion kill chains, resilience, DevSecOps, and risk assessment without it—but it is a big ask. Many don’t have the resources to do it. But remember, strategies are a direction. You don’t have to build the equivalent of the NSA, à la A. C. Wasemiller, today to get the benefit of this work. It is something we should all be building toward. In the meantime, seek vendors who are doing the work for you. Encourage them with your checkbook to support your first principle programs. Take advantage of the good work that the MITRE ATT&CK Evaluation program and the Cyber Threat Alliance are doing for the community. Support it whenever you can. These efforts make the entire community safer and provide you a cheaper way to pursue your first principle infosec wall that won’t break the bank. And, if you see Mr. Wasemiller wandering around somewhere, tell him I am buying the first beer.
“Army Doctrine Publication 2-0: Intelligence,” Headquarters, Department of the Army, 31 August 2012, last visited 30 May 2020.
“Corporate Overview, the MITRE Company,” MITRE, last visited 30 May 2020.
“Espionage and Covert Operations: A Global History, Course Guidebook,” by Professor Vejas Gabriel Liulevicius, University of Tennessee, Knoxville, The Great Courses, 2011, last visited 30 May 2020.
“Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains,” by Hutchins, Cloppert, and Amin, Lockheed Martin Corporation, 2010, last visited 5 August 2019.
“Intelligence Operations,” by Christopher F. Gabel, Scholastic, last visited 30 May 2020.
“MITRE ATT&CK: Design and Philosophy,” by Blake E. Strom, Andy Applebaum, Doug P. Miller, Kathryn C. Nickels, Adam G. Pennington, and Cody B. Thomas, MITRE, 2018, last visited 30 June 2020.
“MITRE ATT&CK Evaluations,” MITRE, last visited 30 June 2020.
“Practical Cyber Intelligence: How action-based intelligence can be an effective response to incidents,” by Wilson Bautista, Packt Publishing, 29 March 2018.
“Star Wars - briefing scene HD,” by Balls Tesla, YouTube, 15 December 2016, last visited 30 June 2020.
“The Anatomy of Counterintelligence,” by A. C. Wasemiller, Central Intelligence Agency (CIA), 2 July 1996, last visited 30 June 2020.
“The Cyber Threat Alliance,” last visited 30 June 2020.
“The Dirty Dozen - Planning the Attack,” by b3nn41dU, YouTube, 15 May 2013, last visited 30 June 2020.
“Threat Intelligence: Explained, Examined, & Exposed,” Sergio Caltagirone (Dragos) and Dave Bittner (CyberWire), 25 October 2019, last visited 30 May 2020.