Rise of the Machine; Cyber Intelligence Evolved
July 20th, 2016
While there are many cyber threat intelligence services available, both human- and machine-based, they tend to be flawed. Because of a recurring lack of context, the data they deliver is less relevant, leaving customers with little actionable intelligence.
Introduction to Cyber Intelligence
The Cyber Intelligence field is one of paradox: it is the most “traditional” of all cybersecurity sectors, yet it is considered “cutting edge” because it is constantly evolving. Intelligence on nefarious cyber operations dates back to the beginnings of cybercrime. Law enforcement agencies noticed an increase in cybercriminal activity, mainly in former Soviet Union countries, and began investigating. They soon realised that cybercrooks operated in an organised manner, trading goods and exchanging information under aliases via virtual “marketplaces”.
Whilst working undercover gave law enforcement officers insight into the complexities of cybercriminal networks, the cybercrooks quickly realised that they were under surveillance from the law and from other independent, curious individuals. Consequently, efforts were made to restrict access, vet participants and ensure that users remained anonymous. Such security efforts to thwart the risk of external infiltration continue to this very day; however, they are by no means the biggest challenge facing the Cyber Intelligence field.
The field's entire dogma relies on the age-old art of covert operations and espionage, and attempting to adapt this methodology to the digital world is inherently flawed: it depends on a small pool of extremely skilled professionals, which means limited coverage and outdated mechanisms for distributing and consuming information.
Until very recently, collecting information from the cyber world was carried out exclusively by humans and was extremely difficult to operate. It was labour intensive, required an advanced and varied skill set, and was not scalable. Specifically, it required personnel proficient in multiple languages (at the very least Russian, Arabic, English, French and Spanish, and ideally Portuguese, Chinese and Farsi as well), trained in working undercover or operating avatars/sock puppets, with excellent analytical capabilities and some technical understanding.
Even when equipped with the most skilled of workers, Cyber Intelligence teams are looking for a needle in a haystack. According to some studies, the amount of information on the Deep Web is 500 times greater than on the Surface Web, and even the more limited, covert darknet consists of thousands of sites that are not indexed and that change location on a regular basis. No intelligence team has the means to effectively monitor this vast space for threats pertaining to a specific organisation. Moreover, monitoring one data source at a time (be it a hacking forum, a carding forum, etc.) makes it almost impossible to “connect the dots” and see the larger picture. A cybercriminal can operate multiple aliases across multiple forums, yet no human analyst can trace all of the connections between them.
Distribution and Consumption
Assuming that the intelligence team manages to find relevant information, they are usually required to deliver a written report, which in turn requires the employer to hire an analyst to interpret the report and communicate it to the IT security team, who can then act upon it. This method is ineffective, to say the least: cyber intelligence analysts are a rare commodity and most of them are employed by cyber intelligence firms, meaning that many CISOs are left to interpret the information themselves, without any help.
Moreover, translating vague intelligence snippets into actions is very difficult. Unless there is a very specific alert (e.g. the company will be targeted by a Denial of Service attack tomorrow at noon), there is not much that the IT security team can do. The analysis process is also time consuming: manually collecting information, composing reports to be sent to the customer, and the dialogue between the two parties can take hours, if not days, meaning that any intelligence derived is not delivered in real time.
Whilst various mechanised solutions have evolved to lessen the required manpower and to combat the coverage and distribution challenges, most systems are not particularly intelligent. They focus instead on collecting malicious IPs and malware signatures and automatically feeding these into SIEM and firewall systems, providing some security but ignoring more strategic threats. These automated services do not reveal intentions, motivations or post-attack information leakage.
A paradigm shift: Analyst-led Automatic Processing
The time for a paradigm shift has come. Advancements in processing and analysing large quantities of data mean that we can use automated mechanisms to crawl and collect information, distribute relevant information to customers and their security systems (such as firewalls), and even perform some remediation based on the information gleaned. This could not, however, be achieved without a proficient team of analysts to fine-tune the system, vet new sources and respond to customers' queries about the information presented to them. This twofold model offers timely information (collection and distribution are done automatically) that specifically addresses the needs and focus of the client. It is the only way to ensure a scalable solution to the diverse and ever-changing needs of the customer, and to mitigating the risks lurking in the deep corners of the web.