CSOL-580 - Cyber Intelligence, Spring 2019
I was introduced to Cyber Intelligence during Spring 2019 through the CSOL-580 Cyber Intelligence course with Professor Michelle Moore. The book we used was Graves, M., Jensen III, C., & McElreath, D. (2017). Introduction to Intelligence Studies. ISBN-10: 1466500034. ISBN-13: 978-1466500037.
Cyber intelligence is interpreted from two viewpoints: the government view and the corporate view. The government defines Cyber Intelligence as a secret state or group activity to influence foreign or domestic entities. The corporate view, on the other hand, defines intelligence as the action of defining, gathering, analyzing, and distributing intelligence about products, customers, competitors, and any aspect of the environment needed to support executives and managers in making strategic decisions for an organization. For corporations, finding ways to understand what the competitors are up to is a practice called intelligence. In both cases, they rely on cyber threat intelligence (CTI) to reach the goal.
CTI, according to Forcepoint (n.d.), is all "the information an organization uses to understand the threats that have, will, or are currently targeting the organization. This info is used to prepare, prevent, and identify cyber threats looking to take advantage of valuable resources." CTI is an advanced process that enables the organization to gather valuable insights based on the analysis of contextual and situational risks, and it can be tailored to the organization's specific threat landscape, industry and market.
The primary purpose of CTI is to keep organizations informed of the risks of advanced persistent threats, zero-day threats and exploits, and how to protect against them. Cybersecurity, as I came to realize, is not only about defensive countermeasures. To better protect their assets, organizations need to be proactive in mitigating cyber threats by implementing solutions aimed at protecting their assets and their competitive advantage. Conducting information gathering to assess their own vulnerabilities is of great importance and should be part of the overall cybersecurity strategy.
Technically, there are tools, such as open-source intelligence (OSINT) tools, to use when performing intelligence gathering. There are also traditional ways to gather intelligence without the use of OSINT tools. For example, to find out who the CEO of a company is, a simple search via a search engine will surely give that information. The issue arises when looking to go deeper: respecting the rules of engagement during intelligence gathering, so as to act professionally and ethically, is all-important.
Here the issue is how to act professionally and ethically without exposing yourself to ethical violations. The use of the Tor browser, combined with other tools, when conducting intelligence gathering is good. But while this browser enables a person to stay anonymous, it does not mean they are acting professionally. Some intelligence can be obtained via inference, where a combination of different data can establish or reveal effectively identifiable information. Information gathering when the data is not public knowledge is, in reality, ethically wrong to some extent. And there is always a way to conduct cyber intelligence while remaining professional and ethically sound. It is important, at least for an organization, to learn to protect itself against attacks on its assets by anticipating that there is a plethora of people who are looking to gather intelligence on their adversaries to seek a competitive advantage.
CTI, in conclusion, feeds the narrative that organizations need current information about potential sources of attack on their businesses to enable them to defend against those attacks or be proactive in this ever-evolving world of security. In this section of this ePortfolio, I will comment on what a cyber intelligence plan is all about.
It goes without saying that for the last couple of decades, all entities of different forms have come to depend on information technology (IT) systems. Computer network systems have invaded virtually every aspect of our society, and companies are being affected one way or another. The growth of the Internet, in particular, is driving the inter-connectivity paradigm even further. With this, an intercommunication revolution is underway, and no one can predict with certainty where it will take us.
Governments, businesses, and organizations of any size are all now, or will at some point be, connected to the Internet. These entities not only face traditional threats but also face cyber threats, which come with the benefit of being connected. While the benefit the Internet brings outweighs the cyber threat risks, companies cannot continue to expose themselves to a stream of threats without fighting. This section is about making companies' executive teams aware of the new environment they are now living in by bringing to their attention the different threats companies face, the threat actors, the capabilities and intentions of these actors, and the potential methods of delivery these actors can use to carry out their deeds.
Risks for most companies, if not all, are increasingly becoming too great to ignore, as doing so will certainly lead to security incidents that undoubtedly affect their reputation. Based on this understanding, I'm providing here a cyber defense proposal to mitigate the inevitable risks of cyber threats. This is called a Cyber Threat Intelligence Plan. In this plan, I will propose the acquisition of Cyber Intelligence tools that companies can leverage to anticipate threats and to reduce the time it takes to detect them.
Fig 1: CTI Idea
Assets to Protect
For a business to present a good Cyber Threat Intelligence Plan (CTIP), it must first understand the assets it is trying to protect against cyber threats. Companies, in general, have assets they need to protect against cyber attacks. A shortlist can include patents, software source code, network infrastructure, buildings, lab infrastructure, contracts, confidential agreements, marketing strategy, financial and customer data, and intellectual property. The reasons why threat actors will want to come after companies' assets can be related to financial gain, political statement, theft of intellectual property, disruption of critical infrastructure, revenge, or fame. The following, based on the comments from Secureworks (2017), is a visual presentation of threats, actors, and the different methods of delivery.
Table 1: A visual representation of the threats
Risk Reduction Plan, outlining a Risk Mitigation
Despite the ever-improving network defenses, the diverse possibilities available through remote hacking intrusion, supply chain operations to insert compromised hardware or software, actions by malicious insiders, and mistakes by system users will hold nearly all company networks and systems at risk for years to come. In short, the cyber threat cannot be eliminated; rather, cyber risk must be managed.
The following is a proposal for a mitigation plan that can be implemented and improved as a company moves along. It is far from being a panacea; rather, it is a starting point. This proposal ensures that the professional aspect of intelligence gathering is respected and that the process is ethical.
1. A tool for advanced breach detection and threats
I explored a plethora of products in this family, and taking into account the total cost of ownership and the return on investment of the different candidates, CrowdStrike or FireEye are good propositions depending on the budget. CrowdStrike is the one I found to be more affordable while accomplishing a lot of the tasks inherent to Cyber Threat Intelligence. Apart from its indicators of compromise (IOC) feature, I love the fact that it provides a unique feature called IOA (CrowdStrike, n.d.), or Indicator of Attack, which helps in identifying adversarial activity and behaviors across the entire attack timeline, all in real time. FireEye is also a good contender and a better product than CrowdStrike, but it is a bit overpriced.
2. Acquire software for log analysis instead of doing it manually
3. Review firewall rules, review the network infrastructure and increase layers of access
4. More than two tools for scanning the network to help in detecting any unusual traffic
5. A top-notch mechanism to update software is in place.
6. A robust backup system for the most critical data, to recover from any disaster in a matter of a few days rather than weeks.
7. Educate employees, partners, and stakeholders on cybersecurity best practices and assign roles
8. Put in place an Incident Response process so that people would know what to do when an attack happens
9. Conduct a post-mortem session to go over the incident, to assess our weakness and adjust as appropriate.
10. Document threat intelligence sources. Since there are so many sources of information out there, it is important to filter out the unnecessary ones and establish a list of sources that provide better, actionable intelligence
CrowdStrike (n.d.). Indicators of Attack versus Indicators of Compromise. Retrieved from CrowdStrike website: Indicators of Attacks
Forcepoint (n.d.). What is Threat Intelligence? Threat Intelligence Defined and Explored. Retrieved from Forcepoint website: What is Threat intelligence
Secureworks (2017, May 12). Cyber Threat Basics, Types of Threats, Intelligence & Best Practices. Retrieved from Secureworks website: Cyber Threats Basics
I opted to include the Cyber Threat Intelligence Plan (CTIP) artifact as part of this capstone because of the role it plays in the overall network defense for the organization's survival. With no intelligence, a business can easily lose its competitive edge for one reason or another, which may lead it to go under. Cyber intelligence up to that point was new learning to me, and I wanted to isolate the part that I think was the first to master; the Cyber Threat Intelligence Plan met the criteria. Anyone involved in cyber intelligence should be aware of a plan on how intelligence is to be done professionally and ethically. In the CTIP, a scope is defined, what is being searched for is determined, the limit of what is permissible is revealed, and the appropriate tools are proposed both to conduct adversarial attacks and to implement cybersecurity countermeasures. These countermeasures are necessary to mitigate business risk exposure to information theft.
This cyber intelligence course was one of those that strike at the core of the ethical conversation for a cyber professional. The reason is that the actions involved in cyber intelligence can quickly fall into the territory of illegality. During the course, the professor would specifically tell us to do more research and that students were not allowed to use methods that would be considered in violation of applicable laws and statutes regarding integrity and ownership of data and information. This does not mean being afraid of doing one's due diligence; it just means being alert at all times to the things to be done, the information to be gathered, and the methods to use.
Some information can be public but difficult to unearth, and may require special tools to dig into the depths of the World Wide Web. This is where I learned that anything to report must be gathered through the use of open-source intelligence so that the information is verified to be publicly accessible.
A sense of professionalism is required so that the personal integrity to do the work legally is observed at all times. Some information, such as the C-suite of an organization, can be easily found using a search engine, and for the most part, this information is publicly accessible, but some other information, such as C-suite email addresses, can be public but difficult to locate.
The rules of engagement strictly forbid hacking a company to gain intelligence, and when conducting intelligence gathering, the adversary must be an organization, not an individual. Learning these details is so important in order to act professionally, to be held accountable for one's actions, and to act ethically.