
Intel-Based Defenses and Cyber Intelligence

In my last post I talked about the six capability areas that comprise active cyber defense.  In this post, I will begin to break down one of the key elements of an ACD capability – i.e., how cyber intelligence and intel-based defenses can enable an adaptive security posture.

Take a holistic approach to cyber intelligence collection and analysis

Enterprises should take a holistic view of the cyber threat landscape and how their assets may be impacted by threats.  Such a holistic view should accommodate three levels of cyber intelligence:  strategic, operational, and tactical.  Each level participates in an OODA loop and the loops cascade from the strategic to the tactical level.  See OODA loop graphic below.

Figure: OODA Loop Workflow Process

Cyber intelligence maps to the observe and orient phases of the OODA loop.  At the strategic level, this translates to having a better understanding of the overall threat context, resulting (hopefully) in better policies and priorities, and better budgets for protection capabilities.  Cyber intel strategists must look beyond the attack kill chain to the entire ecosystem of hacker behavior and their own enterprise dependencies for information and communication.  For example, who is my cyber adversary and how does my adversary obtain value from exploited gains? Can I diminish this ability to “monetize” any gains taken from my enterprise? Is my extranet secure – can an attacker gain access through my partner network? Have trade-offs in my mobility policies weakened my defenses, and are adversaries targeting mobile platforms?

At the operational level, cyber intelligence is used to gain detailed knowledge of adversary TTPs so as to inform Courses of Action (COAs).  Cyber intel analysts must be cognizant of the specific attack vectors and threats that impact their organization, while being able to architect flexible defenses to mitigate these threats.  This requires constant updating on new vulnerabilities, post-mortem analysis of previous incidents, monitoring of underground forums for updates to TTPs, and review of the latest threat intelligence sources.  Additionally, cyber intel analysts must review the efficacy of their controls against the threats that they face.

At the tactical level, cyber intelligence is used to inform security operators about the current security state and activity of endpoints, to identify anomalous behavior or malicious activity on the network and at endpoints, and to provide actionable intelligence that can be executed through appropriate response COAs.
Using these three levels of cyber intelligence, enterprises can observe relevant threats, orient their defenses, and develop flexible countermeasures that are fine-tuned to the threats that they face.

Align intelligence collection and analysis to the cyber kill chain

One of the most damaging types of threats is known as Advanced Persistent Threats (APTs).  APTs are characterized as targeted attacks where the life cycle of an attack can take weeks to months or longer.  See APT Life Cycle graphic.

Figure: APT Life Cycle – courtesy of Dell SecureWorks

The APT life cycle figure depicts an intrusion kill chain.  The kill chain model provides a structure for organizing cyber threat intelligence to analyze intrusions, extract indicators, and drive defensive courses of action.  Furthermore, this model helps to prioritize investment for capability and intelligence gaps, and serves as a framework to measure the effectiveness of the defenders’ actions.  For example, strategic intelligence can help identify specific targets that attackers are arranging a campaign to go after, such as the intellectual property of a new product under development.  As a defensive measure, a defender may want to reduce any public information that would help an attacker to understand the infrastructure, employees involved, or business processes that are being targeted.  Operational intelligence should focus on developing intelligence on attack vectors and the specific methods by which sensitive data could be exfiltrated.  Attack vectors for APTs range from targeted phishing attacks to drive-by exploits (watering hole attacks).  APTs often leverage deceptive and stealthy tactics to gain access to victims’ systems and use botnet systems or remote access Trojans (RATs) to exfiltrate sensitive data.  Shared tactical intelligence combined with multi-level monitoring systems can identify botnet domains that are used to exfiltrate information.  Firewalls and other network flow enforcement mechanisms can be updated to block these domains as they are identified.  As you can see, by understanding the attacker’s approaches at each point in the APT life cycle through the use of cyber intelligence, specific courses of action can be developed that intercept and mitigate the threat.
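The last two sentences describe a concrete tactical loop: a sharing partner hands over exfiltration domains, the defender matches them against what the monitoring systems already see, and the enforcement point is updated.  The Python below is an added example written for this post (not code from the original or from any vendor): it matches a shared indicator feed against DNS resolver log lines, honouring the subdomain case (an indicator for update-cdn.example must also catch sync.update-cdn.example), groups the affected internal clients per indicator for the response COA, and emits DNS Response Policy Zone (RPZ) records that make the resolver return NXDOMAIN for the domains and their subdomains.  The indicator domains, the log lines and the "constructed" descriptions are all made up for the example.

```python
"""Match shared tactical intel (known exfiltration domains) against DNS logs
and emit resolver block entries.  Example code added for this post; the
indicators and log lines are constructed, not real observations."""
from collections import defaultdict

# Constructed indicator feed, as it might arrive from a sharing partner.
SHARED_INDICATORS = {
    "update-cdn.example": "RAT C2 (constructed)",
    "files.drop-zone.test": "exfiltration staging (constructed)",
}

# Constructed resolver log: "<timestamp> <client-ip> <query-name> <qtype>"
DNS_LOG = """\
2014-10-01T09:12:03Z 10.1.4.22 intranet.corp.example A
2014-10-01T09:12:07Z 10.1.4.22 sync.update-cdn.example A
2014-10-01T11:40:51Z 10.1.7.9 files.drop-zone.test A
2014-10-01T11:41:02Z 10.1.7.9 mail.corp.example MX
2014-10-02T02:15:44Z 10.1.4.22 update-cdn.example A
"""


def indicator_for(qname, indicators):
    """Return the indicator matching qname, walking up the label tree so
    that a subdomain of an indicator domain is also a hit."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def match_dns_log(log_text, indicators):
    """Return hits as (timestamp, client, qname, matched_indicator) tuples."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, _qtype = line.split()
        matched = indicator_for(qname, indicators)
        if matched:
            hits.append((ts, client, qname, matched))
    return hits


def hosts_by_indicator(hits):
    """Group affected internal clients per indicator, for the response COA."""
    grouped = defaultdict(set)
    for _ts, client, _qname, matched in hits:
        grouped[matched].add(client)
    return {ind: sorted(clients) for ind, clients in grouped.items()}


def rpz_records(indicators):
    """Emit RPZ records (owner names relative to the policy zone) that return
    NXDOMAIN for each indicator domain and for anything beneath it."""
    records = []
    for domain in sorted(indicators):
        records.append(f"{domain} CNAME .")
        records.append(f"*.{domain} CNAME .")
    return records


if __name__ == "__main__":
    found = match_dns_log(DNS_LOG, SHARED_INDICATORS)
    for hit in found:
        print("HIT", *hit, "->", SHARED_INDICATORS[hit[3]])
    print(hosts_by_indicator(found))
    print("\n".join(rpz_records(SHARED_INDICATORS)))
```

The grouping step matters as much as the blocking step: the hosts that resolved the indicator are the ones that need a host-level response, whereas the RPZ entries only stop further lookups.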

Implement multi-level intelligence sensors and analysis techniques that are fine-tuned to the threats you face

One example of an APT is the massive and long-lasting Operation Harkonnen cyber attack that has recently been discovered.  This APT allegedly exposed the data of 300 leading European organizations since 2003.  In this hack, an adware application was camouflaging a highly sophisticated APT that used unsigned trojans adapted for this particular purpose.  Remote access trojans (RATs) were embedded in the infected system and used to copy data from the target computers to an external domain.  The attack strategy relied on the RATs being well hidden, and backdoors were used only infrequently and for short periods of time, thus defeating security based on AV signature scans and on log analysis to identify suspicious events.  Since conventional, vulnerability-focused processes are proving insufficient in combating APTs such as the Harkonnen Hack, understanding the threat itself – its intent, capability, doctrine, and patterns of operation – is required to establish protection approaches.

Attackers in low-and-slow APT exploits such as the Harkonnen Hack alter their tactics over time while trying to evade detection by hiding their actions within the noise of normal system operation.  A low signal-to-noise ratio combined with the use of stolen credentials to create multiple attack launch points makes conventional defenses against such attacks almost useless.  Therefore, detection of APTs requires multi-level monitoring systems – from the application to user space to process to system resource to data packet levels – to derive tactical intelligence.  Operational intelligence can help inform defenders on what type of monitoring systems are needed, and guide these monitoring systems where to look and what to look for.
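To make the multi-level point concrete, here is an added example (written for this post, not the original's code and not tied to any product) that correlates two monitoring levels: the process that opened a socket and the network flow it produced.  A backdoor that is used only infrequently and briefly is invisible to a rule that fires on volume, but it still leaves two signals that normal operation rarely produces together: a destination that only one host in the enterprise ever talks to, and connection times that are spaced by long, nearly constant intervals.  The telemetry records, host names, process names and destinations are constructed, and the thresholds (one host, three connections, at least six hours between them, coefficient of variation of the gaps under 0.2) are assumptions to be tuned from operational intelligence, exactly the "where to look and what to look for" guidance the paragraph describes.

```python
"""Correlate process-level and network-level telemetry to surface low-and-slow
beaconing hidden in normal traffic.  Example code added for this post; every
record below is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed endpoint telemetry: (timestamp, host, process image, destination).
# Each record joins the process that opened the socket with the resulting flow.
EVENTS = [
    ("2014-10-01T08:00:00Z", "ws-01", "outlook.exe", "mail.corp.example"),
    ("2014-10-01T08:05:00Z", "ws-02", "outlook.exe", "mail.corp.example"),
    ("2014-10-01T08:07:00Z", "ws-03", "outlook.exe", "mail.corp.example"),
    ("2014-10-01T09:00:00Z", "ws-01", "chrome.exe", "www.corp.example"),
    ("2014-10-01T09:30:00Z", "ws-03", "chrome.exe", "cdn-47.example"),  # rare, but seen once
    ("2014-10-01T10:00:00Z", "ws-05", "updater.exe", "updates.vendor.example"),
    ("2014-10-01T11:00:00Z", "ws-05", "updater.exe", "updates.vendor.example"),
    ("2014-10-02T17:00:00Z", "ws-05", "updater.exe", "updates.vendor.example"),  # irregular gaps
    ("2014-10-01T02:00:00Z", "ws-07", "svchost.exe", "telemetry.sync-host.test"),
    ("2014-10-02T02:10:00Z", "ws-07", "svchost.exe", "telemetry.sync-host.test"),
    ("2014-10-03T01:50:00Z", "ws-07", "svchost.exe", "telemetry.sync-host.test"),
    ("2014-10-04T02:05:00Z", "ws-07", "svchost.exe", "telemetry.sync-host.test"),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def destination_prevalence(events):
    """How many distinct hosts contact each destination (enterprise-wide rarity)."""
    hosts = defaultdict(set)
    for _ts, host, _proc, dest in events:
        hosts[dest].add(host)
    return {dest: len(h) for dest, h in hosts.items()}


def interval_profile(timestamps):
    """Mean gap between connections in hours, and the coefficient of variation
    of the gaps (near zero means machine-like, scheduled timing)."""
    ordered = sorted(parse_ts(t) for t in timestamps)
    gaps = [(b - a).total_seconds() / 3600 for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg else float("inf")
    return avg, cv


def find_low_and_slow(events, max_hosts=1, min_connections=3,
                      min_interval_hours=6.0, max_cv=0.2):
    """Flag (host, process, destination) triples where the destination is
    rare across the enterprise and the connections are sparse but regular.
    Threshold values are assumptions for the example, not validated settings."""
    prevalence = destination_prevalence(events)
    by_key = defaultdict(list)
    for ts, host, proc, dest in events:
        by_key[(host, proc, dest)].append(ts)
    findings = []
    for (host, proc, dest), stamps in by_key.items():
        if prevalence[dest] > max_hosts or len(stamps) < min_connections:
            continue
        avg, cv = interval_profile(stamps)
        if avg >= min_interval_hours and cv <= max_cv:
            findings.append({
                "host": host, "process": proc, "destination": dest,
                "connections": len(stamps),
                "mean_interval_hours": round(avg, 2),
                "interval_cv": round(cv, 3),
            })
    return sorted(findings, key=lambda f: f["interval_cv"])


if __name__ == "__main__":
    for finding in find_low_and_slow(EVENTS):
        print(finding)
```

On the constructed data only the ws-07 svchost.exe triple survives all three filters: the once-seen cdn-47.example connection is rare but has no timing profile, updates.vendor.example is rare but its gaps are irregular, and mail.corp.example is contacted by three hosts.  Neither level alone would have separated the suspicious case from the other two.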

In the next post, I look into how sharing threat intelligence information can lead to more proactive defenses, and how standards are crucial to the sharing of this information.  I explore some of these standards efforts.