With 2015 wrapped up, I wanted to reflect on some of the changes I noticed in the cyber threat intelligence (CTI) field over the course of the year. I originally had (overly) ambitious plans for this post, hoping to offer a sweeping and comprehensive review on threat intelligence. But alas. Time has expired–it’s already 2016! Instead, I decided to focus on two aspects of CTI that I’m passionate about: technology and tradecraft.
An Explosion of Intelligence Technology
An abundance of intelligence-enabling tools emerged in 2015. The open source community turned out some great projects: Brian Warehime’s threat_note, a lightweight indicator database; dnstwist, a handy script for mutating domain names; Chris Doman’s ThreatCrowd, a threat search engine; ioc-parser, a script to mine IOC; AlienVault’s Open Threat Exchange, a simple application for sharing threat information; and many more. Some of these tools found a spot on my toolbelt. Others queued up on my GitHub stars list collecting dust. But, not because they didn’t add value–there were just too many. Tom Lancaster had a good perspective on this open source explosion:
There are far too many os tools for analysts' for me to ever understand which one I should use above the 999 others in the same category.
— Tom Lancaster (@tlansec) November 23, 2015
And that’s the just open source side. Commercial offerings similarly exploded. PassiveTotal beefed up its offerings (while still managing to maintain analyst friendliness); DomainTools launched IRIS; Palo Alto Networks debuted Autofocus; Paterva released it’s latest version of Maltego called Chlorine; the marketing trains for threat intelligence platforms (TIP)–probably the hottest of CTI tool categories–steamed along aggressively; and EclecticIQ officially entered the TIP market.
While these tools all help to solve security and intelligence challenges, they’ve paradoxically created another challenge: determining what combination of tools and workflow are “right” for you the analyst and the organization you’re working to defend.
Importantly, testing these tools and integrating them into existing workflows, or creating new workflows, takes time. Even still, the practice of CTI is rapidly maturing. In short time, a tool may not meet the growing requirements of a CTI team, which could result in lost ROI. This is probably more of an issue for COTS tools, where significant investment is more likely to be made to deploy a tool and train analysts to use it. However, even “free” open source solutions typically demand costs in terms of additional development time to tune them to your needs.
The lesson I learned this year from researching and PoC’ing a variety of tools was this: start with use cases and requirements (i.e., the information needs of your intelligence customers) first. Knowing what questions you need to answer helps to narrow the focus of what tools you need and how to evaluate them during PoC cycles.
A Path for Tradecraft Standards
Tradecraft is tricky. Poor tradecraft can manifest in imperceptible, but consequential ways. Poor sourcing and citations for example, can lead a consumer to question the analyst’s conclusions and logic chain. Or, a failure to consider how information at hand supports more than one alternative scenario can lead to a misrepresentation of the likelihood of something happening, and thus how security managers draft possible actions.
Fortunately, this year the security and intelligence community took steps to formalize CTI tradecraft. Notably, the SANS Institute debuted FOR578, a course specifically designed to teach students about traditional intelligence tradecraft (the intelligence cycle, awareness of biases, ACH), the application of tradecraft to cyber intelligence, and the operationalization of intelligence. Looking at the syllabus, the course also appears to heavily emphasize the Kill Chain which, to date, probably stands as the most important framework for threat intelligence. It is not only an important cognitive framework, but it is also a means by which analysts can operationalize intelligence and enable network defense.
ThreatConnect penned an entertaining blog post on the Diamond Model by applying it to the Rebel attack on the Death Star. It was a clever way of promoting the Diamond Model as a structured analytic method. Next to the Kill chain, the Diamond Model is another important framework for analysis. I also appreciated ThreatConnect’s “evilness rating” cheat sheet. Every CTI shop should have clear rubrics and standards for threat assessment and confidence level rating. You don’t need to be a ThreatConnect customer to apply these rating standards to your analysis and intelligence products.
PassiveTotal also published a great blog series called Know Your Foe. This series provided analysts with tips on how to effectively pivot through malicious infrastructure along with cautions on analytic pitfalls. I cannot think of another resource that has done such an excellent job of advancing tradecraft standards.
In 2016, I hope to see more emphasis on traditional tradecraft techniques. CIA has been examining tradecraft practices for decades and offers a library of resources covering all aspects of intelligence from cognitive awareness, to handling relationships with intelligence customers, and analytic failures. I highly recommend checking out some of the Studies in Intelligence Journal publications. Some of my favorites from CIA library are on my resources page as well under “traditional intelligence tradecraft.”
Onward into 2016!
This is going to be an exciting year.
There will no doubt be more shiny intelligence tools coming to market along with continued development from the open source community. Defined use cases and requirements, perhaps along with established proof of concept and testing cycles, can help CTI teams to manage the flood of tools.
With respect to tradecraft, I believe that CTI teams that focus on foundational analysis tradecraft, which CIA has been exploring and writing about for decades, will be the most successful teams.
Tradecraft emphasis plus requirements-driven technology decisions could be a good formula for success in 2016.
Happy hunting in 2016! I’ll see you in cyber trenches : )