In light of APT, a new Cyber Intelligence model is called for

Written by Jeffreycarr, Monday, 1 February 2010 03:43. Last updated Monday, 1 February 2010 03:43.

The Computer Network Exploitation (CNE) process that Mandiant has labelled “Advanced Persistent Threat” has opened more than a few eyes in government and private industry. This is both distressing and heartening. It’s distressing because there is nothing new in APT except awareness on the part of the organizations that didn’t know it was happening to them. It’s heartening because that awareness is freeing up time and resources to address the problem in a serious way, which brings me to the point of this post.

Around the same time that Mandiant released M-Trends: Advanced Persistent Threat, Deloitte issued its report “Cyber Crime: A Clear and Present Danger“. It sheds light on the same methodology that Mandiant addresses, “persistent and sustained access”, although it doesn’t use the term APT to do it. What Deloitte does do, however, is dedicate a section to “Developing Actionable Cyber Threat Intelligence“. In it, Deloitte discusses the need for “a cyber risk management process [that] prioritizes threats, analyzes threats, detects a threat before, during, or after actual occurrence, and specifies the proper response.” The report’s diagram shows Deloitte’s “cyber intelligence acquisition and analysis” model. The graphic below is a blow-up of the left side of that diagram, which identifies a comprehensive list of open sources for intelligence gathering:

Intelligence is only as good as the raw data an analyst can extract it from. So what’s missing from Deloitte’s model? Quite a bit, if you’re concerned about State and non-State actors getting access to your critical information. Why? Because they won’t be holding strategy sessions on hacker forums that can be accessed by law enforcement or intelligence agencies, and if they were stupid enough to do that, it wouldn’t be in English. Instead, you need a patient, persistent, and sustained effort to find the private forums, IRC channels and other places where these conversations do take place. Think of it as a reverse-APT.

A second major flaw in this collection effort is that it ignores State-sponsored R&D projects entirely. If you know which widget a State is interested in (because it is investing in research to develop it), and your company makes that widget, you know where to focus your protection efforts.

This is actionable intelligence, and better still, it has a fast “time on target”, meaning you aren’t collecting a tsunami of data, most of which only slows down your intelligence-gathering effort. You cannot protect everything. Therefore you need to identify your critical data, identify who outside your agency or company wants that data, and focus your intelligence assets on identifying and researching those potential adversaries.

Contact me for a consultation on how to implement this for your company or agency if you’d like more information. In addition, I’ll be offering a two-day course at the IO Institute called “OSINT Hacks for Mining the Russian Internet” following InfoWarCon on May 17 and 18. A separate course is in development which focuses on the Chinese Internet. More information will be forthcoming as the date gets closer, but feel free to shoot me an email if you’d like to attend.

6 Comments

  1. Tom Parker   |  Tuesday, 02 February 2010 at 7:39 am

    Jeff, I understand your points, but I think you are misunderstanding the target audience of the Deloitte model. You also presuppose that the model cannot be utilized in the “patient, persistent” manner that you suggest. I do not see any reason why, or any suggestion in the Deloitte paper, that they are not endorsing a continued approach. It is an unfortunate fact, though, that many organizations (financial services et al.) do not have the resources, or the need, to engage in a continuous effort; that’s what companies like your own, iDefense and iSight Partners are for. The needs of Deloitte’s unclassified client base are generally more interrupt-driven, due to a specific emerging threat or network-level anomaly which needs to be handled.

    Regarding the need for an improved cyber intel model: you specifically call out the cyber intel efforts of law enforcement models and the IC. As someone who has never entered the classified realm, you should perhaps tread a little more carefully in assuming that such a model doesn’t already exist, especially if those are communities with which you wish to maintain credibility.

    Cheers.

  2. admin   |  Tuesday, 02 February 2010 at 8:16 am

    Thanks, Tom. You brought out some points that I should have made clearer. Deloitte’s model will have limited effectiveness because of its limited collection scope. They could certainly find *some* targets with it, and engage in what I called “reverse APT” but they’d almost never get in front of emerging threats.

    Yes, a cyber intelligence operation would most likely be a contract service by a vendor.

    Regarding your 2nd paragraph, I have high confidence in the value of what I propose because it stems from my and my company’s OSINT work for those very agencies.

  3. Tom Parker   |  Tuesday, 02 February 2010 at 9:15 am

    I understand that you work with those agencies in an unclassified manner, Jeff, and that many of them hold your OSINT work in high regard; however, that doesn’t change the fact that you do not hold and never have held a clearance, nor (should you) have had authorized access to currently classified data or data models. I’m not trying to detract from your point regarding the need for new intelligence models for certain environments; rather, you should perhaps exercise a little more care when assuming the state of affairs in environments that you have no experience within.

  4. admin   |  Tuesday, 02 February 2010 at 11:01 am

    Tom, as you know, I’m happy to argue points with my critics on this blog, and I’m happy to do so with you, but the points need to be both relevant to the post and factually based. Yours is neither. You pronounce that I’ve never had a clearance, which is factually incorrect. You’ve created a straw man about classified collection schemes which is not the focus of this post and then you caution me to not talk about what I didn’t talk about to begin with.

  5. Matthew Wollenweber   |  Tuesday, 02 February 2010 at 11:54 pm

    You write: “they won’t be holding strategy sessions on hacker forums that can be accessed by law enforcement or intelligence agencies. And if they were stupid enough to do that, it wouldn’t be in English. Instead, you need a patient, persistent, and sustained effort to find the private forums, IRC channels and other places where these conversations do take place.”

    How might you propose doing this and in what quantifiable ways would your proposed method be superior to existing methods?

    Also you do realize that obtaining non-authorized access to another country’s computer resources would likely be considered an act of war or espionage – given that, how might you scale such activities to mitigate on-going and ambiguous threats?

    You later write “Yes, a cyber intelligence operation would most likely be a contract service by a vendor”. I’m going to agree with Tom. A “reverse-APT” against another state, or resources within another state, as a “contract service by a vendor” speaks volumes about your experience in this space.

  6. admin   |  Wednesday, 03 February 2010 at 12:37 am

    How might I propose doing that? Well, it’s a complex process but I’ll be teaching a class on it at the IO Institute following InfoWarCon.

    Then you wrote: “obtaining non-authorized access to another country’s computer resources would likely be considered an act of war or espionage”. Wow, this is wrong in so many ways. Did my post advocate what you just claimed it did? Not that I can see. Would such an act be considered an act of war? Not according to the LOAC. Would it be espionage? Well, what YOU described would be. What I wrote in my post, however, would not be.

    And finally you write “a reverse-APT against another state or resources within another State as a “contract service by a vendor” speaks volumes about your experience in this space.”

    The first part of that sentence is so completely hosed that I’m not surprised at your snarky comment at the end of it. Regarding the use of contract services, about 70% of the work that’s done in the IC is done by contractors. Tysons Corner might as well be called “Contractor Row”.
