Contents
1 Abstract
2 The Role of Intelligence in Computer Network Defence
2.1 Background
2.2 What is Intelligence?
2.3 Using Intelligence
2.4 Monitoring and Sharing for Intelligence Gain
2.5 Poking the Bear (or the Panda)
2.6 Intelligence Cycle
2.7 Understanding Your Data
2.8 Sources of Threat Intelligence
2.9 The Financial Case for Threat Intelligence
2.10 Sharing Intelligence Securely
2.11 Conclusion
3 Examples
3.1 ‘Reconnaissance’
3.2 ‘Detecting Signatures’
4 About Context
1 Abstract
The purpose of this white paper is to educate the reader on how threat intelligence can add substantial value to the security of a computer network as part of a wider cyber security strategy.
The paper deals with understanding intelligence requirements, risks to an organisation’s data, differentiating between threat intelligence vendors and implementing the intelligence feed to detect and investigate nefarious activity. Intelligence differs from data and information substantially. Intelligence is assessed information; it highlights detail and allows the consumer to make tactical and strategic decisions in the context of the operating environment. Just as governments gather intelligence to better understand the threats and opportunities to the stability and security of a country, so too can organisations gather intelligence to help improve the security of their IT network and understanding of the threat landscape.
In order to consume intelligence effectively, an organisation should have an understanding of the activity on its network, the threat actors who will be targeting data on the network, and the gaps in network security which could be exploited by attackers. Only if the organisation has a developed view of what it is most worried about can it develop an effective intelligence strategy to address those requirements. Threat intelligence is a key part of any comprehensive cyber security strategy, though it is in no way a panacea to targeted attacks. Understanding the malware and methodologies being used by attackers against organisations operating in the same sector allows for early identification of attacks and effective remediation, potentially limiting the damage done.
Threat intelligence feeds should also educate senior decision makers about the threat landscape, allowing for a better understanding of how attackers are targeting data, which data is most at risk and the range of measures which a responsible organisation should consider in order to safeguard that data. There are significant differences in what threat intelligence vendors provide in this area and organisations should consider whether the various offerings address their needs for intelligence on specific actors. There is a financial case for investing in threat intelligence to mitigate attacks or limit the damage caused by attacks through early identification of nefarious activity. Targeted attacks are not solely an IT issue; they are a business risk. A cyber security strategy is essential if organisations are to understand the risks and threats to their data.
2 The Role of Intelligence in Computer Network Defence
2.1 Background
It was only with the Security Service Act 1989 and the Intelligence Services Act 1994 that the existence of the UK intelligence agencies, the Security Service, the Secret Intelligence Service and GCHQ, was officially acknowledged. Two decades later hardly a day goes by without the role and activities of the intelligence services being mentioned in the news and coming under a level of scrutiny. Never has the public had greater exposure to the work of the intelligence services – and yet there is still a very poor understanding, even among those working in security roles within business, about what intelligence is and how it can be used in a business context.
While the intelligence requirements and collection capabilities will in most cases be radically different from those used by government agencies, there is a role for intelligence and an intelligence strategy in most organisations. In particular, any organisation with a computer network within which commercially sensitive or business critical data are stored should consider very carefully how an intelligence function could work for them.
This paper seeks to educate the reader on the benefits of employing an intelligence strategy to aid computer network defence, focusing on the role threat intelligence can play in proactive detection of attacks and assurance of network health.
2.2 What is Intelligence?
‘Intelligence’ is a commonly misunderstood term and used by many product vendors when ‘information’ would be far more appropriate. The difference is simple: intelligence is information which has been assessed.
Data are the facts and figures, the masses of raw, unprocessed output of, for example in IT terms, device logs. ‘Data’ in this context is what is frequently now referred to as ‘Big Data’. It is very difficult to draw any meaningful conclusions and impossible to make tactical, let alone strategic decisions, using data alone. Information is different; information is data which has undergone a level of processing to give it meaning and structure. If data is roads, rivers, mountains and oceans, then information is a map. Information conveys a picture of what the data represents.
But information alone doesn’t help a business make decisions. That information needs to be assessed if it is to add value. So, for example: an IP address appears in log files (data), that IP address communicates daily at 13:00 with your network (information), the IP address is related to a command and control server with links to a state sponsored hacking group and similar activity has been seen across your industry (intelligence). Intelligence is essential if an organisation is to attain knowledge upon which it can base informed decisions.
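The data, information, intelligence ladder above, worked through in code as an added example that is not part of the original paper: constructed connection-log lines (the data) are reduced to per-destination beaconing summaries (the information), and each beaconing destination is then joined to a constructed, hypothetical context record of the kind a feed supplies (the intelligence). The log lines, the indicator values, the context fields and the sector relevance rule are all assumptions made for illustration; only the Python standard library is used.

```python
"""Data -> information -> intelligence on constructed log lines.

Added example, not code from the original paper. All addresses, timestamps
and context records below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample data: "timestamp src dst bytes" (not real traffic).
LOG_LINES = """
2013-11-04T13:00:12 10.0.5.23 203.0.113.7 512
2013-11-04T09:14:01 10.0.5.23 198.51.100.9 90211
2013-11-05T13:00:09 10.0.5.23 203.0.113.7 498
2013-11-05T02:30:00 10.0.7.11 192.0.2.44 700
2013-11-05T16:42:55 10.0.7.11 198.51.100.9 1200
2013-11-06T13:00:15 10.0.5.23 203.0.113.7 530
2013-11-06T02:31:10 10.0.7.11 192.0.2.44 700
2013-11-07T13:00:11 10.0.5.23 203.0.113.7 502
2013-11-07T02:29:40 10.0.7.11 192.0.2.44 700
""".strip().splitlines()

# Constructed, hypothetical context keyed by indicator. A real feed carries the
# same kinds of field: what the address is, who uses it, where else it was seen.
INTEL_CONTEXT = {
    "203.0.113.7": {
        "role": "command and control",
        "actor": "state-sponsored group (hypothetical)",
        "also_seen_in_sector": True,
        "sector": "engineering",
    },
    "192.0.2.44": {
        "role": "banking trojan drop site",
        "actor": "financially motivated crime group (hypothetical)",
        "also_seen_in_sector": False,
        "sector": "retail banking",
    },
}


def parse(lines):
    """Data: turn raw log lines into (timestamp, src, dst) tuples."""
    events = []
    for line in lines:
        ts, src, dst, _bytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst))
    return events


def find_beacons(events, min_days=3, max_jitter_min=5.0):
    """Information: destinations contacted on at least min_days distinct days at a
    consistent time of day (population std dev of minute-of-day <= max_jitter_min).
    Returns {dst: {"days": n, "hhmm": "HH:MM"}}."""
    by_dst = defaultdict(list)
    for ts, _src, dst in events:
        by_dst[dst].append(ts)
    beacons = {}
    for dst, stamps in by_dst.items():
        days = {t.date() for t in stamps}
        if len(days) < min_days:
            continue
        minutes = [t.hour * 60 + t.minute + t.second / 60 for t in stamps]
        if pstdev(minutes) <= max_jitter_min:
            mean = int(sum(minutes) / len(minutes))
            beacons[dst] = {"days": len(days), "hhmm": f"{mean // 60:02d}:{mean % 60:02d}"}
    return beacons


def assess(beacons, context, our_sector):
    """Intelligence: join the information to assessed context and decide whether it
    matters to this organisation. An indicator tied to a different sector's crime
    is 'known bad', but it is not intelligence this organisation can act on."""
    out = {}
    for dst, info in beacons.items():
        ctx = context.get(dst)
        if ctx is None:
            out[dst] = {**info, "relevant": None, "assessment": "unknown destination; investigate"}
            continue
        relevant = ctx["also_seen_in_sector"] or ctx["sector"] == our_sector
        out[dst] = {
            **info,
            "role": ctx["role"],
            "actor": ctx["actor"],
            "relevant": relevant,
            "assessment": ("likely targeted intrusion; escalate" if relevant
                           else "known bad but off-sector; low priority"),
        }
    return out


if __name__ == "__main__":
    beacons = find_beacons(parse(LOG_LINES))
    for dst, verdict in assess(beacons, INTEL_CONTEXT, "engineering").items():
        print(dst, verdict)
```

The periodicity test is deliberately crude (one fixed time of day, small jitter); real beacons often randomise their interval, so a production detector would look at inter-arrival distributions as well. The point of the example is the last step: the same "IP talks to us at 13:00 daily" information yields a different decision depending on the assessed context and on who you are.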
2.3 Using Intelligence
Organisations like Context constantly generate intelligence. Our managed service and ad hoc network compromise assessments find malware on networks, while our investigations build a picture of how the malware got there, who put it there, why they did so and its likely impact.
Reverse engineering malware is the key source of this information, as well as providing the indicators which allow us to find other instances of the same attack. State sponsored actors usually have multiple targets within the same sector, or across multiple sectors. Malware, methodology and infrastructure are shared across these targets – this is an industrialised process, implemented on a grand scale. Malware evolves as requirements and targets change, but through a form of genealogy we can link strains of malware to previous versions. That then allows us to link victims, infrastructure and attackers which may have appeared distinct previously.
This can give us the ability to predict how that threat actor works in the event of a compromise. But other service providers are likely to be working to protect other organisations from the same threat and may have a different – although probably overlapping – view of the same threat actors. Other government or commercial organisations could take decisions which could impact our investigation: infrastructure could be dismantled, malware reported to anti-virus vendors, or signatures released. When Mandiant released its APT1 report in early 2013 it detailed around 3000 indicators of compromise. But Mandiant was not the only company tracking those attacks. They had been so widespread that dozens of security companies and government agencies had been working to understand the same campaign, in some cases for several years, and had grasped different pieces of the same puzzle. Following publication of Mandiant’s report, the attackers ceased activity almost completely for several months, presumably while they examined their operational security procedures, replaced infrastructure and questioned the extent of third party knowledge about their operations. Meanwhile, the overwhelming evidence linking the attack to China caused its government political embarrassment and almost certainly increased operational costs.
The signatures released in the report were of interest to other security companies and government agencies investigating the same attack campaigns, although very few private organisations were able to make use of them for detection purposes because there was no context around the discrete pieces of information. That said, Context is broadly in favour of sharing reporting on campaigns and feels the net benefit is positive. The attackers will keep coming back to compromise organisations because they have a standing requirement for a certain type of data. Finding them again without any clues is difficult, but not impossible and managed security service providers should be constantly looking for new attack activity anyway, regardless of whether one attack methodology has been identified.
Attackers understand that their targets have internal security teams and work with external contractors who monitor and protect their networks. Attack activity will occasionally be disrupted for any number of reasons – victim machines are routinely upgraded or switched off for a few weeks while the user is on leave, anti-virus cleans an infection or compromised command and control machines are lost. Attackers are dealing with a large number of variables and expect hurdles in their way.
However, when a number of infected machines are taken offline simultaneously and – for example – multiple passwords have been changed as part of a coordinated effort to raise security, attackers will conclude that they have been discovered. They then simply start over again, attempting to restore access. In the case of state-sponsored attackers, the individuals who access compromises to try and steal data are unlikely to be the same individuals who compromised the victim’s network originally, meaning the equivalent of a ‘support ticket’ will be generated to inform the appropriate team that they need to restore access. As we have stated many times, this is an industrialised process.
2.4 Monitoring and Sharing for Intelligence Gain
Allowing an attack to continue for a while can be fantastically important and allows investigators to build a picture of who, what, where, when and how; knowledge that may prove crucial in achieving longer term mitigations. Most organisations take some time to become comfortable with this approach and rightly so: there has to be a high level of confidence that data is not being recklessly put at risk and that the investigators are capable of carrying out such an approach and knowing when to ‘pull the plug’. Longer term mitigations only come through fully understanding who the attackers are, how they work, and what data is being targeted.
It is also possible for network defenders to pro-actively compromise machines with hostile malware in order to try and entice attackers into uploading tools and tasking, giving away part of their methodology in the process. This approach needs careful management of risk, but these ‘incubators’ can provide unique insights into attacker behaviour.
The security community has very little evidence to show that attackers actively monitor the IT press to see which of their attacks have been found and what they can learn from reports published online. While it is inconceivable that the Chinese state doesn’t look through the reports which attract a higher level of media coverage, there is nothing to suggest attackers read every blogpost from every security company commenting upon these attacks, meaning that publicising an attack does not necessarily raise any risk to the victim.
Organisations should bear in mind that sooner or later details of the attack are likely to emerge. Another victim may decide that they cannot tolerate the attack any longer and (directly or indirectly) publish details. When that happens we, as investigators, have lost the opportunity to tell our story, but it is also a blow to our intelligence gathering operations.
Through publishing the story of a compromise, one significant positive outcome is that other researchers (individuals or companies) share their findings and provide other parts of the puzzle. They may even be able to add substantial value resulting in a more comprehensive view of the attack which benefits both the investigators and the victims. Sharing the story provides an opportunity to educate others, to give other victims a chance to detect the compromises and understand them in context.
2.5 Poking the Bear (or the Panda)
It is important to remember that within the working culture of Russian and Chinese espionage and the military more broadly, allowing intelligence or military activity to go on unchallenged is seen as a sign of weakness, whereas taking decisive action is respected. In all the investigations Context has conducted into state sponsored espionage on computer networks, regardless of size, sector or value of information being stolen, our work with the client to disrupt and mitigate attacks has never resulted in any ‘offensive’ action from the attacker; the attacker has never caused damage to the network or to the data which resides on it. Attackers accept that they will be found, that access will be lost and that their tools, techniques and procedures (TTPs) will be compromised and may be published for all to see. For the attackers it is a ‘business risk’.
Instead, in the majority of cases, the attackers go back to square one and start trying to rebuild their access. Their requirement for stolen data is unchanged. When we have had the opportunity to intensively monitor networks after a compromise, in many cases we do not see the attackers return for weeks or in some cases, at all. This may be because the particular group carrying out the attack is more risk averse than others, or because the attackers have all the data they require to fulfil their objectives and their presence was there simply as a backdoor for future access. Or it may be because they have found an alternative method to extract the same data.
That doesn’t necessarily mean that they have developed an attack which is undetectable. It may mean that another part of the intelligence apparatus is able to provide better access, perhaps through an attack on (for instance) the target’s law firm, or through a human source, or even through a different technical attack such as eavesdropping on telephone communications.
If we are talking about ‘APT’, this aspect highlights the ‘A’ – an ‘Advanced’ attacker will have different options it can use to achieve its goals. Data security is not simply a problem for the IT team, but an issue for the whole of the business. For example, a remote office in a hostile foreign state will raise the risk of compromise substantially, as locally engaged staff could be used – either willingly or under coercion – to steal data or enable an attack by browsing to a compromised website or by plugging in a USB device. This ‘facilitator’ may not even understand the consequences of their actions.
2.6 Intelligence Cycle
In the Context Whitepaper on Chinese sponsored cyber attacks – Crouching Tiger, Hidden Dragon, Stolen Data – we discussed the intelligence cycle at length. Here, for the sake of brevity, it is summarised in the diagram below. Governments have intelligence requirements which always include gathering intelligence on individuals, groups or states which pose a threat to national security or internal stability (terrorists, political extremists, military foes, and in some cases dissidents or minorities). But intelligence requirements can also include the gathering of intelligence to give the state an advantage, including political, economic or commercial intelligence.
[Diagram: the intelligence cycle: Planning / Direction → Collection → Processing / Exploitation → Analysis / Production → Dissemination / Evaluation → back to Planning / Direction]
These requirements are passed to government agencies with a remit to gather intelligence, such as the military, a domestic security service or police force, an external intelligence service, or a signals intelligence agency. Each has a set of capabilities it can apply to collection of information to address these requirements.
Once information is collected, it must be processed to understand its value, potentially translated, analysed for reliability and value, collated into reports and disseminated to appropriate parties. The feedback from the cycle helps to refine and develop requirements, and so the cycle continues. For a nation with a developed intelligence capability and complex requirements there could be thousands or even tens of thousands of individuals involved at each stage.
In order to start understanding whether and how your organisation may be at risk from attacks launched by such sophisticated threat actors, the first step is to fully understand the value of the data your organisation holds. Where does the data reside and who has access to it? Who might want to take it, how could a competitor or state use it to gain an advantage and what might be the impact of losing your most valuable data: short term financial loss or business ruin? What would the impact of data loss be on your customers and your reputation?
2.7 Understanding Your Data
To understand the data your organisation holds you need to engage the wider business. The board will have a good overview of what the business considers sensitive at a given point in time, including the findings of research being undertaken which could become sensitive at a later stage. It is then necessary to identify where the data resides and who has access to it; and to work towards gaining an understanding of the duration of sensitivity (for example, the design sensitivity of a product may end as soon as it goes on sale). It is also essential to understand which third parties hold data of value to the organisation: service providers and data aggregators may have lower (or higher) levels of protection than your organisation.
Once the data is identified, it is worth trying to develop a better understanding of how well protected your network is through a gap analysis exercise looking at network defences against the SANS Critical Security Controls or the BIS/CESG/CPNI/Cabinet Office Ten Steps to Cyber Security guide. This exercise should be conducted with the assistance of a third party able to provide an independent view of security and recommend actions that can be taken to improve it.
This step should consist of a review of the full range of threat actors with the potential to attack; and an assessment of the likelihood of a successful attack in the context of the data considered sensitive and the network security already in place. Methodologies of the threat actors considered most likely to attack should be analysed, to assess the likelihood of an attack succeeding and the potential for impact should the data targeted by attackers be compromised.
A full review of potential threat actors and their capabilities could be completed internally, or could be facilitated by an external provider, such as Context or another Cyber Incident Response provider (see a list of suitable providers at http://www.cpni.gov.uk/advice/cyber/cir).
2.8 Sources of Threat Intelligence
Once the organisation understands how well (or poorly!) defended it is and where attacks may originate, it is time to tip the odds in your favour. Network defence is a constant game of cat and mouse: attackers find holes, defenders plug them, and so on, meaning the defender is always playing catch up. The value of threat intelligence is that it offers an opportunity to get one step ahead of the attackers. While that may not happen every time, even detecting one attack before any damage is sustained could deliver huge benefits to the organisation.
There is no shortage of vendors of threat intelligence. Some vendors supply feeds covering single threat actor groups, such as Anonymous, others cover the broader spectrum of criminal malware or, in Context’s case, state-sponsored/targeted/sophisticated malware. Understanding how each vendor generates these feeds (and why) will also be of value in assessing whether it is the right product for you. Some generate intelligence from (and for) their product, whether through the use of intrusion detection technology or next-generation APT detection hardware. Others generate intelligence by conducting incident response investigations and reverse engineering of malware connected to groups in an attempt to identify or mitigate future activity against different targets.
Knowing which groups of attackers are more likely to pose a threat to your data will allow you to narrow down the vendors significantly, as will in-depth discussion of the products with vendors. Anyone can supply large lists of IP addresses to block – but that is information, not intelligence. This isn’t about quantity, it’s about quality: the IPs may very well be worthy of blocking, but if they are related to financial crime and your organisation is a non-profit, that information offers no value.
A good threat intelligence feed has three functions: to provide specific intelligence on cyber threats likely to affect your sector, allowing identification and remediation of threats before they impact the network; to paint a detailed picture of the changing cyber threat landscape and how threat actors’ methodologies and capabilities are evolving; and to provide assurance to senior management that proactive steps are being taken to counter cyber threats which could seriously impact the business.
2.9 The Financial Case for Threat Intelligence
Currently the threat intelligence market varies massively. In the past the number of vendors was small, but this is changing as more specialist companies find themselves sitting on rich seams of knowledge about threat actors. Service costs also vary widely, with some vendors charging many thousands of pounds for a single report while others charge only a few thousand pounds for a subscription. Value will only be derived if the client understands which threats are of greatest significance to them and is certain the vendor can supply intelligence that will assist in countering that threat. Only by comparing several feeds will an organisation be able to make an informed judgment on the cost of a service against the value it provides.
In making the financial case for subscribing to a service organisations should also consider the cost of incidents, which may be difficult to estimate. Various surveys by the security industry and governments put the cost of cyber crime in the UK at billions of pounds annually – but the data behind these numbers can be misleading and could be inaccurate.
The Ponemon Institute's 2013 Cost of Cyber Crime study found the average cost to businesses of cyber crime is now more than $7 million per year – a 30% increase over 2012. The average number of attacks per company grew by 20% to 73 successful attacks per year. The study also shows that companies which implemented security intelligence systems reduced costs by an average of $2 million. In Context’s experience only a minority of incidents are investigated to the point of a financial impact assessment being possible. But costs certainly can be significant: according to MI5, one London-listed company lost £800 million as a result of an intrusion in 2012.
In understanding the cost of an incident, organisations should consider first the immediate cost of recovery. Does the organisation have an internal incident response team able to deal with the incident effectively? If not, the organisation will have to meet the costs of external incident response consultancy, which could run into tens of thousands of pounds for analysis, investigation and remediation. Replacing hardware or taking the network offline for a larger remediation event will add further costs.
Then there are the direct and indirect costs relating to lost data. If a financial company suffers the theft of credit card data it faces the cost of replacing customer cards and the cost of fraudulent purchases, both of which are relatively easy to calculate. Much harder to assess is the cost of stolen IP, because it may be unclear how this data could be [ab]used. But if an organisation has no idea that its network has been compromised and that data is being exfiltrated, it will be completely unable to make an impact assessment. Finally there is the cost of implementing network hardening measures in order to prevent a similar attack in the future.
2.10 Sharing Intelligence Securely
Another aspect of threat intelligence is community. As consumers of threat intelligence feeds become more aware of threats and of the value of intelligence, organisations could contribute to the collective security of other organisations in their sector and beyond by sharing details of attacks or incidents that have affected them, or of investigations they have undertaken. Sharing details of malware and signatures pertaining to attacks could help others detect and disrupt attacks on their network – and they may then feed more intelligence back.
Not all companies will wish to share intelligence, and others may only do so after a long process of ensuring that the organisation is comfortable doing so. Where required, third party specialists like Context can facilitate this sort of information exchange and manage the associated risks through a process of obfuscation and anonymisation: communicating vital information but concealing anything which may be seen as sensitive.
Taking collective responsibility for cyber security in this way benefits ‘UK plc’ and ultimately makes life harder for the attackers. The point at which it becomes too difficult, too expensive or too risky to conduct cyber attacks, is the point when the attackers will revert to use of more expensive HUMINT (human intelligence) methods.
2.11 Conclusion
Threat intelligence should be a significant part of any comprehensive cyber security strategy. Threat intelligence should raise awareness among decision makers, inform the IT security team about the latest attack evolutions and, if the threat intelligence feed is tailored to the threat actors the organisation faces, could stop damaging attacks before they happen.
By understanding the way the attackers work, an organisation has the potential to reduce risk through managing security vulnerabilities and by putting the organisation in a position where it is able to detect attacks before any impact occurs. Looking at the entire threat landscape and trends in methodologies used by threat actors, whether state sponsored or hacktivist, provides organisations with an opportunity to get ahead of those seeking to cause harm.
With a cyber security strategy in place, and buy-in at board level, organisations should be able to make threat intelligence play a valuable role in network defence. But this is the internet, and the downside to operating in an online world is that individuals, groups, criminals or nation states can seek to compromise your network and steal your data. There are no easy fixes; the tools the organisation has invested in may mitigate many lower level risks, but not offer protection against more complex attacks carried out by motivated, sophisticated actors. To effectively protect the most sensitive data, users may have to accept a degree of inconvenience – particularly the most senior users who often have the most access to sensitive data.
It is impossible to protect everything, but in most cases only a tiny minority of a company’s data really requires the extra level of security. Above all, it is essential to recognise that cyber security is not just an IT problem – it is an issue for the whole business. And it is an issue that is not going away any time soon.
3 Examples
3.1 ‘Reconnaissance’
Intelligence:
A Chinese APT group makes use of 'The Harvester' tool in order to perform large-scale, automated open source research into target organisations. The group uses infrastructure to conduct reconnaissance that does not overlap with known implant command and control infrastructure.
Suggested Action:
Perform similar reconnaissance against your own organisation and examine the tool's output to gauge your exposure and the specific details the actor may possess.
Application of Intelligence:
A phishing campaign is detected. Analysis of the emails reveals that the 'To' addresses contain contiguous blocks of addresses taken directly from 'The Harvester' output. This implicates the use of this tool and thus the Chinese APT actor becomes a likely candidate in this attack. Knowledge of the specific attacker allows for a more targeted and effective response. Affected users can be briefed that they may be subjected to future attacks.
Summary:
Intelligence from the Reconnaissance phase of an attack can be used to detect the Delivery phase. This is not ideal for stopping attacks sooner, but it shows how attribution can assist in preparedness for attacks. It can then be used to understand the effectiveness of the defences in place. Would current network sensor deployments have visibility of this activity? Would they detect and alert upon this type of behaviour?
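The check described in this example, as an added illustration that is not part of the original paper: the 'To' header of a suspect message is compared against the address list your own theHarvester-style run produced, and the scorer looks not just for overlap but for the tell-tale sign the text describes, a run of recipients that appears as one contiguous, same-order slice of the tool's output. The OSINT list, the message headers and the domain are constructed for illustration; the threshold for calling something "Harvester-sourced" is an assumption.

```python
"""Does a phishing recipient list look like it was lifted from OSINT output?

Added example, not code from the original paper. Addresses, headers and the
example.org domain are constructed; the min_run threshold is an assumption.
"""
import re

# Constructed: the addresses a theHarvester-style run against our own domain
# returned, in the order the tool emitted them.
OSINT_EMAILS = [
    "a.adams@example.org", "b.baker@example.org", "c.clark@example.org",
    "d.davis@example.org", "e.evans@example.org", "f.foster@example.org",
    "g.green@example.org", "h.hill@example.org",
]

# Constructed phishing header block (not a real message). Note the folded To: line.
PHISH_HEADERS = """\
From: "HR Portal" <hr-notice@example-careers.net>
To: c.clark@example.org, d.davis@example.org, e.evans@example.org,
 f.foster@example.org
Subject: Updated holiday policy
"""


def recipients(raw_headers):
    """Return the To: addresses in message order, unfolding RFC 5322 continuation lines."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    for line in unfolded.splitlines():
        if line.lower().startswith("to:"):
            return [a.strip().lower() for a in line[3:].split(",") if a.strip()]
    return []


def contiguous_runs(rcpts, osint):
    """Longest run of recipients that is a contiguous, same-order slice of the OSINT
    list. Returns (run_length, start_index_in_osint); (0, -1) if no overlap."""
    pos = {addr: i for i, addr in enumerate(osint)}
    best = (0, -1)
    run, start = 0, -1
    for k, addr in enumerate(rcpts):
        i = pos.get(addr)
        if i is not None and k > 0 and pos.get(rcpts[k - 1]) == i - 1:
            run += 1                      # continues the previous slice
        else:
            run = 1 if i is not None else 0
            start = i if i is not None else -1
        if run > best[0]:
            best = (run, start)
    return best


def score(raw_headers, osint, min_run=3):
    """Summarise overlap and contiguity. min_run is the assumed threshold above which
    the ordering is unlikely to be coincidence and the OSINT tool is implicated."""
    rcpts = recipients(raw_headers)
    overlap = set(rcpts) & set(osint)
    run_len, start = contiguous_runs(rcpts, osint)
    return {
        "recipients": len(rcpts),
        "osint_overlap": len(overlap),
        "longest_contiguous_run": run_len,
        "osint_offset": start,
        "likely_harvester_sourced": run_len >= min_run,
    }


if __name__ == "__main__":
    print(score(PHISH_HEADERS, OSINT_EMAILS))
```

Overlap alone is weak evidence: any attacker who scraped your website would hit some of the same addresses. The ordering is the stronger signal, because a human assembling a target list rarely reproduces the tool's emission order, whereas a script slicing its output does; that is why the scorer reports the contiguous run and its offset into the OSINT list rather than a bare count.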
3.2 ‘Detecting Signatures’
Information:
Previous attacks by an APT actor have leveraged 'content delivery', where a weaponised document is created using a binding tool. The tool has also been used by other groups, all of which have been categorised as Chinese APT actors. Knowledge of previous attacks by multiple groups has been mapped to targeted industry sectors.
Suggested Action:
Analysis of weaponised documents from previous campaigns is used to derive signatures that assist in the collection of further samples and implementation of IOCs that can be deployed to network and host-based detection capability.
Application of Intelligence:
Documents are scanned by a Network Intrusion Detection System (IDS) configured to examine HTTP downloads and SMTP attachments. The signatures for the weaponised document metadata are deployed to this IDS and therefore the SOC analysts are alerted to the malicious file, even though the exploit and payload are as yet unknown and undetected. The malicious document is retrieved and malware analysis can result in additional signaturing mechanisms for the exploit and payload. This may in turn assist attribution to one of the identified potential groups who share the binding tool.
Summary:
The Weaponisation phase is used to detect in the Delivery phase, choosing the correct route along the Kill Chain and so stopping attacks sooner. Again, current defensive gaps can be identified. Would current network sensor deployments have visibility of this activity? Would they detect and alert upon this type of behaviour?
Effective signaturing mechanisms and centralised alerting are paramount. Knowledge of attacker TTPs needs to extend beyond your own organisation. A simple IDS is not necessarily effective unless configured to perform additional processing (file extraction).
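The "additional processing" step this example turns on, shown as an added illustration that is not part of the original paper: once the IDS has extracted a file from an HTTP download or SMTP attachment, a scanner opens the OOXML package, pulls the creator, last-modified-by and application fields from docProps/core.xml and docProps/app.xml, and matches them against metadata signatures. The signature values here (a binder that stamps a fixed author string) are hypothetical, the sample documents are built in memory and carry no exploit content, and the hand-off from the IDS is assumed rather than shown; the file-extraction mechanism itself is whatever your sensor provides.

```python
"""Metadata signatures over extracted OOXML documents.

Added example, not code from the original paper. The signature values are
hypothetical and the test documents are constructed in memory; none of this
is derived from a real campaign.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Hypothetical metadata signatures. In practice these come from analysing documents
# recovered from earlier campaigns, as the paper describes; "builder" is a placeholder.
SIGNATURES = [
    {"id": "HYPO-BINDER-01", "field": "creator", "regex": re.compile(r"^builder$", re.I)},
    {"id": "HYPO-BINDER-01", "field": "last_modified_by", "regex": re.compile(r"^builder$", re.I)},
]


def extract_metadata(blob):
    """Return {creator, last_modified_by, application} from an OOXML package.
    Returns {} for anything that is not a zip (e.g. legacy OLE .doc), so a caller
    can fall through to another parser instead of silently passing the file."""
    if not blob.startswith(b"PK\x03\x04"):
        return {}
    meta = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for tag, key in (("dc:creator", "creator"), ("cp:lastModifiedBy", "last_modified_by")):
                el = root.find(tag, NS)
                if el is not None and el.text:
                    meta[key] = el.text
        if "docProps/app.xml" in names:
            el = ET.fromstring(z.read("docProps/app.xml")).find("ep:Application", NS)
            if el is not None and el.text:
                meta["application"] = el.text
    return meta


def match_signatures(meta, signatures=SIGNATURES):
    """Signature ids whose field pattern matches the extracted metadata."""
    hits = {s["id"] for s in signatures
            if meta.get(s["field"]) is not None and s["regex"].search(meta[s["field"]])}
    return sorted(hits)


def scan_attachment(blob):
    """What the SOC would receive for one extracted file: the metadata and any alerts."""
    meta = extract_metadata(blob)
    return {"metadata": meta, "alerts": match_signatures(meta)}


def build_docx(creator, last_modified_by, application="Microsoft Office Word"):
    """Constructed minimal OOXML package carrying only metadata parts; no exploit
    content, used here as a stand-in for an extracted attachment."""
    core = (
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        "<dc:creator>%s</dc:creator><cp:lastModifiedBy>%s</cp:lastModifiedBy>"
        "</cp:coreProperties>" % (NS["cp"], NS["dc"], creator, last_modified_by)
    )
    app = '<Properties xmlns="%s"><Application>%s</Application></Properties>' % (NS["ep"], application)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_attachment(build_docx("builder", "builder")))
    print(scan_attachment(build_docx("Jane Smith", "Jane Smith")))
```

Two design points worth keeping when you adapt this: the scanner says nothing about the exploit or payload, which is exactly the situation the example describes (metadata fires before the exploit is known), and it returns an empty result rather than an alert for non-zip input, so a legacy OLE document or an encrypted archive is visibly "not parsed" instead of quietly "clean".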
4 About Context
Founded in 1998, Context is an independently operated cyber security consultancy which specialises in providing highly skilled technical consultants to support organisations with their ever-evolving information security challenges. We work with some of the world’s highest profile blue chip companies and government organisations. Our comprehensive service portfolio incorporates penetration testing and security assurance services, incident response, forensic investigations, and technical security research projects. In the UK, we are certified by CESG and CPNI for the Cyber Incident Response scheme to assist organisations to respond effectively to sophisticated cyber-attacks. We are a founder member of CREST and its associated standards, and continue to hold leadership positions within CREST in the UK and Australia. We are also a ‘Green Light’ CESG (CHECK) service provider. Context is actively involved with the UK Security Researchers Information Exchange (SRIE), and we are particularly active within the Open Web Application Security Project (OWASP) and regularly present the results of our research at international industry events and closed forums.
With offices in the UK, Germany and Australia, we are well placed to work with clients worldwide. In the ever-changing world of security, our clients choose to retain our services year after year.
An exceptional level of technical expertise informs all of our consultancy work, while a comprehensive approach and input from our dedicated Threat Intelligence and Research departments means we can help clients attain a deeper understanding of security vulnerabilities and threats. Our reputation is based above all on the technical skills, professionalism, independence and integrity of our team.