The use of conventional intelligence methodologies in Cyber Threat Intelligence
Rob Dartnall | Director – Cyber Intelligence
CONTENTS
Rob Dartnall
Director – Cyber Intelligence
Rob is a CREST Certified Threat Intelligence Manager (CCTIM) and Cyber Intelligence Director of SecurityAlliance, a Bank of England certified Cyber Threat Intelligence provider under the CBEST framework. With specialist interest areas of Insider Threat and Nation State Fusion Warfare, Rob has unique experience and insight into the threat landscape. In his role as the Associate Director of Cyber Threat Intelligence to Gartner, Rob and Security Alliance are the global providers of Threat Intelligence services to Gartner consulting.
From a conventional Military Intelligence background, Rob has been creating cyber threat assessments and testing programs for some of the largest organisations in Europe, North America, the Middle East and Africa.
WHEEL
NOT A WHEEL
THE BRIEFEST HISTORY OF INTELLIGENCE YOU WILL EVER SEE…
CONE OF PLAUSIBILITY
CONE OF PLAUSIBILITY - BASELINE
Russia continues to play upon internal political divisions due to economic stagnation and political differences. Poor security of country X firms and government departments allows Russian hackers to continue almost unimpeded. SM remains an open forum for misinformation operations conducted by Russian assets, who have additional resources due to an increased focus on NATO targets after the turn-down of Syrian ops.
[Diagram: cone of plausibility, 2017 to 2021, with drivers plotted across the Technology, Military, Political, Economic, Security and Social axes: reliance on SM – internal divisions; poor cyber security remains; Russia decreases Syria – increases NATO; country X plays nicely with Vlad; remains stagnant; global deterioration.]
CONE OF PLAUSIBILITY - PLAUSIBLE
[Diagram: cone of plausibility, 2017 to 2021, with drivers plotted across the Technology, Military, Political, Economic, Security and Social axes: increased awareness of fake news; security rapidly improves (Gov., Corp & Persons); Russia decreases Syria – increases NATO; country X plays nicely; remains stagnant; global deterioration.]
CONE OF PLAUSIBILITY - WILDCARD
Conventional diplomacy is side-lined as country X plays hard ball with Russia, both in public and in private. Offensive cyber operations and international sanctions against Russia increase tensions. Russian cyber ops increase in frequency and severity. With Russia's increased NATO focus, a new cold war ensues. Russia's economy becomes unstable and pressure mounts on the President's position.
[Diagram: cone of plausibility, 2017 to 2021, with drivers plotted across the Technology, Military, Political, Economic, Security and Social axes: reliance on SM – internal divisions; poor cyber security remains; Russia decreases Syria – increases NATO; country X plays hard ball; remains stagnant; global deterioration.]
CONE OF PLAUSIBILITY – MOSTLY STRATEGIC, SOMETIMES OPERATIONAL, RARELY TACTICAL
[Diagram: the cone. A baseline scenario, its drivers and assumptions are projected over a period of time; the cone opens out into plausible scenarios and, at its edges, wildcard scenarios.]
BACKCASTING – TIMELINE ANALYSIS
ASSUMPTIONS:
• WE HAVE IP OF INTEREST TO AN ADVANCED ACTOR / NATION STATE
• WE ARE AWARE OF THE BREACH
• THE BREACH BECOMES PUBLIC KNOWLEDGE
SCENARIO:
WE, PHARMACEUTICAL COMPANY X, WILL HAVE SUFFERED A SIGNIFICANT BREACH OF IP THIS YEAR, WHICH LEADS TO A FALL IN OUR SHARE PRICE AND THE COLLAPSE OF OUR MERGER.
STRATEGIC – OPERATIONAL – TACTICAL
BACKCASTING – TIMELINE ANALYSIS
WE, PHARMACEUTICAL COMPANY X, WILL HAVE SUFFERED A SIGNIFICANT BREACH OF IP THIS YEAR, WHICH LEADS TO A FALL IN OUR SHARE PRICE AND THE COLLAPSE OF OUR MERGER.
[Diagram: the scenario worked backwards as a timeline, laid out as a story arc (exposition, rising action, climax, falling action, denouement). The attack itself runs along the kill chain (reconnaissance, weaponisation, delivery, exploitation, installation, C2C, actions on objectives). Events on the timeline: Nation X increases IP collection; ops via proxy; initial recon; simple intrusion; exfiltrate; discovery; DFIR; inform board, regulators, authorities, state; press releases; poor messaging; media coverage; merger collapses. The reconnaissance and weaponisation phases are broken down further: initial recon, target ID, asset ID, method construct, exploit ID, etc.]
COMBAT INDICATORS (FLAGS AND SIGN POSTS)
WE, PHARMACEUTICAL COMPANY X, WILL HAVE SUFFERED A SIGNIFICANT BREACH OF IP THIS YEAR, WHICH LEADS TO A FALL IN OUR SHARE PRICE AND THE COLLAPSE OF OUR MERGER.
[Diagram: the backcast timeline repeated, with each kill chain phase (reconnaissance, weaponisation, delivery, exploitation, installation, C2C, actions on objectives) broken into the steps an attacker must take (initial recon, target ID, asset ID, method construct, exploit ID, etc.); each step is a flag or sign post that, if observed, indicates the scenario is unfolding.]
CRITICAL PATH ANALYSIS
BACKCASTING – ALWAYS STRATEGIC, ALWAYS OPERATIONAL, ALWAYS TACTICAL
What is the Most Likely Course of Action (MLCoA)? What is the Most Dangerous Course of Action (MDCoA)? What sits between?
BACKCAST THEM ALL
ANALYSIS OF COMPETING HYPOTHESES (ACH)
• PROSPECTIVE OR RETROSPECTIVE
• SOME SPECIALIST SOFTWARE AVAILABLE
• CAN BE LONG, COMPLEX AND RESOURCE HEAVY – BUT IT CAN BE QUICK AND DIRTY
ANALYSIS OF COMPETING HYPOTHESES (ACH)
HYPOTHESIS: ASSET A WILL BE COMPROMISED BY ACTOR (X)

EVIDENCE / CREDIBILITY    NS    NS – PROXY    OCG    HACKER    HACKTIVIST
ACTOR HAS MOTIVATION       4         4         4        3           4
ACTOR HAS CAPABILITY       4         3         3        3           2
ACTOR HAS OPPORTUNITY      4         4         3        3           3
ACTOR HAS PREVIOUS         4         4         4        2           2
SCORE:                    16        15        14       11          11
TIP: START BIG – go small
ANALYSIS OF COMPETING HYPOTHESES (ACH)
HYPOTHESIS: ASSET A WILL BE COMPROMISED BY ACTOR (X)

EVIDENCE / CREDIBILITY    CHINA    RUSSIA    IRAN    US    UK
ACTOR HAS MOTIVATION        4         4        4      3     4
ACTOR HAS CAPABILITY        4         3        3      3     2
ACTOR HAS OPPORTUNITY       4         4        3      3     3
ACTOR HAS PREVIOUS          4         4        4      2     2
SCORE:                     16        15       14     11    11
ANALYSIS OF COMPETING HYPOTHESES (ACH)
HYPOTHESIS: ASSET A WILL BE COMPROMISED BY ACTOR (X)

EVIDENCE / CREDIBILITY    APT 28    APT 29    APT 1    APT 3    APT 12
ACTOR HAS MOTIVATION         4         4        4        3        4
ACTOR HAS CAPABILITY         4         3        3        3        2
ACTOR HAS OPPORTUNITY        4         4        3        3        3
ACTOR HAS PREVIOUS           4         4        4        2        2
SCORE:                      16        15       14       11       11
WHAT ABOUT RETROSPECTIVELY?
ANALYSIS OF COMPETING HYPOTHESES (ACH)

EVIDENCE / CREDIBILITY    APT 28    APT 29
MALWARE A RECOVERED          4         2
MALWARE B RECOVERED          4         2
TOOL A                       4         4
TOOL D                       4         4
RUSSIAN LANGUAGE             4         4
IP XXX.X.XX.XXX              0         0
STATEMENT A                  3         3
STATEMENT B                  3         3
ASSET A IS…                  4         1
ASSET C LEFT                 3         2
TTP X                        3         1
SCORE:                      36        24
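As an added worked example (not from the slides), the prospective and retrospective ACH matrices above scored in Python. It goes one step beyond the slides by also reporting each evidence row's diagnosticity, the spread of its scores across the hypotheses: a row that scores the same against every hypothesis cannot help choose between them, however credible it is. Hypothesis and evidence labels are transcribed from the slides; the function names are assumptions of this example.

```python
from typing import Dict, List, Tuple

# ACH matrices transcribed from the slides: evidence row -> credibility
# score (0-4) per hypothesis, columns in the slide's hypothesis order.
PROSPECTIVE_HYPOTHESES = ["NS", "NS - PROXY", "OCG", "HACKER", "HACKTIVIST"]
PROSPECTIVE_EVIDENCE = {
    "Actor has motivation":  [4, 4, 4, 3, 4],
    "Actor has capability":  [4, 3, 3, 3, 2],
    "Actor has opportunity": [4, 4, 3, 3, 3],
    "Actor has previous":    [4, 4, 4, 2, 2],
}

RETROSPECTIVE_HYPOTHESES = ["APT 28", "APT 29"]
RETROSPECTIVE_EVIDENCE = {
    "Malware A recovered": [4, 2],
    "Malware B recovered": [4, 2],
    "Tool A":              [4, 4],
    "Tool D":              [4, 4],
    "Russian language":    [4, 4],
    "IP XXX.X.XX.XXX":     [0, 0],   # elided on the slide, kept as-is
    "Statement A":         [3, 3],
    "Statement B":         [3, 3],
    "Asset A is...":       [4, 1],
    "Asset C left":        [3, 2],
    "TTP X":               [3, 1],
}


def score(hypotheses: List[str], evidence: Dict[str, List[int]]) -> Dict[str, int]:
    """Column totals, i.e. the slide's SCORE row."""
    totals = {h: 0 for h in hypotheses}
    for name, row in evidence.items():
        if len(row) != len(hypotheses):
            raise ValueError(f"row '{name}' does not match hypothesis count")
        for h, v in zip(hypotheses, row):
            totals[h] += v
    return totals


def rank(hypotheses: List[str], evidence: Dict[str, List[int]]) -> List[Tuple[str, int]]:
    """Hypotheses from highest to lowest score; ties keep slide order (stable sort)."""
    return sorted(score(hypotheses, evidence).items(), key=lambda kv: -kv[1])


def diagnosticity(evidence: Dict[str, List[int]]) -> Dict[str, int]:
    """Spread (max - min) of each evidence row across the hypotheses."""
    return {name: max(row) - min(row) for name, row in evidence.items()}


def non_diagnostic(evidence: Dict[str, List[int]]) -> List[str]:
    """Evidence that scores identically for every hypothesis: it adds to the
    totals but says nothing about which hypothesis is true."""
    return [name for name, spread in diagnosticity(evidence).items() if spread == 0]
```

Summing the APT 29 column as transcribed gives 26 rather than the slide's 24, so check the source matrix before relying on either total; the APT 28 total of 36 and the ranking are unaffected.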
MURDER BOARD
Murder boards are used to aggressively review, without constraint or pleasantries, a situation's problem, assumptions, constraints, mitigations, and the proposed solution.
HORIZON SCANNING
What people don't realise is that professionals are sensational because of the fundamentals.
-Barry Larkin, US Athlete
DON’T FORGET THE BASICS
Open / closed / leading
REFINE THE QUESTION – CLARIFY, FOCUSING, WIDENING
Is the question clear? Can you answer it? Is it the right question? Are there assumptions? One or two questions? What information do they want? In what way does it need answering?
WHAT ARE WE ULTIMATELY LOOKING TO ACHIEVE?
“…IPB is a systematic, continuous process of analysing the threat and environment in a specific geographic area.”
INTELLIGENCE PREPARATION OF THE BATTLEFIELD
There are four main steps:
• Define the battlefield environment
• Describe the battlefield’s effects
• Evaluate the threat
• Determine threat COAs
WE ALL HAVE BIAS…
…but professionally trained analysts – using methodologies – know how to deal with it
Evoked Set reasoning
Mirror-Imaging
Lack of empathy
Authority principle
Premature conclusions
Worst Case analysis
Ruling Theory
Excessive secrecy
Parochialism
Ruling Party
Anchoring
Congruence bias
Confirmation bias
Choice supportive bias
Bias blind spots
Belief Bias
Bandwagon effect
Loss Aversion Effect
Just-world phenomenon effect
Information bias
Impact bias
Illusion of control effect
Hyperbolic discounting effect
Endowment effect
Disconfirmation bias
Contrast effect
Pseudocertainty Effect
Planning bias
Colour Psychology bias
Mere exposure effect
AND THAT IS JUST HALF OF THEM
‘Intelligence without communication is irrelevant.’ - General A M Grey, US Marine Corps
TERMINOLOGY
STATEMENT                      PROBABILITY RANGE
Remote or highly unlikely      <10%
Improbable or unlikely         11-25%
Realistic possibility          26-50%
Probable or likely             51-75%
Highly probable/likely         76-90%
Almost certain                 >90%
LET’S NOT FORGET WHAT INTELLIGENCE IS…
“…The directed and coordinated acquisition and analysis of information to assess capabilities, intent and opportunities for exploitation by leaders at all levels. Information is defined as unprocessed data of every description that may be used in the production of intelligence.”
A FINAL POINT ON CTI…
DISSEMINATION: ‘The timely conveyance of intelligence, in an appropriate form and by any suitable means, to those who need it’
ADD VALUE
SO WHAT?
CONSISTENT
CLARITY
BREVITY
USABILITY
QUESTIONS
CRITICAL PATH
SORRY, WHO ARE YOU AGAIN?
DO YOU EVEN TWEET BRO?
WIKI LINK ROB DARTNALL @CYBERFUSIONTEAM