The Objective: Operational Cyber Intelligence

Technical and tactical cyber intelligence have failed to accomplish their objectives for lack of sufficient manpower. The solution lies in operational intelligence that is collected and analyzed automatically.

Illustration: Bigstock

Visitors to the CyberTech 2016 exhibition had the impression that every single exhibitor boasted a cyber intelligence capability. Indeed, cyber intelligence (or threat intelligence) has evolved into one of the hottest trends of the cyber technology industry in the last few years. Even the relatively small Israeli market generates massive demand for intelligence services, and some ten product and service companies are involved in this activity, competing with one another.

The regulator has not remained idle either. According to Directive #361 of the Banking Supervisor at the Bank of Israel, financial institutions must use intelligence in addition to the other security mechanisms they employ. So, apparently everyone is talking about cyber intelligence and many people would like to know how to consume it, but what, in fact, is cyber intelligence and how does it help users to defend themselves against threats?

Cyber intelligence produces operational insights by looking outside the organization and issuing alerts of imminent and future threats to the organization. The type of intelligence may be categorized according to the manner in which the information is collected and analyzed and the manner in which the final product is used. Roughly, the world of cyber intelligence is divided into three categories: technical intelligence, tactical intelligence and operational intelligence.

Technical Intelligence

Technical intelligence constitutes the overwhelming majority of intelligence sold around the world. This intelligence category is based on a method adopted from military intelligence, known as Signals Intelligence (SigInt), which consists of intercepting electronic signals and deriving information from them. In the Internet world, this refers to the characteristics of web traffic (IP addresses, server locations and so forth), as well as to malware indicators. Combining these data makes it possible to identify suspicious traffic to and from the organization, and to block it.

Organizations and suppliers that collect intelligence of this category deploy networks of sensors to identify suspicious traffic and IP addresses suspected of disseminating malware and junk mail. This information is delivered in a digital format directly to the security systems (Firewalls, Anti-Virus software) and enables them to block undesirable elements. The primary disadvantage of this intelligence category is the fact that it is essentially responsive, namely – it identifies and handles attacks that have already taken place somewhere in the digital space. It cannot effectively identify new attacks that have not been documented, analyzed and translated into 'signatures'.

The various approaches that attempt to solve this problem through mathematical/statistical analysis of behavior patterns are plagued by a high percentage of false-positive 'noise'. Additionally, these technical intelligence models do not normally produce insights regarding potential attacks, and no conclusions may be derived from them for the purpose of making tactical or strategic security decisions. Finally, the widespread use of robotic networks (botnets) for offensive purposes makes spotting and prevention extremely difficult.
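The two preceding paragraphs describe technical intelligence as a feed of indicators (addresses, hosts, malware hashes) that security systems apply to traffic, and its main limitation: it only recognizes what has already been documented somewhere. The following is an added example, not code from the article or from any vendor it names, showing that mechanism end to end: a constructed indicator feed is loaded and matched against constructed proxy/firewall records. The feed format, the log format, the addresses, hostnames and digests are all assumptions made for illustration; none of them are real indicators. The last log record is a constructed "new" attack whose infrastructure is in no feed, and it passes unflagged, which is exactly the reactive gap the text describes.

```python
"""Applying a technical-intelligence indicator feed to traffic logs.

Added example, not code from the original article or from any vendor it
names. The feed and the log records are constructed sample data: every
address, hostname and digest below is a placeholder, not a real indicator.
"""
import ipaddress
from dataclasses import dataclass, field

KNOWN_DIGEST = "a" * 64    # constructed: hash of a documented dropper
UNKNOWN_DIGEST = "b" * 64  # constructed: hash of a payload no feed has seen

# Constructed feed, one indicator per line as  type,value,description.
# Real feeds (vendor CSV, STIX bundles) carry the same kinds of fields.
FEED = f"""\
ipv4,203.0.113.10,constructed: known spam relay
ipv4,198.51.100.0/24,constructed: botnet command-and-control range
domain,update-check.example,constructed: malware download host
sha256,{KNOWN_DIGEST},constructed: known dropper
"""

# Constructed proxy/firewall records:  time  src  dst  host  sha256-of-download-or-'-'
LOGS = [
    "2016-02-01T10:00:00Z 10.0.0.5 203.0.113.10 mail.example -",
    f"2016-02-01T10:00:05Z 10.0.0.7 198.51.100.77 cdn.update-check.example {KNOWN_DIGEST}",
    "2016-02-01T10:01:00Z 10.0.0.9 192.0.2.44 news.example -",
    # Constructed 'new' attack: infrastructure and payload not yet documented in any feed.
    f"2016-02-01T10:02:00Z 10.0.0.9 192.0.2.200 fresh-host.example {UNKNOWN_DIGEST}",
]


@dataclass
class Feed:
    ips: dict = field(default_factory=dict)      # exact address -> description
    nets: list = field(default_factory=list)     # (ip_network, description)
    domains: dict = field(default_factory=dict)  # lowercase domain -> description
    hashes: dict = field(default_factory=dict)   # lowercase sha256 -> description


def load_feed(text: str) -> Feed:
    """Parse the CSV-like feed; an unsupported indicator type is rejected loudly."""
    feed = Feed()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, value, desc = (part.strip() for part in line.split(",", 2))
        if kind == "ipv4" and "/" in value:
            feed.nets.append((ipaddress.ip_network(value, strict=False), desc))
        elif kind == "ipv4":
            feed.ips[str(ipaddress.ip_address(value))] = desc
        elif kind == "domain":
            feed.domains[value.lower().rstrip(".")] = desc
        elif kind == "sha256":
            feed.hashes[value.lower()] = desc
        else:
            raise ValueError(f"unsupported indicator type: {kind!r}")
    return feed


def match_line(feed: Feed, line: str) -> list:
    """Return the descriptions of every indicator a single record matches."""
    _ts, _src, dst, host, digest = line.split()
    hits = []
    addr = ipaddress.ip_address(dst)
    if str(addr) in feed.ips:
        hits.append(feed.ips[str(addr)])
    hits.extend(desc for net, desc in feed.nets if addr in net)
    # A domain indicator also covers its subdomains: walk from the host up to each parent.
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in feed.domains:
            hits.append(feed.domains[candidate])
            break
    if digest != "-" and digest.lower() in feed.hashes:
        hits.append(feed.hashes[digest.lower()])
    return hits


def scan(feed: Feed, lines) -> list:
    """Pair every record with its hits; an empty list means the feed recognized nothing."""
    return [(line, match_line(feed, line)) for line in lines]


if __name__ == "__main__":
    feed = load_feed(FEED)
    for line, hits in scan(feed, LOGS):
        verdict = "BLOCK" if hits else "pass "
        print(verdict, line.split()[2], "|", "; ".join(hits) or "no known indicator")
```

The first record is blocked on an exact address, the second on three independent indicators (network range, parent domain and file hash), and the third is clean. The fourth record, the constructed undocumented attack, produces no hits at all: a feed can only block what someone has already observed, analyzed and published, which is why the text treats technical intelligence as reactive.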

Tactical Intelligence

The second intelligence category is tactical intelligence. This category is about spotting and identifying preparations for an attack, identifying information that leaked from the organization and analyzing the technological capabilities and motivation of the attackers, as well as their development methods and attack vectors, with the intention of providing early warning prior to the attack. This intelligence category relies on Human Intelligence (HumInt) or the translation thereof to the web world – WebInt – plus complementary technical intelligence.

This intelligence activity is similar to the ages-old methodology of operating agents who collect information directly and pass it on to their operators for analysis, processing and subsequent action, combined with field intelligence specialists who analyze the 'combat doctrines' of the various opponents, their possible attack objectives, methods for extensive cyber warfare operations and so forth.

HumInt in the cyber world includes the creation of virtual personae, or 'Avatars', planting them in attacker groups or in organized crime forums, passively 'monitoring' their discussions and reporting the information to the operator. The product of this intelligence-gathering effort is normally a report that concludes the activity and offers recommended courses of action, or in more uncommon cases – a concrete early warning of an intended attack.

This intelligence category suffers from a dual disadvantage – as it involves entities operated by humans, the coverage span of the intelligence being collected is limited. A good cyber analyst can operate 2-5 entities simultaneously, but there are dozens of forums in which he should operate. After the intelligence has been produced, it is submitted to the end user as a report that he should read, analyze and then make decisions regarding possible courses of action. Naturally, this burdens the end user (normally the Chief Information Security Officer – CISO) who suffers from substantial manpower gaps to begin with.

"Most of the Intelligence being produced is not utilized"

The objective of intelligence is to support the security setup. Without such a setup, intelligence is of no significance. For this reason, only mature organizations seek intelligence, after they have already deployed the standard solutions and now wish to enhance their security. For these organizations, the intelligence should provide a sort of early warning against attacks. In reality, however, technical intelligence does not produce such alerts, and tactical intelligence produces only generalized alerts.

This is the reason why most of the intelligence being produced for cyberspace is not utilized – it does not pertain to the organization directly. Clients who gain experience using cyber intelligence services stop consuming those services after a while, as they find no direct value in them and as they do not have available, skilled personnel for assimilating and implementing the intelligence they are provided with. Consequently, the world is becoming disillusioned with cyber intelligence as a sub-activity of the cyber technology world. In a very short period of time, numerous companies were acquired or struck off the market (iSIGHT Partners and IID were acquired by FireEye, and Norse has recently ceased to operate). Apparently, the market is maturing and now seeks tactical solutions with a high degree of automation.

Operational Intelligence

The third category of cyber intelligence, which is beginning to stand out as a separate activity, is operational intelligence. It derives from a change in the security concept: instead of securing the peripheral boundaries of the organization, which means primarily deploying security assets for the purpose of identifying and stopping the attack or the attacker, the emphasis moves to developing prompt capabilities for identifying an attack and neutralizing the damage it attempts to inflict. This approach is an adaptation to cyber threats of the active routine security concept used in the field of national security.

One of the companies that offers an operational intelligence solution is the Sixgill Company of Yokne'am, Israel. This company develops a platform capable of producing intelligence effectively, as it allows a small number of analysts to 'dominate' an extensive pool of sources in the Darknet – forums, 'stores' that sell credit cards and 'Dumps' (websites that publish large amounts of data stolen from various parties).

As the system produces alerts automatically, it directs the analysts to analyze the information and derive operational insights. The CEO of Sixgill, Avi Kashtan, told us that the system was developed in cooperation with one of the world's leading banks, which uses it daily to spot preparations for attacks, employee and customer data that has leaked or been stolen, and more general information about future trends.

The operational intelligence approach calls for information that consists primarily of methods, processes and combat and active defense doctrines. It gives weight to the doctrinal and technical elements that cyber intelligence can extract from the spaces where the opponents organize and conduct their administrative activities. Instead of searching for information regarding a specific attack against the organization, operational cyber intelligence focuses on analyzing the opponents' combat doctrines, weapon systems and attack and operational scenarios. This approach shifts the center of gravity from advance identification and blocking, which have proven ineffective, to the ability to respond to and block the outcome of the attack within the organizational environment or in its immediate vicinity.


Yotam Gutman is a marketing and business development consultant to start-up companies in the field of cyber technology. In his previous positions he served as marketing and sales manager in the field of intelligence and cyber technology.
