One of the many unique challenges of CTI that differentiates it from other forms of threat intelligence, is the need to integrate significantly more pieces of component into CTI assessment as opposed to say a ‘bomb and bullet’ based assessment.
With CTI, the devil really does lie in the details and the amount of the data that is available to a modern analyst is only growing and often overwhelming. The challenge here is this process of integrating data into a larger analytical workflow takes a significant amount of time.
This blog focuses on how Elemendar’s READ. tool can assist in this process and facilitate rather than replace the role of the analyst within the intelligence process.
The Four Step Intelligence Profile
The Intelligence Cycle (Direction->Collection->Analysis->Dissemination) is probably the first thing that you learn on day one, week one in Intelligence School – be it within a military, civilian or private sector context. The power of the four step Intelligence Cycle lies within its simplicity,
- Direction: The Intelligence Requirements (IRs) of the customer
- Collection: Go and get the data that has the potential to fulfil the customers IR’s after the Analysis phase
- Analysis: Turn data, into information and then into intelligence using a range of structured analytical process
- Dissemination: Hand the intelligence back to the customer and elicit feedback
There are other Intelligence Cycles such as the F3EAD Cycle however, the power of the four step Intelligence Cycle lies in its simplicity which translates to clarity at the Strategic, Tactical and Operational levels of the business. However, the cycle is not perfect…
Processing: The missing activity in modern intelligence…
An alternative to the four step Intelligence Cycle is a five-step cycle that inserts the phase of “processing” between the Collection and Analysis phase, shown below:
Figure 1: the five-step intelligence cycle, with the Processing phase highlighted
Calling out the processing phase like this is important as it defines a specific activity within the practice of intelligence that is only growing with sub fields of intelligence like CTI. Processing creates what we call “proto” intelligence products, that we define as products
- Whose purpose is to bridge the gap between the data gathered in the Collection phase – and the intelligence generated in the Analysis phase
- Is informational in nature and acts as a form of ‘middleware’ between data/information and intelligence
- That stop short of fully formed intelligence
To define this concept further, a half-written intelligence report is NOT a proto intelligence product, it’s just an unfinished intelligence report. Instead, a good example of a proto intelligence product is the APT Groups and Operations, a project whose goal is to deconflicts the different naming conventions used by various CTI vendors for nation state related hacking groups. If you check out the APT Groups and Operations document you can see that it conforms to the definition of a proto intelligence product that is outlined above. Notice its more than just data, but does not have the obvious “so what?” of an intelligence product, instead acting as a stepping stone for the analyst towards the final goal of insight through intelligence. This is a great example of a proto intelligence product.
How can Elemendar’s READ. help?
READ. is a tool designed to directly assist in the processing phase of the intelligence cycle to enable the CTI analyst to ingest more data about the cyber underground at a quicker rate. Take as an example, Jon DiMaggio’s awesome white paper on the ransomware group REvil: A History of REvil. The paper is a great piece of work, well written, well researched and well-presented however, at 65 pages it’s not a quick read. Elemendar’s READ. can help the analyst in processing this report. Shown below is the network graph produced in READ. from the History of REvil paper.
Figure 2: History of REvil visualised within READ.
The graphics shown above is a classic proto intelligence product. It is more than data/ information but it is not quite intelligence and it acts as a stepping stone to intelligence. Even a cursory examination of the graph shows the following
- The History of REvil paper is Indicator of Compromise (IOC) heavy and Mitre attack tactic lite- this is fine however, if I was looking for a more Mitre based analysis of REvil then I would need to gather other sources
- There are a number of associations between REvil and other know threat groups i.e. Blackmatter etc, that deserve further investigation (Figure 2 Call out A)
- The Tactics, Techniques and Procedures of REvil are highlighted by READ.s Mitre “TCode” extractions (Figure 2 Call out B) and include key aspects of the groups modus operandie such as Drive-by Compromise (T1189), Privilege Exploitation (T1068) and File Deletion (T1107) being some of the stand out aspects of the graph.
Within the example shown above READ. has not replaced the analyst, far from it, the human analyst is still integral to the analysis process. What READ. has done is to accelerate the Processing of that materials that feed into the production of intelligence.
It can be argued that Modern CTI is at its core about turning unstructured data into structured data and approaches and technologies such as Big Data and Artificial Intelligence are key to this approach. With a veritable explosion of unstructured data like the report that has been examined within this blog, technologies such as Elemendar’s READ. are a natural addition to the analyst’s tool kit.