The last story hacking into Uber or reappearing reports on Emotet's activity may raise questions about the validity of individual functions in the overall security organization of an organization. After all, why advanced forensics teams to produce threat intelligence or threat hunting when the problem is underlying? This is a very legitimate question, but the answer to it is not easy, taking into account the multitude of situations that a given entity may face.
We will use two models to structure our assessment of the situation. The first is Sliding Scale of Cyber Security by Robert M. Lee. This model describes how the different elements of a safety organization contribute to the overall safety level of the organization and what return on investment each function brings. The scale is illustrated by the following graphic:
Moving from left to right, further features are becoming more expensive to implement and bring lower returns on investment. To maximize benefits, organizations should start from scratch (architecture, automatic security measures), and only then build the next stages of maturity and add new functions.
The first tier that provides by far the greatest return on investment is architecture defined as planning, building and maintaining systems with security in mind. Architecture should, first of all, support the daily work of the organization, and in the field of security, anticipate the occurrence of crisis situations and security incidents. The aim of architecture is therefore not so much to prevent attacks and defend against cyber operations, but to ensure that incidents such as malware infection or access to the user's account by attackers do not lead to extensive damage to the infrastructure.
Next we have passive defense measures. In the model, this means devices and software that provide protection, but do not require continuous human maintenance. We will find here "classic" security solutions such as antivirus and other anti-malware, firewalls, IDSu, IPS. Naturally, installation and configuration requires initial staff involvement, as well as subsequent updates and troubleshooting. The defensive actions themselves, such as blocking the connection or removing malware from the system, are automatically taken in the course of work.
Another step is active defense, which should not, however, be confused with offensive actions or other actions that go beyond the protected environment. Active defense is broadly understood threat hunting and activities related to the assessment of events occurring in the environment by humans. Automatic systems cease to function as security in themselves, and become tools accelerating the work of analysts trying to detect more advanced hostile activities. The transition to the active defense level is, in my opinion, the biggest qualitative and cost leap in the entire Scale. At this level, we can lo longer avoid the involvement of a dedicated team dealing with security operations full-time or at least most of the time. While architecture and passive systems are largely the domain of engineers and system administrators, threat hunting is a job that requires knowledge and skills strictly related to threat analysis and responding to events resulting from more complex hostile operations.
Finally, in fourth place, and in a sense, the last one, which we will talk about in a moment, we reach threat intelligence. In this model, intelligence, even without the prefix threat, is defined as the process of collecting and processing data in order to fill previously identified knowledge gaps. Threat Intelligence, on the other hand, is an intelligence discipline that deals with the analysis of hostile activity in order to assist the actions of defenders by enabling better identification of hostile actions and methods of responding to them. The definitions themselves indicate why intelligence is so far on the scale adopted in this model. In order to take full advantage of this function, we must be able to assess the deficiencies in the visibility of the environment or the detection capabilities. If we are unable to effectively prevent attacks that can stop automated systems, it is hard to expect that we will be able to use intelligence products to construct advanced detections. It is worth paying attention to the close relationship between intelligence and active defense in this context - the function of intelligence is to create intelligence products, and actively defend themselves to consume them in the course of defense activities.
I mentioned that intelligence can be treated as the last function because, in fact, at the very end there is an area with very limited usefulness for most organizations - offensive activities. First, they require a very solid foundation in the previous functions, and in particular, the ability to attribute attacks. Secondly, they do not bring any benefits in the context of incidents that have already occurred. It should also be emphasized here that, for private organizations, legitimate offensive actions are actually limited to legal actions, such as filing a lawsuit ending with a court order to seize infrastructure. However tempting are the so-called hackback is unauthorized access to an information system remains a crime regardless of the relationship between the attacker and the victim.
As we can see, threat intelligence is quite far away in the model, actually at the very end of the defense functions. The specificity of this discipline is that in the context of organizational security, it is a support function, not an appropriate security. The role of the threat intelligence team is therefore determined by what intelligence requirements will be indicated to them and what is the target audience for the product. There are two factors to consider when assessing the role of this team in terms of ROI. First, wouldn't the money and resources invested in threat intelligence outweigh the other functions? The answer to this question, however, will be highly dependent on the organizational structure of a given entity - for example, in terms of whether we are talking about a purely internal intelligence team or a team operating simultaneously as a service provider to the clients. The factor we will look at here is whether intelligence can be shifted further to the left side of the scale, as the delivered products will support the architecture and passive defense functions.
This is where the second model will come into play - the intelligence cycle, i.e. the methodology of intelligence work with five stages, which I mentioned on the blog on the occasion of the OSINT methodology.
Despite the fact that the cycle is closed with subsequent phases arising from each other, the planning phase is undoubtedly the beginning. And here we see the clou of the matter, in mature organizations, limiting the role of threat intelligence to working only with active defense may not be the full use of its potential. So let us consider how the planning and requirements setting phase can channel threat intelligence efforts into the earlier phases of the Scale.
In terms of architecture, intelligence requirements can focus on attack vectors and targets attackers want to achieve when operating within activity groups that are relevant to the entire organization. Translating into specific examples:
- The first example of an intelligence requirement might be: what is the most commonly used technique to gain primary access by activity groups that threaten our organization? This requirement must be preceded by an analysis of the threat model and the definition of activity groups that may be of interest to our organization. However, the response to them may be a significant impulse for the modification and adaptation of the infrastructure to prevent access. Let's look at the most common techniques for gaining access - phishing emails and the use of vulnerabilities in devices exposed to the Internet. The support of the intelligence team can indicate to engineers and architects risk scenarios that they must take into account when deciding on issues such as how to exchange documents in the organization - whether we allow documents in e-mail attachments at all, or whether we require them to be transferred by granting access, e.g. to a resource in OneDrive. Further, decisions about accessing company resources from outside (even for remote employees) can be better made if the threat scenarios and techniques used by attackers are directly presented to engineers.
- Another example: what techniques can activity groups that threaten our organization use to achieve their goals? The flip side of the problem is securing against the last phases of the attack cycle and preventing them from reaching their goals. Presenting, for example, the way the ransomware family works and what techniques it uses to prevent data recovery, may affect the implementation of the backup method and the architecture of storing particularly important materials.
The goal here is to support architecture by illustrating attack scenarios with examples of observed and analyzed activities. Threat Intelligence serves as a source of situational awareness and knowledge of attack trends to complement the work of administrators and architects.
Paradoxically, it may be more difficult to support passive conservation measures. Until some time ago, threat intelligence was often associated with all streams of indicators such as IP addresses or hashes that can be directly transferred to IDS or other devices. However, the usefulness of this type of data for the purposes of threat detection or prevention is currently negligible. The role of the Intelligence team will thus be again advisory in the context of the observed attack techniques:
- The first example of a requirement: how can our passive security measures be attributed to the techniques used by activity groups attacking actors in our sector? Again, we operate at the level of conservation measures planning support, more specifically, visibility gaps and prevention gaps assessments. So we shift the role of threat intelligence from delivering purely tactical information to participating in the process of increasing the effectiveness of passive defense.
- Second example: what are the most common automated techniques used by activity groups that threaten our organization? Just as using single indicators like IP addresses is ineffective, applying rules like Snort can be more interesting. The goal of passive protection is to screen out the most common and relatively low-tech attacks. Threat intelligence should therefore provide support in the configuration phase of systems so that they do not actually require human supervision for effective operations.
Intelligence is therefore a highly "malleable" function of the organization. Its supportive nature means that it will only depend on the tasks set before it where it will be located in the organization. Returning, however, to the question from the very beginning of the post, concerning the universality of technically simple and known methods of attack, we will probably have many discussions on the effectiveness of individual means of protection. However, when assessing the work of the teams, one should bear in mind how they cooperate and how the responsibilities overlap. In this context, limiting the role of intelligence to production only for active defense may be a waste of potential. Especially that it is impossible to disagree with Robert M. Lee - the production of an interview is an expensive function that requires organizational maturity. All the more so, while striving for the highest possible return on investment, we can once again look at the Scale and make sure that all functions adequately use the possibilities resulting from the analysis and observation of threats.