“But I think the real tension lies in the relationship between what you might call the pursuer and his quarry, whether it’s the writer or the spy.”
John le Carre
Before diving into the application of intelligence-driven incident response, it is important to understand the reasons that cyber threat intelligence is so important to incident response. This chapter covers the basics of cyber threat intelligence, including its history and the way forward, and sets the stage for the concepts discussed in the rest of this book.
As long as there has been conflict, there have been those who studied, analyzed, and strove to understand the enemy. Wars have been won and lost based on an ability to understand the way the enemy thinks and operates, to comprehend their motivations and identify their tactics, and to make decisions—large and small—based on this understanding. Regardless of the type of conflict, whether a war between nations or a stealthy intrusion against a sensitive network, threat intelligence guides both sides. The side that masters the art and science of threat intelligence, analyzing information about the intent, capability, and opportunities of adversaries, will almost always be the side that wins.
In 1986, Cliff Stoll was a PhD student managing the computer lab at Lawrence Berkley National Laboratory in California when he noticed a billing discrepancy in the amount of 75 cents, indicating that someone was using the laboratory’s computer systems without paying for it. Our modern-day, network-security-focused brains see this and scream, “Unauthorized access!” but in 1986 it was hardly cause for concern. Network intrusions were not something that made the news daily, with claims of millions or even billions of dollars stolen; the majority of computers connected to the “internet” belonged to government and research institutes, not casual users. The network defense staple tool tcpdump was a year from being started. Common network discovery tools such as Nmap would not be created for another decade, and exploitation frameworks such as Metasploit would not appear for another 15 years. The discrepancy was just as likely to have been a software bug or bookkeeping error as it was that someone had simply not paid for their time.
Except that it wasn’t. As Stoll would discover, he was not dealing with a computer glitch or a cheap mooch of a user. He was stalking a “wily hacker” who was using Berkley’s network as a jumping-off point to gain access to sensitive government computers, such as the White Sands Missile Range and the National Security Agency (NSA). Stoll used printers to monitor incoming network traffic and began to profile the intruder responsible for the first documented case of cyber espionage. He learned the typical hours the attacker was active, the commands he ran to move through the interconnected networks, and other patterns of activity. He learned how the attacker was able to gain access to Berkley’s network in the first place by exploiting a vulnerability in the movemail function in GNU Emacs, a tactic that Stoll likened to a cuckoo bird leaving its egg in another bird’s nest to hatch and which inspired the name of the book on the intrusion, The Cuckoo’s Egg. Understanding the attacker meant that it was possible to protect the network from further exploitation, identify where he may target next, and allowed a response, both on the micro level (identifying the individual carrying out the attacks) and on the macro level (realizing that nations were employing new tactics in their traditional intelligence-gathering arsenal and changing policies to respond to this change).
Over the decades, the threat has grown and morphed. Adversaries use an ever-expanding set of tools and tactics to attack their victims, and their motivations range from intelligence collection to financial gain to destruction to attention. Understanding the attacker has gotten much more complicated, but no less important.
Understanding the attacker has been a critical component of incident response from the beginning, and knowing how to identify and understand the attacker as well as how to use that information to protect networks is the fundamental concept behind a more recent addition to the incident responder’s toolkit: cyber threat intelligence. Threat intelligence is the analysis of adversaries—their capabilities, motivations, and goals; and cyber threat intelligence (CTI) is the analysis of how adversaries use the cyber domain to accomplish their goals. See Figure 1-1 on how these levels of attacks play into one another.
In information security, we traditionally focus on scientific concepts; we like things that are testable and reproducible. But there is both an art and a science behind cyber threat intelligence, and it is the art that most often eludes us. This art includes the analysis and interpretation of data about attackers, as well as how to convey that information to the audience in a way that makes sense and enables them to act. This is what will truly help us understand a thinking, reacting, and evolving adversary.
Security analysts love few things more than identifying malicious activity on their networks and tracing that maliciousness back to a known attacker, but in many cases early implementation of intelligence was ad hoc and largely intuitive. Over the years, new technologies were developed with the goal of better detecting and understanding malicious activity on networks: Network Access Control, Deep Packet Inspection firewalls, and network security intelligence appliances are all based on familiar concepts with new applications.
These new technologies give us more information about the actions that attackers take as well as additional ways to act on that information. However, we have found that with each new technology or concept implemented, the enemy adapted; worms and viruses with an alphabet soup of names changed faster than our appliances could identify them, and sophisticated, well-funded attackers were more organized and motivated than many network defenders. Ad hoc and intuitive intelligence work would no longer suffice to keep defenders ahead of the threat. Analysis would need to evolve as well and become formal and structured. The scope would have to expand, and the goals would have to become more ambitious.
In addition to detecting threats against an organization’s often nebulous and ephemeral perimeter, analysts would need to look deeper within their networks for the attacks that got through the lines, down to individual user systems and servers themselves, as well as look outward into third-party services and to better understand the attackers who may be targeting them. The information would need to be analyzed and its implications understood, and then action would have to be taken to better prevent, detect, and eradicate threats. The actions taken to better understand adversaries would need to become a formal process and a critical part of information security operations: threat intelligence.
Intelligence is often defined as information that has been refined and analyzed to make it actionable. Intelligence, therefore, requires information. In intelligence-driven incident response, there are multiple ways to gather information that will be analyzed and used to support incident response. However, it is important to note that incident response will also generate cyber threat intelligence. The traditional intelligence cycle—which we cover in depth in Chapter 2—involves direction, collection, processing, analysis, dissemination, and feedback. Intelligence-driven incident response involves all of these components and helps inform direction, collection, and analysis in other applications of threat intelligence as well, such as network defense and user awareness training. Intelligence-driven incident response doesn’t end when the intrusion is understood and remediated; it actually generates information that will continue to feed the intelligence cycle.
Analysis of an intrusion, either successful or failed, can provide a variety of information that can be used to better understand the overall threat to an environment. The root cause of the intrusion and the initial access vector can be analyzed to inform an organization of weaknesses in network defenses or of policies that attackers may be abusing. The malware that is identified on a system can help identify the tactics that attackers are using to evade traditional security measures, such as antivirus or host-based intrusion-detection tools, and the capabilities they have available to them. The way an attacker moves laterally through a network can be analyzed and used to create new ways to monitor for attacker activity in the network. The final actions that an attacker performed (such as stealing information or changing how systems function), whether they were successful or not, can help analysts understand the enemy’s motivations and goals, which can be used to guide overall security efforts. There is essentially no part of an incident-response engagement that cannot be used to better understand the threats facing an organization.
For this reason, the various processes and cycles outlined in this book are aimed at ensuring that intelligence-driven incident response supports overall intelligence operations. Although they provide specific guidance for utilizing cyber threat intelligence in incident response, keep in mind that wider applications can be used as intelligence capabilities expand.
Cyber-threat intelligence isn’t a new concept, simply a new name for an old approach: applying a structured analytical process to understand an attack and the adversary behind it. The application of threat intelligence to network security is more recent, but the basics haven’t changed. Cyber threat intelligence involves applying intelligence processes and concepts—some of the oldest concepts that exist—and making them a part of the overall information security process. Threat intelligence has many applications, but one of the fundamental ways it can be utilized is as an integral part of the intrusion-detection and incident-response process. We call this intelligence-driven incident response and think it is something every security team can do, with or without a major capital investment. It’s less about tools, although they certainly help sometimes, and more about a shift in the way we approach the incident-response process. Intelligence-driven incident response will help not only to identify, understand, and eradicate threats within a network, but also to strengthen the entire information security process to improve those responses in the future.
Over the past few decades, our world has become increasingly interconnected, both literally and figuratively, allowing attackers to carry out complex campaigns and intrusions against multiple organizations with the same effort that it used to take to target a single entity. We are long past the point where we can automatically assume that an intrusion is an isolated incident. When we better understand the adversary, we can more easily pick up on the patterns that show commonalities between intrusions. Intelligence-driven incident response ensures that we are gathering, analyzing, and sharing intelligence in a way that will help us identify and respond to these patterns more quickly.
A good example of this is the analysis of the Axiom Group, which was identified and released as a part of a Coordinated Malware Eradication (CME) campaign in 2014 called Operation SMN.
For more than six years, a group of attackers known as the Axiom Group stealthily targeted, infiltrated, and stole information from Fortune 500 companies, journalists, nongovernmental organizations, and a variety of other organizations. The group used sophisticated tools, and the attackers went to great lengths to maintain and expand access within the victims’ networks. As malware was detected and the incident-response process began within various victim organizations, coordinated research on one of the malware families used by this group identified that the issue was far more complex than originally thought. As more industry partners became involved and exchanged information, patterns began to emerge that showed not just malware behavior, but the behaviors of a threat actor group working with clear guidance. Strategic intelligence was identified, including regions and industries targeted.
This was an excellent example of the intelligence cycle at work in an incident-response scenario. Not only was information collected, processed, and analyzed, but it was disseminated in such as way as to generate new requirements and feedback, starting the process over again until the analysts had reached a solid conclusion and could act with decisiveness, eradicating 43,000 malware installations at the time that the report was published. The published report, also part of the dissemination phase, allowed incident responders to better understand the tactics and motivations of this actor group.
Several years before the Axiom Group was identified, another (possibly related) group carried out a similarly complex operation named Operation Aurora, which successfully targeted approximately 30 companies. This operation impacted companies in the high-tech sector as well as defense contractors, the chemical sector, and Chinese political dissidents. The patterns and motivations of the operation were similar to those in Operation SMN. Looking at these two examples of elaborate and widespread attacks, it becomes clear that these weren’t random but rather were coordinated with strategic objectives by a determined adversary willing to expend a great deal of time and effort to ensure that the objectives were met. If we tackle the problem by jumping from incident to incident without stopping to capture lessons learned and to look at the big picture, then the attackers will always be several steps ahead of us.
Both the Axiom Group attacks and Operation Aurora were information-seeking, espionage-related attacks, but nation-state sponsored attackers aren’t the only thing that incident responders have to worry about. Financially motivated criminal activity is also evolving, and those actors are also working hard to stay ahead of defenders and incident responders.
Despite the many advances in the computer security field, attackers continue to adapt. We are often surprised to hear about breaches where the attackers were loitering in a network for years before they were identified, or even worse, where the attackers are able to get back in undetected and reinfected a target after the incident-response process is complete. Intelligence-driven incident response allows us to learn from attackers; to identify their motivations, processes, and behaviors; to identify their activities even as they seek to outwit our defenses and detection methods. The more we know about attackers, the better we can detect and respond to their actions.
We have reached the point where a structured and repeatable process for implementing intelligence in the incident-response process is necessary, and this book aims to provide insight into that process. Throughout this book, we provide various models and methods that can be viewed as the tools of intelligence-driven incident response, as well as the background as to why these models are beneficial in incident response. There is no one-size-fits-all approach. In many cases, the incident or the organization will dictate which specific combination of models and approaches fits best. Understanding the foundational principles of intelligence and incident response as well as the specific methods for integrating them will allow you to build a process for intelligence-driven incident response that will work for you and to develop that process to meet the needs of your organization.