If you follow my blog, you know that Threat Analysis and Intelligence (I call it CTA&I) is something I'm passionate (fanatical?) about, and write about regularly.
When I think about intelligence, especially in the cyber space, it's easy to see how many could confuse actionable information with good intelligence. We find that many folks we talk to think they understand the difference, but in reality most do not, and some of those who do often have no real means of consuming or implementing that information. There was a great piece that came out from Gartner a couple of weeks ago. I'm not a Gartner member, but someone forwarded it to me last week. The piece, "How to Select a Security Threat Intelligence Service" (Published: 16 October 2013), takes on the sometimes contentious discussion of what intelligence is and what it isn't, and what should be considered when purchasing threat intelligence. It breaks intel down into two simple bins: Operational and Strategic.
- Operational Intel is intel derived through traditional IT tools. Operational Intel should be thought of as short term and tactical. It drives daily operations and protects against what an old friend likes to call the 'wolves closest to the sled'. It is delivered in machine-readable formats by various subscription services, open source groups, commercial collaboratives (like Red Sky), or information sharing and analysis centers.
- Strategic Intel is used to affect the longer term, strategic positioning of the organization and its infosec team.
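To make the operational bin concrete, here is an added example (not code from the post, Red Sky, or Wapack Labs) of what consuming a machine-readable indicator feed looks like in practice: parse the feed, age out indicators whose tactical value has expired, and match what is left against log lines. The CSV feed format, the column names, the reference identifiers, and the proxy log lines are all constructed for illustration and do not correspond to any real service's format.

```python
"""Consume a machine-readable indicator feed and match it against log lines.

Added example. The feed layout (type,value,first_seen,ttl_days,reference) and
all indicator values below are constructed for illustration only.
"""
import csv
import io
import ipaddress
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample feed: one indicator per row. Addresses come from the
# RFC 5737 documentation ranges; the hash is just a placeholder digest.
SAMPLE_FEED = """\
type,value,first_seen,ttl_days,reference
ipv4,203.0.113.45,2013-10-20,30,RS-2013-1001
domain,update.example.net,2013-10-22,14,RS-2013-1002
sha256,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,2013-09-01,7,RS-2013-0990
ipv4,198.51.100.7,2013-10-25,30,RS-2013-1003
"""

# Constructed proxy log lines: timestamp, client, destination, method, URL.
SAMPLE_LOGS = [
    "2013-10-28T09:14:02Z 10.0.0.15 203.0.113.45 GET http://update.example.net/check.php",
    "2013-10-28T09:20:11Z 10.0.0.22 192.0.2.10 GET http://www.example.org/",
    "2013-10-28T10:01:45Z 10.0.0.15 198.51.100.7 POST http://198.51.100.7/upload",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
URL_RE = re.compile(r"https?://[^\s]+")


def load_indicators(feed_text, now):
    """Parse the CSV feed into {type: {value: reference}}, dropping expired rows.

    Operational indicators are short-lived: a row whose first_seen + ttl_days
    is already behind `now` is ignored rather than left to generate stale hits.
    """
    active = {"ipv4": {}, "domain": {}, "sha256": {}}
    for row in csv.DictReader(io.StringIO(feed_text)):
        kind = row["type"].strip().lower()
        value = row["value"].strip()
        if kind not in active:
            continue  # unknown indicator type: skip rather than guess
        first_seen = datetime.strptime(row["first_seen"].strip(), "%Y-%m-%d")
        if first_seen + timedelta(days=int(row["ttl_days"])) < now:
            continue  # aged out
        if kind == "ipv4":
            try:
                value = str(ipaddress.IPv4Address(value))  # canonical form
            except ValueError:
                continue  # malformed address in the feed
        elif kind == "domain":
            value = value.lower().rstrip(".")
        else:
            value = value.lower()
            if not SHA256_RE.fullmatch(value):
                continue  # not a well-formed SHA-256
        active[kind][value] = row["reference"].strip()
    return active


def extract_observables(line):
    """Pull candidate IPv4 addresses, hostnames and SHA-256 hashes from one line."""
    found = set()
    for ip in IPV4_RE.findall(line):
        found.add(("ipv4", ip))
    for digest in SHA256_RE.findall(line):
        found.add(("sha256", digest.lower()))
    for url in URL_RE.findall(line):
        host = urlsplit(url).hostname
        if host and not IPV4_RE.fullmatch(host):  # IP hosts are already covered above
            found.add(("domain", host.lower().rstrip(".")))
    return found


def match_logs(lines, indicators):
    """Return (line_index, type, value, reference) for every indicator hit."""
    hits = []
    for idx, line in enumerate(lines):
        for kind, value in sorted(extract_observables(line)):
            ref = indicators[kind].get(value)
            if ref:
                hits.append((idx, kind, value, ref))
    return hits


if __name__ == "__main__":
    indicators = load_indicators(SAMPLE_FEED, datetime(2013, 10, 28))
    for hit in match_logs(SAMPLE_LOGS, indicators):
        print(hit)
```

The expiry check is the point worth noticing: a feed is only operational intelligence for as long as the indicators are still in play, so the consumer, not just the producer, has to enforce a lifetime. Real feeds arrive in formats such as STIX or CSV with their own field names; the column layout here is an assumption for the example.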
- Humanitarian NGO hacked: We posted analysis, and notified an international humanitarian organization that they'd been victimized. Wapack Labs (Red Sky's 'hands on' end of the operation) identifies and exploits sources of information not generally available to others. Through this source, we identified leads that led us to this NGO. In coordination with an EU Computer Emergency Response Team, we were able to notify the humanitarian organization of the problem and help them figure out what to do about it.
- Two new RAT versions were identified, analyzed, and shared. Again, through the lab, information was received and shared with the Red Sky membership. It was then analyzed by the collaborative, with indicators cleaned up and posted.
- Compromised US Government Certificates and Accounts: Wapack Labs received raw, unevaluated information from one of its HUMINT sources about compromised US Government certificates and accounts. We're receiving more and more information related to attacks on various governments and NGOs. Some of this stuff really isn't in our lane, so all such information is posted to the Beadwindow portal, where government users can download it and act on it as needed.
- Incredible tactical information: The portal has been busier than ever. Tactical intelligence is growing, and every minute you wait you're losing valuable protection information: information that would cost hours (if not days or weeks) to derive without help. From the tactical perspective, in both Red Sky and Beadwindow, you can quickly pull down:
- Information on hacks across industries, how the attackers operated, and how others protected against them.
- Monitoring and sharing of network activity by others
- Shared monitoring of open sources such as social media, Google groups, chat rooms and other forums
- Analysis of artifacts - If you can't do this yourself, ask about Wapack Labs' malware analysis.
- Strategic Intelligence, at a very high level:
- Who are these guys?
- What do they want?
- What will make them stop?
- What exactly are they trying to do when they hack us?
- How will you know?
- How can you prevent the attacks, or stop them in progress?
Have a great week!