The paper explained, as I've heard from so many CISOs explains that security teams are feeling the data overload. Why? They're being bombarded with news, intelligence supporting vendor pitches and aggregators of every IP under the sun, dumping it your lap and calling it actionable intelligence.
If that isn't intelligence, what is?
We didn't have much time. It was a 30-minute meeting, but he asked me how we're different. I told him that we actually follow an intelligence process.
And so I explained, as I often do, by telling a story:
Many of our members operate in Eastern Europe and Ukraine. In 2014 we tracked, in near real time, election manipulation in Ukraine. The campaign wasn't just cyber however, it was full-spectrum information operations; psychological operations, influence operations, and propaganda, military actions for diversion (remember Crimea?), cyber, and intelligence monitoring the entire thing to ensure the desired impacts. There were actions against banks who supplied funding, and those associated with those banks. Military action was used to take over cellular communication nodes, and throughout, telephony denial of service (tDoS) and DDoS were used in conjunction with trojans and remote access control to take over communications.
There were several tools used by one side against the other (I say 'one side against the other' only because it's often times hard to know who's who). Little did we know that one of those tools, BlackEnergy would later become famous. We did some of our own work but one of our peer intelligence companies had authored a great report on BlackEnergy. We issued reporting to the Red Sky members that told the GEOPOLITICAL story (the 'why should we care' piece). We reverse engineered the tools identified and included in our reporting detection methods, and metadata.
Fast forward to Christmas 2015. BlackEnergy was believed used against power companies in Ukraine, and this time, unlike the previous time in 2014, it hit the press. Now, every Energy producer, distributor, etc., wanted to know how to protect themselves from attackers using BlackEnergy.
Back to the question. "What is Intelligence?"
I explained the idea of "Data, Information, Knowledge, and Wisdom". I explained that most intelligence feeds offer "data" (IOCS) but no real context about why it should be important or how it should be used.
I went on. Intelligence is the idea that we can collect a ton of data and that we boil it down into a form needed by a reader. In this case, we simply wanted to keep our finger on the pulse of the activities occurring in Ukraine. Why? We have members who operate there. We felt we might be able to offer insights on things that might affect them, and at the same time, pick up some lessons learned about how those in the area operate against each other... and there were!
Our reporting and follow-on blogging (in the Red Sky portal) offered several pieces of highly valuable, highly actionable intelligence:
- We told a story of how the attacks unfolded, thereby understanding where cyber fit in, how it was used, and who (specifically, by company name) was targeted.
- We identified several tools used, and by whom;
- We provided metadata on the tools, allowing security personnel the ability to protect;
- And we offered go-forward recommendations for operating safely in the future --not just security related, but things like monitoring political exposure of key executives in the area;
- Recommendations on courses of action are the hallmark of good intelligence. In some worlds, it's called 'strategy', but it's all based on some kind of solid intelligence foundation.
In this case, intelligence was realized by monitoring sources, collecting a ton of data and then boiling down into something consumable --the story of election manipulation in Ukraine, and how/why our members may be impacted. It was written in a way that any person could understand it. offered specific protection and go-forward recommendations.
- When the question came up in 2015, we had intelligence on BlackEnergy from a year prior.
- In the Carbanak campaign, when a few dozen banks were compromised in Eastern Europe, the story was told as compromises in American and Australian banks. We'd had intelligence from six months earlier that showed the story to not be entirely true (and we'd reported it out with the FS-ISAC at the time).
- Last week a Florida port (Port Everglades) and Cuba made a deal to allow Cuban ships in Florida ports but the deal fell apart when the Governor threatened to cut off state funding to the port --resulting in a politically motivated DDoS. This will happen again. We learned something from this one --it's good intelligence.
- We're tracking yet another PLA cyber unit. Why? Because we want to know what they target and how. This is intelligence. As more information becomes available, we'll analyze it and report. Until then, members can search through over five years of intelligence written and published in the Red Sky portal.
Intelligence is about assisting decision makers, in our case the CISOs, with protective strategies. We tell the stories, often times before they hit the news. We then, when possible, obtain the tools used, reverse engineer them and offer our members the technical data needed to protect themselves from the stories we've told.