Methods and Methodology

Methods

The Intelligence Lifecycle

The intelligence lifecycle is a core method that sits behind Intelligence in general. Some texts explain intelligence as a process, as well as a description for a product. On August the 15th the SIG compared different types of content around the Intelligence lifecycle, as various staged models exist. You can read more about the vote here. The group settled upon a Six Step approach - (Direction, Collection, Processing, Analysis, Dissemination, Feedback (Review): based on the current Wikipedia Reference here

F3EAD Cycle

Moving at the speed of the threat – applying the Find, Fix, Finish, Exploit, Analyse and Disseminate cycle

The F3EAD cycle (Find, Fix, Finish, Exploit, Analyze and Disseminate) is an alternative intelligence cycle commonly used within Western militaries within the context of operations that typically result in lethal action, such as drone strikes and special forces operations. By making small changes to the above narrative i.e. replace “Kill or capture” with “remove or restrict.” Many security teams do the practice of “find-remove-on to the next” and, while that is at the core of the F3EAD cycle, there is still value in defining the process within the confines of the framework.

The intelligence cycle and the F3EAD cycle can be employed closely together to fulfill the overall company’s intelligence requirements, both tactical and strategic. One way of visualizing these two cycles is as cogs turning together within the intelligence process, with intersections between the intelligence cycle’s “Collection” phase and the F3EAD cycle’s “Find” phase. This relationship is shown below.

Cyber Intelligence Process Integration

Within this context both cycles can be run in tandem within the context of a single response case.

When Should I use F3EAD?

F3EAD is very good at aligning limited resources in a pressurized situation to answer very specific almost binary questions. For example

These types of question often have very simple answers i.e. yes/no however, they are often critical to the overall assessment of the situation. As such within the context of a response case candidates for F3EAD action should be prioritized according to the impact answering the question will have on the overall development of the situation.

When considering this prioritization, the phrase ‘tactical factors that have a strategic effect’ should be in the mind of the operations commander. Returning to the example questions outlined above, all will have indicators at the tactical level however, their impact will have wide ranging strategic implication for the organization.

Based on this F3EAD is a tool that should be used sparingly, with the understanding that focusing on answering one question, de-prioritized other questions. Care needs to be taken to prioritize the correct question based upon the core interest of the business. Taking this principle of prioritization into account and returning to the above example questions, consider the profile of the following organization

Organization 1: Financial institution operating within a highly regulated environment

Suggested priority:

  1. “Have we been breached?”
  2. “Is a threat actor still within our network?”
  3. “Are we being DDOSed?”

Explanation: within this context the immediate concern for the organization will be to communicate with the regulator around the nature of the breach with the follow up question being the nature of the access the threat has to the victim network. The DDOS element is less of a priority at this point due to the core focus on PII of the initial response.

How does it integrate with models like the Kill Chain?

While F3EAD can be used with the model such as the Kill Chain and the MITRE attack frameworks, it should be noted that this is an operational cycle not necessarily a model of the threat such as the former models. As such F3EAD is useful for filling in elements of a wider threat modelling process, IF these element have the strategic impact that was outlined in the previous section.

Having said that F3EAD and the Kill Chain have been more closely integrated – shown below is Wilson Bautista’s example integration of F3EAD and the Kill Chain

Cyber Kill Chain and F3EAD

The F3EAD in more detail

Phase Description Application Within a Response Context Considerations
Find

essentially ‘picking up the scent’ of the opponent, with the classic “Who, What, When, Where, Why” questions being used within this phase to identify a candidate target

The benefit of these three sections to a response case is that they allow a far more granular appreciation of the resources necessary to achieve the IRs for the tasking. Find and Fix are essentially getting the team into the position to create the finish effect, be that a site takedown, confirmation of data breach or malware analysis. As these sections are often non-trivial this could put this sub operation out of the scope of the wider operation giving the operational commander a clear go/no go decision in regard to the case

What Sources and Agencies (SANDA) do I have?
Fix

verification of the target(s) identified within the previous phase, which typically involves multiple triangulation points. This phase effectively transforms the intelligence gained within the “Find” phase into evidence that can be used as basis for action within the next stage

same as above Where possible multiple SANDA should be used to create the triangulation
Finish

based on the evidence generated from the previous two phases the commander of the operation imposed their will on the target

same as above What effect are we trying to achieve with this operation?
Exploit

deconstruction of the evidence generated from the finish phase

The objective of this phase is not the same as the Analysis phase as the point is to spin off new IRs for another F3EAD cycle that will add to the wider intelligence picture

F3EAD is meant to be relentless and this phase is the focus point for this drive
Analyse

Really the crux of the matter where the result is analyses and the IR answered

Dissemination

finally publishing the results of the research to key stakeholders and fusing the exploited evidence with the wider intelligence picture

Worked Example

Context: the Organisation has suffered a data breach at the hands of a malicious actor. X number of HR records have been stolen and are now apparently on sale on various Dark Web forums. The Organisation has initiated numerous strands of response one of which is finding if that data is in fact for sale and by who on the Dark Web.

Intelligence Requirements (IRs):
The following IRs are stipulated for this case

  • Which (if any forums) is the data available on?
  • What is the credibility of the actor selling the data?

Potential Execution:

Phase Activity Notes Hypothetical Result
Find

Conduct extensive survey of the Dark Web to find instances of vendors selling the breach data.
(This is an example only. Discuss with your lawyers if within your jurisdiction this method of data acquisition is appropriate).

This ‘search’ is in essence a collection activity however, it is more focused than the more generic intelligence cycle. Search in this case is defined activities which included

  • Active Touting: calling out for the data on various forums and chat rooms
  • Source work: tasking know sub sources to search for the data
  • Automated collection: scraping of multiple forums for keywords on mentions of the data

1.The data is being sold on two distinct Dark Web forums, within the VIP area of the site.

  1. One vendor is selling the data. Source: automated collection This also fulfills the first IR of the tasking
    • Which (if any forums) is the data available on? – the two forums that where identified earlier
Fix

Despite knowing where the data is, due to the fact that it was located by an automated bot we do not have direct access to the section of the forum where the actor has posted the advert vending the site.

In this case there are two options

  1. Attempt to gain access to the VIP section of either forum
  2. Approach the vendor via another method to elicit the sale of the data As time is of the essence option 2 is decided upon resulting in a new Find phase to locate a plausible communication method with the vendor.

The vendor is seen to post ICQ Number on a number of other forums. With this we approach the actor and ask directly for the data. We create plausible denial via the ‘someone told me’ method to explain the juxtaposition of our ‘meta knowledge’ about the advert on the VIP section but our lack of ability to gain access to that section of the forum.

Finish

Two possibilities:

  1. The vendor states the price of 1 bitcoin for the data – we pay and gain a zip file of the data.
  2. Further possibility: After analysis of the sample data we found that maybe the vendor is not receiving the first source of the data
    • we pay and gain the zip of data for further intelligence lead, while re-examining result on “Fix” and maybe back to “Find” steps.

This action fulfils the second core IRs of the tasking

  • What is the credibility of the actor selling the data? – highly credible
  • How close is the source of data to alleged breach actor? - the vendor is credible but maybe we deal with broker, we may need to trace it further
  • Was it the work of insider or adversaries? How does the breach TTP/IOC say about it? insider / APT / hacktivist / criminals).
    • It is the insider’s work.
Exploit

There are now a number of ways which the situation can be exploited, specifically in regards to the access that has be built with the vendor. The core focus at this point is to understand how the vendor got access to the data in the first instance.

Using the ‘anymore where that came from?’ tactic we identify that there is an insider feeding the vendor data from the Organisation

A new set of IRs are generated in order to find the insider

Analyse

The data is analysed

Assessed to be a complete data set

Dissemination

Results passed back to the core response team.

Sub case closed

Points to note about the above example

Operational speed and cycle stage: F3EAD is meant to be fast and responsive as such sometimes keeping track of which stage of the cycle an operation is active within can be a challenge. As a suggestion the first three stages of the cycle (Find, Fix, Finish) are often the most important in regards to monitoring the most explicit transitions between the stages, note in the example above the Find and Fix stage are somewhat blurred. This is not uncommon but should be remembered in regards to resource management within the context of an F3EAD investigation.

Revising the requirements mid cycle: during the Finish phase there is the option in this case to revise the intelligence requirements of the task. This is reveals two separate ways that F3EAD can be managed, Rigid and Flexible, expanded in more detail below

The obvious secondary question in regards to the implementation of a Rigid or Flexible approach to F3EADE, there is no one size fits all answer. A general suggestion however, is that the more F3EAD cycles that are being run the more chance of losing track of the objective of an cycle, especially in a high pressure environment of crisis response. Within this context a more Rigid approach to implementing F3EADE is suggested whereas, a Flexible approach works for operations with a single strand where the objective of a cycle can be easily understood.

Graphical Decision Tree of Hypothetical Case

Analysis Techniques

Strategic Intelligence Analysis

In order to understand how to analyze information we must first understand the information hierarchy also known as the Data, Information, Knowledge, and Wisdom pyramid.

Pyramid

This pyramid is a graphical representation of how data is transformed into wisdom:

How does this look in an information security organization?

Pyramid

Intelligence and Cyber Security

“Cyber intelligence is the ability to gain knowledge about an enterprise and its existing conditions and capabilities in order to determine the possible actions of an adversary when exploiting inherit critical vulnerabilities. It uses multiple information security disciplines (threat intelligence, vulnerability management, security configuration management, incident response, and so on) and tool sets to gather information about the network through monitoring and reporting to provide decision makers at all levels to prioritize risk mitigation.”

Cyber Intelligence

Priority Information Requirements

Military commanders make decisions based on specific pieces of data that pertain to solving a specific question. Gathering of that information for the commander is based on a term called Priority Information Requirements (PIRs). These PIRs are what drives intelligence gathering operations as it provides guidance on what information is the most important to the commander so that they can plan for the next steps.

Good PIRs have three criteria:

  1. They ask only one question
  2. They focus on a specific fact, event, or activity
  3. They provide intelligence required to support a single decision

Military examples:

The same logic can be used within private organizations with the use of Key Performance Indicators or Key Risk Indicators. Leaders will have to provide targets, the means to measure them in order to validate whether or not they have met thresholds that are within or out of defined thresholds. Having a top-down approach when defining specific information to be derived from multiple security tools, will fuel an organization’s capability to prioritize and analyze information to be accurate, timely, and actionable.

Below are examples from the first two Center for Internet Security Controls

  1. Do we have an inventory of authorized and unauthorized devices?
    • Tactical: Do we have a complete list of authorized devices?
      • Operational: How are we continuing to gather this list?
    • Tactical: Do we have the capability of identifying unauthorized devices?
      • Operational: Where are we finding these devices?
  2. Do we have an inventory of authorized and unauthorized software?
    • Tactical: Do we have a list of authorized software?
    • Tactical: What are our most critical applications?
      • Operational: Where are these located?
    • Tactical: How are we protecting these?
      • Operational: What security tools are in place to ensure that the information does not get compromised?
    • Tactical: Do we have a list of unauthorized software?
      • Operational: Where do the systems with this software exist?

The above scenarios provided multiple points of intelligence gathering to provide a holistic view of an organization’s risk exposure and propensity to exploited by adversaries.

DIKW Functions vlv1

The Defense Acquisition Guidebook (DAG), Chapter 7, provides guidance to Program Managers (PMs) on how to use intelligence information and data to ensure maximum warfighting capability at a minimum risk to cost and schedule.

“The ‘intelligence cycle’ is a process which forms the basis of operations in government organizations like the CIA and the NSA. It very broadly outlines the stages of developing raw information into finished intelligence for policy makers to use in decision making.”

The Intelligence Cycle

  1. Planning and Direction
    1. This category includes the receipt, identification, and prioritization of intelligence requirements; the development of concepts of intelligence operations and architectures; tasking appropriate intelligence elements for the collection of information or the production of finished intelligence; and submitting requests for collection, exploitation, or all-source production support to external, supporting intelligence entities.
  2. Collection
    1. Collection includes those activities related to the acquisition of data needed to satisfy specified requirements. This is managed by collection managers, whose duties include selecting the most-appropriate, available asset(s) and associated processing, exploitation, and dissemination (PED) and then tasking selected asset(s) and associated PED to conduct collection missions.
  3. Processing and Exploitation
    1. Data initially received from the sensor arrives in various forms, depending on the nature of the sensing device. Depending on the source, the raw input may be in the form of digitized data, unintelligible voice transmissions, or large digital files containing un-rectified images of the Earth. This collection output is converted by sensor-specific processing measures into visual, auditory, or textual information that is intelligible to humans, and can then be used by intelligence analysts and other consumers. The data conversion may be automated using algorithmic fusion, cuing, data analytics, and automated exploitation. Exploitation entails the further translation and contextualizing of information resulting from collection and initial processing into a product the planner, decision-maker, or intelligence analyst can assimilate cognitively.
  4. Analysis and Production
    1. During analysis and production, intelligence is produced from the information gathered by collection capabilities, and from the refinement and compilation of intelligence received from external organizations. All available processed information is integrated, evaluated, analyzed, and interpreted to create products that will satisfy requesters or users.
  5. Dissemination and Feedback
    1. This category involves the timely distribution of critical information and finished intelligence, readily accessible by the user, to the appropriate consumer. The movement toward a net-centric environment has reduced the technical challenges related to information dissemination. Nevertheless, intelligence infrastructure (such as intelligence networks, systems, and software) and intelligence resources
      1. The Right Format: Choose to present your intelligence in a format that your stakeholders can consume and understand. For example, you may not need to include everything you discovered for decision making, so work on summarizing information.
      2. The Right Hands: Intelligence can only be applied when made available to the correct people. Map types of intelligence not only to job titles, but to team responsibilities.
      3. The Right Time:Even the most relevant intelligence can be rendered useless if it’s out of date. This means you need to balance the time it will take to produce intelligence with any action that needs to be taken.
      4. The Right Medium: It’s not just what you communicate, but how. Choose communication methods that will reach your relevant stakeholders the most quickly and effectively.

ref:

  1. Practical Cyber Intelligence
  2. Intelligence Support and Acquisition
    https://www.dau.mil/guidebooks/Shared%20Documents%20HTML/Chapter%207%20Intelligence%20Support%20and%20Acquisition.aspx#toc35
  3. Applying Government Intelligence Strategies to Commercial Organizations
    https://www.recordedfuture.com/government-intelligence-cycle/

Technical Intelligence analysis

Technical intelligence need to be accurate, timely, and actionable. Analysis methodologies are designed to provide with better ways to operationalize technical data in support of security operations.

Intelligence at this level is focused mostly on indicators of compromise (IOCs) and signatures.[1]

The analysis phase of the threat intelligence lifecycle aims at evaluating, analyzing and interpreting the processed information against the program’s requirements (planning phase) to provide analytic judgments that determine confidence, relevance and threat impact of the collected data.

Direction, Collection, Processing, Analysis, Dissemination, Feedback (Review)

Collecting threat data is the first step in producing threat intelligence.

It is fundamental to highlight the difference between indicators and signatures as well as the difference between atomic and composite indicators. A signature should be thought of as a fingerprint (something that have a high confidence) whereas indicators are not as precise and need to be further analyzed and contextualized to produce valuable information. As a result of analyzing indicators we try to move from atomic indicators (a piece of information e.g. an ip) to composite indicators (putting atomic information together).

Composite information is much richer in content and can better support security operations.

The data collected is going to be as good as the use that you have of it and the analysis phase helps assessing how relevant it is to your environment.

Moving from atomic to composite indicators to climb the pyramid of pain. [2]

Data preparation steps

Def: Data Preparation is the process of (collecting), cleaning, and consolidating data into one file or data table, primarily for use in analysis.

  1. Data consolidation refers to the collection and integration of data from multiple sources into a single destination. During this process, different data sources are put together, or consolidated, into a single data store.

    Adding more context to the atomic data to leverage pivoting points for aggregation, correlation and visualization capabilities.

    • Sources for network atomic indicators enrichment:
    • pDNS (A, AAAA, PTR... records)
    • AS
    • ASN
    • Geolocation data
    • BGP lookups … Enriched technical indicators’ keys: Standards: Atomic Network Indicators
  2. Data cleansing or data cleaning is the process of detecting and correcting (or removing) corrupt or inaccurate records from a record set, table, or database and refers to identifying incomplete, incorrect, inaccurate or irrelevant parts of the data and then replacing, modifying, or deleting the dirty or coarse data.(wiki)

    Removing well-known indicators that can be associated to potential false positives, errors or mistakes.

    • MISP offers a list of 31 sources for data cleansing

External sources