Methods and Methodology

Methods

The Intelligence Lifecycle

The intelligence lifecycle is the core method that sits behind intelligence in general. Some texts describe intelligence as a process as well as a product. On August 15th the SIG compared different types of content around the intelligence lifecycle, as various staged models exist. You can read more about the vote here. The group settled on a six-step approach (Direction, Collection, Processing, Analysis, Dissemination, Feedback (Review)), based on the current Wikipedia reference here.

F3EAD Cycle

Moving at the speed of the threat – applying the Find, Fix, Finish, Exploit, Analyse and Disseminate cycle

The F3EAD cycle (Find, Fix, Finish, Exploit, Analyze and Disseminate) is an alternative intelligence cycle commonly used within Western militaries in the context of operations that typically result in lethal action, such as drone strikes and special forces operations. It translates to security operations with small changes to that narrative, e.g. replacing "kill or capture" with "remove or restrict". Many security teams already practise "find, remove, on to the next" and, while that is the core of the F3EAD cycle, there is still value in defining the process explicitly within the confines of the framework.

The intelligence cycle and the F3EAD cycle can be employed closely together to fulfil the organization's overall intelligence requirements, both tactical and strategic. One way of visualizing these two cycles is as cogs turning together within the intelligence process, with the intersection between the intelligence cycle's "Collection" phase and the F3EAD cycle's "Find" phase. This relationship is shown below.

Cyber Intelligence Process Integration

Within this context both cycles can be run in tandem within a single response case.

When Should I use F3EAD?

F3EAD is very good at aligning limited resources in a pressurized situation to answer very specific, almost binary questions, for example:

  • "Have we been breached?"
  • "Is a threat actor still within our network?"
  • "Are we being DDoSed?"

These questions often have very simple answers (yes/no); however, they are often critical to the overall assessment of the situation. Within a response case, candidates for F3EAD action should therefore be prioritized according to the impact answering the question will have on the overall development of the situation.

When considering this prioritization, the phrase "tactical factors that have a strategic effect" should be in the mind of the operations commander. Returning to the example questions above, all will have indicators at the tactical level; however, their impact will have wide-ranging strategic implications for the organization.

Based on this, F3EAD is a tool that should be used sparingly, with the understanding that focusing on answering one question de-prioritizes other questions. Care needs to be taken to prioritize the correct question based on the core interests of the business. Taking this principle of prioritization into account and returning to the example questions, consider the profile of the following organization:

Organization 1: Financial institution operating within a highly regulated environment

Suggested priority:

  1. “Have we been breached?”
  2. “Is a threat actor still within our network?”
  3. “Are we being DDoSed?”

Explanation: in this context the immediate concern for the organization will be to communicate with the regulator about the nature of the breach, with the follow-up question being the nature of the access the threat actor has to the victim network. The DDoS element is less of a priority at this point because the initial response is focused on PII.

How does it integrate with models like the Kill Chain?

While F3EAD can be used alongside models such as the Cyber Kill Chain and MITRE ATT&CK, it should be noted that F3EAD is an operational cycle, not a model of the threat as those are. As such, F3EAD is useful for filling in elements of a wider threat modelling process, IF those elements have the strategic impact outlined in the previous section.

Having said that, F3EAD and the Kill Chain have been more closely integrated; shown below is Wilson Bautista's example integration of F3EAD and the Kill Chain:

Cyber Kill Chain and F3EAD

The F3EAD in more detail

| Phase | Description | Application Within a Response Context | Considerations |
|---|---|---|---|
| Find | What Sources and Agencies (SANDA) do I have? | | |
| Fix | same as above | | Where possible multiple SANDA should be used to create triangulation |
| Finish | same as above | | What effect are we trying to achieve with this operation? |
| Exploit | F3EAD is meant to be relentless and this phase is the focus point for this drive | | |
| Analyse | | | |
| Dissemination | | | |

Worked Example

Context: the organisation has suffered a data breach at the hands of a malicious actor. X number of HR records have been stolen and are now apparently on sale on various dark web forums. The organisation has initiated numerous strands of response, one of which is establishing whether that data is in fact for sale on the dark web, and by whom.

Intelligence Requirements (IRs):
The following IRs are stipulated for this case:

  • Which forums (if any) is the data available on?
  • What is the credibility of the actor selling the data?

Potential Execution:

| Phase | Activity | Notes | Hypothetical Result |
|---|---|---|---|
| Find | | | |
| Fix | | | |
| Finish | | | |
| Exploit | | | |
| Analyse | | | |
| Dissemination | | | |

Points to note about the above example

Operational speed and cycle stage: F3EAD is meant to be fast and responsive, so keeping track of which stage of the cycle an operation is in can be a challenge. As a suggestion, the first three stages (Find, Fix, Finish) are the most important ones to monitor for explicit transitions between stages; note that in the example above the Find and Fix stages are somewhat blurred. This is not uncommon, but it should be borne in mind for resource management within an F3EAD investigation.

Revising the requirements mid-cycle: during the Finish phase there is the option in this case to revise the intelligence requirements of the task. This reveals two separate ways that F3EAD can be managed, Rigid and Flexible, expanded in more detail below.

The obvious secondary question is whether to implement a Rigid or a Flexible approach to F3EAD; there is no one-size-fits-all answer. A general suggestion, however, is that the more F3EAD cycles are being run, the greater the chance of losing track of the objective of a cycle, especially in the high-pressure environment of crisis response. In that context a more Rigid approach to implementing F3EAD is suggested, whereas a Flexible approach works for operations with a single strand where the objective of the cycle is easily understood.

Graphical Decision Tree of Hypothetical Case

Analysis Techniques

Strategic Intelligence Analysis

In order to understand how to analyze information we must first understand the information hierarchy also known as the Data, Information, Knowledge, and Wisdom pyramid.

Pyramid

This pyramid is a graphical representation of how data is transformed into wisdom:

How does this look in an information security organization?

Pyramid

Intelligence and Cyber Security

“Cyber intelligence is the ability to gain knowledge about an enterprise and its existing conditions and capabilities in order to determine the possible actions of an adversary when exploiting inherent critical vulnerabilities. It uses multiple information security disciplines (threat intelligence, vulnerability management, security configuration management, incident response, and so on) and tool sets to gather information about the network through monitoring and reporting to provide decision makers at all levels to prioritize risk mitigation.”

Cyber Intelligence

Priority Information Requirements

Military commanders make decisions based on specific pieces of data that pertain to solving a specific question. Gathering that information for the commander is driven by Priority Information Requirements (PIRs). PIRs drive intelligence gathering operations by providing guidance on which information is most important to the commander, so that they can plan the next steps.

Good PIRs have three criteria:

  1. They ask only one question
  2. They focus on a specific fact, event, or activity
  3. They provide intelligence required to support a single decision

Military examples:

The same logic can be used within private organizations through Key Performance Indicators or Key Risk Indicators. Leaders have to provide targets and the means to measure them, in order to validate whether results fall within or outside defined thresholds. A top-down approach to defining the specific information to be derived from multiple security tools will fuel an organization's capability to prioritize and analyze information so that it is accurate, timely, and actionable.

Below are examples based on the first two Center for Internet Security (CIS) Controls:

  1. Do we have an inventory of authorized and unauthorized devices?
    • Tactical: Do we have a complete list of authorized devices?
      • Operational: How are we continuing to gather this list?
    • Tactical: Do we have the capability of identifying unauthorized devices?
      • Operational: Where are we finding these devices?
  2. Do we have an inventory of authorized and unauthorized software?
    • Tactical: Do we have a list of authorized software?
    • Tactical: What are our most critical applications?
      • Operational: Where are these located?
    • Tactical: How are we protecting these?
      • Operational: What security tools are in place to ensure that the information does not get compromised?
    • Tactical: Do we have a list of unauthorized software?
      • Operational: Where do the systems with this software exist?

The above scenarios provide multiple points of intelligence gathering, giving a holistic view of an organization's risk exposure and propensity to be exploited by adversaries.

DIKW Functions vlv1

The Defense Acquisition Guidebook (DAG), Chapter 7, provides guidance to Program Managers (PMs) on how to use intelligence information and data to ensure maximum warfighting capability at a minimum risk to cost and schedule.

“The ‘intelligence cycle’ is a process which forms the basis of operations in government organizations like the CIA and the NSA. It very broadly outlines the stages of developing raw information into finished intelligence for policy makers to use in decision making.”

The Intelligence Cycle

  1. Planning and Direction
    1. This category includes the receipt, identification, and prioritization of intelligence requirements; the development of concepts of intelligence operations and architectures; tasking appropriate intelligence elements for the collection of information or the production of finished intelligence; and submitting requests for collection, exploitation, or all-source production support to external, supporting intelligence entities.
  2. Collection
    1. Collection includes those activities related to the acquisition of data needed to satisfy specified requirements. This is managed by collection managers, whose duties include selecting the most-appropriate, available asset(s) and associated processing, exploitation, and dissemination (PED) and then tasking selected asset(s) and associated PED to conduct collection missions.
  3. Processing and Exploitation
    1. Data initially received from the sensor arrives in various forms, depending on the nature of the sensing device. Depending on the source, the raw input may be in the form of digitized data, unintelligible voice transmissions, or large digital files containing un-rectified images of the Earth. This collection output is converted by sensor-specific processing measures into visual, auditory, or textual information that is intelligible to humans, and can then be used by intelligence analysts and other consumers. The data conversion may be automated using algorithmic fusion, cuing, data analytics, and automated exploitation. Exploitation entails the further translation and contextualizing of information resulting from collection and initial processing into a product the planner, decision-maker, or intelligence analyst can assimilate cognitively.
  4. Analysis and Production
    1. During analysis and production, intelligence is produced from the information gathered by collection capabilities, and from the refinement and compilation of intelligence received from external organizations. All available processed information is integrated, evaluated, analyzed, and interpreted to create products that will satisfy requesters or users.
  5. Dissemination and Feedback
    1. This category involves the timely distribution of critical information and finished intelligence, readily accessible by the user, to the appropriate consumer. The movement toward a net-centric environment has reduced the technical challenges related to information dissemination. Nevertheless, intelligence infrastructure (such as intelligence networks, systems, and software) and intelligence resources
      1. The Right Format: Choose to present your intelligence in a format that your stakeholders can consume and understand. For example, you may not need to include everything you discovered for decision making, so work on summarizing information.
      2. The Right Hands: Intelligence can only be applied when made available to the correct people. Map types of intelligence not only to job titles, but to team responsibilities.
      3. The Right Time: Even the most relevant intelligence can be rendered useless if it’s out of date. This means you need to balance the time it will take to produce intelligence with any action that needs to be taken.
      4. The Right Medium: It’s not just what you communicate, but how. Choose communication methods that will reach your relevant stakeholders the most quickly and effectively.

ref:

  1. Practical Cyber Intelligence
  2. Intelligence Support and Acquisition
    https://www.dau.mil/guidebooks/Shared%20Documents%20HTML/Chapter%207%20Intelligence%20Support%20and%20Acquisition.aspx#toc35
  3. Applying Government Intelligence Strategies to Commercial Organizations
    https://www.recordedfuture.com/government-intelligence-cycle/

Technical Intelligence analysis

Technical intelligence needs to be accurate, timely, and actionable. Analysis methodologies are designed to provide better ways to operationalize technical data in support of security operations.

Intelligence at this level is focused mostly on indicators of compromise (IOCs) and signatures.[1]

The analysis phase of the threat intelligence lifecycle aims at evaluating, analyzing and interpreting the processed information against the program’s requirements (planning phase) to provide analytic judgments that determine confidence, relevance and threat impact of the collected data.

Direction, Collection, Processing, Analysis, Dissemination, Feedback (Review)

Collecting threat data is the first step in producing threat intelligence.

It is fundamental to highlight the difference between indicators and signatures, as well as the difference between atomic and composite indicators. A signature should be thought of as a fingerprint (something that carries high confidence), whereas indicators are not as precise and need to be further analyzed and contextualized to produce valuable information. By analyzing indicators we try to move from atomic indicators (a single piece of information, e.g. an IP address) to composite indicators (atomic pieces of information put together).

Composite information is much richer in content and can better support security operations.

The data collected is only as good as the use you make of it, and the analysis phase helps assess how relevant it is to your environment.

Moving from atomic to composite indicators to climb the pyramid of pain. [2]

Data preparation steps

Definition: data preparation is the process of (collecting), cleaning, and consolidating data into one file or data table, primarily for use in analysis.

  1. Data consolidation refers to the collection and integration of data from multiple sources into a single destination. During this process, different data sources are put together, or consolidated, into a single data store.

    Consolidation also adds context to the atomic data, creating pivot points for aggregation, correlation and visualization.

    Sources for network atomic indicator enrichment:

    • pDNS (A, AAAA, PTR... records)
    • AS
    • ASN
    • Geolocation data
    • BGP lookups …

    Enriched technical indicators' keys: see Standards: Atomic Network Indicators
  2. Data cleansing or data cleaning is the process of detecting and correcting (or removing) corrupt or inaccurate records from a record set, table, or database, and refers to identifying incomplete, incorrect, inaccurate or irrelevant parts of the data and then replacing, modifying, or deleting the dirty or coarse data. (wiki)

    In practice this means removing well-known indicators that are associated with false positives, errors or mistakes.

    • MISP offers a list of 31 sources (its warninglists) for data cleansing

External sources