Cyber Threat Intelligence: More Threat Than Intelligence?


This article proposes that commercial cyber intelligence products have multiple flaws which make it unreliable for use by the U.S. government, and that it falls upon the government to address those flaws in the following ways:

  1. Examine cyber threat intelligence for indicators of deception. 
  2. Differentiate between bad actors in an attack. 
  3. Invest in developing human assets who are in a position to corroborate or deny what the technical indicators present as possibilities. 
  4. Exclude other possibilities until one remains. 



“Hit anything that doesn’t look like a knife until it does.”(1)

The U.S. government has relied heavily upon the private sector for cyber threat intelligence since 2005 when a team at Northrup Grumman was giving classified briefings to the Air Force about a group of Chinese PLA hackers known by a variety of names like Comment Crew, APT1, and a classified moniker that has since been made public (2).

Back then and continuing through at least 2011, the conventional wisdom was that cyber threats fell into two buckets: Financial crime was attributed to Russian hackers and intellectual property theft was attributed to the Chinese government. There was no allowance made for mercenary hacker groups who we now know were active during that time frame (3), or from Russian criminals (Russian Business Network) operating from Chinese IP space in 2007, or for cyber espionage operations run by France or Israel (4). Threat intelligence generated during the “two buckets” era was shared with the FBI and other agencies, and the FBI at least didn’t (and still doesn’t) have the time or resources to vet the source of the intelligence.

To put it simply, there are four things missing from the overwhelming majority of cyber threat intelligence generated from the private sector; things which are fundamental to generating a reliable analytic product:

  • Deception
  • Differentiation
  • Corroboration
  • Exclusion

Deception

Conducting Military Deception (MILDEC) operations in cyberspace is already a priority for Russia’s FSB according to Taia Global contacts in the Russian blackhat community. The FSB regularly recruits blackhats for contract work, and one of the standing orders is to leave evidence pointing to an entirely different government as the perpetrator of the attack (5). This is relatively easy to do since 95% of threat intelligence is based upon technical indicators (6) such as:

  • Keyboard Layout
  • Malware Metadata
  • Embedded Fonts
  • DNS Registration
  • Language
  • Remote Administration Tool Configuration
  • Behavior

All seven of these indicators can be easily spoofed by a savvy attacker, which the FireEye report properly notes in the Introduction. Take the Keyboard Layout, for example:
“FireEye researchers have found that many aspects of malware campaigns have the earmarks of being typed on a Mandarin (GB2312) keyboard used in China. In a similar vein, North Korea’s KPS 9566 character set can help identify the campaigns that emanate from that region. This method of tracing the origins of an attack is not foolproof. In theory, a Russian national could employ a North Korean keyboard to disguise his or her identity and whereabouts, for example. (7)”
The problem with focusing solely on technical indicators is that the attacker controls all of them; therefore you see what the attacker wants you to see. Unfortunately there is little investment in recruiting human assets to corroborate signals intelligence when it comes to cyber attacks, so investigating agencies and the private sector are in the highly vulnerable position of letting the attacker control all of the evidence that they have to go on.

Differentiation

The responsibility for the Sony breach of November 2014 has been assigned to North Korea by the U.S. government. However, Taia Global researchers found that the native language of the attackers was most likely Russian, not Korean; that Russian hackers had breached Sony’s network, and still had access 60 days after the destruction of 80% of Sony Pictures Entertainment’s network (8).

Technical analysis of a network will fail to differentiate between multiple bad actors operating simultaneously. No one mentioned Russian hackers until Taia Global published its findings. That’s because the White House with input from the intelligence community decided within days of the attack that the responsible party was North Korea (9), and then went about finding ways to prove it, which is the antithesis of sound intelligence analysis. Differentiation cannot be done when the analytic process doesn’t allow for it. The fact is that none of the publicly available evidence provided by the FBI rules out other perpetrators as being responsible. The NSA’s classified evidence can’t be vetted however whatever that evidence is, it failed to disclose that Russian hackers were in the network at the same time as the North Koreans.

Corroboration

Cyber threat intelligence is primarily signals intelligence, however there are multiple examples of Signals Intelligence getting it wrong, such as the second Gulf of Tonkin attack, the lack of WMDs in Iraq, and the Yom Kippur war to name a few. There must be more of an effort made to acquire human assets such as blackhat hackers who can corroborate the evidence provided by technical indicators. Minus such corroboration, the degree of trustworthiness of intelligence gained through signals intelligence alone is highly suspect.

Exclusion

How does an investigating agency rule out other suspects in a computer network attack? It must have the ability to differentiate between hacker groups and/or nation states, which is extremely difficult without consulting human assets who were either involved themselves or know someone who was. Yet, the ability to exclude other parties from a finding of responsibility is a necessary part of generating reliable threat intelligence. More resources should be provided to the Central Intelligence Agency to fulfill this part of their mission even if that means cutting the NSA’s share of the budget to make that happen.

The Private Sector

“Must be nice to be a Threat Intelligence company.”
“Can anyone disprove this?”
“No”
“Run with it. (10)”

Cyber threat data and cyber intelligence reports are generated by the private sector and provided to the FBI and other government agencies on a frequent basis. This wouldn’t be a problem if the FBI has the resources and the manpower to vet the intelligence before adding it to their database however they don’t have those resources. They rely heavily on the private sector’s cooperation precisely because their own resources are limited.

The private sector isn’t trained to do intelligence collection and analysis, nor do they have any oversight or suffer any consequences for bad practices or mis-attribution.

There are numerous reasons why government agencies should question the quality and value of intelligence generated by the private sector.

It has no skin in the game.

If the private sector is wrong about attribution for any given attack, there are no consequences. They just move on to the next report.

They are profit-driven.

Private threat intelligence companies generate intelligence as a sellable product. For many years, blaming an attack on China was guaranteed to get them a mention in the New York Times or the Wall Street Journal, which in turn brought in new customers. Blaming an attack on Romania might merit an article in an industry blog like Dark Reading, which wasn’t nearly as desirable.

They’ll never have an “intelligence failure”.

The U.S. Intelligence Community has suffered many intelligence failures, and for the bigger ones it usually results in the forming of a commission and a subsequent report with recommendations on how to avoid another failure. While this is embarrassing for the agencies involved, it has the important benefit of improving their sources and methods for collection and analysis. The private sector will never have that experience, therefore they can run with whatever evidence they want in a way that will maximize profits for their stockholders.

Conclusion

The U.S. government is overly dependent upon the private sector for cyber intelligence and needs to make investments to off-set this dependence.

The U.S. government should receive attack data from the private sector solely as raw information that requires vetting and all-source analysis. It should never take private sector intelligence reports at face value without fully examining the evidence and watching for a plethora of cognitive biases including the all-too-prevalent confirmation bias.

NOTES:

1) Spijk Selby quoting Jacob Maheu, “Horseshoe Knives”, December 28, 2013: http://rockyhillforge.com/2013/12/28/horseshoe-knives/

2) Private correspondence between the author and a former Northrup Grumman employee whose team generated the intelligence and gave those briefings between 2005-2008.

3) Su Bin criminal complaint: http://online.wsj.com/public/resources/documents/chinahackcomplaint0711.pdf

4) “The Report to Congress on Foreign Economic Collection and Industrial Espionage”, p. B2: http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf

5) Private IM chat between the author and Russian hacker Yama Tough.

6) “Digital Bread Crumbs: Seven Clues To Identifying Who’s Behind Advanced Cyber Attacks”, A FireEye White Paper

7) Ibid., p.4

8) “New Evidence Shows Russian Hackers Have Access To Sony’s Network”, The Taia Global blog, February 4th, 2015: https://taia.global/2015/02/new-evidence-shows-russian-hackers-have-access-to-sonys-network/

9) “New Agency To Sniff Out Threats In Cyberspace” by Ellen Nakashima, The Washington Post, 10 Feb 2015: http://www.washingtonpost.com/world/national-security/white-house-to-create-national-center-to-counter-cyberspace-intrusions/2015/02/09/a312201e-afd0-11e4-827f-93f454140e2b_story.html

10) Tweet by Steve Tornio on Feb 10, 2015: https://twitter.com/steve_tornio/status/565158646628499458

Comments