Building a Cyber Threat Intelligence Capability from Scratch – Part III: Developing Self-Discovery

Introduction

Welcome back to part three of our four-part series on building a Cyber Threat Intelligence (CTI) capability from scratch. This article will discuss how you must understand your own business environment in order to determine the types of threats that are likely to target you. If you missed Part 1 or 2, you can read them below first in order to catch up.

Know Thy Self

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

― Sun Tzu, The Art of War

The above quote could not ring any truer in its applicability to cyber threat intelligence. By understanding your own environment, you can understand the types of threat actors that are likely to target you. By understanding the threat actors, you can understand their motivations, their tactics and their campaigns, and therefore discover ways to defeat them. This discipline of information gathering has played out in all forms of combat throughout history, and it is how militaries and intelligence services have gained the advantage since the dawn of time. It is puzzling, then, that so many businesses do not operate in the same way when it comes to the cyber threats against them, because when you hold and can utilise this intelligence, you load the scales very much in your favour in the defensive cyber battle. This is what we will focus on today: how you can begin this analytical self-discovery process.

In terms of our scenario from the previous articles, we have now outlined a team to begin our threat intelligence capability, but we now need to understand our own business environment. You are probably asking yourself, “How do I even start?” You could fall into the trap of gathering as many intelligence feeds as possible to cover every angle, but you will soon become overwhelmed. Instead, you remember the intelligence-led approach referenced in the first article and decide to begin mapping out your environment.

1. My Assets

When someone explains the process it can seem so simple that you ask yourself, “Why didn’t I think of that?” Essentially, you must understand what you are defending and therefore what is critical to your business operations. Mapping your own environment determines what the attractive targets are for a threat actor. This boils down to knowing every one of your systems, endpoints, devices, applications, software, people and data, and prioritising them by how critical they are to business operations. In other words, this is your Asset Register. Below is an example of an Asset Register and the type of data it can contain. It will be extensive, and keeping it current and effective will require a lot of effort and maintenance; used correctly, however, it is a very powerful tool for a business. On a security note, this document itself must be highly classified and protected: imagine if this data were leaked or made available to the wrong individuals. It would be similar to a military commander handing his opposition a list of all of his units, their locations, strengths and weaknesses.

[Image: example Asset Register]

Once you have a complete asset inventory, you can prioritise it and determine, in IT terms, your business's Crown Jewels (the critical assets of the business, i.e. intellectual property, credit card information, domain controllers, etc.), enabling you to assign resources to protect them. A company that tries to defend everything ultimately defends nothing. You cannot protect everything, and therefore you must assign the most resources to your highest-priority items. Crown Jewel Analysis (CJA) is far more extensive than what I am portraying here; simply marking your highest-priority items is only the first step in CJA. The image below outlines the overall process, and more information can be found by clicking on it.

[Image: Crown Jewel Analysis process overview]

In terms of CTI, now that we have this asset information we can begin analysing which threat actors would potentially be interested in these assets, how they could attempt to exploit them, and any vulnerabilities associated with them. For example, if we are a pharmaceutical company that has developed a new drug that will revolutionise the market, we would definitely want to protect this intellectual property and any server, person and contractor that has access to it. Or, if we were an organisation dealing with people's medical records, we would make the confidentiality of patient data our top resourcing priority. By understanding this about our business, we can try to discover which threat actors target this type of asset. This will be explained in more detail next week, but essentially we have tools available to map the Tactics, Techniques and Procedures (TTPs) of threat actors. One very good tool is the MITRE ATT&CK Framework. The model can be used to document and track the techniques attackers use throughout the different stages of a cyber attack to infiltrate a network, and their actions once on their objective. By understanding these tactics we can map them to the defences we currently have in place.

[Image: MITRE ATT&CK Framework]

So, in terms of our scenario, we head out to ask the IT team for an up-to-date network map, an Asset Register and to interview all the different teams of the business to determine what they consider their personal business area crown jewels (not everyone will have the same opinion).
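As an added example (this is not code from the original article or a tool its author describes), the script below carries the Crown Jewel idea one step further than the text: an asset that a jewel sits on, or that gives access to it, inherits the jewel's criticality, so the "hidden" servers, access paths and contractors that must be pulled into scope fall out of the register automatically. All asset names, the 1 to 5 criticality scale and the `depends_on` links are constructed assumptions.

```python
# Added example, not code from the original article: a minimal asset register in
# which Crown Jewel criticality is propagated to every asset that could be used to
# reach the jewel. All asset names, scores and links below are constructed.

# Constructed register. "depends_on" lists the assets whose compromise would expose
# this asset (host, access path, identity provider), i.e. a route an attacker could take.
ASSET_REGISTER = {
    "drug-formula-repo": {"type": "data",   "criticality": 5, "depends_on": ["git-server", "lab-fileshare"]},
    "git-server":        {"type": "server", "criticality": 3, "depends_on": ["domain-controller", "backup-nas"]},
    "lab-fileshare":     {"type": "server", "criticality": 2, "depends_on": ["domain-controller", "contractor-vpn"]},
    "domain-controller": {"type": "server", "criticality": 4, "depends_on": []},
    "backup-nas":        {"type": "server", "criticality": 2, "depends_on": []},
    "contractor-vpn":    {"type": "access", "criticality": 2, "depends_on": []},
    "marketing-website": {"type": "server", "criticality": 2, "depends_on": []},
}
CROWN_JEWEL_THRESHOLD = 5  # assumed scale: 1 (low) to 5 (business-critical)


def crown_jewels(register, threshold=CROWN_JEWEL_THRESHOLD):
    """Assets the business itself rates as Crown Jewels."""
    return sorted(n for n, a in register.items() if a["criticality"] >= threshold)


def effective_criticality(register):
    """Each asset inherits the criticality of the most critical asset that depends on it,
    transitively, so the supporting infrastructure of a jewel is rated like the jewel.
    Iterates to a fixed point, so dependency cycles are handled without recursion."""
    eff = {n: a["criticality"] for n, a in register.items()}
    changed = True
    while changed:
        changed = False
        for name, asset in register.items():
            for dep in asset["depends_on"]:
                if eff[dep] < eff[name]:
                    eff[dep] = eff[name]
                    changed = True
    return eff


def hidden_dependencies(register):
    """Assets whose inherited rating exceeds what the register records: these are the
    servers, access paths and contractors the Crown Jewel Analysis must pull into scope."""
    eff = effective_criticality(register)
    return sorted((n, register[n]["criticality"], eff[n])
                  for n in register if eff[n] > register[n]["criticality"])


if __name__ == "__main__":
    print("Crown Jewels:", crown_jewels(ASSET_REGISTER))
    for name, declared, inherited in hidden_dependencies(ASSET_REGISTER):
        print(f"{name:18} declared {declared} -> inherited {inherited}")
```

In the constructed data only the formula repository is declared a jewel, yet five further assets (including the low-rated contractor VPN) end up rated 5, while the marketing website is untouched; those five are where the CJA resourcing discussion should start.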

Output

- A current and up-to-date Asset Register

- Crown Jewel Analysis

2. My Business

Hopefully, we now have our asset inventory baseline, have prioritised our most critical assets and have started to assign security resources to them. These security resources could take the form of people (e.g. a monitoring analyst), security devices (e.g. host intrusion detection or anti-malware software) or procedures (e.g. security playbooks or Disaster Recovery Plans). We now must combine this data with an understanding of how the business operates at a tactical and strategic level, and align our security practices accordingly. CTI is pointless if you do not align it to the business strategy and its day-to-day operations. For example, without understanding what markets the company operates in, its competitors or its customers, you cannot customise the intelligence plan to fit the bespoke threats. Understanding how much risk a business is willing to take and how highly it prioritises security is also essential in delivering an intelligence capability whose purpose is to enable more effective business decision-making.

So, to aid in this, we have a few analytical tools that a CTI team can use to build an overall picture and understanding of a business. These tools help focus analysis, aid in avoiding the effects of cognitive bias and help deliver a comprehensive overview of a chosen target. In our scenario, you decide to use the Environmental Scanning tools below to understand the business; they can subsequently be used when attempting to discover potential threat actors as well.

To look inward at your own business and develop an understanding of its strengths and weaknesses, we can combine several scanning methodologies. Here we will use two well-known models, MIST and SWOT, and one I created for this purpose called TEAMCOPPERS. These three models will help your CTI team understand the business, highlight potential avenues of exploitation open to attackers and show where the security gaps may exist. This is not an isolated process: it will require you to visit each department to understand their own issues. You could, for example, apply MIST, SWOT and TEAMCOPPERS to different areas of the business and then combine the results into one overall analytical model, because each department and manager will have a different perspective on each model. By the end of it, you will hopefully understand your strengths, have discovered gaps in your own defensive posture, and understand why your business operates in a certain way and how it currently responds to threats. This will help with the next phase, which is understanding who is likely to target you.

MIST: MIST is a top-level analytical tool used to identify and examine elements of a group’s aims, objectives, motivations and methods. You can use this model on your own business to gain an overarching understanding of how it operates. Once you have discovered and fully answered each segment, you can conduct further in-depth analysis of the different points raised, how they impact the business and how it will likely react to certain scenarios.

MIST is designed to offer insights at all levels without going into explicit detail, providing start points and guidance for further exploitation and analysis. MIST works well in conjunction with similar techniques such as SWOT, covered next, and Centre of Gravity analysis (not covered in this article).

[Image: MIST model]

SWOT: SWOT analysis can be used to understand a business or a threat actor by analysing their respective strengths, weaknesses, the opportunities open to them and the threats against them. It is recommended to use MIST and SWOT together. Whilst MIST provides high-level data on how a business operates, SWOT delves into how it operates in much more detail. It also begins the process of understanding the types of threats the business could be open to, which leads into threat actor analysis.

[Image: SWOT model]

TEAMCOPPERS: TEAMCOPPERS is designed to be employed against your own business, a client or even a threat actor to build a tactical understanding of their capabilities, their likely ability to respond and remain resilient to attacks, and where the likely vulnerabilities lie. It looks in much more depth than MIST or SWOT, and it is recommended that you complete those first, as they provide the overarching points that TEAMCOPPERS can then break down. It is straightforward to use and works very well in combination with the Three Column Analysis Model outlined below, applied to the points drawn out by TEAMCOPPERS.

[Image: TEAMCOPPERS model]

Three Column Analysis Model

Using these analytical tools will no doubt generate questions that need to be captured and analysed further. A good method to capture these additional factors and the subsequent analysis is the Three Column Format model. For example, in TEAMCOPPERS a current event could be that the company is coming under continued spear-phishing attacks, which threatens the security of the critical assets if someone clicks on a malicious attachment. The Three Column Format can be used to conduct a deep-dive analysis of this activity instead of cluttering the TEAMCOPPERS model. An additional example is provided below, but essentially the model ensures that whenever an analyst develops a hypothesis or question, they ask “So what?” of that factor. This promotes further analysis, and the subsequent outputs can be captured here and fed into future intelligence products. It is also a good way for analysts to track their work and to show their thought process, proving they have covered every angle in their analysis.

[Image: Three Column Format example]

Outputs:

- MIST analysis

- SWOT analysis

- TEAMCOPPERS analysis

- Three Column Format analysis

Used together (conducted simultaneously and cross-referenced), these techniques can provide useful insights into a group across a range of activities and aims. If used to analyse several groups operating in the same area, they can also identify where aims and objectives are shared or opposed between groups. This can then inform other analytical techniques such as Link Analysis and aid in developing targeting strategies. These models can, of course, be flipped and used for threat actor analysis as well.

Conclusion

If you use these tools correctly, with skilled analysts, you will build up a fairly comprehensive overview of your business. There are also many more analytical models that I have not mentioned, which will be explained in later articles. By developing a system to capture your assets and a process to maintain its integrity, you will have a very powerful tool that can be used to develop your own security and intelligence strategy and align your available resources to your most critical assets. By highlighting all your assets, you can then research their weaknesses and associated vulnerabilities, which is the beginning of a Vulnerability Management plan. With this information, you next need to research who would be interested in your assets and why. This is what we will focus on in the next article, where we will aim to bring all of these processes together to finally formalise our CTI capability into a working programme.

*Special thanks go to the many UK CTI specialists whom I have had the pleasure over the last 12 months meeting and working with who have helped shape these ideas and provided inspiration.

If you have any questions or require any assistance regarding your own cyber security issues, please call us on 01273 060080, email us at [email protected] or visit our website at Crucial Academy
