Cyber Intelligence as an enabler of cybersecurity
We constantly hear about the risks we are exposed to in cyberspace and the growing importance of cybersecurity, news that is reinforced by a steady stream of incidents (hacking, information leakage, identity theft and other attacks).
In this new context of advanced cyberthreats, involving criminal and hacktivist groups with political and economic motivations, having a Cyber Intelligence strategy becomes key to strengthening information security.
The aim of this article is to briefly describe the risk context our organizations are exposed to, explain what Cyber Intelligence is, and describe its role as an enabler of cybersecurity.
We start by recalling that information security is about risk management, and that risk is defined as the probability that a threat exploits a vulnerability, causing an impact on the organization. If there is no threat there is no risk; if there are no vulnerabilities there is no risk either, even though threats exist; and even if both threats and vulnerabilities exist, there is no risk if there is no impact.
Today's attack strategies are more complex and longer-term, using multiple structured steps known as the life cycle of an attack, which can be summarized as follows:
- Preparation. Covers identifying and selecting the target, collecting all possible information about the victim, and creating or acquiring an arsenal of cyber weapons.
- Gaining access. Delivering the cyber weapons by various means, the three most common being email (spear phishing), infected websites and USB devices, to exploit vulnerabilities in the victim's systems and evade the security controls in place.
- Establishing persistence. Attackers seek to consolidate and expand their presence and control in the victim's network, performing network reconnaissance, lateral movement and theft of administrator credentials.
- Execution of actions. Covers selecting and collecting the information sought, in order to extract it (exfiltration).
- Removing traces. Once its objectives are achieved, the intruder seeks to eliminate all traces and evidence that could reveal the actions taken and its tactics, techniques and procedures.
Figure: Life cycle stages of an advanced attack
Today it is clear that the old paradigm of simply protecting networks and systems is not enough; we must focus our efforts on protecting, detecting and acting. We must plan our strategy and actions on the premise that our network will be compromised, or even that it has already been compromised. This is where Cyber Intelligence begins to become a vital enabler of cybersecurity.
What is Cyber Intelligence?
Cyber Intelligence is the acquisition and analysis of data to identify, track, predict and counter the capabilities, intentions and activities of cyber actors (attackers), and to offer courses of action based on the particular context of the organization, in order to improve decision making.
The diagram below shows the concept of Cyber Intelligence in general terms.
Figure: Schematic representation of the concept of Cyber Intelligence
The general process followed to generate Cyber Intelligence consists of five steps:
- Identification of the objective or mission. Determine what we want to find out, or which question or hypothesis we want to answer.
- Collection of information. Define the sources of information to be used; they can be internal or external, open or private, manual or automatic.
- Analysis. Preparation and analysis of the information, using various techniques and visual tools.
- Identification of findings. Find the elements that are relevant and help confirm or reject the hypotheses, or help answer the questions set out in the first step.
- Dissemination. Convey the findings and proposed courses of action to the interested parties.
There are many intelligence-gathering disciplines; the most relevant are listed below, with a brief explanation of how each applies in the context of cybersecurity:
- OSINT (Open Source Intelligence). Intelligence from information that is public and open; the main source is the Internet.
- SIGINT (Signals Intelligence). Intelligence from the interception of signals. In this context it usually translates into intelligence acquired through decoy networks, technically known as honeynets or honeygrids.
- GEOINT (Geospatial Intelligence). Intelligence obtained through geolocation; in this case the most important sources are mobile devices and applications.
- HUMINT (Human Intelligence). Intelligence acquired by individuals. In the context of cybersecurity it is used as vHUMINT, that is, virtual entities that obtain information through their interaction with others on social networks and electronic communication channels.
How does Cyber Intelligence help cybersecurity?
Cyber Intelligence can support cybersecurity in each stage of the attack life cycle:
In the preparation stage of the attack, Cyber Intelligence supports research on open sources and monitoring of the Deep Web, Dark Web, IRC channels, etc., to detect campaigns that may be being orchestrated against the organization, to learn about new threats, and to identify any information that allows a possible attack to be anticipated.
In the stages of gaining access and establishing persistence, one of the areas of Cyber Intelligence known as Cyber Threat Intelligence comes into play. It is defined as knowledge about adversaries and their motivations, intentions and methods that is collected, analyzed and disseminated in ways that help security and business personnel protect the critical assets of the organization.
This means monitoring and analyzing malware, identifying potential attack vectors, identifying the attackers' TTPs (tactics, techniques and procedures), monitoring botnet activity, etc., either by the organization's own means or by receiving external intelligence feeds.
Another line of work is forensic Cyber Intelligence, based on artifacts and the correlation of vectors from previous attacks.
In the stages of executing actions and removing traces, Cyber Intelligence complements the defense through active monitoring of the Deep Web and Dark Web, to identify when information owned by the organization is put up for sale or made public in a non-legitimate way.
A very important activity that supports all stages is establishing a collaboration strategy with various entities to complement the Cyber Intelligence strategy, in order to exchange intelligence on security threats and strengthen each other's protection, detection and response capabilities; that is, to strengthen the capacity to analyze and monitor threats and incidents, improve decision making, accelerate the implementation of response and remediation actions, and improve situational awareness.
The entities to seek this type of collaboration with are those which, by their nature, carry out an ongoing assessment of the various threats and have cyberthreat intelligence centers or cyber response centers, with either local or international coverage, for example:
- Government CERTs. Centers embedded in government entities (e.g. in Mexico, CERT-MX, of the Scientific Division of the Federal Police of the National Commission on Security, and UNAM-CERT) whose mandate is to identify and protect a service sector or group of people, and which should share information that enables them to investigate the various criminal networks operating in the country.
- Private CERTs. Centers accredited, commonly by FIRST (Forum for Incident Response and Security Teams) or CREST (Council of Registered Ethical Security Testers), to perform these functions, with the aim of providing their customers with protection and incident response mechanisms. These customers explicitly allow their information to be analyzed and shared in order to contain the effects of attacks and threats.
- Security technology manufacturers. Entities which, by the nature of the functionalities built into their equipment or the services they offer to their customers, analyze attack vectors and identify malware and infected PCs, in order to include them in their blacklisting or good-behavior protection schemes. These manufacturers have requested the express permission of their licensees to share information about their behavior and status, within the scope of information that the ecosystem requires to be shared.
By implementing a cybersecurity strategy you can obtain the following benefits:
- Give managers a view of the real cyber risks to the business and greater visibility into threats, achieving better context and situational awareness.
- Improve decisions on the use of the security budget, investing strategically to maximize the cost-benefit ratio.
- Improve the CISO's communication with senior executives, as it links technical and operational issues with critical and strategic business elements.
- Respond faster, since analyzing attacks and having the relevant information allows you to create rules that increase the effectiveness of blocking technologies, and to investigate (hunt) and remedy any gaps.
- Complement the information received by SIEM (Security Information and Event Management) platforms, for greater accuracy, identifying patterns associated with attacks more nimbly and eliminating false positives.
- Filter what is relevant, because currently a great many alerts are received (warnings about vulnerabilities and patches, reports about malware and DDoS attacks, etc.), and better prioritize patching.
- Focus on the attacks most likely to occur for an organization and determine which alerts are the most important to address.
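As an added illustration of the SIEM-enrichment and relevance-filtering benefits above (example code, not from the original article), the following Python snippet matches a constructed intelligence feed against constructed log lines, suppresses allowlisted assets and low-confidence indicators, and orders the resulting alerts by confidence; every indicator value, log line and field name is invented for the example.

```python
import re

# Constructed threat-intel feed (invented values, not real indicators). Each entry
# carries the confidence assigned by its source and a tag describing the threat.
INTEL_FEED = [
    {"value": "198.51.100.23", "confidence": 90, "tag": "C2"},
    {"value": "update-check.example", "confidence": 60, "tag": "phishing"},
    {"value": "203.0.113.7", "confidence": 35, "tag": "scanner"},
]

# Constructed allowlist: assets known to be benign in this organization's context
# (e.g. a contracted scanner). Applying local context is what keeps false positives down.
ALLOWLIST = {"203.0.113.7"}

# Constructed SIEM-style log lines (firewall and proxy events).
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z fw allow src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2024-03-01T10:00:05Z proxy user=alice host=update-check.example path=/login",
    "2024-03-01T10:00:09Z fw allow src=203.0.113.7 dst=10.0.0.22 dport=22",
    "2024-03-01T10:00:12Z proxy user=bob host=intranet.corp.local path=/",
]

# Only the src/dst/host fields are checked, so an indicator string that happens to
# appear elsewhere in the line (e.g. in a URL path) does not raise an alert.
FIELD_RE = re.compile(r"\b(?:src|dst|host)=(\S+)")

def build_index(feed):
    """Map indicator value -> feed entry for constant-time lookups while scanning."""
    return {entry["value"]: entry for entry in feed}

def match_line(line, index, allowlist, min_confidence=50):
    """Return the first feed entry that matches the line, or None.
    Allowlisted values and indicators below min_confidence are suppressed."""
    for value in FIELD_RE.findall(line):
        entry = index.get(value)
        if entry is None or value in allowlist or entry["confidence"] < min_confidence:
            continue
        return entry
    return None

def prioritize(logs, feed, allowlist, min_confidence=50):
    """Scan the logs and return alerts ordered by indicator confidence, highest first."""
    index = build_index(feed)
    alerts = []
    for line in logs:
        entry = match_line(line, index, allowlist, min_confidence)
        if entry:
            alerts.append({"line": line, "tag": entry["tag"], "confidence": entry["confidence"]})
    return sorted(alerts, key=lambda a: a["confidence"], reverse=True)
```

Raising `min_confidence` or extending the allowlist is how the analyst tunes the rule against the organization's own context rather than accepting every feed entry at face value.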
In the new context of advanced cyberthreats, having a Cyber Intelligence strategy is one of the most critical elements for addressing them. This Cyber Intelligence must be properly articulated with the daily activities of information security and should be an integral part of any cybersecurity strategy.