ASSESSMENT: Corporate Threat Intelligence Versus Actual Intelligence Products
Threat intelligence is the new hotness in the field of information security and there are many players who want your money to give you their interpretation of it. Crowdstrike, Mandiant, and a host of others all offer what they call threat intelligence but what is it really in the end that the customer gets when they receive a report? Too often what I am seeing is reports based on suppositions and little critical thinking rather than the traditional raison dartre of a threat intelligence report on actors that may have an interest in your environment. A case in point is the report from HP that was conveniently released right in time for this years RSA conference in San Francisco.
This report on the Iranian cyber threat was hard to read due to the lack of real product or knowledge thereof that would have made this report useful to anyone seeking true threat intelligence on an actor that may have interests in them. With a long winded assortment of Googling as Open Source Intelligence, this report makes assumptions on state actors motivations as well as non state actors who may, or may not, be acting on behalf of the Basij or the Iranian government altogether. While the use of Google and OSINT is indeed a valid way of gathering said intelligence, intelligence is not “intelligence” until proper analysis is carried out on it. This was one of the primary problems with the HP report, the analysis was lacking as was the use of an intelligence analyst who knew what they were doing.
Clients and Products:
When carrying out any kind of intelligence gathering and analysis you must first have a client for the product. In the intelligence game you have “products” that “clients” consume and in the case of the HP report on Iranian actors it is unclear as to whom the client is to be here. There are no direct ties to any one sector or actor for the intelligence to have any true “threat matrix” meaning and thus this report is of no real use. These are fairly important factors when generating an analysis of a threat actor and the threat vectors that may affect them when creating a report that should be tailored to the client paying for it. Of course the factors of threat actors and vectors of attack can be general at times and I assume that the HP analyst was trying to use this rather wide open interpretation to sell a report as a means to an end to sell HP services in the near future. I am also willing to bet that this report was a deliberate drop for RSAC and they had a kiosk somewhere where they were hawking their new “Threat Intelligence” services to anyone who might want to pay for them.
In the case of this threat intelligence report ask yourself just who the client is here. Who is indeed really under threat by the alleged Iranian hackers that are listed. What sectors of industry are we talking about and who are their primary targets of choice thus far? In the case of Iran there has been also a great deal of supposition as to these actors and their motives. The report makes allusions to state actor intentions but only lists known Iranian hacker groups that may or may not have affiliations with the government. The same can be said for their TTP’s and other alleged data within the report. The important bit about threat intelligence in the world of information security is that you need hard data to model the threats and the actors for your specific company and this report generates none of this. This fact makes the report not really threat intelligence at all, not in the aspect of either true intelligence nor corporate intelligence.
The collection of intelligence is an arduous process that should be carried out by trained individuals. There are so many pitfalls that can happen to an untrained analyst that could make the product of the report bias or useless in the end and these things should be avoided. In the case of corporate intelligence reporting and threat intelligence the same is true. Just carrying out some OSINT on some individuals and outputting what you find by stringing together assumptions is not a valid way of carrying out intelligence reporting nor is it the correct way to gather intelligence. The collection of intelligence in the information security spectrum should also include direct data on telemetry and known instances of attack against the organization in question to determine if they are in fact subject to the interests of the threat actor such as Iran or SEA. The HP report lacks this context and thus is not much more than some suppositions about how you might be under threat from an amorphous threat actor, and thus is little more than FUD.
If you are going to collect intelligence I suggest that you get trained individuals to start or if you are interested in the subject yourself you can easily locate materials online to read on how to do so properly and avoid the common pitfalls like bias and group think. Intelligence collection is comprised of many facets. You need to be collecting information from a vast array of sources and methods before you attempt to analyze it and create any kind of cogent reporting for a client. In the case of the HP report you only have histrionic data from news reports and light analysis of websites owned by alleged hackers or state actors. True collection though for a client would also include detailed data or knowledge of their business, their technical measures, and their history to create a cogent picture of their business and the threats that they may face from the actors out there who may have interest in them. The HP report lacks this and that is unfortunate.
The analysis of intelligence is as I said above, a learned skill that must be honed in order to perform it correctly. Analysis in and of itself takes all of the data out there and generates a report on the entirety of the data for an against, positive and negative. Anything short of this kind of holistic analysis of information in a report of this kind only serves to mislead the client and usually be quite incorrect. An example of this would be the White House Iraq Group’s (WHIG) assessment of Iraq’s WMD’s and intentions pre Gulf War II. In this case however it was even worse because the intelligence was fit to the political desire of the administration and thus was not really analysis nor intelligence product. In the case of the HP report there is a narrow swath of data that was alleged to be collected (presented in footnotes or screen shots) in addition to snippets of news media as intelligence.
To analyze intelligence one must first have proficiency in the disciplines of intelligence gathering, analysis, and the particular subject matter. In the case of the HP report, there is a lack of comprehension of the politics of Iran which might be drivers for the alleged hackers or state actors. There is also a lack of rigorous interrogation of the data presented as intelligence to test whether or not there may be a disinformation campaign or deception operations at play as well. Put simply, the analyst for HP did not take into account that this is in fact a nation state and that they may in fact be leading such analysts down the primrose path to obfuscate the real actors. This was not even considered in the report and just paints the alleged hacker groups as more than likely linked to nation state activities. This is poor analysis even if there may be some truth to it, but without a rigorous investigation and questioning there can be no real solid assumptions made. The net net here is that analysis of intelligence is not just looking at websites and making assumptions.
Reporting intelligence is a key part to the overall process within all types of intelligence activities. A report as stated above, must have a client and in the case of the HP report I would once again ask who is the client here? What type of business should be worried that they may fall into the targeting of the nation state of Iran or these Iranian hackers? What sectors of business should be more worried than others here? In the case of the HP report I suspect there was no real client here but it should never be forgotten why one is carrying out the intelligence cycle and just who your client is in order to tailor the report so they can use the information in a productive way. Form and formats change but the aegis of the report is to apprise your client of the five W’s (Who, What, Why, Where, and When) and should be paramount in your efforts at collection and reporting of any kind of intelligence.
My analysis here is this; “Buyer beware” Threat Intelligence may be all the rage out there as services go but really think about what you are getting as product. Ask yourselves just what you are looking for when you consider buying into threat intelligence services and how you may be getting it. If you are looking to see what your current threats are your analyst should be asking you to provide intelligence on you first in order to see who might be attacking you. The technical means of log analysis and telemetry is an integral part of the process here for threat intel for corporate bodies and should never not be a part of the process. Any other reporting on threat actors without defined and direct matrices to your org is nothing more than news reports on possible terrorists who may or may not be attacking in the near future somewhere near you. This is not threat intelligence nor is it giving you a true picture of the threats you may face.