Cyber Threat Intelligence Course Development Mike Sterrett CYBR 624 University of Maryland Baltimore Campus Shady Grove


Cyber Threat Intelligence Course Development

Mike Sterrett

CYBR 624

University of Maryland Baltimore Campus

Shady Grove


Table of Contents (page numbers in parentheses)

Chapter 1: Introduction (3)
  Background of the Problem (3)
  Statement of the Problem (3)
  Purpose of the Study (3)
  Research Question (4)
  Importance of the Study (4)
  Scope of the Study (4)
  Definition and Terms (4)
  Limitations (7)

Chapter 2: Review of Literature (8)
  Intelligence Led Security (8)
  The Intelligence Cycle (9)
  Planning and Direction (10)
  Collection (11)
  Analysis (12)
  Cyber Kill Chain (13)
  Diamond Model of Intrusion Analysis (14)
  Combined Kill Chain and Diamond Model (15)
  Dissemination (16)
  Information Sharing (16)
  Tools and Standards for CTI (17)

Chapter 3: Research Methods (18)
  Verification (18)
  Pilot Study Results (18)

Chapter 4: Research Findings (19)
  Proficiency in the Cyber Environment (19)
  Understand and Explain the Role and Value of CTI (19)
  Understand the Intelligence Cycle (20)
  Understand How to Determine Intelligence Collection Requirements (21)
  Clearly Articulate Findings in Briefings and Papers (21)
  Graphically Display Complex Cyber Intrusions and Attacks (21)
  Produce CTI Products that Inform and Drive Network Defense Plans (22)
  Understand the Different Sources of Data; Both Internal and External (22)
  Generate CTI from Their Own Data Sources (23)
  Conduct Open Source Intelligence (OSINT) (23)
  Understand How to Process Data into a Format That a CTI Analyst Can Understand and Use (23)
  Analyze Successful and Unsuccessful Intrusions (24)
  Develop Profiles of Campaigns, Actors, and Organizations (24)
  Apply Critical Thinking and Structured Analytic Techniques (24)
  Conduct Link Analysis (24)
  Understand and Apply the Cyber Kill Chain (25)
  Understand and Apply the Diamond Model of Intrusion Analysis (25)
  Produce an Adversary Specific Playbook (25)
  Manage CTI to Support Objectives of Their Organizations (25)
  Course Syllabus (26)
  Course Curriculum (27)

Chapter 5: Conclusions and Suggestions for Future Research (29)
  Summary (29)
  Conclusions (29)
  Suggestions for Future Research (30)

Bibliography (31)


Chapter 1: Introduction

Background of the Problem

In order to defeat Advanced Persistent Threats (APT) and other modern threats, organizations must transition from the traditional perimeter defense model to the Cyber Threat Intelligence (CTI) model. CTI provides end-to-end understanding of the adversary kill chain, from reconnaissance to the attack itself. The better network defenders understand how the adversary operates, the more opportunities they have to deny, degrade, disrupt, and even prevent the attack. CTI leads to the development of an intelligence-driven network defense, so that instead of focusing on broad defensive measures, defenders can proactively prioritize network defense resources to protect the most critical assets from the most likely attack. It challenges the traditional mindset that response should occur after the compromise and informs network defenders through actionable intelligence. CTI is created and operationalized by combining traditional analytic tradecraft from the intelligence community (IC) with standard cybersecurity practices.

Statement of the Problem

There is a lack of trained CTI analysts. Many vendors are marketing products and services that claim to be intelligence; however, most of these products and services provide information. Information does not become intelligence until it is analyzed and put into context by an analyst. Despite growing interest and varying levels of implementation of CTI, most academic institutions do not offer courses on CTI. SANS Technology Institute offers an excellent week-long class on CTI; however, the focus of the SANS course is on current cyber security practitioners, and the cost of the training makes it somewhat prohibitive for students.

Purpose of the Study

The goal of the study is to first determine what skill sets are required to be a CTI analyst and then design a course to prepare students to conduct CTI analysis and develop intelligence-driven network defenses. The course design will introduce best practices from proven methodologies from both the government and private sector and explain how to implement those practices into a holistic CTI program.

Research Question

What skillsets are required to conduct CTI and how should they be taught?

Importance of the Study

Researching and designing a course to prepare students to conduct CTI and develop intelligence-driven network defenses will fill a current gap in most graduate-level cybersecurity programs. Additionally, trained CTI analysts entering the workforce will allow organizations to adopt CTI practices and enable them to proactively prioritize network defense resources.

Scope of the Study

The scope of this project is twofold. The initial focus is to research current CTI practices and determine the skillset required to be an effective CTI analyst. The second part of the project is to develop a graduate-level detailed course outline and lesson plan that includes practical hands-on exercises demonstrating the concepts and principles presented during the lecture. The course will cover best practices and lessons learned from the private sector and apply structured analytic techniques used by the IC to enhance those practices. While principles of cybersecurity and the cyber environment are critical to being an effective CTI analyst, those principles are beyond the scope of this project.

Definition and Terms

Cyber Threat Intelligence (CTI): Forrester Research defines threat intelligence as “details of the motivations, intent, and capabilities of internal and external threat actors. Threat intelligence includes specifics on the tactics, techniques, and procedures of these adversaries.” [1]

Intelligence: The U.S. Army defines intelligence as “the product resulting from the collection, processing, integration, evaluation, analysis, and interpretation of available information.” [2] It is important to differentiate between information and intelligence. The same is true for cyber threat data: it does not become CTI until it has been processed, integrated, evaluated, analyzed, and interpreted. Many commercial vendors are marketing raw information, such as data feeds, and calling it CTI. The chart below from iSightPartners provides a comparison of the difference between information and intelligence. [3]

| Information | Intelligence |
|---|---|
| Raw unfiltered feed | Processed, sorted information |
| Unevaluated when delivered | Evaluated and interpreted by trained intelligence analysts |
| Aggregated from virtually every source | Aggregated from reliable sources and cross-correlated for accuracy |
| May be true, false, misleading, incomplete, relevant, or irrelevant | Accurate, timely, complete (as possible), assessed for relevancy |
| Not actionable | Actionable |

Table 1 Information vs Intelligence Source: iSightPartners

Advanced Persistent Threat (APT): An adversary that conducts targeted cyber-attacks that leverage multiple tactics to gain network access and remain undetected for extended periods. [4]

Analytic Tradecraft: Analytic tradecraft is the practiced skill of applying learned techniques and methodologies appropriate to an issue to mitigate bias, gain insight, and provide persuasive understanding of the issue. [5]

Attribution: Linking an attack to a specific adversary. [4]

Actionable Intelligence: Intelligence that can be integrated into operations or operational planning is referred to as actionable intelligence. [2] Senior Forrester Technologies analyst and former military intelligence officer Rick Holland identified the following seven characteristics of actionable intelligence: accurate, aligned with intelligence requirements, integrated, predictive, relevant, tailored, and timely. Table 2 was constructed using Holland’s definition of each characteristic. [6]

| Characteristic | Definition |
|---|---|
| Accurate | Sources for CTI must be evaluated for accuracy. |
| Aligned with intelligence requirements | CTI requirements must be linked to assets and data the organization wants to protect. |
| Integrated | CTI must be integrated with security solutions. |
| Predictive | CTI must provide indications and warning that something malicious is about to occur. |
| Relevant | CTI must be relevant to the consumer’s organization. |
| Tailored | The CTI must be tailored for the consumer. |
| Timely | The CTI must reach network defenders in enough time to respond proactively. |

Table 2 Characteristics of Actionable Intelligence Source: (Holland)

Indicator of Compromise (IOC): An artifact or event associated with attacks or data breaches. [4]

Pivot: Investigating an event by starting with initial IOCs and finding related indicators and events. [4]

Signature: A unique identifier of a file or other artifact potentially associated with an attack. [4]


Tactics, Techniques, and Procedures (TTP): Patterns of activities and methods associated with specific threat actors. [4]

Tradecraft: Operational techniques used in intelligence to obtain information from adversaries without detection. [4]

Limitations

Information from representatives of organizations conducting CTI was obtained during interviews, discussions, and presentations; however, they were conducted in a non-attribution environment. The information is used as background information and specific citations will not be used.


Chapter 2: Review of Literature

There is a growing body of literature published in the last few years on different elements of CTI. Taken as a whole, the body of literature provides a good representation of CTI and how to develop a CTI program. However, there is not a single document that outlines the training of a CTI analyst. This literature review is broken down into the major elements of CTI and provides the foundational knowledge to identify the skills necessary to conduct CTI.

Intelligence Led Security

There is a current marketing blitz by vendors touting the importance of CTI and offering intelligence-related products and services. However, most of those products and services offer information, not intelligence. As Allan Liska, author of one of the first non-vendor-sponsored books on building an intelligence-led security program, points out, “intelligence is not a data feed or a series of indicators. Instead intelligence is a process that takes those indicators, makes them actionable, and provides context around the threat behind those indicators.” [7] Additionally, Liska outlines how to adjust current security processes to accommodate the intelligence cycle and to determine where to inject the resulting intelligence.

Pre-dating Liska’s book, Rick Holland [1] published a paper on building an effective threat intelligence capability. Holland outlines five steps that he describes as the “intelligence journey.” The steps include: lay a solid foundation of essential capabilities, establish buy-in, identify required staffing and skill levels, establish your intelligence sources, and derive actionable intelligence.

Security vendors, such as iSight Partners, have sponsored and published papers and briefings on CTI and how to use CTI. They provide a basic understanding of threat intelligence and why it is important to consider its use in cyber security practices, explain how cyber threat intelligence supports cyber security practices, and discuss how to include it throughout workflows. [8] [3]

The US Army [9] developed a process to build the intelligence picture in order for intelligence to drive operations. The process is called Intelligence Preparation of the Battlefield (IPB) and the principles are applicable to CTI. Instead of the traditional military sense of driving operations, the goal of CTI is to drive the security program. The steps of IPB include: 1) Define the operational environment; 2) Describe the effects of the operational environment; 3) Evaluate the threat/adversary; and 4) Determine the threat/adversary courses of action.

In addition to the military, there are also lessons to be learned from law enforcement intelligence techniques. KPMG [10] published a paper explaining how cyber threat intelligence enables organizations to identify potential threats and vulnerabilities. The focus of the paper is on applying lessons learned from law enforcement to developing and conducting cyber threat intelligence analysis.

The Intelligence Cycle

Intelligence is a never-ending process, and the intelligence cycle is a continual cycle of developing raw information and data into finished intelligence. The IC has broken the intelligence cycle down into five distinct phases: planning and direction, collection, processing, analysis and production, and dissemination. [11] The IC’s intelligence cycle depicted in Figure 1 is easily applied to CTI.


Figure 1 The Intelligence Cycle Source: CIA

Planning and Direction

Planning and direction is critical to the success of the CTI program. Intelligence requirements are identified during the planning and direction phase. If the right intelligence requirements and questions are not articulated correctly, there is little chance of success for the CTI team. Liska [7] states that the planning and direction team should get guidance from the consumers of the intelligence in order to develop the intelligence requirements. Friedman and Bouchard [4] point out that those requirements drive not only what is collected, but also how it is analyzed.

The first step of the planning and direction team is to identify and prioritize what assets must be protected and then determine what information about the adversary is required to plan and implement protective measures. Friedman and Bouchard [4] use the quote from Frederick the Great, “He who defends everything, defends nothing,” to highlight the importance of prioritizing assets to be protected.

Brian Kime [12] recently published a white paper focused primarily on the planning and direction of threat intelligence. Kime points out that CTI teams must be focused on requirements that are approved and resourced by management if they are to be successful at providing intelligence that leads to a reduction in risk.


Collection

As stated earlier, collection is driven by intelligence requirements. In order to conduct effective CTI analysis, it is important to collect data from multiple sources and types of data. The data must consist of both internal data collected inside the network and data collected from outside the network. Holland [1] identifies that sources for internal information include the technical information derived from network logs and flows, as well as information from internal honeypots. Additionally, employees provide a valuable source of internal information. Employees can alert security personnel to suspicious behavior, such as social engineering attempts or system anomalies.

Friedman and Bouchard [4] group cyber threat information into three categories: Threat Indicators, Threat Data Feeds, and Strategic Cyber Threat Intelligence. Threat indicators, or indicators of compromise (IOC), are artifacts that indicate possible compromise. The most common types are file hashes and reputation information on IP addresses and domains that have been associated with malicious behavior. Threat data feeds provide information on threat indicators and assist the CTI analyst in identifying patterns associated with malicious behavior. Lastly, strategic cyber threat intelligence is information about the specific adversary targeting the organization’s network.

There are many sources for both internal and external data and information, including government, industry, and commercial vendors. Table 3 from Forrester Research depicts sources of both internal and external information.

Table 3 Source of Information Source: Holland

Analysis

In 1965 Sherman Kent, considered the father of intelligence analysis by many members of the IC, wrote “Whatever the complexities of the puzzles we strive to solve and whatever the sophisticated techniques we may use to collect the pieces and store them, there can never be a time when the thoughtful man can be supplanted as the intelligence device supreme.” [13] Never have Kent’s words been truer than when applied to CTI. All of the previously described data and information collected is useless until it has been evaluated, analyzed, and interpreted by an analyst. Sager [14] points out that while automation is key for collection, sharing, correlation, and usability, human analysts are needed to convert that information into actionable intelligence.

In simplest terms, analysis is processing information to make judgments on incomplete and ambiguous information. Heuer [13] takes a deep look into how people process information to conduct intelligence analysis. His work is relevant to all types of analysis, including cyber threat intelligence analysis.

The CIA [15] publicly released a primer on structured analytic techniques (SAT) that highlights how SAT can help one challenge judgments, identify mental mindsets, stimulate creativity, and manage uncertainty. Additionally, SAT allows an analyst to decompose large technical processes into smaller bite-sized pieces that are easier for an analyst to understand.

In 2013, Carnegie Mellon University [16] published the results of a study on the best practices in cyber intelligence of six government organizations and twenty private organizations. Results from the Carnegie Mellon study, including modeling threats to shape resource allocation and knowing your adversary, are incorporated into this project.

Cyber Kill Chain

Eric Hutchins, Michael Cloppert, and Dr. Rohan Amin introduced the concept of the Cyber Kill Chain in their seminal paper on Intelligence-Driven Computer Network Defense, first published at the 6th Annual International Conference on Information Warfare & Security in March 2011. [15] Borrowing largely from U.S. military targeting doctrine, the kill chain is a systematic process to “target and engage an adversary to create desired effects.” [16] It is an end-to-end process referred to as a “chain” because disrupting any step in the process will disrupt the entire process. The CTI analyst conducts analysis to determine how the adversary specifically completes each step in the chain. [17] Figure 2 below graphically depicts the Cyber Kill Chain described in the Lockheed Martin paper.

Figure 2 The Cyber Kill Chain Source: Hutchins, Cloppert, and Amin

Phases as labelled in Figure 2:

Reconnaissance: research, identification, and target selection; open source, social media, etc.

Weaponization: coupling a remote access trojan with an exploit into a deliverable payload; client application files (e.g. PDF or MS Office) serve as the weaponized deliverable.

Delivery: transmission of the weapon to the targeted network; email attachments, websites, USB removable media, etc.

Exploitation: after the weapon is delivered, exploitation triggers the adversary's code; exploitation often targets an application or OS vulnerability.

Installation: remote access trojan, backdoor, etc.; allows the adversary to maintain a persistent presence inside the network.

Command and Control: compromised hosts beacon out to a controller server to establish the C2 channel; once C2 is established the adversary has "hands on the keyboard".

Actions on the Objective: only now, after going through the previous six steps, can the adversary take actions to achieve objectives.

Other authors have expanded on the cyber kill chain. Hartley [18] focused on improving the cyber “kill chain” with cyber threat intelligence. He asserts that the cyber kill chain is too much of a technical approach and does not provide a complete view of the threat. His article explains that applying cyber threat intelligence will provide a holistic approach to understanding the threat. Likewise, RSA [19] released a paper that uses the phrase “stalking the kill chain” to describe the ability to use a structured approach to monitor the network with the idea of identifying kill chain events in progress, across the entire kill chain. In the past, the focus was limited to a single point, or at most two points, on the kill chain. The structured approach is built on the ability to add context by adding cyber threat intelligence analysis.

Diamond Model of Intrusion Analysis

Caltagirone, Pendergast, and Betz [19] developed the Diamond Model of Intrusion Analysis based on the axiom that, “For every intrusion event there exists an adversary taking a step towards an intended goal by using a capability over infrastructure against a victim to produce a result.” The Diamond Model, named for its resemblance to a baseball diamond, examines each intrusion from four specific core features: adversary, infrastructure, victim, and capability. The Diamond Model is a useful methodology for CTI analysts to discover relationships in collected data. The four core features represent points on the diamond as depicted below.

(Figure 3 vertex labels: Adversary: APT persona, email addresses, handles, phone numbers. Capability: malware, exploits, hacker tools, stolen certs. Victim: personas, network assets, email addresses. Infrastructure: IP addresses, domain names, email addresses.)

Figure 3 Diamond Model Source: Caltagirone, Pendergast, and Betz

Combined Kill Chain and Diamond Model

In 2014, Pendergast [21] expanded upon his original work on the Diamond Model by combining the kill chain and the diamond model to group events into ordered, causal chains of activity separated by phases. The CTI analyst should look for relationships between intrusions. Once a relationship has been discovered, the CTI analyst can “pivot” to learn more about the adversary and how the adversary operates throughout the Kill Chain.

(Figure 4 content: Intrusions 1 through 4, each laid out across the phases Recon, Delivery, Exploitation, C2, and Actions on Obj, with the intrusions grouped into APT 1 and APT 2.)

Figure 4 Kill Chain/Diamond Model Source: Pendergast
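The grouping and pivoting that Figure 4 depicts can be made concrete in code. The following Python is an added example, not code from the paper or from Pendergast: each Diamond event (adversary, infrastructure, capability, victim) is placed on a kill chain phase, events are ordered into per-intrusion activity threads, and intrusions are linked when they share an infrastructure or capability indicator, which is the pivot the text describes. All intrusion names and indicator values are constructed sample data, not real IOCs.

```python
"""Combined Kill Chain / Diamond Model: activity threads and pivoting.

Added example (not from the paper). Events are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

# Kill chain phases in causal order (Hutchins, Cloppert, and Amin).
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objective"]
PHASE_INDEX = {p: i for i, p in enumerate(PHASES)}


@dataclass(frozen=True)
class DiamondEvent:
    intrusion: str       # which intrusion this event belongs to
    phase: str           # kill chain phase the event sits on
    adversary: str       # persona, or "unknown" before attribution
    infrastructure: str  # sender address, C2 domain, etc. (constructed)
    capability: str      # malware family, document hash, etc. (constructed)
    victim: str          # targeted asset or persona


def activity_threads(events):
    """Group events into per-intrusion threads ordered by kill chain phase."""
    threads = defaultdict(list)
    for e in events:
        if e.phase not in PHASE_INDEX:
            raise ValueError(f"unknown kill chain phase: {e.phase}")
        threads[e.intrusion].append(e)
    for thread in threads.values():
        thread.sort(key=lambda e: PHASE_INDEX[e.phase])
    return dict(threads)


def pivot_links(events, axes=("infrastructure", "capability")):
    """Return {(intrusion_a, intrusion_b): {"axis=value", ...}}.

    Two intrusions are linked when an event in each carries the same value
    on one of the pivot axes (Diamond vertices). A shared value is a lead
    for the analyst, not proof: shared hosting or a commodity tool can link
    unrelated intrusions, so the axes are kept selectable.
    """
    by_value = defaultdict(set)
    for e in events:
        for axis in axes:
            by_value[(axis, getattr(e, axis))].add(e.intrusion)
    links = defaultdict(set)
    for (axis, value), intrusions in by_value.items():
        ids = sorted(intrusions)
        for i, a in enumerate(ids):
            for b in ids[i + 1:]:
                links[(a, b)].add(f"{axis}={value}")
    return dict(links)


def cluster_intrusions(events, axes=("infrastructure", "capability")):
    """Union linked intrusions into candidate activity groups (the APT
    groupings of Figure 4), using a small union-find over pivot links."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for e in events:
        find(e.intrusion)  # register every intrusion, linked or not
    for a, b in pivot_links(events, axes):
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for x in list(parent):
        groups[find(x)].add(x)
    return sorted(sorted(g) for g in groups.values())


# Constructed sample events: four intrusions, adversary not yet attributed.
SAMPLE_EVENTS = [
    DiamondEvent("Intrusion 1", "Delivery", "unknown", "sender-a@mail.example", "invoice.docm#hash-A", "finance-user-1"),
    DiamondEvent("Intrusion 1", "Command and Control", "unknown", "c2-a.example", "rat-family-x", "finance-ws-1"),
    DiamondEvent("Intrusion 2", "Delivery", "unknown", "sender-b@mail.example", "resume.docm#hash-B", "hr-user-2"),
    DiamondEvent("Intrusion 2", "Command and Control", "unknown", "c2-a.example", "rat-family-x", "hr-ws-2"),
    # Intrusion 3 is listed out of phase order on purpose; the thread sorts it.
    DiamondEvent("Intrusion 3", "Actions on Objective", "unknown", "exfil.example", "archiver-z", "eng-fileserver"),
    DiamondEvent("Intrusion 3", "Exploitation", "unknown", "watering-hole.example", "exploit-kit-y", "eng-ws-3"),
    DiamondEvent("Intrusion 4", "Delivery", "unknown", "watering-hole.example", "exploit-kit-y", "eng-ws-4"),
]

if __name__ == "__main__":
    for name, thread in activity_threads(SAMPLE_EVENTS).items():
        print(name, "->", " > ".join(e.phase for e in thread))
    for pair, shared in pivot_links(SAMPLE_EVENTS).items():
        print(pair, "share", sorted(shared))
    print("candidate groups:", cluster_intrusions(SAMPLE_EVENTS))
```

Intrusions 1 and 2 pivot on the shared C2 domain and malware family, and 3 and 4 on the shared exploit delivery site, yielding two candidate activity groups.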

Dissemination

The final step of the intelligence cycle is the delivery of the actionable intelligence products to network defenders in a timely manner so they may proactively prioritize scarce network defense resources to protect the most critical assets from the most likely attacks. In regards to timeliness, at Mandiant’s Incident Response Conference (MIRcon) in 2010, keynote speaker Gordon Snow from the FBI Cyber Division described the importance of timeliness of intelligence reporting by stating, “Cyber information is unlike any other kind of information. It's perishable. If I don't get it to you in a reasonable period of time, it's useless to you.” [22]

Information Sharing

AFCEA [23] highlights that although cyber threat intelligence sharing is growing, it is nowhere near the level required to be successful at protecting government and corporate information, assets, and operations. In cases where sharing does take place there is a noticeable increase in knowledge of the threat environment and improved insight into cyber attack behavior. Examples of successful sharing include the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Tier 1 Internet Service Providers.


Tools and Standards for CTI

As previously discussed, information sharing is important for an effective CTI program. However, sharing requires a standardized, structured representation of cyber security information, and currently there is no standardized format. In a white paper for SANS, Farnham [24] provides a product analysis of leading tools and standards used to conduct cyber threat intelligence. Tools covered include the Open Indicators of Compromise (OpenIOC) framework, Structured Threat Information Expression (STIX), Open Threat Exchange (OTX), Vocabulary for Event Recording and Incident Sharing (VERIS), Cyber Observable eXpression (CybOX), Incident Object Description and Exchange Format (IODEF), Trusted Automated eXchange of Indicator Information (TAXII), Traffic Light Protocol (TLP), and Collective Intelligence Framework (CIF). The MITRE-developed STIX format appears to be becoming widely accepted. In another white paper, Barnum [25] asserts that the STIX language is flexible, extensible, automatable, and as human-readable as possible, and that it is being widely adopted by cyber threat-related organizations.
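As an added illustration of the structured formats surveyed above (this is not code from the paper, from MITRE, or from any of the tools named), the following Python builds a small STIX 2.1-style bundle containing two indicators and their TLP markings, checks the bundle's required fields the way a consumer should before trusting received data, filters what may be released to a partner under a given TLP level, and matches the indicators' patterns against constructed network observations. The paper's sources describe the earlier XML form of STIX; the JSON shape used here is the current STIX 2.1 layout, written as plain dictionaries rather than through a STIX library. Only the single-comparison subset of the STIX pattern language is supported, the marking ids are generated locally (the specification assigns fixed ids to the four TLP markings), and every indicator value and observation is constructed.

```python
"""Build, validate, TLP-filter and match a STIX 2.1-style indicator bundle.

Added example, not the paper's or MITRE's code. Objects are plain dicts in the
shape of STIX 2.1 JSON; marking ids are generated here (the specification fixes
the ids of the four TLP markings); all indicator values are constructed.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Single-comparison STIX pattern: [object-type:property = 'value']
SIMPLE_PATTERN = re.compile(r"^\[\s*([a-z0-9-]+):([a-z0-9_.-]+)\s*=\s*'([^']*)'\s*\]$")


def _timestamp():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _stix_id(obj_type):
    return f"{obj_type}--{uuid.uuid4()}"


def make_tlp_marking(level):
    """Marking-definition carrying a TLP colour: white, green, amber or red."""
    return {"type": "marking-definition", "spec_version": "2.1",
            "id": _stix_id("marking-definition"), "created": _timestamp(),
            "definition_type": "tlp", "name": f"TLP:{level.upper()}",
            "definition": {"tlp": level}}


def make_indicator(name, pattern, marking_id):
    ts = _timestamp()
    return {"type": "indicator", "spec_version": "2.1", "id": _stix_id("indicator"),
            "created": ts, "modified": ts, "name": name,
            "indicator_types": ["malicious-activity"], "pattern": pattern,
            "pattern_type": "stix", "valid_from": ts, "object_marking_refs": [marking_id]}


def make_bundle(objects):
    return {"type": "bundle", "id": _stix_id("bundle"), "objects": list(objects)}


def validate_bundle(bundle):
    """Structural checks a consumer should run before trusting a received bundle.
    Returns a list of problems; empty means well-formed (for the subset used here)."""
    errors = []
    if bundle.get("type") != "bundle":
        errors.append("top-level object is not a bundle")
    for obj in bundle.get("objects", []):
        obj_type, obj_id = obj.get("type", "<missing>"), obj.get("id", "")
        if not obj_id.startswith(obj_type + "--"):
            errors.append(f"{obj_id!r}: id prefix does not match type {obj_type!r}")
        errors += [f"{obj_id}: missing {f}" for f in ("spec_version", "created") if f not in obj]
        if obj_type == "indicator":
            errors += [f"{obj_id}: indicator missing {f}"
                       for f in ("modified", "pattern", "pattern_type", "valid_from") if f not in obj]
            if not SIMPLE_PATTERN.match(obj.get("pattern", "")):
                errors.append(f"{obj_id}: pattern outside the single-comparison subset")
    return errors


def tlp_levels(bundle):
    """Map marking-definition id -> TLP level for the TLP markings in the bundle."""
    return {o["id"]: o["definition"]["tlp"] for o in bundle["objects"]
            if o.get("type") == "marking-definition" and o.get("definition_type") == "tlp"}


def shareable_indicators(bundle, allowed=("white", "green")):
    """Names of indicators whose every TLP marking is within the allowed set.
    Unmarked indicators fail closed: they are not released."""
    levels = tlp_levels(bundle)
    out = []
    for o in bundle["objects"]:
        if o.get("type") == "indicator":
            marks = [levels.get(m) for m in o.get("object_marking_refs", [])]
            if marks and all(m in allowed for m in marks):
                out.append(o["name"])
    return out


def parse_simple_pattern(pattern):
    """"[domain-name:value = 'x']" -> ('domain-name', 'value', 'x'); None if unsupported."""
    m = SIMPLE_PATTERN.match(pattern)
    return None if m is None else (m.group(1), m.group(2), m.group(3))


def match_observations(bundle, observations):
    """observations: (object_type, property, value) triples seen on the defended network.
    Returns names of indicators whose pattern equals one of them."""
    observed = set(observations)
    return [o["name"] for o in bundle["objects"] if o.get("type") == "indicator"
            and parse_simple_pattern(o["pattern"]) in observed]


# Constructed sample bundle, as a sharing partner might send it.
GREEN, AMBER = make_tlp_marking("green"), make_tlp_marking("amber")
SAMPLE_BUNDLE = make_bundle([
    GREEN, AMBER,
    make_indicator("C2 domain (constructed)", "[domain-name:value = 'c2.example.invalid']", GREEN["id"]),
    make_indicator("Staging host (constructed)", "[ipv4-addr:value = '198.51.100.23']", AMBER["id"]),
])
# Constructed observations, e.g. from DNS logs and NetFlow.
SAMPLE_OBSERVATIONS = [("domain-name", "value", "c2.example.invalid"),
                       ("ipv4-addr", "value", "198.51.100.77")]

if __name__ == "__main__":
    print(json.dumps(SAMPLE_BUNDLE, indent=2))
    print("problems:", validate_bundle(SAMPLE_BUNDLE))
    print("releasable to TLP:GREEN partners:", shareable_indicators(SAMPLE_BUNDLE))
    print("matched:", match_observations(SAMPLE_BUNDLE, SAMPLE_OBSERVATIONS))
```

The TLP filter fails closed on purpose: an indicator without a marking is withheld rather than assumed releasable, which is the safer default when a bundle is re-shared onward.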


Chapter 3: Research Methods

Qualitative research methods based on published works, interviews, and the author’s personal experience were used to create the data set on both the skills required to conduct CTI and the methods to teach those skills. The data set was then analyzed to determine the specific skill set required to conduct CTI analysis. Once the skill set was identified, further research and analysis were conducted to develop the course curriculum to teach those skills in an academic setting.

Verification

The results of the research and the curriculum underwent a SME review from the Senior Intelligence Analyst at the Cyber National Mission Force at Fort Meade, Maryland.

Pilot Study Results

As a limited pilot study, portions of the curriculum were taught to intelligence analysts assigned to USCYBERCOM at Fort Meade, MD and to students attending the Defense Intelligence Agency’s Intelligence Support to Cyber Operations Course.


Chapter 4: Research Findings

Based on the research and analysis, there are 16 specific skills a CTI analyst must possess. Those skills range from understanding the role and value of CTI to developing CTI to detect, deny, disrupt, and defeat APTs. This chapter focuses on the skills required to conduct CTI. Some of the skills are closely related and this chapter attempts to group those skills together; however, some overlap remains.

After identifying the skills required to be an effective CTI analyst, further analysis and research were conducted to develop a graduate-level curriculum to teach the identified skills. The end of this chapter includes a brief description of the course curriculum and the syllabus. A separate support packet includes the slides, lesson plans, practical exercises, virtual machines, and data to support the course curriculum.

Proficiency in the Cyber Environment

The results of a Carnegie Mellon study [16] on best practices from 26 organizations conducting cyber intelligence identified that the number one requirement for an ideal analyst is proficiency in the cyber environment. While some principles of cybersecurity will be addressed in the training developed to support this project, teaching those principles is beyond the scope of this project and the course supporting it. The intent is for the course to be part of a graduate-level cybersecurity program, with proficiency in the cyber environment developed as cumulative knowledge gained from other courses in that program.

Understand and Explain the Role and Value of CTI

The CTI analyst must be able to understand and explain the role and value of CTI. CTI is designed to enhance a security program. It is not a replacement for good security practices. CTI will make a good security program better; however, without a sound security program, CTI will not be effective.


By focusing on the adversary and how the adversary operates, CTI allows an organization to anticipate where and how an adversary is most likely to attack. This allows organizations to proactively prioritize network defense resources to protect the most critical assets from the most likely attack, instead of focusing on broad defensive measures. CTI assists management in deciding how to manage resources to adequately mitigate risk.

CTI supports the tactical, operational, and strategic levels of the organization’s cybersecurity program. At the tactical level, CTI assists in removing invalid indicators (to prevent false positives), prioritizes patches so that the most dangerous vulnerabilities are addressed first, correlates SIEM events to intrusions more quickly and accurately, and prioritizes indicators to identify alerts that need to be escalated. At the operational level, CTI provides situational awareness and context to assist incident responders to quickly remediate damage and prevent additional intrusions. Lastly, at the strategic level, CTI provides the organization’s leadership and decision makers with an understanding of the actual threat to their specific organization. [4]
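To make the tactical uses concrete, here is an added Python example (not code from the paper or from any SIEM vendor) that applies three of them to a batch of log events: it retires indicators an analyst has invalidated, expires indicators that have not been re-sighted within a time-to-live (the perishability Snow describes in the Dissemination section), enriches matching SIEM events with the indicator's confidence and kill-chain phase, and ranks the results so the alerts worth escalating surface first. The indicator records, their TTLs, the phase weights, the fixed clock and the key=value log lines are all constructed assumptions, not any product's schema.

```python
"""Enrich SIEM events with indicator context and rank them for escalation.

Added example, not the paper's or any vendor's code. The indicator records,
their TTLs, the kill-chain weights and the key=value log lines are constructed.
"""
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is reproducible (assumed, not derived from the logs).
NOW = datetime(2016, 3, 1, 12, 0, tzinfo=timezone.utc)

# Constructed indicator set. ttl_days encodes perishability: an indicator not
# re-sighted within its TTL is retired instead of being left to raise false
# positives. status lets an analyst explicitly invalidate an indicator.
INDICATORS = [
    {"value": "c2.example.invalid", "type": "domain", "confidence": 90, "phase": "c2",
     "last_seen": NOW - timedelta(days=3), "ttl_days": 30, "status": "active"},
    {"value": "198.51.100.23", "type": "ipv4", "confidence": 70, "phase": "delivery",
     "last_seen": NOW - timedelta(days=90), "ttl_days": 30, "status": "active"},   # stale
    {"value": "203.0.113.5", "type": "ipv4", "confidence": 60, "phase": "c2",
     "last_seen": NOW - timedelta(days=1), "ttl_days": 30, "status": "retired"},  # invalidated by analyst
    {"value": "dropper.example.invalid", "type": "domain", "confidence": 50, "phase": "delivery",
     "last_seen": NOW - timedelta(days=10), "ttl_days": 30, "status": "active"},
]

# Later kill-chain phases mean the adversary is further along, so they weigh more.
PHASE_WEIGHT = {"recon": 0.2, "delivery": 0.5, "exploitation": 0.7, "c2": 0.9, "actions": 1.0}


def valid_indicators(indicators, now=NOW):
    """Drop retired indicators and those whose last sighting is older than their TTL."""
    return [i for i in indicators
            if i["status"] == "active"
            and now - i["last_seen"] <= timedelta(days=i["ttl_days"])]


def parse_event(line):
    """Parse one constructed key=value SIEM export line into a dict."""
    return dict(part.split("=", 1) for part in line.split())


def score_event(event, index):
    """(score, indicator) for an event; (0.0, None) when no valid indicator matches.
    Score = confidence (0-1) weighted by how far along the kill chain the phase is."""
    for field in ("dst", "qname"):
        hit = index.get(event.get(field))
        if hit:
            return round(hit["confidence"] / 100 * PHASE_WEIGHT[hit["phase"]], 3), hit
    return 0.0, None


def triage(lines, indicators, now=NOW, escalate_at=0.5):
    """Rank matching events as (score, host, indicator, escalate) tuples, highest first."""
    index = {i["value"]: i for i in valid_indicators(indicators, now)}
    ranked = []
    for line in lines:
        event = parse_event(line)
        score, hit = score_event(event, index)
        if hit is not None:
            ranked.append((score, event["host"], hit["value"], score >= escalate_at))
    return sorted(ranked, reverse=True)


# Constructed SIEM export lines (DNS queries and outbound connections).
SAMPLE_LINES = [
    "ts=2016-03-01T11:58:02Z host=ws-017 proto=dns qname=c2.example.invalid",
    "ts=2016-03-01T11:58:05Z host=ws-042 proto=tcp dst=198.51.100.23 dport=443",
    "ts=2016-03-01T11:59:10Z host=ws-009 proto=tcp dst=203.0.113.5 dport=80",
    "ts=2016-03-01T11:59:30Z host=ws-021 proto=dns qname=dropper.example.invalid",
    "ts=2016-03-01T11:59:45Z host=ws-021 proto=dns qname=www.example.com",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_LINES, INDICATORS):
        print(row)
```

On the sample data only two of the four indicators survive validation, so the connections to the stale address and the analyst-retired address generate no alerts at all, while the C2 domain hit outranks the delivery-stage hit and is the only one flagged for escalation.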

Understand the Intelligence Cycle

A CTI analyst must understand the Intelligence Cycle and how to implement it. The intelligence cycle is a continual cycle of developing raw information and data into finished intelligence. The Intelligence Cycle, as depicted in Figure 5, has five distinct phases: planning and direction, collection, processing, analysis and production, and dissemination. [11]

[Figure 5: the Intelligence Cycle as a loop of Planning and Direction, Collection, Processing, Analysis and Production, and Dissemination.]

Figure 5 Intelligence Cycle Source: CIA


The CTI analyst must understand that although the Intelligence Cycle is continual, it is not necessarily sequential. For example, during analysis and production (Phase 4) an intelligence gap may be discovered. The intelligence gap becomes a collection (Phase 2) requirement and, when filled, will assist in the analysis.

Understand How to Determine Intelligence Collection Requirements

Defining collection requirements is perhaps the most critical element of the Intelligence Cycle. Sound analysis cannot take place if the proper data is not collected to analyze. Initial collection requirements are determined during the planning and direction phase (Phase 1) of the Intelligence Cycle. In order to determine the collection requirements, a clear understanding of the intelligence analysis and production requirements is needed. Simply put, what does the customer want to know? Once the analyst understands the analysis and production requirements, he/she determines what information is needed to answer the customer’s questions and how that information can be collected. The collection requirements are then refined throughout the Intelligence Cycle as intelligence gaps are discovered.

Clearly Articulate Findings in Briefings and Papers

Being able to clearly articulate intelligence findings is one of the most critical skills a CTI analyst must possess. The best collection and intelligence analysis is useless if the analyst cannot effectively present his/her findings to the intelligence customer. The CTI analyst must be able to present complicated technical information in a manner that a non-technical decision maker can understand, appreciate the importance of, and act upon. The course curriculum will require the students to present multiple briefings and papers.

Graphically Display Complex Cyber Intrusions and Attacks

Closely related to being able to articulate intelligence findings is the ability to represent complex information about attacks and intrusions graphically. Senior leaders and decision makers do not have the time to read lengthy text-based products. For example, an adversary process graphic is a single graphic depicting how the adversary generally conducts a specific type of operation. It is developed by working through large amounts of data. As a text-based product it would be over ten pages in length; the process graphic completed during CTI can be digested and understood in less than a minute.

Produce CTI Products that Inform and Drive Network Defense Plans

The CTI analyst must produce actionable intelligence that informs and drives network defense plans. As previously defined, actionable intelligence is intelligence that can be integrated into operations or operational planning, specifically network defense plans. CTI should not be conducted for the sake of conducting CTI. The planning and direction phase (Phase 1) of the Intelligence Cycle should clearly state the purpose of CTI analysis.

Understand the Different Sources of Data; Both Internal and External

A common theme at the recent SANS-sponsored CTI Summit was that the most valuable data for the CTI analyst is often the internal data collected from within the organization’s network, because it is richest in context. An organization can spend large amounts of money on terabytes of vendor-provided data feeds and other information; however, the external data often lacks context. The internal data is available to the CTI analyst at little or no cost. External data can be useful; however, the CTI analyst should first collect and analyze internal data before subscribing to expensive vendor-provided external data feeds and information. Typically, internal data is focused on the organization’s network itself and what is happening on the network. External data is typically data on the adversary and how the adversary operates in general.


Generate CTI from Their Own Data Sources

Closely related to understanding the different sources of data and processing data into a format that the CTI analyst can use to conduct analysis is generating CTI from their own organization’s data sources. As previously stated, internal data is generally the richest because it provides context and details about what is happening on the organization’s network.

Conduct Open Source Intelligence (OSINT)

OSINT is defined as intelligence derived from publicly available information. [25] The CTI analyst must know how and where to search for information that supports analysis on the specific adversary targeting the CTI analyst’s networks. This includes researching websites, public records, forums, blogs, social media, and the dark web.

CTI analysts can learn valuable information by monitoring an adversary on the Internet. This information may include: discussions of plans and tactics on forums and social media sites, exchanges of information about new exploits and tools being developed, purchases of tools and services, behaviors of malware and tools offered for sale, and sale of credit card numbers, personally identifiable information, and other digital assets. [4]

Understand How to Process Data into a Format That a CTI Analyst Can Understand and Use

The processing phase (Phase 3) of the Intelligence Cycle includes configuring the vast amount of internal and external data collected into a format that a CTI analyst can understand and use to conduct analysis. Due to the sheer volume of data, automation is required to conduct parsing, data deduplication, and formatting into something usable for the analyst. The CTI analyst must become familiar with different methods to process the data and should be able to develop their own methods in order to tailor the information to meet the CTI analyst’s specific analytical needs.
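An added example of the automated processing step (parsing, deduplication and formatting), not code from the paper: three constructed feed snippets in different formats, standing in for a vendor CSV export, an ISAC JSON-lines feed and a prose report with defanged indicators, are normalised into one indicator set with each value's sources merged. The column names, the defanging conventions and every indicator value are assumptions; the malformed address in the CSV is there to show that validation rejects it rather than silently passing it into the analyst's data.

```python
"""Normalise and de-duplicate indicators arriving from heterogeneous feeds.

Added example, not the paper's code. The three feed snippets are constructed
stand-ins for vendor, ISAC and report formats; column names are assumptions.
"""
import csv
import io
import itertools
import json
import re

# Constructed feed 1: CSV export (mixed case, trailing dot, one malformed address).
FEED_CSV = """indicator,type,source
C2.Example.INVALID,domain,vendor-a
198.51.100.23,ip,vendor-a
c2.example.invalid.,domain,vendor-a
999.1.1.1,ip,vendor-a
"""
# Constructed feed 2: JSON lines (zero-padded octets, different field names).
FEED_JSONL = """{"value": "198.051.100.023", "kind": "ipv4", "src": "isac"}
{"value": "dropper.example.invalid", "kind": "fqdn", "src": "isac"}
"""
# Constructed feed 3: free text with defanged indicators, as found in a report.
FEED_TEXT = ("Observed beaconing to c2[.]example[.]invalid and "
             "hxxp://dropper[.]example[.]invalid/x over 198.51.100[.]23.")

DEFANG = [("[.]", "."), ("(.)", "."), ("hxxp", "http")]
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(text):
    """Undo the common defanging conventions so values compare equal."""
    for old, new in DEFANG:
        text = text.replace(old, new)
    return text


def canonical(value, kind):
    """Return (type, canonical value), or None when the value is malformed."""
    value = refang(value.strip()).lower()
    if kind in ("ip", "ipv4"):
        parts = value.split(".")
        if len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts):
            return "ipv4", ".".join(str(int(p)) for p in parts)  # strips zero padding
        return None
    if kind in ("domain", "fqdn"):
        value = value.rstrip(".")  # drop the trailing root label
        return ("domain", value) if DOMAIN_RE.fullmatch(value) else None
    return None


def parse_csv(text):
    for row in csv.DictReader(io.StringIO(text)):
        yield row["indicator"], row["type"], row["source"]


def parse_jsonl(text):
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            yield rec["value"], rec["kind"], rec["src"]


def parse_text(text, source):
    """Pull addresses and domains out of prose after refanging it."""
    text = refang(text)
    for m in IPV4_RE.finditer(text):
        yield m.group(0), "ipv4", source
    for m in DOMAIN_RE.finditer(text):
        yield m.group(0), "domain", source


def merge(records):
    """records: (raw value, raw type, source) triples from any feed.
    Returns ({(type, value): sorted sources}, [rejected raw values])."""
    merged, rejected = {}, []
    for raw, kind, source in records:
        key = canonical(raw, kind)
        if key is None:
            rejected.append(raw)
        else:
            merged.setdefault(key, set()).add(source)
    return {k: sorted(v) for k, v in merged.items()}, rejected


def process_sample():
    return merge(itertools.chain(parse_csv(FEED_CSV), parse_jsonl(FEED_JSONL),
                                 parse_text(FEED_TEXT, "report-1")))


if __name__ == "__main__":
    unique, rejected = process_sample()
    for key, sources in unique.items():
        print(key, sources)
    print("rejected:", rejected)
```

Eight raw records collapse to three unique indicators, and the merged source list is itself useful context: an indicator reported by a vendor, an ISAC and an internal report carries more weight than one seen in a single feed.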


Analyze Successful and Unsuccessful Intrusions

The CTI analyst should be able to analyze both successful and unsuccessful intrusions in order to learn how the adversary generally operates and how the adversary modifies TTPs when unsuccessful. The better understanding the CTI analyst has of the adversary, the better he/she will be able to analyze and anticipate the adversary’s next step.

Develop Profiles of Campaigns, Actors, and Organizations

A CTI analyst must be able to discover relationships and group separate intrusions into campaigns. Once the CTI analyst links intrusions to a campaign, he/she can use that information to anticipate future intrusions and TTPs from the same campaign. Additionally, once the campaigns are understood, intelligence gaps are identified and prioritized.

Apply Critical Thinking and Structured Analytic Techniques

Critical thinking and structured analytic techniques allow CTI analysts to decompose complicated information into more easily understandable subsets. Additionally, they force the CTI analyst to consider information one element at a time and in a systematic manner. The Cyber Kill Chain, the Diamond Model, and other models can be considered structured analytic techniques. Instead of trying to understand how the adversary operates as a whole, those models decompose the adversary’s actions into manageable subsets.

Conduct Link Analysis

Link Analysis is a visualization tool that allows CTI analysts to discover relationships between individuals, groups, organizations, and other connected entities. When a relationship is discovered it allows the CTI analyst to “pivot” his/her focus in an effort to learn more about the adversary. Similar to other structured analytic techniques, link analysis allows the CTI analyst to decompose a large dataset into more easily understandable subsets.


Understand and Apply the Cyber Kill Chain

The Cyber Kill Chain is the backbone of CTI. It covers the general steps an adversary takes to complete an operation. The CTI analyst conducts analysis to determine how the adversary specifically completes each step in the chain. While the Cyber Kill Chain and other models are never 100% correct, when used properly they are very useful tools to assist the CTI analyst in anticipating the adversary’s actions.

Understand and Apply the Diamond Model of Intrusion Analysis

The Diamond Model, named for its resemblance to a baseball diamond, examines each intrusion through four core features: adversary, infrastructure, victim, and capability. The Diamond Model is a useful methodology for CTI analysts to discover relationships between multiple intrusions. Once a relationship has been discovered, the CTI analyst can then “pivot” his/her focus in order to discover additional information on the adversary.
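As an added example tying together the link analysis, campaign profile and Diamond Model sections above and the combined kill chain/Diamond Model discussion in Chapter 2 (this is not code from the paper or from Caltagirone, Pendergast and Betz), the following Python holds constructed intrusion records with values for the victim, infrastructure and capability vertices, pivots from one known feature to the intrusions that share it, links intrusions that share infrastructure or capability, clusters the linked intrusions into candidate campaigns, and aggregates a campaign profile that a playbook could start from. Intrusion ids, victim labels, addresses and capability names are constructed; the choice to pivot only on infrastructure and capability, and not on victim, is an analytic assumption stated in the code.

```python
"""Diamond Model link analysis: pivot on shared features and cluster intrusions into campaigns.

Added example, not the paper's code nor Caltagirone, Pendergast and Betz's. The
intrusion records, victim labels, addresses and capability names are constructed.
"""
from collections import defaultdict
from itertools import combinations

# Constructed intrusions. Each carries observed values for three Diamond vertices;
# the fourth, the adversary, is what the analyst hopes to infer from the links.
INTRUSIONS = {
    "intrusion-1": {"victim": "finance", "infrastructure": {"198.51.100.23", "c2.example.invalid"},
                    "capability": {"dropper-v1"}},
    "intrusion-2": {"victim": "hr", "infrastructure": {"203.0.113.5"},
                    "capability": {"dropper-v1", "webshell-a"}},
    "intrusion-3": {"victim": "finance", "infrastructure": {"c2.example.invalid"},
                    "capability": {"rat-x"}},
    "intrusion-4": {"victim": "engineering", "infrastructure": {"192.0.2.77"},
                    "capability": {"exploit-pdf-9"}},
    "intrusion-5": {"victim": "legal", "infrastructure": {"192.0.2.77"},
                    "capability": {"rat-y"}},
}

# Vertices whose shared values are treated as evidence of a common actor. A shared
# victim alone is weak evidence (many actors target the same sectors), so it is excluded.
PIVOT_VERTICES = ("infrastructure", "capability")


def feature_index(intrusions):
    """Invert the records: (vertex, value) -> set of intrusion ids exhibiting it."""
    index = defaultdict(set)
    for iid, rec in intrusions.items():
        for vertex in PIVOT_VERTICES:
            for value in rec[vertex]:
                index[(vertex, value)].add(iid)
    return index


def pivot(intrusions, vertex, value):
    """From one known feature, list the intrusions that share it."""
    return sorted(feature_index(intrusions).get((vertex, value), set()))


def link_edges(intrusions):
    """Pairs of intrusions sharing at least one pivot feature, with the shared features."""
    edges = defaultdict(set)
    for (vertex, value), members in feature_index(intrusions).items():
        for a, b in combinations(sorted(members), 2):
            edges[(a, b)].add(f"{vertex}:{value}")
    return dict(edges)


def campaigns(intrusions):
    """Connected components of the link graph; each is a candidate campaign."""
    parent = {iid: iid for iid in intrusions}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in link_edges(intrusions):
        parent[find(a)] = find(b)
    groups = defaultdict(list)
    for iid in intrusions:
        groups[find(iid)].append(iid)
    return sorted(sorted(g) for g in groups.values())


def campaign_profile(intrusions, members):
    """Aggregate what is known across a campaign's intrusions: the seed of a playbook."""
    profile = {"victims": set(), "infrastructure": set(), "capability": set()}
    for iid in members:
        profile["victims"].add(intrusions[iid]["victim"])
        profile["infrastructure"] |= intrusions[iid]["infrastructure"]
        profile["capability"] |= intrusions[iid]["capability"]
    return {"intrusions": sorted(members), **{k: sorted(v) for k, v in profile.items()}}


if __name__ == "__main__":
    print("pivot on dropper-v1:", pivot(INTRUSIONS, "capability", "dropper-v1"))
    for pair, shared in link_edges(INTRUSIONS).items():
        print(pair, sorted(shared))
    for group in campaigns(INTRUSIONS):
        print(campaign_profile(INTRUSIONS, group))
```

Intrusions 1 and 3 share a C2 domain and intrusions 1 and 2 share a dropper, so all three fall into one candidate campaign even though 2 and 3 have nothing directly in common; intrusions 4 and 5 form a second group on shared infrastructure alone, which is exactly the kind of single-link grouping an analyst should treat as a hypothesis to confirm rather than a conclusion.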

Produce an Adversary Specific Playbook

The adversary playbook is basically everything the CTI analyst has been able to determine and assess about the adversary put into a single document. It includes everything from the adversary’s intent and TTPs to signatures and Indicators of Compromise (IOC).

Manage CTI to Support Objectives of Their Organizations

Supporting the organization’s objectives is the sole purpose of CTI. An analyst should not conduct CTI for the sake of doing CTI. While information about a specific adversary may be interesting, if the information does not support the CTI analyst’s organization the information is useless. The organization’s goals and objectives should be clearly stated and understood during the planning and direction phase (Phase 1) of the Intelligence Cycle. All analysis and production requirements should support those objectives.


Course Syllabus

Week 1. Topics: Admin Procedures/Course Overview; Introduction to CTI; Global Cyber Threat Overview. Assignment due: none.

Week 2. Topics: Levels of Intelligence; Structured Analytic Techniques Part 1 (Issue Development, Source Check, Quality of Information/Relevance Check, Critical Factors Analysis); Intrusion Analysis Models; Intel Cycle Phase 1 (Planning and Direction); Biases; Confidence Levels. Assignment due: Lab 1.

Week 3. Topics: Intelligence Cycle Phase 2 (Collection); OSINT; Wireshark. Assignment due: Lab 2; Current Intel Brief #1.

Week 4. Topics: Intelligence Cycle Step 3: Processing; Structured Analytic Techniques Part 2 (Sorting, Timelines, Link Analysis); Netflow. Assignment due: Lab 3; Current Intel Brief #2; Critical Thinking Assignment #1 (Pistachio Harvest).

Week 5. Topics: Intelligence Cycle Step 4: Analysis; Cyber Kill Chain Part 1; Diamond Model; Structured Analytic Technique Part 3: Process Map. Assignment due: Lab 4; Current Intel Brief #3; Critical Thinking Assignment #2 (Newscaster).

Week 6. Topics: Structured Analytic Techniques Part 3 (Structured Brainstorming, Starbursting, Morphological Analysis); Cyber Kill Chain Part 2. Assignment due: Lab 5; Current Intel Brief #4; Process Map Assignment.

Week 7. Topics: Structured Analytic Techniques Part 4 (Event Tree, Subjective Probability, Analytic Hierarchy Process/Weighted Ranking); Cyber Kill Chain Part 3. Assignment due: Lab 6; Current Intel Brief #5; Critical Thinking Assignment #3 (Compare and Contrast #1 and #2).

Week 8. Mid Term.

Week 9. Topics: Structured Analytic Techniques Part 5 (Analysis of Competing Hypothesis (ACH)); Cyber Kill Chain Part 4. Assignment due: Lab 7; Current Intel Brief #6.

Week 10. Topics: Structured Analytic Techniques Part 6 (Key Assumptions Check, Devil’s Advocacy, Structured Self-Critique); Developing a Campaign Profile. Assignment due: Lab 8; Current Intel Brief #7.

Week 11. Topics: APT Briefings. Assignment due: APT Brief.

Week 12. Topics: Guest Panel Discussion. Assignment due: none.

Week 13. Topics: Final Project Scenario. Assignment due: Current Intel Brief #8.

Week 14. Topics: Adversary Playbook Session. Assignment due: none.

Week 15. Topics: Adversary Playbook Presentations. Assignment due: Adversary Playbook.


Course Curriculum

The course curriculum was developed by analyzing the skills required to conduct CTI and developing the curriculum around those skills. Table 5 identifies the 16 skills previously discussed and Table 6 maps those skills to specific class sessions outlined in the course syllabus.

S1 Explain Role of CTI
S2 Understand Intelligence Cycle
S3 Determine Collection Requirements
S4 Articulate Findings
S5 Graphically Display Findings
S6 Produce CTI that Informs Defense
S7 Data Sources: Internal/External
S8 OSINT
S9 Develop Campaign Profiles
S10 Apply Critical Thinking
S11 Apply Structured Analytic Techniques
S12 Kill Chain
S13 Diamond Model
S14 Process Data to Usable Format
S15 Analyze Intrusions
S16 Adversary Playbook

Table 4 CTI Analyst Skills

[Table 5 matrix: columns S1 through S16, rows WK1 through WK15, with a mark where a session covers a skill. Number of skills marked per week: WK1 1; WK2 4; WK3 4; WK4 8; WK5 7; WK6 5; WK7 5; WK8 none; WK9 2; WK10 4; WK11 2; WK12 none; WK13 15; WK14 15; WK15 16 (all skills).]

Table 5 CTI Skills Mapped to Course Session

The course features multiple structured analytic techniques designed to build a better understanding of the adversary and how the adversary operates throughout the Cyber Kill Chain. It is designed to be 50% lecture and 50% hands-on labs and practical exercises. The course walks the students through the Intelligence Cycle and the Cyber Kill Chain and demonstrates how to develop campaigns from multiple intrusions. The course culminates with a final project that incorporates everything covered in the lectures and labs. The final project is presented in the final class session and its grade is weighted in the same way as a final exam.

Chapter 5: Conclusions and Suggestions for Future Research

Summary

CTI provides end-to-end understanding of the adversary Kill Chain from reconnaissance to actions on the objective. The better network defenders understand how the adversary operates, the more opportunities they have to deny, degrade, disrupt, and even prevent the attack. CTI leads to the development of an intelligence-driven network defense so that, instead of focusing on broad defensive measures, defenders can proactively prioritize network defense plans to protect the most critical assets from the most likely attack.

There are 16 specific skills required to conduct CTI. Those skills range from understanding and being able to explain CTI to developing a campaign profile. Structured analytic techniques allow CTI analysts to decompose complicated information into more easily understandable subsets. Additionally, structured analytic techniques provide the CTI analyst an opportunity to consider information one element at a time and in a systematic manner. By doing so, a CTI analyst is able to understand how the adversary operates throughout the Kill Chain and discover relationships and group separate intrusions into campaigns. Once the CTI analyst links intrusions to a campaign, he/she can use that information to anticipate future intrusions from the same campaign.

As with most cybersecurity positions, there is a shortage of trained CTI analysts. Despite growing interest in CTI and varying levels of implementation, most academic institutions do not offer courses on it.

Conclusions

The 16 skills can be taught in an academic setting during a standard 15-week semester. The course designed as part of this project focuses heavily on structured analytic techniques applied to APTs and adversaries conducting targeted attacks. The curriculum consists of 50% lecture and 50% labs and practical exercises. The labs and practical exercises use real data and scenarios as much as possible. In addition to the structured analytic techniques and technical information, a special emphasis is placed on being able to articulate CTI findings through presentations and papers.


Suggestions for Future Research

A potential area for future research is the development of a graduate certificate program in CTI, consisting of courses aimed specifically at intelligence analytic techniques, hacking techniques and incident response, cybersecurity principles, and the application of CTI.


Bibliography

[1] R. Holland, "Five Steps to Build an Effective Threat Intelligence Capability," Retrieved from: http://www.coresecurity.com/system/files/attachments/2013/04/RickHollandFiveStepstoBuild.pdf, 2013.

[2] U.S. Army, FM 2-0 Intelligence, Washington DC: Department of the Army, 2010.

[3] iSight Partners, "What is Cyber Threat Intelligence and why do I need it?," Retrieved from: http://www.isightpartners.com/wp-content/uploads/2014/07/iSIGHT_Partners_What_Is_20-20_Clarity_Brief1.pdf, 2014.

[4] J. Friedman and M. Bouchard, Definitive Guide to Cyber Threat Intelligence, Annapolis, MD: CyberEdge Group, 2015.

[5] Defense Intelligence Agency, Tradecraft Primer: Structured Analytic Techniques, Washington DC: Defense Intelligence Agency, 2011.

[6] R. Holland, "Actionable Intelligence," Retrieved from: http://blogs.forrester.com/print/rick_holland/14-02-11-actionable_intelligence_meet_terry_tate_office_linebacker, 2014.

[7] A. Liska, Building an Intelligence Led Security Program, Boston: Syngress, 2015.

[8] iSight Partners, "How to Use Cyber Threat Intelligence in my Workflows?," Retrieved from: http://www.isightpartners.com/wp-content/uploads/2014/08/How-to-use-cyber-threat-intelligence-in your-workflows-brief-final-8.4.14.pdf, 2014.

[9] Department of the Army, "FM 34-130 Intelligence Preparation of the Battlefield," Washington DC: Department of the Army, 1994.

[10] KPMG, "Cyber Threat Intelligence and the Lessons Learned from Law Enforcement," Retrieved from: http://www.kpmg.com/Global/en/IssuesAndInsights/ArticlesPublications/Documents/cyber-threat-intelligence-final3.pdf, 2013.

[11] CIA, "The Intelligence Cycle," Retrieved from: http://fas.org/irp/cia/product/facttell/intcycle.htm.

[12] B. Kime, "Threat Intelligence: Planning and Direction," Retrieved from: https://www.sans.org/reading-room/whitepapers/threats/threat-intelligence-planning-direction-36857, 2016.

[13] R. Heuer, Psychology of Intelligence Analysis, Washington DC: Center for the Study of Intelligence, Central Intelligence Agency, 1999.

[14] T. Sager, "Killing Advanced Threats in Their Tracks: An Intelligent Approach to Attack Prevention," Retrieved from: http://www.sans.org/reading-room/whitepapers/detection/killing-advanced-threats-tracks-intelligent-approach-attack-prevention-35302, 2014.

[15] CIA, "A Tradecraft Primer: Structured Analytic Techniques for Improving Intelligence Analysis," U.S. Government, Washington DC, 2009.

[16] T. Townsend, M. Ludwick et al., "SEI Emerging Technology Center: Cyber Intelligence Tradecraft Project," Carnegie Mellon University, Retrieved from: http://www.sei.cmu.edu/library/assets/whitepapers/citp-summary-key-findings.pdf, 2013.

[17] Lockheed Martin, "Cyber Kill Chain," Retrieved from: http://www.lockheedmartin.com/us/what-we-do/information-technology/cyber-security/cyber-kill-chain.html, 2014.

[18] U.S. Department of Defense, JP 3-60 Joint Targeting, Washington D.C.: U.S. Department of Defense, 2007.

[19] E. M. Hutchins, M. J. Cloppert and R. M. Amin, "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains," Retrieved from: http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf, 2011.

[20] M. Hartley, "Strengthening the Cyber Kill Chain with Cyber Threat Intelligence," Retrieved from: http://www.isightpartners.com/2014/09/strenghtening-cyber-kill-chain-cyber-threat-intelligence-part-1-of-2/, 2014.

[21] RSA, "Stalking the Kill Chain," Retrieved from: http://www.emc.com/campaign/web/rsa-acds/index.htm.

[22] S. Caltagirone, A. Pendergast and C. Betz, "The Diamond Model of Intrusion Analysis," Retrieved from: http://www.threatconnect.com/files/uploaded_files/The_Diamond_Model_of_Intrusion_Analysis.pdf, 2013.

[23] A. Pendergast, "The Diamond Model for Intrusion Analysis: A Primer," Retrieved from: https://digital-forensics.sans.org/summit-archives/cti_summit2014/The_Diamond_Model_for_Intrusion_Analysis_A_Primer_Andy_Pendergast.pdf, 2014.

[24] Pendergast, "Review: Mandiant's Incident Response Conference (MIRCON)," Retrieved from: http://digital-forensics.sans.org/blog/2010/10/15/review-mandiants-incident-response-conference-mircon-day-2/, 2010.

[25] AFCEA International Cyber Committee, "Cyber Intelligence Sharing," Retrieved from: http://www.afcea.org/committees/cyber, 2014.

[26] S. Farnham, "Tools and Standards for Cyber Threat Intelligence Projects," Retrieved from: http://www.sans.org/reading-room/whitepapers/warfare/tools-standards-cyber-threat-intelligence-projects-34375, 2013.

[27] S. Barnum, "Standardizing Cyber Threat Intelligence Information with Structured Threat Information eXpression (STIX)," Retrieved from: https://msm.mitre.org/docs/STIX-Whitepaper.pdf, 2013.

[28] M. Bazzell, Open Source Intelligence Techniques, 4th Edition, Greenville, SC: CCI Publishing, 2015.

[29] D. Shackleford, "Who is Using Cyberthreat Intelligence and How?," Retrieved from: http://www.sans.org/reading-room/whitepapers/analyst/cyberthreat-intelligence-how-35767, 2015.

[30] R. Heuer and R. Pherson, Structured Analytic Techniques for Intelligence Analysis, Washington DC: CQ Press, 2011.

[31] D. Kahneman, Thinking, Fast and Slow, New York: Farrar, Strauss, and Giroux, 2011.

[32] N. N. Taleb, The Black Swan: The Impact of the Highly Improbable, New York: Random House, 2010.