Cyber Intelligence

Human Threat and Cyber Counterintelligence – an Agent’s Perspective

November 26, 2013

By Doug Helton, Director of Threat Operations

Earlier this month we recognized our nation’s veterans as we do each year on November 11th. SpearTip itself is founded by and staffed largely by veterans, myself included. We at SpearTip would like to take this opportunity to offer our thanks to our brothers and sisters in arms that have served and are serving now across the world. We appreciate and are grateful for those who have sacrificed so much in the name of serving others.

The true threat of one’s adversary is not posed by the tools or weapons the adversary uses but by the adversary himself. As technology advances, so do the weapons used against a state or organization, to include rootkits, botnets and Advanced Persistent Threats. While the tools have changed, human behavior has not – there are those who still seek to steal, spy, sabotage and destroy the information and assets of competing groups, whether in business or at the state level.

Regardless of whether the threat is organized crime, a foreign intelligence service, or a terror network, the purpose of counterintelligence is to identify, detect, deter, neutralize and exploit adversary threats to an organization. One should not take this just as a list of actions but consider that the order of the list is intentional. It is ordered in a functionally logical pattern that presents several implications. This list begins with basic, or tactical, actions and ends with by far the most advanced and strategic of actions. As the list progresses, the skill, experience, and cost required to achieve a demonstrable effect also rise.

Historically, the most basic defense against external threats has been the construction of walls and barriers and the placing of sentries along those walls on the lookout for attack. In the cyber domain, these walls and perimeters are built with firewalls, intrusion detection and intrusion prevention systems. Like a soldier manning a gate, organizations monitor and track inbound and outbound traffic, and implement access control lists. At a slightly higher level, there are hardware and software solutions which look for anomalous behavior. These tactical solutions are an absolutely necessary piece of any defensive program as they keep the honest ones honest and eliminate low level and opportunistic attacks. This approach defines the concept of defense in depth. These solutions are limited to the tactical realm as they focus on the technical toolset and counter the tools of the day. Consequently, it is strategically unsound for one to believe technical solutions can create a ‘secure’ environment for a sustained period of time in a world where history has demonstrated defensive and offensive weapons are developed in a perpetual arms race. Consequently, no environment can ever be truly secure and immune from attack. Executives should realize, however, that by utilizing both tactical and strategic solutions an environment can become hardened and thereby reduce the possibility of a successful attack and raise the cost of initiating an attack. As stated before, in order to counter the threat of nation state, organized crime, and ‘hacktivist’ attackers, and of host and network based attacks, technical solutions are necessary and are the foundation of an information security program. Cyber counterintelligence builds on these capabilities and seeks to identify and disrupt adversary activities beyond the corporate perimeter.

Cyber counterintelligence, like all intelligence collection and analysis initiatives, strives to collect, analyze and report an adversary’s capabilities and intent to attack prior to an attack. Most importantly, cyber counterintelligence, like all intelligence endeavors, is not all knowing. It is limited by the access of collection platforms, the operational and communications security of the adversary, and chance. Failing to identify an attack in advance is not an ‘intelligence failure’; it is reality – no intelligence or counterintelligence activity ever bats 1.000. However, a strong cyber counterintelligence program substantially increases the likelihood of early attack identification and similarly speeds up the detection time of a past or ongoing attack. Cyber counterintelligence becomes a strategic force multiplier by identifying and engaging threats well beyond the physical and logical perimeter, allowing organizations to prioritize resource allocation intelligently and efficiently.

Threat intelligence. Threat landscape. Threatscape. These are the buzzwords thrown around in increasing numbers by security and risk practitioners, and that is a good thing because it means more organizations are moving towards intelligence-driven risk management and decision making models. These words, however, are loaded and warrant some caution. They carry different meanings to different people and unfortunately there is a lot of data and information posing as intelligence. SpearTip has on staff decades of intelligence experience. I personally have over 12 years of signals intelligence, counter-terrorism, law enforcement intelligence and counterintelligence experience. Therefore, I feel comfortable saying that threat intelligence is not a term in use by the intelligence community on a wide basis and can be best described as vague and generic. The Department of Defense’s Joint Publication 2-0 defines intelligence as “the product resulting from the collection, processing, integration, evaluation, analysis, and interpretation of available information concerning foreign nations, hostile, or potentially hostile forces or elements, or areas of actual or potential operations.” Most threat feeds or threat intelligence streams focus on providing signature and behavior based rule sets to be implemented through hardware and software security solutions. The better threat intelligence services offer additional analysis and trends based on these data sets and some even offer a degree of attribution to a particular group or actor. The most common element of threat intelligence is that it is technical in nature. This is positive if one understands its limitations. Threat intelligence does a good job of protecting us from the weapons of yesterday and today but not tomorrow, nor does it identify the adversary’s intent or diminish his capabilities. In one word, threat intelligence is tactical.

To be clear, the value of forensic and technical intelligence should not be diminished, and if organizations don’t have this type of information feed supporting information security they should strongly consider setting this as a priority.

Once that defensive wall is built, a cyber counterintelligence program can begin addressing the true threat – the human crafting, deploying and guiding these cyber-attacks. This requires in-depth knowledge of and experience with both the actor (the human) and the tradecraft (malware) elements. SpearTip is comprised largely of former military counterintelligence agents with years of experience in human intelligence (HUMINT) and counterintelligence methodologies and a deep understanding of the human factors. These factors are the “physical, cultural, psychological and behavioral attributes of an individual and group that influence perceptions, understanding and interactions.” It is at this level that SpearTip is able to gain critical insight into the capabilities, motives, and intent of cyber threat actors by leveraging the ability to conduct cyber HUMINT and counterintelligence collection operations and subsequently providing advisory services to executives based on the intelligence gleaned from this collection and analysis. SpearTip also possesses the technical capabilities to identify, track, and analyze Advanced Persistent Threat activity and malware. This activity mirrors the surveillance and monitoring of espionage and terrorism related tradecraft in the traditional sense. This activity centers on establishing the ability to deter, neutralize and exploit these attacks, whereas current threat intelligence focuses on detecting and blocking actions. The malware analysis and cyber counterintelligence collection pieces are mutually supportive and feed thorough intelligence analysis. Cyber counterintelligence becomes even more important when early reporting for 2013 indicates the total number of breaches is down from previous years but the attacks are increasingly targeted and sophisticated. Furthermore, attacks are increasingly targeting intellectual property rather than customer records.

The end product is reporting that bolsters an organization’s ability to proactively manage enterprise risk and protect brand reputation, Personally Identifiable Information, and intellectual property.

_____________________________________________________________________________
U.S. Joint Chiefs of Staff, Joint Intelligence, Joint Publication 2-0 (Washington, DC: U.S. Joint Chiefs of Staff, October 22, 2013).
Ibid.
Ericka Chickowski. “Lessons Learned From 4 Major Data Breaches In 2013.” Dark Reading. Accessed November 26, 2013. http://www.darkreading.com/database/lessons-learned-from-4-major-data-breach/240164264.