“Intelligence” in Cyber Security

David Bianco recently posted Use of the term "Intelligence" in the RSA 2014 Expo. I suspect “intelligence”, as used in much of cyber security, is a buzzword used for marketing purposes. However, I thought I would put a stake in the ground by providing my definition of intelligence in cyber security.

Intelligence is extrinsic knowledge applied to local data to optimize analysts’ efforts.

Let me unpack that definition.

“Extrinsic knowledge” is the most important term. This is knowledge from outside your network. By definition, no matter how good your sensors or analysts are, extrinsic knowledge cannot be generated locally.

“Applied to local data” means that the knowledge must enhance the value of local data. In a sense, it says, “pay attention to this fact, not that fact.” The phrase also implies that the intelligence is structured so that algorithms can automatically apply it to potentially large volumes of data.

“Optimize analysts’ efforts” means the purpose of this intelligence is to make the best use of people’s time. Of all the resources in cyber defense, people’s time is the least scalable, so it is the most precious. The end result is that analysts should be provided with actionable data, prioritized to give them the biggest bang for their buck (or time) in protecting their network.

What is intelligence applied to?

An important point is that I refer to applying the intelligence to “data”, but I did not explicitly say what the data was. Certainly one source of data is event logs of activity -- syslog messages, netflow data, and so on. That kind of data is for detecting malicious activity. But “data” can also refer to data collected about a network’s configuration -- programs installed, patches applied, hashing algorithms used to protect passwords, and so on. Intelligence should also be applied to hardening the network so that attacks do not succeed in the first place.
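To make the two halves of that concrete, here is a small added example (mine, not from the original post) of extrinsic knowledge applied to both kinds of local data: a few structured indicators are matched against syslog-style event lines and against a host configuration inventory, and the hits are ranked into a work list for an analyst. The indicator values, log lines, inventory, field names, and the priority weights are all constructed for illustration; the weights are an assumption about how much attention a hit deserves, not a property of any real feed.

```python
"""Added example: apply structured, extrinsic indicators to local event logs
and configuration data, then prioritize the hits for analysts.

Every indicator, log line and inventory entry below is constructed for
illustration; nothing here comes from a real intelligence feed or network."""
import re
from collections import defaultdict

# Extrinsic knowledge, structured so code can apply it. "kind" says which
# local data the indicator applies to ("event" = log streams, "config" =
# host/network configuration). "weight" is an assumed priority: higher
# means a hit should reach an analyst sooner.
INDICATORS = [
    {"id": "I-1", "kind": "event", "field": "dst_ip", "value": "198.51.100.23",
     "weight": 2, "note": "address contacted by a recently seen attack tool"},
    {"id": "I-2", "kind": "event", "field": "user_agent",
     "value": "Mozilla/4.0 (compatible; TOOLX/1.0)",
     "weight": 5, "note": "user-agent string hard-coded in that attack tool"},
    {"id": "I-3", "kind": "config", "field": "software", "value": "exampled 2.1",
     "weight": 4, "note": "software version the same tool exploits"},
    {"id": "I-4", "kind": "config", "field": "pw_hash", "value": "md5",
     "weight": 3, "note": "unsalted MD5 password hashes crack quickly if stolen"},
]

# Local data, part one: constructed syslog-style lines in two formats
# (a firewall flow record and a proxy HTTP record).
LOG_LINES = [
    "Mar  1 10:02:11 fw1 flow: src=10.0.0.5 dst=198.51.100.23 dport=443 bytes=5120",
    "Mar  1 10:02:15 fw1 flow: src=10.0.0.7 dst=203.0.113.9 dport=80 bytes=800",
    'Mar  1 10:03:01 proxy1 http: src=10.0.0.5 host=example.net ua="Mozilla/4.0 (compatible; TOOLX/1.0)"',
    'Mar  1 10:03:02 proxy1 http: src=10.0.0.9 host=example.net ua="Mozilla/5.0 (X11; Linux)"',
    "Mar  1 10:04:40 fw1 flow: src=10.0.0.5 dst=198.51.100.23 dport=443 bytes=77000",
]

# Local data, part two: constructed configuration inventory, keyed by asset.
INVENTORY = {
    "10.0.0.5": {"software": ["exampled 2.1", "sshd 9.0"], "pw_hash": "sha512crypt"},
    "10.0.0.7": {"software": ["exampled 2.3"], "pw_hash": "md5"},
    "10.0.0.9": {"software": ["sshd 9.0"], "pw_hash": "sha512crypt"},
}

TS = r"(?P<ts>\w+\s+\d+ [\d:]+) (?P<host>\S+) "
FLOW_RE = re.compile(TS + r"flow: src=(?P<src_ip>\S+) dst=(?P<dst_ip>\S+) "
                     r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$")
HTTP_RE = re.compile(TS + r'http: src=(?P<src_ip>\S+) host=(?P<http_host>\S+) '
                     r'ua="(?P<user_agent>[^"]*)"$')


def parse_line(line):
    """Turn one syslog-style line into a dict of fields; None if unrecognised."""
    for rx in (FLOW_RE, HTTP_RE):
        m = rx.match(line)
        if m:
            return m.groupdict()
    return None


def apply_to_events(indicators, lines):
    """Match event indicators against parsed log lines, grouped by local asset."""
    hits = defaultdict(list)  # (indicator id, source asset) -> matching records
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsed lines are a coverage gap, not a match
        for ind in indicators:
            if ind["kind"] == "event" and rec.get(ind["field"]) == ind["value"]:
                hits[(ind["id"], rec["src_ip"])].append(rec)
    return hits


def apply_to_config(indicators, inventory):
    """Match configuration indicators against the inventory, grouped by asset."""
    hits = defaultdict(list)
    for asset, facts in inventory.items():
        for ind in indicators:
            if ind["kind"] != "config":
                continue
            fact = facts.get(ind["field"])
            present = ind["value"] in fact if isinstance(fact, list) else fact == ind["value"]
            if present:
                hits[(ind["id"], asset)].append(fact)
    return hits


def prioritize(indicators, lines, inventory):
    """Combine event and config hits into one list, highest priority first."""
    by_id = {i["id"]: i for i in indicators}
    findings = []
    for hits in (apply_to_events(indicators, lines), apply_to_config(indicators, inventory)):
        for (ind_id, asset), recs in hits.items():
            ind = by_id[ind_id]
            findings.append({"asset": asset, "indicator": ind_id, "weight": ind["weight"],
                             "count": len(recs), "note": ind["note"]})
    # Highest weight first, then the most supporting evidence, then asset for a stable order.
    findings.sort(key=lambda f: (-f["weight"], -f["count"], f["asset"]))
    return findings


if __name__ == "__main__":
    for f in prioritize(INDICATORS, LOG_LINES, INVENTORY):
        print(f"[{f['weight']}] {f['asset']} {f['indicator']} x{f['count']}: {f['note']}")
```

With the constructed data, the tool's user-agent hit on 10.0.0.5 tops the list, followed by that host's vulnerable software version, 10.0.0.7's weak password hashing, and only then the two flows to the known address. The point of the ordering is the one made above: the same hits could have been dumped in log order, but ranking them by the intelligence's own weighting is what turns raw matches into a queue that spends analyst time well.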

Where does that intelligence come from?

Intelligence comes from many sources. Here are a few:

  1. Aggregated sensor logs. If 100 of a community of 1000 sites have recently been attacked by a new attack tool, it would be nice if the other 900 sites knew to be prepared for the attack and alert for its use.
  2. Cyber attack investigations. When investigating an attack at one site, tools, techniques, targets, external network addresses, and other evidence are uncovered that can then be looked for at other sites.
  3. Human intelligence. Infiltrating hacker groups, grooming contacts, lurking on bulletin boards, and looking for stolen data for sale are great sources of intel (think of Brian Krebs’ work).
  4. Penetrating attackers’ networks. This is a great source of intel, but it is something probably best left to those who can legally get away with it.

What do you need to think about when using intelligence?

Here are some questions you should consider:

  1. How comprehensive and accurate is the original intelligence?
  2. How expressive is the structured language used to represent that intelligence?
  3. How well do the algorithms apply the intelligence to data streams?
  4. What is the coverage and quality of the data streams against which the intelligence is applied?

(1) reflects the size, skills, and tools of the organization gathering the intelligence. (4) depends on the local organization. I think questions (2) and (3) are what David Bianco wanted to know about. For example, how much of David’s “Pyramid of Pain” can the structured language for intelligence capture? I think these are areas ripe for research & development.

There you have it. Intelligence is knowledge collected, processed, and packaged outside your network and applied to the data collected from your network in order to maximize prevention and detection.