In the previous article in this series I talked about developing your cyber intelligence analyst skills. The approach largely relied on becoming tool agnostic and developing a strong base through education. As the analyst it is your opinion and expertise that matters most.
I also highlighted three of the more talked about sub-disciplines of cyber intelligence which are Intelligence Collection Operations, Cyber Counterintelligence, and Threat Intelligence. In this blog we will cover Cyber Intelligence Collection Operations.
What is Cyber Intelligence Collection Operations?
The topic of Intelligence Collection Operations sounds inherently military or government based in nature, especially with the use of the word “operations.” The term here, though, is meant to evoke the concept of a prolonged process and not just a single action.
When an analyst goes about collecting information or data, it should more often be part of a larger effort to reach some goal or answer some question instead of being a singular event. When thinking of the military or government aspect, there also tends to be an overvaluation of information the government obtained or of classified material.
While government operations or material that was deemed classified can be enticing, one must always remember that it was conducted or written by other analysts, and analysts sometimes get it wrong or overhype their own products. Where collection operations are concerned, there does not have to be anything classified or cryptic about them.
Channeling the concept of the ongoing process, or operation, think back to the first blog post in this series and you will remember the intelligence lifecycle. In this blog we are specifically taking a look at the second step of an ongoing cycle – collection.
To perform any sort of analysis on data you must have access to data. This seems simple enough but identifying the right sources of data can be one of the most difficult jobs an analyst has. Often, data that is mentioned in reports and threat feeds is already analyzed and lacks the original, or raw, data that the other analyst looked at.
There is benefit in viewing the analysis of other analysts and companies but access to raw data can be critical especially for the purpose of validating the information. In addition to validating another analyst’s work, it is important to be aware that two analysts can look at the same raw data and come to two or more different conclusions.
There are many ways to collect data. For the purpose of this blog I will highlight the three categories of collection I use to understand where data comes from, and then discuss the three types of data. There is no de facto standard, but this is an approach that has helped me and I hope that it helps you as well. The three types of data collection:
- Passive – data collected on networks or information systems you have responsibility over. An example would be analysts capturing internal network traffic, collecting system logs, monitoring internal company forums, and other activities internal to their organization such as performing red team assessments. The key here is to highlight that the term passive refers to an analyst not directly engaging with an adversary or their infrastructure.
- Hybrid – data shared from other networks or information systems or collected from networks designed to entice adversaries. Here, an example of hybrid data would be Bank 1 sharing information off of their networks with Bank 2. Bank 1 may have recently been targeted by an adversary and sharing that information with Bank 2 can help them better prepare. Another example would be honeypots established to entice adversaries into interacting with them. Hybrid data collection is a key aspect of Threat Intelligence which will be discussed later in this blog series.
- Active – data obtained from external networks or information systems under the influence of an adversary. It is important to understand that networks or information systems under the influence of an adversary might not actually be owned or controlled by the adversary. An example would be a Command and Control (C2) server being utilized to connect to malware. The C2 server may belong to an unwitting victim while it is being used by the adversary. Active data collection usually requires analysts to have access to sensitive data, participate in takedown operations performed by the government, or conduct law enforcement operations issued with legal warrants. This type of data collection must be performed carefully so that the legal and privacy rights of members are protected.
After determining the type of data collection performed, it is imperative to understand the type of data collected. Three types of data classifications I use are:
- Raw Data – unevaluated data collected from a source. This type of data can be the most fruitful but requires extra time to process and analyze it; this type of data would be found in step two of the intelligence lifecycle. It should include raw details such as IP addresses, network logs, or full forum posts by a potential adversary.
- Exploited Data – data processed and exploited (analyzed) by another analyst which contains selected raw data. This is the type of data that might be available to an analyst after the third step in the intelligence lifecycle. It should contain raw data and technical details (if available) but it might only be raw data that the analyst found interesting and not all of the data. This type of data should include analysis on what the data means or indicates. An example would be malware or computer campaign reports with technical information and analysis on a threat.
- Production Data – data finalized into a report meant for dissemination that may include limited or no raw data. This type of data would be available after the fourth step in the intelligence lifecycle. Often, production data may only be intended for the awareness of a reader or customer, or it might be intended to prompt suggested actions. An example would be advisories given to users or Intrusion Detection System signatures ready-made for deployment.
Many tools and approaches are available to analysts, such as digital forensics and incident response, threat intelligence, monitoring forums adversaries use, subscribing to threat feeds, performing OSINT searches, and even joining specialized groups that share data and analysis.
However, the most important aspect of Cyber Intelligence Collection Operations is correctly identifying the right sources of data and making sure the data is valid. Any time you try to conduct intelligence operations you must be aware that data or analysis can be incorrect and that false data can be placed for the purposes of counterintelligence and deception.
The next article in this series will discuss the aspect of cyber counterintelligence.
About the Author: Robert M. Lee (@RobertMLee) is an Adjunct Lecturer at Utica College. He is also Co-Founder of Dragos Security LLC, a cyber security company which develops tools and research for the control system community. Additionally, Robert is an active-duty U.S. Air Force Cyberspace Operations Officer – his views and this article are his own and do not represent or constitute an opinion by the U.S. Government, DoD, or USAF. He has published and presented on cyber security topics in publications and conferences around the world, and is the author of SCADA and Me.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.