rob dartnall | director methodologies in cyber threat ......rob dartnall director –cyber...

The use of conventional intelligence methodologies in Cyber Threat Intelligence

Rob Dartnall | Director – Cyber Intelligence

CONTENTS

Rob Dartnall

Director – Cyber Intelligence

Rob is a CREST Certified Threat Intelligence Managers (CCTIM) and Cyber Intelligence Director of SecurityAlliance - a Bank of England certified Cyber Threat Intelligence provider under the CBEST framework. Withspecialist interest areas of Insider Threat and Nation State Fusion Warfare, Rob has unique experience andinsight into the threat landscape. In his role as the Associate Director of Cyber Threat Intelligence to Gartner,Rob and Security Alliance are the global providers of Threat Intelligence services to Gartner consulting.

From a conventional Military Intelligence background Rob has been creating cyber threat assessments andtesting programs for some of the largest organisations in Europe, North America, the Middle East and Africa.

Rob Dartnall

Director – Cyber Intelligence

CREST certified Threat Intelligence Managers (CCTIM) Cyber Intelligence Director of SecurityAlliance Bank of England CBEST

Insider Threat Nation State Fusion Warfare,Associate Director of Cyber Threat

Intelligence to Gartner,

From a conventional Military Intelligence background

NOT A WHEEL

THE BRIEFEST HISTORY OF INTELLIGENCE YOU WILL EVER SEE…

CONE OF PLAUSIBILITY

CONE OF PLAUSIBILITY - BASELINE

Russia continues to play upon internal political divisions due to economic

stagnation & political differences. Poor security of country X firms and gov

department allows Russian hackers to continue almost unimpeded. SM remains

an open forum for misinformation operations conducted by Russian assets who have additional resources due to an

increased focus on NATO targets post turn down of Syrian Ops.

TECHNOLOGY

MILITARY

POLITICAL

ECONOMIC

SECURITY

RELIANCE ON SM –INTERNAL DIVISIONS

POOR CYBER SECURITY REMAINS

RUSSIA DECREASES SYRIA –INCREASES NATO

COUNTRY X PLAYS NICELY WITH VLAD

REMAINS STAGNANT

GLOBAL DETERIORATION

SOCIAL

20212017

CONE OF PLAUSIBILITY - PLAUSIBLE

TECHNOLOGY

MILITARY

POLITICAL

ECONOMIC

SECURITY

INCREASED AWARENESS OF FAKE NEWS

SECURITY RAPIDLY IMPROVESGov., Corp & Persons


COUNTRY X PLAYS NICELY

REMAINS STAGNANT


SOCIAL

20212017

CONE OF PLAUSIBILITY - WILDCARD

Conventional diplomacy is side-lined as country X plays hard ball with Russia, both

in public and in private. Offensive cyber operations and international sanctions

against Russia increase tensions. Russian Cyber Ops increase in frequency and

severity. With Russia's increased NATO focus a new cold war ensues. Russia's

economy becomes unstable and pressure mounts on the President’s position.

TECHNOLOGY

MILITARY

POLITICAL

ECONOMIC

SECURITY

RELIANCE ON SM –INTERNAL DIVISIONS

POOR CYBER SECURITY REMAINS


COUNTRY X PLAYS HARD BALL

REMAINS STAGNANT


SOCIAL

20212017

CONE OF PLAUSIBILITY - MOSTLY STRATEGIC

- SOMETIMES OPERATIONAL

- RARELY TACTICAL

BASELINE SCENARIODRIVERS ASSUMPTIONS

PERIOD OF TIME

PLAUSIBLE SCENARIO

WILDCARD SCENARIO

PLAUSIBLE SCENARIO

WILDCARD SCENARIO

BACKCASTING – TIMELINE ANALYSIS

ASSUMPTIONS:

WE HAVE IP OF INTEREST TO AN ADVANCED ACTOR / NATION STATE

WE ARE AWARE OF THE BREACH

THE BREACH BECOMES PUBLIC KNOWLEDGE

SCENARIO:

WE, PHARMACEUTICAL COMPANY X, WILL HAVE SUFFERED A SIGNIFICANT BREACH

OF IP THIS YEAR, WHICH LEADS TO A FALL IN OUR SHARE PRICE AND THE COLLAPSE

OF OUR MERGER.

STRATGICTACTICALOPERATIONAL

BACKCASTING – TIMELINE ANALYSIS

WE, PHARMACEUTICAL COMPANY X, WILL HAVE SUFFERED A SIGNIFICANT BREACH OF IP THIS YEAR, WHICH

LEADS TO A FALL IN OUR SHARE PRICE AND THE COLLAPSE OF OUR MERGER.

THE ATTACK

RECONNAISSANCE WEAPONISATION DELIVERY EXPLOITATION INSTALLATION C2C ACTIONS ON

MERGER

COLLAPSES

DFIR

INFORM – BOARD

REGULATORS

AUTHORITIES

STATE

DISCOVERY

POOR MESSAGING MEDIA COVERAGE

PRESS RELEASESSIMPLE INTRUSIONNATION X

INCREASE IP

COLLECTION

Ops VIA

PROXYEXFILTRATE

EXPOSITION RISING ACTION CLIMAX FALLING ACTION

DENOUEMENT

INITIAL RECON


METHOD CONSTRUCTTARGET ID

ASSET ID

INITIAL RECON

EXPLOIT ID ETC

ETC ETC

ETC

COMBAT INDICATORS (FLAGS AND SIGN POSTS)

WE, PHARMACEUTICAL COMPANY X, WILL HAVE SUFFERED A SIGNIFICANT BREACH OF IP THIS YEAR, WHICH

LEADS TO A FALL IN OUR SHARE PRICE AND THE COLLAPSE OF OUR MERGER.

METHOD CONSTRUCT


TARGET ID

ASSET ID

INITIAL RECON

EXPLOIT ID ETC

ETC ETC

RECONNAISsANCE WEAPONISATION DELIVERY EXPLOITATION INSTALLATION C2C ACTIONS ON

ETC

METHOD CONSTRUCTTARGET ID

ASSET ID

INITIAL RECON

EXPLOIT ID ETC

ETC ETC

RECONNAISsANCE WEAPONISATION DELIVERY EXPLOITATION INSTALLATION C2C ACTIONS ON

ETC

CRITICAL PATH ANALYSIS

BACKCASTING - ALWAYS STRATEGIC

- ALWAYS OPERATIONAL

- ALWAYS TACTICAL

What is the – Most Likely Course of Action (MLCoA)?

- Most Dangerous Course of Action (MDCoA)?

- What sits between?

BACKCAST THEM ALL

ANALYSIS OF COMPETING HYPOTHESES (ACH)

• PROSPECTIVE OR RETROSPECTIVE

• SOME SPECIALIST SOFTWARE AVAILABLE

• CAN BE LONG, COMPLEX AND RESOURCE HEAVY− BUT…IT CAN BE QUICK AND DIRTY


ASSET, A. WILL BE COMPROMISED BY

ACTOR (X)

EVIDENCECREDIBILIT

Y

HYPOTHESIS

NS NS – PROXY OCG HACKER HACTIVIST

ACTOR HAS

MOTIVATIO

N

4 4 4 3 4

ACTOR HAS

CAPABILITY4 3 3 3 2

ACTOR HAS

OPPORTUNI

TY

4 4 3 3 3

ACTOR HAS

PREVIOUS4 4 4 2 2

SCORE: 16 15 14 11 11



ACTOR (X)

EVIDENCECREDIBILIT

Y

HYPOTHESIS


ACTOR HAS

MOTIVATIO

N

4 4 4 3 4

ACTOR HAS

CAPABILITY4 3 3 3 2

ACTOR HAS

OPPORTUNI

TY

4 4 3 3 3

ACTOR HAS

PREVIOUS4 4 4 2 2

SCORE: 16 15 14 11 11

TIP: START BIG – go

small



ACTOR (X)

EVIDENCECREDIBILIT

Y

HYPOTHESIS


ACTOR HAS

MOTIVATIO

N

4 4 4 3 4

ACTOR HAS

CAPABILITY4 3 3 3 2

ACTOR HAS

OPPORTUNI

TY

4 4 3 3 3

ACTOR HAS

PREVIOUS4 4 4 2 2

SCORE: 16 15 14 11 11



ACTOR (X)

EVIDENCECREDIBILIT

Y

HYPOTHESIS

CHINA RUSSIA IRAN US UK

ACTOR HAS

MOTIVATIO

N

4 4 4 3 4

ACTOR HAS

CAPABILITY4 3 3 3 2

ACTOR HAS

OPPORTUNI

TY

4 4 3 3 3

ACTOR HAS

PREVIOUS4 4 4 2 2

SCORE: 16 15 14 11 11



ACTOR (X)

EVIDENCECREDIBILIT

Y

HYPOTHESIS

APT 28 APT 29 APT 1 APT 3 APT 12

ACTOR HAS

MOTIVATIO

N

4 4 4 3 4

ACTOR HAS

CAPABILITY4 3 3 3 2

ACTOR HAS

OPPORTUNI

TY

4 4 3 3 3

ACTOR HAS

PREVIOUS4 4 4 2 2

SCORE: 16 15 14 11 11

WHAT ABOUT RETROSPECTIVLEY ?


EVIDENCECREDIBILIT

Y

HYPOTHESIS

APT 28 APT 29

MALWARE A

RECOVERED4 2

MALWARE B

RECOVERED4 2

TOOL A 4 4

TOOL D 4 4

RUSSIAN

LANGUAGE4 4

IP XXX.X.XX.XXX 0 0

STATEMENT A 3 3

STATEMENT B 3 3

ASSET A IS… 4 1

ASSET C LEFT 3 2

TTP X 3 1

SCORE: 36 24

MURDER BOARDMurder boards are used to aggressively review, without constraint or pleasantries, a situation's problem, assumptions, constraints, mitigations, and the proposed solution.

TH

HORIZON SCANNING

What people don't realise is that professionals are sensational because of the fundamentals.

-Barry Larkin, US Athlete

DON’T FORGET THE BASICS

Open / closed /

leading

What people don't realize is that professionals are sensational because of the fundamentals.

-Barry Larkin, US Athlete

DON’T FORGET THE BASICS

REFINE

THE

QUESTION

CLARIFY

FOCUSING

WIDENING

Is the question clear?

Can you answer it?

Is it the right

question?Are there assumptions?

One or two questions

What information do

they want?In what way does it

need answering?

WHAT ARE WE ULTIMATELY LOOKING TO ACHIEVE?

“…IPB is a systematic, continuous

process of analysing the threat and

environment in a specific geographic

area.”

INTELLIGENCE PREPARATION OF THE BATTLEFIELD

There are four main steps:

• Define the battlefield environment

• Describe the battlefield’s effects

• Evaluate the threat

• Determine threat COAs


• Define the battlefield environment.

• Describe the battlefield’s effects.

• Evaluate the threat.

• Determine threat COAs


WE ALL HAVE BIAS…

…but professionally trained analysts – using methodologies – know how to deal with it

Evoked Set reasoning

Mirror-Imaging

Lack of empathy

Authority principle

Premature conclusions

Worse Case analysis

Ruling Theory

Excessive secrecy

Parochialism

Ruling Party

Anchoring

Congruence bias

Confirmation bias

Choice supportive bias

Bias blind spots

Belief Bias

Bandwagon effect

Loss Aversion Effect

Just-world phenomenon effect

Information bias

Impact bias

Illusion of control effect

Hyperbolic discounting effect

Endowment effect

Disconfirmation biasContrast effect

Pseudocertainty Effect

Planning bias

Colour Psychology bias

Mere exposure effectAND THAT IS JUST

HALF OF THEM

‘Intelligence without communication is

irrelevant.’ - General A M Grey, US Marine Corps

TERMINOLOGY

TERMINOLOGY

Statement Probability rangeRemote or highly unlikely <10%

Improbable or unlikely 11-25%

Realistic possibility 26-50%

Probable or likely 51-75%

Highly probable/likely 76-90%

Almost certain >90%

TERMINOLOGY

LET’S NOT FORGET WHAT INTELLIGENCE IS…

“…The directed and

coordinated acquisition

and analysis of

information to assess

capabilities, intent

and opportunities for

exploitation by leaders

at all levels.

Information is defined as

unprocessed data of

every description that

may be used in the

production of

intelligence.”

A FINAL POINT ON CTI…

DISSEMINATION‘The timely conveyance of intelligence, in an appropriate form and by any suitable means, to those who need it’

ADD VALUE

SO WHAT?

CONSISTENTCLARITY

BREVITY

USABILITY

QUESTIONS

CRITICAL PATH

SORRY, WHO ARE YOU AGAIN?

DO YOU EVEN TWEET BRO?

WIKI LINK ROB DARTNALL @CYBERFUSIONTEAM

rob dartnall | director methodologies in cyber threat ......rob dartnall director –cyber...

Documents