25 Sep Threat intelligence and situational awareness for better security
More and more governmental agencies establish Security Operations Centres in order to gather information from different rage of sources and indicate threat indicators, mitigating identified threats and sharing knowledge with other parties to support incident response efforts. Threat intelligence consists of intelligent information collection and processing to help organizations develop a proactive security infrastructure for effective decision making[1]. Mainly threat intelligence is associated with cybercrime, cyberterrorism, hacktivism, but it can be also used as decent tool for fighting with disinformation, turbulence and as well for mass surveillance as well. Many countries have raised the issue of cyber security as a subject in the national security strategy[2].
Today’s online communication has led to an overwhelming volume of data from so different sources that it becomes difficult to collect relevant information without getting extra “noise” part of it. To improve situation and deal better with floods of information it is required to use tools which could provide analytical benefit for tactical, operational, strategical and technical intelligence. Strategic intelligence is relevant for senior decision-makers focusing more on risk-based information, operational used to prevent certain actions during some incident, tactical intelligence refers to threat actors and threat indication detection and analysis to understand better situation, but technical intelligence is related to actor’s tools, malware, infrastructure, focusing on indicators of compromission.
Such intelligence tools should be able to continuously capture hight-speed of data streams, which consist from structured and unstructured data, provide automatic analytical processes which is based on certain preconfigured rules and also dynamic analytic possibilities based on machine learning possibilities. It is understood there are more possibilities offered by these systems, like dynamic intelligence feeds adopted to specific environment, automated workflows, smart data visualization, OSINT feeds. While it should be taken into account that the last step of possible decisions is human intelligence which allows evaluate specific situations and incident situations where automatic rules and machine decisions cannot help. Immense challenge in the monitoring of the network communication is that network traffic mainly is encrypted, but also there are possible proposals how to track certain indicators of compromission, for example, JA3 fingerprinting is an effective way of detection malicious threats, where this method combines five parameters of TLS communication – version, ciphers, extensions, elliptic curves and its formats hash value which allows identify certain object in network. Not always content itself is so important part for analytics, often more important is to detect the patterns of behaviour. Noteworthy that such protocols like TAXII allows exchange intelligence information and combine multiple threat sources in one platform. And if particular platform is evolved enough it can filter traffic based on organisation needs. Among such tools IBM X-Force Exchange (https://exchange.xforce.ibmcloud.com/), Mimecast Threat Intelligence platform (https://www.mimecast.com), PaloAlto Networks AutoFocus (https://www.paloaltonetworks.com/cortex/autofocus) and others can be mentioned.
If research deeper in the functionality of intelligence system of Security information and management system (SIEM) it has grown to central analytical system which is able to capture live traffic with millions of devices. Distributed File Systems and data streaming technologies allows process unlimited amount of data and adapt technical infrastructure and processing power according analytical needs. If usually these systems were used as on-prem solutions, then now there are also commercial services with analytical software and professionals who work for certain countries[3]. It should be taken into account there are different focuses of systems – like focusing mainly on cyber-attacks than analysing malware, network protocols, vulnerability lists, device network profiles, and in opposite – focusing on mass surveillance focusing on social network feeds, geolocation data, feeds from accidents or surveillance cameras.
FIU Latvia participates in NATIONES project (https://www.notiones.eu/). This is great possibility to cooperate with intelligence practitioners and security specialists from several law enforcement agencies and academic institutions. Project allows explore current possibilities of tools which could be useful for Law enforcement entities and also project gives understand what kind of gaps should be filled to provide better security.
Author(s): Nauris Paulins, Deputy head of Innovation and IT division of Financial Intelligence Unit of Latvia
References:
[1] J. Nestor M. Dahj, Master Cyber Intelligence, Packt, April 2022, 528, ISBN 9781800209404
[2] D. Rezki, M. Syaroni, Cyber Intelligence in National Secuirty, Journal of Strategic and Global Studies. Volume 4, July 2021.
[3] The Cyber Threat Intelligence Integration Center. https://www.dni.gov/index.php/ctiic-who-we-are or Flashpoint Cyber Threat Intelligence https://flashpoint.io/ignite/cyber-threat-intelligence/