Cyber Intelligence Part 1: An Introduction to Cyber Intelligence

This is the beginning of a short blog series on the topic of cyber intelligence, its sub-disciplines, and its uses. As an Adjunct Lecturer at Utica College, I teach graduate students in the M.S. Cybersecurity program on topics including cyber intelligence and cyber counterintelligence.

One of my observations while building the course syllabus and instructing the students is that there is a general lack of information on what cyber intelligence is and how to appropriately use it. There are a few resources out there but cyber intelligence is more often thrown around as a buzz word for company statements and contracts than it is actually defined and used.

I would argue that every good analyst working in information technology or “cyber” type roles uses intelligence, although, having encountered plenty of people in this field, I readily admit that some use it more than others.

The first step to understanding cyber intelligence is to realize that intelligence tactics, techniques, and procedures (TTPs), as well as various types of operations, existed long before cyberspace was conceived. Intelligence is most often seen as offensive in nature when viewed through the lens of spying and collection operations, but its ultimate purpose is equally rooted in defense.

In a military context, commanders want to know the intent of the adversary either to make better strategic choices on the battlefield (offense) or to prepare more aptly for an attack (defense). The definitions and tradecraft used by various government and military organizations serve as the best foundation for understanding cyber intelligence.

These definitions and processes will be reviewed in this first blog post and set the theme for the series as we explore the specific discipline of cyber intelligence more in depth.

The U.S. Department of Defense (DoD) has a document titled “Joint Publication (JP) 2-0 Joint Intelligence” (PDF) that serves as a foundation for their understanding and use of intelligence. From that document we can extract three very important pieces of information for use in cyber intelligence. The first is the definition of intelligence:

  1. The product resulting from the collection, processing, integration, evaluation, analysis, and interpretation of available information concerning foreign nations, hostile or potentially hostile forces or elements, or areas of actual or potential operations.
  2. The activities that result in the product.
  3. The organizations engaged in such activities.

From this definition we see that the DoD views intelligence as a product, the activities that result in that product, and the organizations performing those activities. Most civilian organizations and uses of intelligence will not include goals defined by foreign nations. A useful and simpler definition for general use can thus be presented as: Intelligence is both a product and a process from collecting, processing, analyzing, and using information to meet an identified goal.

The key here is making sure the data meets some goal or purpose and is not just “intelligence for intelligence’s sake” (dragnet type intelligence operations actually hinder analysts and negatively impact security; I’ll address the topic of privacy being crucial to security in a presentation at TROOPERS 2014 in March). This definition is applicable to cyber intelligence: we simply apply the sources and efforts of collecting, processing, analyzing, and using the intelligence to cyberspace related topics.

The second important piece of information from JP 2-0 is the way the DoD intelligence community defines its intelligence disciplines. Going through each discipline and defining it would make for a much longer blog post, but it is well worth the read to understand how the DoD defines specific categories of intelligence disciplines.

As examples, there are those that are more commonly referenced, such as HUMINT (human intelligence, derived from human to human interaction), OSINT (open source intelligence, gathered from publicly available sources) and SIGINT (signals intelligence, which usually refers to electronic mediums from sources such as satellites).

There are also those less often referenced, such as GEOINT (geospatial intelligence, such as images taken from aircraft) and MASINT (measurement and signature intelligence, such as radar data and nuclear radiation readings). It can be helpful to understand these terms, but the biggest takeaway is realizing that there are disciplines of intelligence and that it is useful to categorize intelligence by both its intended use and its collection source so that you can evaluate it and apply it quickly and correctly. Cyber intelligence would be a specific discipline in intelligence (some have tried to use CYBINT as the term, although it has never truly caught on).

The JP 2-0 document contains a lot of other great pieces of information, such as how the DoD fuses its intelligence products together to use them. This can be useful in providing a baseline of how others do it so you do not have to train yourself or others from nothing. However, the final useful piece of information I want to highlight is the intelligence lifecycle.

The intelligence lifecycle is something we will want to use extensively in cyber intelligence. The intelligence cycle is a circular and repeated process for converting data into intelligence that is useful for meeting a goal of a user or customer; it has the following steps:

  1. Planning and direction – Determine what your requirements are. To appropriately create any amount of intelligence out of information you should have a defined goal and intentions. This could be something as simple as wanting to know the command and control servers of a piece of malware so that you can block it on your network, to wanting to know the type of information systems your target uses so that you can infiltrate them. As you move through the intelligence cycle you can go back and address the steps again (as an example, if you get new data which reveals something you did not know, an intelligence gap, you may define a new goal).
  2. Collection – Where and how you acquire the data and information to process. This can be honeypots, firewall logs, Intrusion Detection System logs, scans of the Internet, etc. You should know most of your available collection options while in the planning and direction phase so you can set reasonable goals or intelligence needs.
  3. Processing – The conversion of your collected information into something you can use, e.g. being able to access and parse through the data you collected. This may apply to how you store and access the data or to the actual parsing of data, such as converting binary data into human readable information such as ASCII.
  4. Production – This is the step in which you take your data and turn it into an intelligence product. This is done through analysis and interpretation and thus is heavily dependent on the analyst. All produced reports should meet a defined intelligence need or goal from your planning and direction phase.
  5. Dissemination – Supplying your customer or user with the finished intelligence product. If your users cannot access your product or cannot use it then it is useless and does not meet a goal. JP 2-0 does not directly include “feedback” as part of the intelligence cycle, but all organizations and analysts should consider Step 6 – Feedback and make sure that your planning and direction phase lined up correctly with what was produced.
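To make the cycle concrete, here is an added example (my own illustration, not code from the original post or from JP 2-0) that runs all six steps over a handful of constructed firewall log lines. The requirement, the log format, the IP addresses and the "regular beaconing" heuristic used in the production step are all assumptions chosen for this walkthrough; a real requirement and collection source would replace them.

```python
"""The intelligence cycle run end to end over constructed firewall logs.
Added example: the requirement, log format, hosts and heuristic are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


# Step 1 - Planning and direction: state the goal the finished product must meet.
@dataclass
class Requirement:
    req_id: str
    goal: str
    min_sources: int = 2     # distinct internal hosts that must contact the destination
    max_jitter: float = 0.2  # stdev/mean of gaps between connections ("regular" beacons)


# Step 2 - Collection: constructed firewall log lines (not real data, documentation-range IPs).
COLLECTED_LOGS = [
    "2014-02-10T09:00:00 ALLOW 10.0.0.5 -> 203.0.113.7:443",
    "2014-02-10T09:10:00 ALLOW 10.0.0.5 -> 203.0.113.7:443",
    "2014-02-10T09:20:00 ALLOW 10.0.0.5 -> 203.0.113.7:443",
    "2014-02-10T09:30:00 ALLOW 10.0.0.5 -> 203.0.113.7:443",
    "2014-02-10T09:05:00 ALLOW 10.0.0.9 -> 203.0.113.7:443",
    "2014-02-10T09:15:00 ALLOW 10.0.0.9 -> 203.0.113.7:443",
    "2014-02-10T09:25:00 ALLOW 10.0.0.9 -> 203.0.113.7:443",
    "2014-02-10T09:02:11 ALLOW 10.0.0.5 -> 198.51.100.20:80",
    "2014-02-10T09:47:30 ALLOW 10.0.0.9 -> 198.51.100.20:80",
    "2014-02-10T11:13:05 ALLOW 10.0.0.12 -> 198.51.100.20:80",
    "2014-02-10T09:00:00 DENY 10.0.0.12 -> 192.0.2.44:22",
    "this line is corrupt and must be skipped",
]


@dataclass
class Connection:
    ts: datetime
    src: str
    dst: str
    port: int
    action: str


# Step 3 - Processing: turn raw lines into structured records; skip what will not parse.
def process(lines):
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[3] != "->":
            continue  # unparseable line: counted later as a collection gap, never guessed
        dst, _, port = parts[4].rpartition(":")
        records.append(Connection(datetime.fromisoformat(parts[0]), parts[2], dst, int(port), parts[1]))
    return records


# Step 4 - Production: analysis against the requirement, not a dump of everything seen.
def produce(records, req):
    """Flag destinations contacted at regular intervals by enough distinct internal hosts."""
    by_dst = defaultdict(lambda: defaultdict(list))
    for r in records:
        if r.action == "ALLOW":
            by_dst[r.dst][r.src].append(r.ts)
    findings = []
    for dst, sources in by_dst.items():
        gaps = []
        for times in sources.values():
            times.sort()
            gaps += [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(sources) < req.min_sources or len(gaps) < 2:
            continue  # too little evidence to call this regular beaconing
        jitter = pstdev(gaps) / mean(gaps)
        if jitter <= req.max_jitter:
            findings.append({"req_id": req.req_id, "destination": dst,
                             "sources": sorted(sources), "mean_gap_s": mean(gaps),
                             "jitter": round(jitter, 3)})
    return findings


# Step 5 - Dissemination: a product the firewall team can act on directly.
def disseminate(findings, req):
    lines = [f"Intelligence product for {req.req_id}: {req.goal}"]
    for f in findings:
        lines.append(f"block {f['destination']}  (contacted every {f['mean_gap_s']:.0f}s by {', '.join(f['sources'])})")
    if not findings:
        lines.append("no destination met the requirement; revisit planning or widen collection")
    return "\n".join(lines)


# Step 6 - Feedback: did the product answer the requirement, and where are the gaps?
def feedback(findings, req, records, raw_lines):
    return {"requirement_met": bool(findings) and all(f["req_id"] == req.req_id for f in findings),
            "unparsed_lines": len(raw_lines) - len(records)}


def run_cycle(raw_lines=COLLECTED_LOGS):
    req = Requirement("REQ-1", "identify external hosts contacted by regular beaconing so they can be blocked")
    records = process(raw_lines)
    findings = produce(records, req)
    return disseminate(findings, req), feedback(findings, req, records, raw_lines)


if __name__ == "__main__":
    product, fb = run_cycle()
    print(product)
    print(fb)
```

The point of the example is the shape of the cycle rather than the heuristic: the requirement is written down before any log is read, production only reports against that requirement (the single-visit web host and the denied connection never reach the product), and feedback records both whether the goal was met and how many collected lines processing had to discard, which is exactly the kind of intelligence gap that feeds the next planning pass.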

From the above we gain a great start toward understanding cyber intelligence and moving to a point where we can use it appropriately. We also see the theme that intelligence is highly dependent on analysts and their interpretation of data.

In this way, a great analyst can use a small data set and get more out of it than an untrained analyst could from “big data” sets. In the next blog we will take a look at what it means to be a cyber intelligence analyst and some tips on developing your skills.

This was first published on Tripwire.

Originally appeared at RobertMLee.org.

Author:

Robert M. Lee is a fellow in the Cybersecurity Initiative. He is Founder and CEO of the cybersecurity company Dragos, Inc., a SANS Institute course author and researcher, and a PhD candidate at King's College London.