Joseph and the Amazing Primary Colour CTI Function: The Opportunities and Benefits of Primary Source Intelligence
CTI functions can improve the quality of their reporting in various ways. Few will have as dramatic an improvement as utilising primary source intelligence.
Cyber threat intelligence (CTI) can be a vital pillar of an organisation’s cyber security function. Yet not all intelligence is created equal — it can range from stale and outdated indicators of compromise all the way to zesty adversary attack details (and with juicy mitigation advice baked in for good measure).
When it comes to refining intelligence, no one needs more data. Quality trumps quantity. The majority of intelligence stakeholders are time constrained and have enough on their reading list already. The challenge is to produce high leverage intelligence that equips stakeholders with decision advantage related to their most pressing challenges.
There are various ways that CTI functions can improve the quality of their reporting. Yet, few will have as dramatic an improvement as utilising primary source intelligence.
Primary Source Intelligence 101
Primary source intelligence refers to reporting that is based on immediate and first-hand accounts. Within cyber security, this typically means reporting based on a direct connection to the threat at hand.
Multiple forms of primary source collection exist in cyber security. This could include perspectives gained through incident response engagements into network intrusions. Endpoint protection products will also provide rich telemetry across multiple industries. Some threat intelligence teams will also build an organic collection capability to monitor adversary infrastructure and behaviour.
Primary source intelligence does not possess a monopoly on useful insight. It is typically compared to secondary source intelligence that, by definition, is based on second-hand observations of adversaries. Secondary source intelligence could therefore be based on media articles, academic papers, or third-party reporting.
Many organisations combine both primary and secondary sources in their reporting, because secondary sources can undoubtedly provide high-quality insight. Ultimately, no single entity has omniscient visibility into the threat landscape. Drawing on external sources therefore helps to gain a more expansive perspective and additional insight.
However, despite the clear contribution that secondary source intelligence can provide, a robust primary source-led approach to CTI provides a unique and highly effective perspective.
Benefits of primary source intelligence
Primary source CTI confers several advantages for today's security functions.
Build an intimate understanding of adversary behaviour
Regular, first-hand observations of threat actors afford an opportunity to learn intimate details of an adversary’s modus operandi. Possessing an understanding at this granular level then provides the foundation for producing and disseminating intelligence in a variety of formats (whether that be relevant indicators, executive perspectives, MITRE ATT&CK playbooks, or even a technical annex for those determined to venture into the weeds).
Intelligence based on front-line understanding reduces ambiguity by lowering the risk that reporting is misinterpreted. Secondary sources introduce additional nodes in the communication chain between the initially observed adversary activity and the final report. Each additional link increases the risk that adversary details are obfuscated, redacted, or amended as a story goes through successive reporting iterations.
Detailed technical reports, for example, are often summarised into high-level media pitches. Intelligence based on these media articles would then be unable to provide technical details that would likely be useful to relevant stakeholders. Primary source intelligence, by contrast, cuts out intermediaries.
Understand adversary activity from multiple angles
A variety of primary sources exist in cyber security and utilising a breadth of sources will help organisations to better understand their threat landscape. This is because each source provides a unique perspective.
Ransomware is one example where a variety of primary sources enriches our understanding. Incident response engagements help us to understand how a ransomware variant operates once it has reached a target system, an increasingly important issue given the rising popularity of post-compromise ransomware operations. Tracking malware and adversary infrastructure adds insight into the wider tooling used alongside the ransomware in these campaigns.
Endpoint telemetry, on the other hand, can provide a broader perspective on the most pressing threats to specific regions and industry verticals. Access to dark web criminal forums also affords an understanding of the new variants being advertised for sale. Regularly monitoring data leak sites linked to ransomware operations allows organisations to confirm any publicised victims and to ascertain any data exposure issues that could impact them.
The point here is not that any one of these sources is superior, but that when combined, they are able to build up a much clearer picture of the threat landscape.
Speed
Timeliness is a key component of actionable intelligence. Whether it be relevant indicators or a newly observed MITRE ATT&CK technique, CTI functions should strive to shorten the window of time between adversary activity and the dissemination of relevant and actionable insight to defenders.
Threat actors are constantly innovating, and front-line experience allows organisations to move at the speed of the threat. By being close to the action and leveraging sources with a direct connection to the threat at hand, an intelligence function is able to provide intelligence in as close to real-time as is possible for finished and quality-assured intelligence products.
A Data-Led Security Function
The cyber threat landscape is highly complex and there is no shortage of attack vectors. Yet not all attacker techniques pose a uniform threat to organisations. Most cyber security functions require insight to help them focus on and prioritise what really matters to them. Rather than providing an exhaustive list of all the attack techniques that might pose a threat, a CTI team delivers more value through intelligence that sorts through the noise and identifies the handful of TTPs that pose the most significant and likely threat. Empirical, data-driven analysis is the bedrock of this approach, and primary source intelligence is what enables it.
COVID-19 provides one example of how the cyber threat landscape can become distorted through secondary reporting. In March 2020, the intense global interest in the pandemic meant there was understandable press interest around how the virus was being leveraged in social engineering campaigns. With so many of these reports published in a short time frame, it would be easy to assume that the vast majority of phishing emails contained COVID-19 lures. Yet, cyber security reporting intended for a mainstream audience will understandably report on what is new and topical. After all, who wants to read about yet another generic phishing email?
Mandiant Threat Intelligence, by contrast, was able to leverage its malicious email detection data to ascertain that COVID-19 content was used in only two percent of malicious emails at the time. This highlights how a more data-driven approach to CTI can untangle tangible threats from broader hype and media headline bias. Ultimately, whilst both cyber security news reporting and intelligence play important functions, they are fundamentally different products developed for different purposes.
The same principles can also be applied to vulnerability intelligence. Patching across an organisation running multiple systems and applications can be a mammoth task. This makes prioritisation crucial. Yet the mean and ugly vulnerabilities that make their way onto headline news are not necessarily the ones that pose a material threat.
Rather than focusing on the most frightening vulnerabilities, organisations are better off adopting a context-driven approach. This prioritises patching vulnerabilities that are both being actively exploited and affecting relevant geographic and industry verticals, and that are actually present in the organisation's estate. This significantly increases the chances that an organisation's patching efforts go towards preventing targeted attacks. Again, such context requires expansive telemetry and rich data sets.
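The prioritisation described above, as an added worked example that is not code from the article or from Mandiant: it ranks vulnerabilities by an explicit tier (exploited against our own sector or region, exploited elsewhere, not known to be exploited, not present in the estate) and uses CVSS only to break ties within a tier, then compares that ordering with a CVSS-only "scariest first" ordering. The organisation context, the tier scheme and the vulnerability records are all constructed assumptions; the identifiers are placeholders, not real CVEs, and the exploitation flags stand in for whatever primary-source telemetry a team actually has.

```python
"""Context-driven vulnerability prioritisation (added example, not from the article).

Ranks vulnerabilities by exploitation context and estate presence rather than
by headline CVSS alone. All records below are constructed placeholders: the
identifiers are not real CVEs and the flags are not real telemetry.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Vulnerability:
    vid: str                   # placeholder identifier, not a real CVE
    cvss: float                # base severity, 0.0 - 10.0
    exploited_in_wild: bool    # confirmed exploitation (assumed primary-source telemetry)
    sectors_hit: frozenset     # industry verticals where exploitation was observed
    regions_hit: frozenset     # regions where exploitation was observed
    in_estate: bool            # affected product appears in our asset inventory


@dataclass(frozen=True)
class OrgContext:
    sector: str
    region: str


# Priority tiers (assumed scheme); higher is patched first.
TIER_NOT_PRESENT = 0          # nothing to patch, whatever the CVSS says
TIER_UNEXPLOITED = 1          # present, but no known exploitation
TIER_EXPLOITED_ELSEWHERE = 2  # exploited, but against other sectors/regions
TIER_EXPLOITED_AGAINST_US = 3 # exploited against our sector or region


def tier(v: Vulnerability, ctx: OrgContext) -> int:
    """Assign a tier from estate presence and exploitation context."""
    if not v.in_estate:
        return TIER_NOT_PRESENT
    if not v.exploited_in_wild:
        return TIER_UNEXPLOITED
    if ctx.sector in v.sectors_hit or ctx.region in v.regions_hit:
        return TIER_EXPLOITED_AGAINST_US
    return TIER_EXPLOITED_ELSEWHERE


def prioritise(vulns: Iterable[Vulnerability], ctx: OrgContext) -> List[str]:
    """Return vulnerability ids ordered by (tier, cvss), highest first."""
    ranked = sorted(vulns, key=lambda v: (tier(v, ctx), v.cvss), reverse=True)
    return [v.vid for v in ranked]


def by_cvss_only(vulns: Iterable[Vulnerability]) -> List[str]:
    """The 'scariest first' ordering that the context-driven approach replaces."""
    return [v.vid for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]


# Constructed sample as seen by a financial-services organisation in Europe.
SAMPLE = [
    Vulnerability("vuln-A", 9.8, False, frozenset(), frozenset(), True),
    # headline critical, no known exploitation
    Vulnerability("vuln-B", 7.5, True, frozenset({"finance"}), frozenset({"europe"}), True),
    # lower CVSS, but exploited against our sector and region
    Vulnerability("vuln-C", 8.1, True, frozenset({"energy"}), frozenset({"asia"}), True),
    # exploited, but against other verticals elsewhere
    Vulnerability("vuln-D", 10.0, True, frozenset({"finance"}), frozenset({"europe"}), False),
    # maximum CVSS and exploited against our sector, but not in our estate
]
ORG = OrgContext(sector="finance", region="europe")

if __name__ == "__main__":
    print("CVSS only     :", by_cvss_only(SAMPLE))
    print("Context-driven:", prioritise(SAMPLE, ORG))
```

Note how the two orderings invert: the CVSS-only list leads with a vulnerability that cannot be exploited in this estate at all, while the context-driven list leads with the lower-scored one that adversaries are actually using against this sector. The tier scheme itself is deliberately coarse; the point is that exploitation context and estate presence, which come from telemetry, dominate the headline score.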
Conclusion
A primary source-led intelligence capability offers unparalleled insight into adversary behaviour. By developing a security strategy that builds on experience and expertise from the front lines, an organisation can map its defensive posture against the operational realities in its sector and region.
Despite the clear added value of primary source insight, its benefits can only be leveraged if intelligence is appropriately integrated within an organisation’s security function. It is therefore vital that organisations zoom out and identify the relevant processes and capability required to maximise the benefits of threat intelligence.
One does not need to work in the cyber security industry for long before encountering oodles of distraction, hype, and questionable hot takes. Primary source intelligence might not be the cyber security silver bullet that every practitioner wishes existed, but there is little doubt that it can provide a healthy and much-needed dose of grounded perspective. This empowers organisations to focus on the threats that really matter.