Profiling and Cyber Threat Intelligence

Robindimyan
4 min read · Dec 23, 2021

Today I want to talk about the application of profiling in the field of CTI. But first, I will address how (intentionally?) such concepts are distorted in the field of CTI.

As far as I know, for the last ten years, maybe even longer, the phrase “being proactive” has been circulating in the industry. “Passive measures are a thing of the past, now it’s time to be PROACTIVE…” What is this proactivity they keep crying about?

[Image caption: A network protected by proactive measures]

The word itself means “to act forward”. The concept most closely related to it is “strategy”. However, the word does not define what “acting forward” actually is. In the cyber security industry, what is marketed under this name is a very specific concept.

I deliberately say marketed, because someone insists on selling us the idea that being proactive is the best way, and that being proactive means following a certain procedure.

This proactive defense tells us: the only effective way to defend in cyberspace is to obtain intelligence on threat actors. Only if we organize our defenses around this intelligence can we fight the enemy. *insert airport security example here*

It looks good in theory, but how are things in practice? Before I touch upon this subject, I would like to talk about two concepts belonging to the traditional intelligence discipline: descriptive and predictive intelligence.

As can be easily understood from their names, the task of descriptive intelligence is to identify an element or event. Information about an organization’s activities, or about the defense expenditures of country X, is descriptive intelligence. To give an example from the cyber field: the activities carried out by a hacker group, the tools it uses, and its tactics, techniques and procedures (TTPs) are examples of descriptive intelligence.

The task of predictive intelligence is to predict events that have not yet occurred but are likely to happen. Because of the role it plays, it is a type of intelligence of very critical importance. Predictive intelligence is sometimes produced through espionage. In other words, before the event occurs, the person or persons who will carry it out inform us about it.

However, predictive intelligence is more often produced through analysis. In other words, you examine a case and make inferences about other cases. The systematic use of analytical methods is important here. As a result of this work, two kinds of information are obtained: forecasts and indicators (not indicators of compromise). Forecasts are communicated to the client, while indicators are used by the analyst, because the client often does not have the capacity to monitor the indicators.

Let’s illustrate the theory. At the beginning of 2018, there was a cryptocurrency theft that almost all of Turkey was aware of. Using the SIM card cloning method, the attackers reset the passwords of hundreds of Turkish stock market users and stole their cryptocurrencies.

The part that was not covered in the media was that, a few days before the event, a thread was opened on a Turkish underground forum with a headline along the lines of “2FA bypass service”. A few days later, the same person also made posts about the incident, out of vanity.

Let’s look at this case from two angles. First, let’s evaluate it in terms of “producing predictive intelligence through espionage”. In this incident, the person who carried out the action posted about undertaking it as the incident was starting to take place. In other words, if you had been a member of the forum at that time and had been following this person, you could have conveyed the information to the client with a very short time advantage. But even if you had obtained this information, you would still have needed some time to verify it; otherwise you would have risked transmitting insufficiently verified intelligence. Even assuming you could have verified the intelligence quickly, your client probably would not have had enough time to act on it.

Here we see why espionage is not a sustainable strategy for producing predictive intelligence. This method requires access to the right information at the right time. It also leaves a limited time window in which to verify the information and act on it. In incidents that unfold very quickly, such as a cyber attack, this time window gets even narrower.

So are espionage activities completely unnecessary? No, they definitely aren’t. They serve a different function, but I will write about that at a later time.

See you in the second part.
