Product Group Tests
Emerging products: Threat intelligence
Regardless of who or what you believe hacked Sony, it was a massive cybercrime. Was it an act of cyberwar? That’s not for us to determine, but regardless, laws were broken and the attacks came via cyberspace. So we have, at the least, a very serious and rather complex cybercrime.
Full Group Summary
Regardless of who or what you believe hacked Sony, it was a massive cybercrime. Was it an act of cyberwar? That's not for us to determine, but regardless, laws were broken and the attacks came via cyberspace. So we have, at the least, a very serious and rather complex cybercrime.
Why does this lack of distinction matter? First, it matters because there is an emerging pattern of attack: whether nation-state, sub-state, criminal enterprise or individual, criminal hackers are the executors. That pattern is characterized by Lockheed Martin as the cyber kill chain. The term gives us a clear way to visualize what really goes on in a cybercampaign.
One of the things that we especially like about the kill chain is that it gives a concise, no-nonsense definition of advanced persistent threats, particularly "threat." We tend to confuse threats with malware. So if we are hunting threats we are hunting malware. While it certainly is true that malware may be involved, Lockheed says - and we agree - that a threat is a person or persons with intent, opportunity and capability.
That sounds a lot like the motive, method and opportunity that defines the likely perpetrator of a crime. And that is exactly what it is. At the end of the day we must start to think of cyberattack campaigns as crimes carried out by people - not machines - with motive, method and opportunity. Understanding who these people are through their attacks is a sort of Holy Grail for cyberanalysts and investigators. Without that there is no attribution. And, as a challenge, attribution is about as difficult as it gets.
Understanding the kill chain for a particular type of campaign is a huge step toward protecting and responding. And that is where cyberthreat intelligence comes in. Cyberthreat intelligence is the meat and potatoes of this month's emerging products group. This likely is the newest product classification in our field and it certainly has become one of the most important in its short lifetime.
Strangely, several of the companies we are looking at this month have been around a while doing something that relates to what they are doing now. The leadership in most of these companies comes from some sort of intelligence background. And, importantly, these intel folks have teamed up with - or are themselves - some pretty impressive software development talent.
There is a concept called crime assessment that says look at the crime, understand it and from that understand the criminal who committed it. We look at the crime scene and we ask: Why would someone do this? Do we have a starting point for attribution? And so on.
A lot of these questions can be addressed - if not always answered completely - through solid intelligence analysis. And if all goes well and you have the right products, knowing these answers in advance can go a long way toward protecting you against the ravages of a Sony-style compromise.
What is even more interesting is that organizations are finally coming around to the fact that without cybersituational awareness they are in very treacherous waters. Still, this is not a journey for the faint-hearted. Having data is not even close to having enough of the tools needed to break the kill chain. You have to understand the data in the context of the overall threatscape. That is a lot easier to say than it is to do, but this month's offerings are a solid step in that direction.