Written for SC Magazine. The original link seems to have died; here is an archived version: https://web.archive.org/web/20200730233821/https://www.scmagazineuk.com/understanding-strategic-threat-intelligence/article/1685804.
In March 2020, Booz Allen Hamilton released a fascinating dossier analysing 15 years of cyber operations by the GRU, Russia's military intelligence agency. The dossier ran traditional cyber threat intelligence (CTI) tradecraft through an impressive analytic process, credibly tying the GRU's cyber operations to the doctrinal framework and geopolitical imperatives of the Russian state.
Citing only open-source intelligence, and walking a line that a non-state actor rarely walks, Booz Allen Hamilton performed remarkable adversarial signalling while also advancing the science of CTI.
Strategic threat intelligence is what differentiates the professionals from the amateurs. Ever since Mandiant broke the geopolitical glass ceiling with its report on APT1, the industry has been on an unending quest to reach the holy grail of CTI: its strategic dimension. That dimension lets defenders look beyond the event horizon of tactical intelligence, which is largely governed by atomic feeds and parameters such as "indicators of compromise."
There is little doubt that, behind the curtains of the military-industrial complex, the science of intelligence has already advanced to such vaunted levels.
Enterprise defenders, too, have long acknowledged and writhed under David Bianco's now legendary "Pyramid of Pain," which ranks indicators by how much it costs the adversary to change them: hashes and IP addresses at the cheap bottom, tools and TTPs at the expensive top. Yet the dynamics of the CTI industry are such that they often introduce architectural and commercial constraints when it comes to building strategically minded paradigms.
Before delving further into the problem, it must be understood that the kind of strategic intelligence discussed here is not overkill for a regular, run-of-the-mill defender.
The nature of the threat is already inextricably blended. Espionage, crime and power projection fuse together in cyberspace. From Lazarus and APT28 to APT39 and Winnti, we are witnessing a brazen expansion of the remit of threat actors as their offensive toolchains keep harnessing the institutional memory of generations of regimented cyber operators. The hybrid, below-threshold nature of modern conflict has brought non-combatants and industries directly into the crosshairs.
Even from a purely tactical standpoint, enterprise security architecture has shifted towards more responsive paradigms over the last decade. People now advocate "assume breach," driving down dwell time, and decreasing the incentives while increasing the costs for the adversary. Such discourse has already seeped deep into enterprise security operations.
The CTI vendor space, too, has evolved substantially over the last decade. It has become an indispensable accessory to the conventional enterprise architecture and is largely driven by the following imperatives:
Anticipating the ever-evolving threat landscape.
Fine-tuning defences around attack-centric threat models.
Warding off cyberattacks that are increasingly focused, targeted – and successful.
Supplying a steady stream of intelligence datasets and feeds to in-house systems to bolster tactical situational awareness.
This evolution has been gradual but consistent. From PDF dispatches consumed manually, through steady feeds of structured intelligence, to bespoke fusion platforms built on hybrid data models, the industry has certainly come a long way.
But such highly tactical CTI shines light on attacks, less so on the actors. Its rinse-and-repeat cycle ends as soon as minimal credible visibility over the ongoing campaign is gained, and then the focus shifts. Analyst rigour and tradecraft are unduly influenced by commercial imperatives, and the media's glare on big-ticket attacks further incentivises this approach.
CTI feeds sacrifice depth for scale. Driven by a highly competitive environment, vendors provide millions of atomic threat indicators, which sound impressive but carry little practical value: a file hash or a C2 address is trivially changed by the adversary and is often stale by the time it is ingested. It is an approach that has been questioned and even debunked by experts. It also tricks customers into subscribing to intelligence that is irrelevant or non-contextual to their own threat perception.
It is often the case that attack infrastructure belonging to one actor gets misattributed to another, and the real intent or motive of an attack remains shrouded in mystery because of hurried misjudgements. Meanwhile, predicting the adversary's next move is not even part of the intelligence assessment.
On the other hand, well-endowed organisations such as signals intelligence agencies, defence services and top-tier companies have adopted models which are in complete contrast to the approaches of the industry.
Such organisations focus on curating strategic CTI which is more adversary-centric than attack-centric.
Legendary threat researcher Juan Andres Guerrero-Saade of Google Chronicle has laid the conceptual groundwork for what is called "Dynamic Threat Actor Profiling."
By deconstructing behaviours, traits and procedures across many campaigns, rather than narrowing visibility to just the ongoing attack, strategic intelligence methodically derives the actor's constraints and characteristics: finances, targeting criteria, operating structures, operational fluctuations, geopolitical imperatives, mission incentives, and the boundaries of its knowledge.
It calls for the creation of completely new intelligence taxonomies and ontologies, fusing the technical grammar of cyber operations with the vocabulary of international relations.
Ambitious as it may sound, these approaches cannot work in silos of the enterprise architecture, simply because they are expansive, expensive and intense. Yet the cost-benefit case is amply clear.
The good news is that the industry has slowly albeit reluctantly veered towards introducing a semblance of interoperability and collaboration into the CTI ecosystem.
The nominal successes of Structured Threat Information eXpression (STIX) have catalysed initiatives such as the ISAO Standards Organization (ISAO-SO), OpenC2 and Collaborative Automated Course of Action Operations (CACAO), which are better suited to collaborative sectoral environments. On one side, structured data models such as STIX have helped CTI climb the Pyramid of Pain by giving TTPs, tools and actors first-class representation alongside atomic indicators; on the other, the popularisation of ontologies such as MITRE ATT&CK has encouraged public assessment of the quasi-strategic paradigms of CTI.
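To make the last two points concrete, the following example (added here; it is not from the original article nor from any vendor's product) takes a STIX 2.1-style bundle, scores each indicator against the Pyramid of Pain, and then pivots the bundle from attack-centric (a pile of indicators) to adversary-centric (what each intrusion set uses, expressed as ATT&CK technique IDs) by following the bundle's `indicates` and `uses` relationships. The bundle, its object IDs and the intrusion set "Hypothetical Group X" are constructed for illustration; the two ATT&CK IDs (T1566.001, T1059.001) are real technique identifiers. Only the standard library is used, so it runs offline.

```python
"""Score a STIX 2.1 bundle against the Pyramid of Pain and pivot it to an
adversary profile.  Example code added to this article, not from the original;
the bundle below is constructed and names a hypothetical intrusion set."""
import json
import re
from collections import Counter, defaultdict

# Bianco's Pyramid of Pain, bottom (cheap for the adversary to change) to top.
PYRAMID_TIERS = ["hash", "ip", "domain", "artifact", "tool", "ttp"]

# STIX cyber-observable types a pattern can match, mapped to pyramid tiers.
_OBSERVABLE_TIER = {
    "file:hashes": "hash",
    "ipv4-addr": "ip",
    "ipv6-addr": "ip",
    "domain-name": "domain",
    "url": "domain",
    "windows-registry-key": "artifact",
    "mutex": "artifact",
    "process": "artifact",
    "email-message": "artifact",
}


def classify_indicator(pattern: str) -> str:
    """Map a STIX pattern such as "[ipv4-addr:value = '...']" to a tier name."""
    m = re.match(r"\s*\[\s*([a-z0-9-]+(?::hashes)?)", pattern)
    if not m:
        raise ValueError(f"unrecognised STIX pattern: {pattern!r}")
    # Anything host-based that is not a hash (file names, paths, ...) counts as an artifact.
    return _OBSERVABLE_TIER.get(m.group(1), "artifact")


def attack_ids(obj: dict) -> list:
    """ATT&CK technique IDs attached to an attack-pattern via external_references."""
    return sorted(ref["external_id"] for ref in obj.get("external_references", [])
                  if ref.get("source_name") == "mitre-attack")


def profile_actors(bundle: dict) -> dict:
    """Pivot from indicators to actors.

    Returns {actor name: {"indicators": {tier: count}, "ttps": [...], "tools": [...]}}
    by walking 'indicates' (indicator -> intrusion-set) and 'uses'
    (intrusion-set -> attack-pattern/tool/malware) relationships.
    """
    objs = {o["id"]: o for o in bundle["objects"]}
    profiles = defaultdict(lambda: {"indicators": Counter(), "ttps": set(), "tools": set()})
    for rel in bundle["objects"]:
        if rel["type"] != "relationship":
            continue
        src, tgt = objs.get(rel["source_ref"]), objs.get(rel["target_ref"])
        if src is None or tgt is None:  # dangling reference: skip rather than crash
            continue
        if rel["relationship_type"] == "indicates" and tgt["type"] == "intrusion-set":
            profiles[tgt["name"]]["indicators"][classify_indicator(src["pattern"])] += 1
        elif rel["relationship_type"] == "uses" and src["type"] == "intrusion-set":
            if tgt["type"] == "attack-pattern":
                profiles[src["name"]]["ttps"].update(attack_ids(tgt))
            elif tgt["type"] in ("tool", "malware"):
                profiles[src["name"]]["tools"].add(tgt["name"])
    return {name: {"indicators": dict(p["indicators"]),
                   "ttps": sorted(p["ttps"]), "tools": sorted(p["tools"])}
            for name, p in profiles.items()}


def highest_tier(profile: dict) -> str:
    """Highest pyramid tier this profile reaches ('none' if it is empty)."""
    if profile["ttps"]:
        return "ttp"
    if profile["tools"]:
        return "tool"
    tiers = list(profile["indicators"])
    return max(tiers, key=PYRAMID_TIERS.index) if tiers else "none"


# Constructed sample bundle (not real intelligence): one hypothetical actor,
# five atomic indicators, two ATT&CK techniques and one hypothetical tool.
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--example",
    "objects": [
        {"type": "intrusion-set", "id": "intrusion-set--x", "name": "Hypothetical Group X"},
        {"type": "indicator", "id": "indicator--1", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']"},
        {"type": "indicator", "id": "indicator--2", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "b" * 64 + "']"},
        {"type": "indicator", "id": "indicator--3", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7']"},
        {"type": "indicator", "id": "indicator--4", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update.example.net']"},
        {"type": "indicator", "id": "indicator--5", "pattern_type": "stix",
         "pattern": "[windows-registry-key:key = 'HKCU\\\\Software\\\\ExampleRun']"},
        {"type": "attack-pattern", "id": "attack-pattern--1", "name": "Spearphishing Attachment",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566.001"}]},
        {"type": "attack-pattern", "id": "attack-pattern--2", "name": "PowerShell",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}]},
        {"type": "tool", "id": "tool--1", "name": "hypothetical-loader"},
    ] + [
        {"type": "relationship", "id": f"relationship--i{n}", "relationship_type": "indicates",
         "source_ref": f"indicator--{n}", "target_ref": "intrusion-set--x"} for n in range(1, 6)
    ] + [
        {"type": "relationship", "id": "relationship--u1", "relationship_type": "uses",
         "source_ref": "intrusion-set--x", "target_ref": "attack-pattern--1"},
        {"type": "relationship", "id": "relationship--u2", "relationship_type": "uses",
         "source_ref": "intrusion-set--x", "target_ref": "attack-pattern--2"},
        {"type": "relationship", "id": "relationship--u3", "relationship_type": "uses",
         "source_ref": "intrusion-set--x", "target_ref": "tool--1"},
    ],
}

if __name__ == "__main__":
    for actor, profile in profile_actors(SAMPLE_BUNDLE).items():
        print(actor, "reaches tier:", highest_tier(profile))
        print(json.dumps(profile, indent=2))
```

Run against a real feed, the `indicators` histogram is the quick sanity check on the "millions of atomic indicators" problem: a bundle whose profiles bottom out at `hash` or `ip` with no `uses` relationships is attack-centric data, however large it is, while one that reaches `ttp` for each intrusion set is the kind of adversary-centric product the rest of this article argues for.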
However, it is most likely that any emerging data models in this space will be subsumed by governments, blanketed by the geopolitical compulsions of secrecy and sensitivity. Or they will remain bespoke, impeding interoperability.
Nonetheless, sustained, broader, over-the-horizon techniques can thwart threat actors who register as only a blip on the radar of tactical CTI vendors when they regroup and return to a specific kind of activity.
While similar frameworks have been incubated within larger companies such as Kaspersky, Google and Microsoft, not much thought has been given to leveraging them for emerging strategic models of cyber defence. The space remains rarefied.