Active defence and intelligence: Threat Intelligence in industrial environments
In the article Active Defence and Intelligence from Theory to Practice the new requirements were outlined with regard to defence in an industrial environment. Among these requirements we observe new elements such as "active defence and intelligence". Due to its importance, this article goes into more depth with regard the specific part of creation and the consumption of intelligence.
The majority of documents regarding intelligence, applying this concept to the creation of information that is useful for the defence of an environment, are probably supported by military concepts, as is the case with the concepts of counter intelligence and active defence.
The cycle or process of creating intelligence is based on different phases, normally using military terminology for its nomenclature. Below, we will present a possible adaptation of this:
- Plan and aim: As in all cycles, there should be an initiation phase, the first step of which is the correct definition of the aim, particularly the definition of the type of resulting intelligence and, secondly, the procedures to obtain this. It must be taken into account that, from the beginning, the intelligence aimed to be obtained is going to be focused on improving the defence of our particular industrial environment. Consuming data that does not specifically apply to our environment, our sector, or our threats in particular, is a very serious mistake which must be controlled from this first step.
- Gathering: Data, information and intelligence can be components of our data sources but, in this stage, the key will be the way in which this data is collected and the way in which it is going to be used. If we gather an IoC (Indicator of Compromise) on a determined file housed in the memory, is the capacity available to apply this IoC in our industrial devices? If the answer is no, first of all we should understand that this piece of intelligence is of no use in our specific environment and secondly, we should consider if these capacities should be obtained to increase resilience in the environment.
- Process and Exploitation: In this context, the term exploitation is more focused on obtaining something valuable. In this phase, the aim is to obtain information from raw data, which can later be analysed. The data we have available should be processed, a correlation established and it should be exploited as much as possible in order to elaborate tables or more specific displays of the particular industrial environment that can be analysed in later phases.For example, processing the commands obtained in a raw capture of traffic of an industrial protocol or for them to show us that a strategy in a PLC has changed. This process enables us to know when a change has been carried out in the programming of a PLC, with this data being able to be exploited in order to obtain a graph where the number of times the programming changes and when said changes were made can be easily viewed.
- Analysis and production: The real use of all the information processed in the previous phases is determined by the analysis of the person responsible for this process. The analyst is in charge of matching the pieces so that everything fits together, without forgetting the task of distinguishing, again, what information is useful and what should be discarded, based on their experience and the specific environment at that moment, etc. Finally, the analyst must create a report which correctly shows all of this information, orientated in each case for the target audience. This phase cannot be automated, as it must be undertaken by a specialist, therefore it may be the most costly phase.
- Dissemination and integration: In the last phase of this process, the appropriate people are made aware of the results in the suitable format. Facilitating the discoveries in a good time and manner so that they can be quickly integrated pursuant to the situation must be a prime objective. It would not make any sense for the intelligence obtained in order to stop a critical situation to take years to arrive. Hence it is important to share information, whilst it upholds its useful value for the recipients.
- Evaluation and feedback: This is not a phase as such, but rather a framework that is common to all phases. The framework of work suggests that, at all times, it should be evaluated if the results that have been obtained are useful in reality, as well as considering and evaluating the opinions about the improvement of any person, in any of the stages.
The following image shows the previously described phases:
We cannot understand defence without its counterpart, attack, as understanding the actors that may be behind an attack, their capacity of executing it and other variables, is essential so as to develop an intelligence that is applicable to defence. In the following point we will develop some of these terms.
Opportunity, capacity and intention: threat
Understanding these concepts well is essential in order to be able to introduce a specific type of intelligence known as intelligence applied to the detection of threats, or 'Threat Intelligence' in the next section. In particular, a threat should be understood as the result of the sum of the three interception concepts or vectors, with regard to a traditional outline of concepts. These vectors or concepts that are going to determine the threat level are capacity, opportunity and intention.
- Capacity: defines the technical resources necessary to create a threat.
- Opportunity: opportune or convenient moment or situation to make the most of a weakness.
- Intention: determination of the will with regard to a purpose.
The capacity to identify actors and classify them by the threat level they pose for the organisation in particular is key when it comes to defining and creating intelligence.
Understanding this seems complicated, but with the following example it becomes easier for us: evaluating various sources, we identify two types of actors that may be a threat for our industrial environment in particular. We know that one of these actors works on a local level and various industries have been the target of certain intrusion attempts. The other stand-out actor is a group of people that have threatened an industry within the same sector, in a country that we have not heard be spoken of and due to a familiar conflict. Surely, both have the capacities, but on one may have the intention and the other possibly not. The monitoring of this case must be focused on preventing the actor with intention from finding an opportunity, with this being the aim for our intelligence motors.
Intelligence applied to Threat Detection
The cycle to create intelligence has been explained in detail, as has the threat analysis. All that remains is the last step in the creation of intelligence applied to the detection of threats, or 'Threat Intelligence'.
On the one hand we know the environment and we are monitoring it, we know our industrial devices and their communications, and furthermore we create intelligence from said environment. On the other hand, the actors that represent a threat for our industrial environment are known, we know the way of acting, through the different sources that we are analysing, we produce and exchange intelligence with regard to incidents, and reports are also available regarding the analysis of malware that affects similar infrastructure, is anything else really needed? Simply to not stand still and wait to be attacked. The duty of being responsible for defence is repeating the described cycle, but focusing on the creation of intelligence applied to the detection of threats.
‘Threat intelligence’ is created and shared, in general, by means of Indicators of Compromise (IoC), but they are not the only way. Another piece of intelligence that is very appreciated is that regarding Tactics, Techniques and Procedures (TTP). Exchanging intelligence about known actors, based on these TTP, for example, in lateral movements that they normally use with a network, or the way in which they employee said actors to elevate the privileges in a system, etc. will allow for specific detection measures to be created for any of these TTP, improving our defence to these possible scenarios.
Another way of presenting the intelligence applied to threat detection is by means of a report. These reports are a well-structured overview of an intelligence creation process. They are a finished product, thus they are truly useful and can be directly applied to defence. The reports on analysis are really useful, as their format is very suitable to enter directly into our intelligence process and be quickly applied in our defences.
The objectives of 'Threat Intelligence' are to try and have an advantage available with regards a possible intrusion, or effective mechanisms in order to detect a possible APT (Advanced Persistent Threat). Efforts have been made to explain, in detail, both the threat analysis process and the process for creating intelligence. These make up the foundations to make way for creating 'Threat Intelligence'. It should not be forgotten that, in the case concerning us, the intelligence should be truly focused on the industrial environment in particular, and that is the most difficult task that the analysts or people responsible for handling said intelligence must undertake. There must be the final of the result obtained during the intelligence creation process being implemented into our active defence in order to increase the resilience of the environment. With this aim of implementation, we would close the cycle gaining feedback about the results obtained and going back to start the process again.
In the cat and mouse comparison, which is always used for the defender and the attacker, we now add the mouse on the wheel, as a means of training and preparation for what might happen.