Having just returned from presenting at a very successful, well-attended ISMG Security Summit held in London on 23 October 2018, I was left excited and enthused by some of the presentations I sat in on. In particular, there was a very interesting insight into the world of the National Crime Agency (NCA – http://www.nationalcrimeagency.gov.uk/), who presented some examples of their Cyber Operations which terminated illicit operations, leading to the arrest of two-man, small-time, but nevertheless big-earner Cyber Criminals working out of their squalid premises.

For myself, attending to deliver a keynote on OSINT, Threat Intelligence, and Logical Investigative applied methodologies, my interest became focused on how the NCA had used recovered Internet-published artifacts, in the form of images, to identify what was, up to that point, meaningless background and subliminal data noise (intelligence). For example, a boastful video was posted to the Internet to entice others to get involved in the big-earner operations – however, the image did show a cell-phone which had been damaged and had a cracked screen – in other words a ‘unique’ fingerprint of that particular device, with the attested footprint of the ‘unique’ crack signature-formation on the screen (AKA – Smoking Gun).

The second area of interest was how the NCA observed a background part-screen which was displaying the application Shpock with a past purchase of a high-end fashion item – leading the NCA to bridge the gap and identify the buyer under their on-line trading name, leading to the further discovery of their Shpock account-associated cell phone number. Here was one excellent example of the fact that, whilst isolated objects may seem to have a very low investigative value, the power of aggregation came into play to accommodate a very successful outcome, leading those logical artifacts to be traced back to their human owners.
The world of Cyber Security is changing fast, and in my opinion no longer will the old, conformist way of applying conventional defences deliver the expected gold standard of robust security – the presented threats, and the ingenuity of the cyber-criminal mind, far outweigh what is being thrown at them as a defensive posture today – don’t shout at me, just look at the facts presented in the multiples of high-impact breaches and compromises against some of the most high-profile, protected companies on the planet!
Moving forward on the basis that most companies have suffered some form of hack that they are aware of, and many others have fallen to a cyber-attack or compromise, but simply are not aware of those exposures, linked to the backdrop of organisations who will be hacked, this dictates that the new-age concepts and methodologies of Cyber-Threat Intelligence and OSINT are the essential tools and methodologies which every organisation will need to furnish to underpin their future Cyber-Defence capabilities. Of course, in the case of Cyber-Threat Intelligence, here we are talking before the fact (of an attack or compromise), with the delivery of Minority Report type data that may be leveraged to identify potential aggressors, adverse Internet chat, or even indicators of a misconfigured architecture or systems; or such capabilities could be built into internal security systems as an element of Offensive Security and RED-TEAM capabilities to perform inverted Orwellian attacks against your own organisation or business. To ensure such internal security services are complete, plug this mission into OSINT and HUMINT areas of Internet-based targeting and Social Engineering against the workforce in testbed scenarios, and you are getting as close to replicating a real-time, real-world attack as you can – the alternative of course is to just wait for some other party with darker intentions to test it for you!
In the reactive sense, OSINT and the associated capabilities can be significant in a post-breach posture: to, say, reverse engineer an attack based on known known data, or out of the discovery of an unknown unknown exposure, or to look for key indicators in both before- and after-the-fact feeds of Intelligence which may act as a clue, or even a smoking-gun trace of evidence. Such capabilities are possible through commercial applications but, more surprisingly, also from the open source community and the high-class applications that exist for the end-investigator to utilise. One such tool is Paliscope (https://www.paliscope.com/), which allows the user investigator to track their on-line activities and record a case file of events, capturing screen-shots, web pages, and in a future version enhanced image capture – for me, a sort of desktop brain that never forgets (unlike humans).
In an age in which the state of Cyber Exposures is a known known fact, linked to the high volume of successful attacks that have taken place, it must surely follow the train of common sense that Threat Intelligence is one of those areas of capabilities which every organisation should now be considering.
At the ISMG London Cyber Summit it was interesting that the results of a survey found that Threat Intelligence was number one on the wish list for future events, so I am pleased to say that my own contribution in this area is now gaining ground after a long 5/6-year period of evangelistic rhetoric and sharing of opinions which now, at last seems to be grabbing the imagination of many. My next trip onto the boards on this subject will be with ISMG in one of the future North American Summits, and I am looking forward to continuing to present on the subject of OSINT, and Cyber Threat Intelligence, but only after I have had a chance to feed the subject matter with a few more steroids – hope to see some of you real soon.