The penultimate, and one of the more poignant, episodes of the television series Band of Brothers was “Why We Fight.” The episode highlighted how, although the members of the unit followed throughout the series faced multiple trials and setbacks, the discovery of concentration camps emphasized the necessity of continuing the struggle against the Nazi regime.
Within the realm of Cyber Threat Intelligence (CTI), we rarely face such stark and dire circumstances with respect to our work. Yet at the same time, there is often questioning or concern as to the value, purpose, or significance of CTI’s contribution to the overall effort of network defense. While it is highly questionable whether CTI operations would ever result in something equivalent to the liberation of concentration camps (although the good folks at Bellingcat and Citizen Lab could justifiably dispute this), we nonetheless hold within our capacity the ability to shape, influence, or enable investigations against cyber threats for the benefit of actual, noticeable defense.
Which brings me to the CTI Twitter/Slack/Sharing Group Mafia. So much CTI work – technically astute and operationally valuable – remains forever locked in a realm of backchannel sharing, oddly constructed Traffic Light Protocol (TLP) arrangements, and unspoken agreements such that the information never reaches the light of day. While CTI practitioners operating within these dank, dark, murky realms may feed off of and derive pleasure from information shared under such circumstances, the limitations on information and its use mean such items forever represent what John McDowell referred to as “frictionless spinning in a void” – knowledge and understanding for its own sake, with little (if any) connection to reality or the world of consequences. From a security specific standpoint, this would mean security-relevant information forever locked up in the realm of CTI sharing yet never reaching the front-line defenders who would most benefit from and utilize such information.
So – why does CTI even exist? Based on an informal, unscientific survey of the various sharing groups, communities, and other entities I belong to, it would seem that CTI exists as a self-perpetuating, internally significant body: producing analysis and understanding for other analysts and practitioners to then review and either exclaim as laudatory or declaim as so much dreck. While this might work within such tightly wound, closed communities, we have to ask ourselves: what is the purpose? To what end do we toil, and toward what end should we aim?
In this vein, my understanding is quite simple: CTI is a supporting, secondary capability to primary security functions such as the Security Operations Center (SOC) and Incident Response (IR), along with operational IT workcenters. CTI may think itself “special,” but our significance results only from our ability to measurably and meaningfully improve the capability of operationally focused workcenters to do their job. If a CTI effort cannot notably improve SOC response, IR cleanup, or IT operations, then CTI has largely failed, except possibly in the realm of strategic planning (which, while useful, represents a far longer-term prospect than immediate defense – allowing the house to burn while leadership plans an addition).
So, what should CTI focus on then? For one, CTI as a discipline needs to crawl out of its own asshole with respect to information and realize that our value is directly related to the ability of a supported organization to enable or improve defense. Absent this, CTI becomes a rather gauche luxury item – filling executives’ heads with visions of foreign state-sponsored intelligence agency intrusions to give them a feeling of importance. While such intrusions may very well exist, their identification, description, and detailed guidance on defense belong with the SOC, IR, and similar personnel who have to deal with such entities. If we as CTI analysts cannot support or enable such operations, we can (and should) consider ourselves abject failures within the broader schema of information security operations.
Some might argue that the viewpoint I’m espousing is too operations-specific and ignores strategic considerations. I would completely agree that I’m ignoring strategic viewpoints – largely because accurate, meaningful strategic views represent an inductive pathway toward final conclusions. By doing operational threat intelligence and threat understanding “well”, we open the space for an understanding of strategic concerns and related considerations. Approaching the higher-level strategic concerns and going directly to leadership may seem desirable and “sexy”, but it sets CTI on a weak and unstable foundation absent a thorough understanding of operational security risks, considerations, and actions.
So why do we, as CTI analysts, “fight”? I would postulate that our existence as a discipline hinges upon our ability to directly and usefully support front-line defenders. Absent that, our existence appears to be a luxury, rapidly discarded in times of austerity. Yet if CTI can support and amplify the work of front-line defenders, the role becomes meaningful and valuable – and thus worthy of continued support (and funding).
But what of internal CTI shibboleths such as the sharing of “secret” or “protected” data? Some may argue that the dissemination of information with scary-sounding labels such as “TLP:RED” represents an insurmountable barrier to further assistance to actual defenders. On this matter, I disagree. While TLP stipulations can and should be respected, they represent fundamental guidelines and not absolute rules. Purely TLP:RED (or similar) data should (and arguably must) be respected – but if our goal is not some internally complete CTI understanding and instead resides in enabling operational defense, other avenues must be pursued.
Along these lines, the concept of parallel construction becomes quite relevant. TLP:RED, or similar, data may not be actionable on its own, but in the service of actual defenders, an analyst can (and arguably should) pursue other avenues of investigation. Such analysis can yield alternative routes to arrive at the original conclusion of the sensitive tipper, and therefore offer “cover” for whatever sources and methods went into the discovery of the original artifact.
Some may decry this procedure as a roundabout way of violating agreements and understandings – and honestly, I would agree with this assessment, while at the same time not caring. While the field of CTI should not treat items passed in confidence carelessly, at the same time we as a discipline need to recognize that we do not exist for our own entertainment and operation. Rather, CTI is a subservient role to more fundamental security operations. If CTI cannot support front-line defensive operations in the SOC or response activities for IR, we need to question the validity of our very existence.
Lack of relevance and obfuscation of necessary, actionable information which can be sourced or constructed through alternative means are death knells for the field of CTI. If CTI cannot prove its value in an operationally relevant fashion, then the entire discipline can (and arguably should) disappear. CTI’s value is not one which is intrinsic to the field, but rather one which is gained through support and assistance to other, more direct security functions. If we as CTI analysts wilt in front of stipulations such as overly strict interpretations of TLP without at minimum pursuing other avenues of discovery that would permit usage and prosecution, I would strongly argue that we are not doing our jobs, and should be regarded as fundamentally useless to the security concerns of the organization which employs us.
Such commentary as provided above may appear incendiary and provocative, but I refuse to back down, as CTI is fundamentally subservient to the actual defense of a given network. When CTI is divorced from this concept, such as for reasons of internal information “preservation”, we ultimately fail in our jobs to meaningfully improve the operation of day-to-day information security. Overall, the CTI field needs to recognize and accept our place: as unique, but ultimately second-class, entities relative to the front-line defenders who actually monitor and prosecute network intrusions. So “why do we (as CTI analysts) fight”? We fight (or work) to ensure that those entities looking to us for expertise or guidance can find such information. Failure to do so not only damns us to irrelevance, but also to eventual obsolescence.