Interview with Craig Watt, Threat Intelligence Analyst

Craig Watt is a Threat Intelligence Consultant with Quorum Cyber, specialising in strategic and geopolitical intelligence.

He has operational experience within the private sector intelligence field and is a subject matter expert in nation state cyber threats, financially driven cybercrime, and politically motivated hacktivism.

What methods do you use to collect and analyze data to identify potential cyber threats?

As an intelligence professional, I rely on the industry-standard intelligence lifecycle, which serves as the foundation of intelligence analysis.

This is a refined process of transforming raw data into actionable intelligence, which consists of five stages:

  • Planning and Direction: Intelligence objectives and requirements are prioritized. During this stage, intelligence leaders and decision-makers work to identify key areas of interest, potential threats, and critical information needs by identifying the strategic goals of the organisation.

    This phase lays the foundation for subsequent intelligence activities, ensuring that resources are directed toward gathering actionable intelligence and a plan is established regarding methods of information gathering.
  • Collection: During this phase, a plan is executed, and data is collected to fill intelligence gaps.

    A variety of methods are relied on to collect data, such as Open-Source Intelligence (OSINT), drawing from publicly available information, and Human Intelligence (HUMINT), derived from human interactions.

    However, the reliability of this data has to be validated by assessing source credibility and removing potential biases.

    Rigorous cross-referencing of data is also critical to authenticate the accuracy and credibility of intelligence assessments, providing decision-makers with a more comprehensive and reliable understanding of the complex and dynamic landscape within which intelligence operates.
  • Processing and Exploitation: Preparations are then made for collecting the raw data, eliminating inconsistencies and standardizing formats.

    Critical thinking skills are fundamental here, with intelligence professionals evaluating the credibility of sources and challenging assumptions to provide valuable intelligence assessments.
  • Analysis and Production: Structured Analytic Techniques (SATs) are used to evaluate processed information, filling intelligence gaps identified during the planning and direction phase.

    Structured analytic techniques, including SWOT (Strengths, Weaknesses, Opportunities, and Threats) analysis, are applied here to evaluate the strategic position of the target organisations, providing decision-makers with comprehensive insights into the cyber threat landscape that directly impacts their business and related industry sector.
  • Dissemination: Finalised intelligence is then distributed to the client.

    A critical aspect of this phase involves initiating the next planning and direction phase for future collection efforts, allowing further cyber threat intelligence analysis to be performed and providing clients with continuous intelligence to navigate the ever-evolving cyber threat landscape.

How do you differentiate between false positives and actual threats in your analysis?

Throughout the cyber threat intelligence analysis process, Indicators of Compromise (IoCs) are the most prone to false positive detections.

A good rule of thumb to go by is to tailor IoCs to eliminate as many false positives as possible prior to identifying a particular threat.

This also requires collecting the correct type of data to validate IoCs against, which can be done by testing them against digital images.

To identify false positives, it is important to first establish a baseline based on historical data, metrics, and trends.

This allows for comparisons between data sets, so that anomalies indicative of false positives can be detected.

It is also critical to correlate data filtered through the intelligence lifecycle by comparing and combining data from different sources to verify or enrich potential indicators of cyber threats.
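The baselining and cross-source correlation described in this answer can be shown as a small triage step. The script below is an added example written for this page; it is not Craig's or Quorum Cyber's tooling, and the feed names, indicators, baseline counts and thresholds are all constructed assumptions. It merges indicators from several hypothetical feeds, discards ones that can never identify an external actor (private or loopback addresses), flags indicators that appear on most days of a historical telemetry baseline as likely false positives, treats indicators corroborated by independent sources and absent from the baseline as actionable, and finally scores each feed by how much noise it contributed, which feeds back into the source-credibility assessment made during collection.

```python
"""Triage threat-feed IoCs against a historical baseline and cross-source corroboration.

Added example for illustration only; all feeds, indicators and numbers below are constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample feed entries: (source feed, indicator type, raw value).
# The 203.0.113.0/24 and 198.51.100.0/24 addresses are RFC 5737 documentation ranges,
# used here as stand-ins for routable external hosts.
FEED_ENTRIES = [
    ("feed_a", "ip", "203.0.113.10"),
    ("feed_b", "ip", "203.0.113.10"),
    ("feed_a", "ip", "198.51.100.7"),
    ("feed_c", "domain", "example.com"),        # routine infrastructure in our telemetry
    ("feed_b", "domain", "evil.example.org"),
    ("feed_c", "domain", "evil.example.org"),
    ("feed_a", "domain", "EVIL.example.org."),  # same indicator, un-normalised form
    ("feed_a", "ip", "10.0.0.5"),               # RFC 1918: meaningless as an external IoC
    ("feed_b", "domain", "login.example.net"),
]

# Constructed historical baseline: number of days (out of a 30-day window) on which
# each indicator appeared in normal, non-incident telemetry.
BASELINE_DAYS_SEEN = {
    "example.com": 30,
    "login.example.net": 28,
    "198.51.100.7": 1,
}

# Ranges that cannot identify an external actor. Deliberately hand-listed rather than
# using ipaddress.is_private, which would also exclude the documentation ranges above.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


@dataclass
class Verdict:
    indicator: str
    ioc_type: str
    sources: set = field(default_factory=set)
    baseline_days: int = 0
    verdict: str = ""
    reason: str = ""


def normalize(ioc_type, value):
    """Canonicalise an indicator so the same artefact from two feeds merges into one record."""
    value = value.strip()
    if ioc_type == "domain":
        return value.lower().rstrip(".")
    return value


def is_non_routable(ip_text):
    """True for malformed addresses and for ranges that never reach the public internet."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    return any(ip in net for net in NON_ROUTABLE)


def triage(entries, baseline_days_seen, window_days=30, baseline_threshold=0.5, min_sources=2):
    """Return {indicator: Verdict} after baseline comparison and cross-source correlation."""
    merged = {}
    for source, ioc_type, raw in entries:
        value = normalize(ioc_type, raw)
        merged.setdefault(value, Verdict(value, ioc_type)).sources.add(source)

    for value, v in merged.items():
        v.baseline_days = baseline_days_seen.get(value, 0)
        ratio = v.baseline_days / window_days
        if v.ioc_type == "ip" and is_non_routable(value):
            v.verdict, v.reason = "discard", "non-routable address; cannot identify an external actor"
        elif ratio >= baseline_threshold:
            v.verdict = "false_positive_likely"
            v.reason = f"seen on {v.baseline_days}/{window_days} baseline days (routine infrastructure)"
        elif len(v.sources) >= min_sources:
            v.verdict = "actionable"
            v.reason = f"corroborated by {len(v.sources)} independent sources and absent from baseline"
        else:
            v.verdict, v.reason = "needs_validation", "single-source indicator; cross-reference before blocking"
    return merged


def feed_noise(verdicts):
    """Fraction of each feed's indicators that were discarded or judged likely false positives."""
    counts = defaultdict(lambda: [0, 0])  # feed -> [noisy, total]
    for v in verdicts.values():
        for src in v.sources:
            counts[src][1] += 1
            if v.verdict in ("discard", "false_positive_likely"):
                counts[src][0] += 1
    return {src: noisy / total for src, (noisy, total) in counts.items()}


if __name__ == "__main__":
    results = triage(FEED_ENTRIES, BASELINE_DAYS_SEEN)
    for v in results.values():
        print(f"{v.verdict:22} {v.indicator:20} sources={sorted(v.sources)} {v.reason}")
    for feed, share in sorted(feed_noise(results).items()):
        print(f"{feed}: {share:.0%} of indicators were noise")
```

The thresholds (half the baseline window, two corroborating sources) are arbitrary starting points; in practice they would be tuned per indicator type, since a hash hitting once in a baseline means something very different from an IP address that a CDN serves every day.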

Can you describe a recent threat landscape that significantly challenged your analysis skills, and how you managed it?

A recent challenging threat landscape to navigate through related to politically aligned hacktivism.

Hacktivist threats have historically had a reputation for being low impact and significantly less serious than other types of cyber operations.

However, I recently detected a significant development within the hacktivist threat landscape with Russian and Iranian state-sponsored cyber actors operating under the guise of pro-Russian and pro-Palestinian hacktivist personas, respectively.

The main instances that have emerged are as follows:

  • The newly formed Cyber Army of Russia Reborn hacktivist group demonstrating ties with the Russian state-sponsored Seashell Blizzard
  • The Iranian Spectral Kitten nation state actor operating under the Malek Team hacktivist identity
  • The Iranian Haywire Kitten state actor operating under the Cyber Toufan hacktivist outfit

This has resulted in more sustained, invasive intrusions such as distributed denial-of-service (DDoS) attacks, web defacement efforts and data theft against entities within geolocations perceived to be hostile to the nation supported by the hacktivist collective.

How do you ensure that your threat intelligence findings are actionable for other teams within your organization?

During the process, it is critical to identify the “so what?” element so that those receiving intelligence know why this is important, and more importantly, what measures can be undertaken to proactively defend against the cyber threats that we have assessed and identified to pose a significant risk to an organisation.

A critical aspect of this process is to provide defensive recommendations for clients to implement to enhance overall security posture.

These strategies are categorized according to the specific cyber threat as follows:

  • Financially driven cybercriminal attacks (ransomware, stealware, phishing)
  • Distributed Denial-of-Service (DDoS), web defacement and data theft campaigns launched by hacktivist groups
  • Sophisticated nation-state level operations (including espionage intrusions, destructive wiper malware deployment and mass supply chain exploitation).

What skills do you think are essential for a cyber threat intelligence analyst to keep developing, and why?

As human intelligence analysts, it is vital to mitigate cognitive biases and logical fallacies (flaws in reasoning) that can invade our analysis when engaged in intelligence operations.

These human features can drastically distort our interpretation of data and its sources, so limiting these phenomena is crucial to optimising the intelligence delivered to clients.

As such, problem solving skills are crucial, as the main way to combat these flaws is to develop skills in SATs, which are toolsets that intelligence analysts can use to approach problems in an organised way, for example, by considering each element in a systematic fashion.

Why?

Because it is up to cyber threat intelligence analysts to assess threats as they develop in real time and to cooperate with other teams to develop innovative solutions.

Cyber threat intelligence analysts must also be proficient across all layers of intelligence (strategic, operational, and tactical) so that they can cover the full range of knowledge that can be extracted from threat intelligence functions.

The threat landscape is incredibly fluid and, therefore, to thrive, a cyber threat analyst must have an ability and desire to continuously learn and improve their craft.

This allows knowledge gaps to be filled which will not only help the individual analyst, but also the wider team’s function as a unit.

And finally, but certainly not least, although technical skills are important, cyber threat intelligence analysts must be able to communicate findings to both colleagues and clients who may not have the same depth of understanding of the cybersecurity field as they do.

This is going to transfer into both written skills, in the form of reports, as well as verbal presentations, through threat briefings.

Being able to translate complex cyber threats into understandable and actionable insights in high pressure situations will prove to be invaluable.

This will prove to be particularly important when communicating with individuals in the boardroom or at stakeholder level, as delivering cutting-edge intelligence is fundamental to helping key decision makers take action to defend their organisation against a wide array of cyber threats.
