Security

All-source intelligence: reshaping an old tool for future challenges

An enhanced version of the old all-source intelligence discipline could serve the purpose.

By Boris Giannetto

Hybrid, interconnected and complex threats require hybrid, interconnected and complex tools. An enhanced version of the old all-source intelligence discipline could serve the purpose.

Today’s society hinges on technologies and they will have most likely an ever-increasing clout in the future, thanks to the development of supercomputing, artificial intelligence, quantum and space technologies. However, we do believe that the human element will maintain a central role.

Global systems and infrastructures are hackable targets (and they are more and more hacked). Technical experts break their head by wondering whether there will ever be a non-hackable system (discussion on quantum and post-quantum cryptography are just an example). Yet, that is not the relevant issue. Cyber operations are often not even detected (especially those below the threshold). Uncertainty appears to us as the main emergent behaviour in global dynamics.

The hiatus between (some) intelligence agencies and other players in the cyber arena is huge. Intelligence units have – and they keep on developing – the most powerful (secret) cyber paraphernalia. Asymmetry is a euphemism.

Cyber intelligence has proven to be of some use both for private organizations and other institutions, but this activity often struggles to find conclusive evidence (smoking guns), attribute attacks to a threat actor (without a doubt), ascertain real motivations or make reliable predictions.

To put it concisely, cyber intelligence is a valid and promising tool, but nowadays it is often (not always) characterized by shaky predictions and lack of conclusive evidence. As is common knowledge, anonymization, obfuscation, antiforensics, re-use, and infrastructure hijacking put frequently cyber intelligence (and cyber threat intelligence) in a doom of overall ignorance or at best in a mist of blurred knowledge. Misleading IOCs, bogus threat actors and phantom APTs are a tough nut to crack. As to APTs, different naming criteria and mimickers breed a tricky situation: with regard to state actors, it is useful to analyse directly the activity of intelligence units. False flags, name & shame and plausible deniability only increase a smoke screen and put to the test analysts’ capabilities.

Non-IT cyber intelligence (cyber is not simply the same as IT; multidisciplinary approach and expertise are key) can help the technical analysis, being it founded on strategic intelligence, geopolitical, scenario and context analysis (in this regard, there are aspects of connection with strategic CTI, even though the two disciplines must be kept separate). Nevertheless, real and sound non-IT cyber intelligence is rarely employed. Furthermore, one ought to boost also archeo-cyber intelligence: cases are filed too quickly, without understanding many things; a deeper ex post study can crack the case and reveal many prospective trends.

Members of nation state or state-sponsored tiger teams laugh often unpunished at mistaken cyber intelligence analysis bulletins published with great fanfare. Rules of thumb, bias, and gimmicks dominate well-known and widespread frameworks; oversimplifications fill pages of nonsensical reports released by improvised and self-declared cyber pundits worldwide. Among such simplifications, one can often read misleading assumptions, for instance: no state pursues economic gain in cyber-attacks; threat actors use specific TTPs and not others; official investigative sources said this and one have to take it for granted; intelligence units do not have recourse to simple and cheap tools in the wild, and so on. Time is however a severe judge and sometimes restores the truth, proving that those reports were inaccurate or at worst wrong. At any rate, threat actors remain for a long time empty puppets and real motivations remain unknown to most. On the contrary, on the technical side (but that relates to cybersecurity in general), alerts and advisories on CVEs – especially on zero-days – show some usefulness, indeed. However, it represents an endless game, characterized by continuous patches and workarounds.

As far as a fairly recent (and rising) trend is concerned, the application of intelligence tools to private and administrative state institutions could engender encouraging organizational advancements (and in rare cases, positive sectoral effects); but some snags could occur at a systemic level. Even if one ought not to preclude such activities in these contexts, private companies and administrative institutions have different purposes, capabilities and powers from intelligence agencies and law enforcement units. This could bring about some inefficiencies and dispersion of information. Possible problems could derive from pre-existing procedures, mind-set of incumbent management (not used to secrecy protocols and intelligence modus operandi), and selection of personnel (in any case, it is useful one more to underscore that some features – e.g. ingenuity and intuition – cannot be taught).

In a complex future scenario, a gamut of different tools – simultaneously and harmonically used – may be the keystone for information gathering and strategic analysis activities. CYBINT is (just) one of them.

All-source intelligence is fundamental in both information acquisition (collection, evaluation, integration) and analysis (tactical, operational, and strategic). Indeed, it is advisable to adopt a synoptic approach during all the (squeezed) intelligence cycle (direction – collection, processing – analysis, production, dissemination). Platforms and technologies ought to be assessed for their intrinsic nature: they are tools and should be regarded as functional means.

Actually, SIGINT, HUMINT, GEOINT, MASINT, TECHINT, IMINT, OSINT (and so on), as well as active defence and offensive operations, are mostly carried out by intelligence agencies and law enforcement units (mainly because of legal restrictions). A close cooperation between these units and other players is desirable.

A broad-scope strategic analysis is essential too, in order to comb raw data, consolidate a sound information base and produce actionable intelligence in an all-encompassing manner. With regard to analysis, specific domains and topics could be addressed by specific disciplines (f.i. FININT).  To this end, best minds from different sectors and specializations must be brought together.   

A single-INT is not capable of covering the entire spectrum of threats, which even more overlap and interact faster and faster. Cyber and physical domains incessantly permeate each other (hence, the importance of cyber-physical systems). To properly handle and predict phenomena, it is crucial to understand (intelligĕre) emergent collective behaviours in advance, according to a syncretic approach.

About the author: Boris Giannetto

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, intelligence)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

13 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

19 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

2 days ago

This website uses cookies.