
K0409: Knowledge of Cyber Intelligence/Information Collection Capabilities and Repositories


© Springer Nature Switzerland AG 2019 I. Alsmadi, The NICE Cyber Security Framework, https://doi.org/10.1007/978-3-030-02360-7_5

Chapter 5

Cyber Intelligence Levels

• Strategic cyber intelligence. This level concerns the high-level goals of the organizations, threats, or malicious actors being targeted. At this level, it is important to identify the threats' sources, main goals, and possible consequences.

• Operational cyber intelligence. At this level, more operational information about threats is sought. For example, the cyber intelligence team will try to acquire, for each possible threat, the capabilities and resources the attackers have, or will need, in order to meet their strategic goals. The team will also try to predict the attackers' entry targets, intrusion and propagation methods, and the other means they will require to carry out the attack in support of those strategic goals.

• Tactical or technical cyber intelligence. Knowledge at this level concerns the real-time methods and tools (e.g., software) the attacker will use, and the possible counter or response mechanisms available to the defender.

Sources of Cyber Intelligence or Collection Capabilities

Currently, there are several categories or sources of cyber intelligence, also called collection capabilities or intelligence-gathering disciplines. This list continues to grow, both in the number of disciplines and in the depth of each.

Open source intelligence (OSINT): The cyber intelligence team should learn how to gather data points and transform them into actionable intelligence that can prevent targeted attacks. They should also learn how to identify, repel, or neutralize targeted intelligence gathering against organizational assets. OSINT includes data collected from publicly available sources, free or subscription-based, online or offline.

Fig. 5.1 Smart input data for actionable intelligence (http://aescit.com/cyberintel)


OSINT can include many sub-categories such as:

– Classical media: newspapers, magazines, radio, and television channels
– Online social networks (OSNs) or social media intelligence (SOCMINT): blogs, discussion groups, Facebook, Twitter, YouTube, etc.
– Internet public websites and sources
– Communication intelligence (COMINT)
– Measurement and signature intelligence (MASINT)
– Search engines (e.g., Google, Yahoo)

Deep or dark web intelligence

Deep web: Web pages, documents, etc. that are not indexed by the main search engines and/or that cannot be read or accessed by conventional methods. As a percentage, the public or visible web is much smaller than the deep web. The deep web can include the following categories: dynamic web pages, blocked sites, unlinked sites, private sites, non-HTML or scripted content, and limited or local-access networks or content not publicly accessible through the Internet.

Dark web or darknet: Web pages, documents, etc. that are accessed by anonymizing methods (e.g., the Tor Browser) and are often used for criminal activities.

The dark web has become a port of call for hacking communities, offering cyber criminals the ability to discuss, offer, and sell new and emerging exploits (e.g., zero-day vulnerabilities or exploits). The Zero-day forum is a popular example of a darknet website (its address changes continuously, e.g., http://qzbkwswfv5k2oj5d.onion.link/, http://msydqstlz2kzerdg.onion/).

Some dark web forums are accessible only via the Tor network, while others are accessible via traditional web browsing. These forums have begun to apply their own strict vetting processes to avoid being targeted by intelligence teams and facing criminal charges and legal consequences. Even so, it is common for some users of those websites to be undercover intelligence personnel, police officers, FBI agents, etc.

The website is a market for buying and selling zero-day vulnerabilities. In addition to zero-day vulnerabilities, these forums offer a variety of “services” ranging from illegal drug sales, forged items (e.g., passports, driver licenses, credit cards, bank notes), weapons, and identity theft information (e.g., PII, personally identifiable information) to botnet services.

For security intelligence, one of the main goals of studying the dark web is to develop a functioning system for extracting information from those communities and applying machine learning methods to predict cases of considerable threat. The fact that humans depend heavily on the Internet these days in all aspects of life gives hackers a platform rich in data and resources with which to learn how to attack users and information systems (ACS 2016). Not only dark websites, but public websites as well can be used as effective hacking or attack tools. For example, websites such as Shodan (https://www.shodan.io/), ZoomEye (https://www.zoomeye.org), and https://www.go4expert.com/ can provide attackers with a wealth of information about candidate targets, with enough introductory detail to start further investigation and analysis. Table 5.1 shows examples of darknet marketplaces or websites (Anomali 2017).
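The same exposed-service data that Shodan or ZoomEye hand an attacker is just as useful for finding an organization's own exposure. The following is an added example (not code from the book, and not Shodan's own client): it triages a constructed result set shaped like a Shodan host-search response, keeps only hosts inside an assumed own-range, and flags services that should not face the Internet. The IP ranges, the JSON values, and the RISKY_PORTS list are assumptions for illustration.

```python
"""Defensive triage of exposed-service search results for an organization's own ranges.

Added example: the JSON below is constructed to mirror the shape of a Shodan host-search
response ("matches" with ip_str, port, transport, product, data); the values are hypothetical.
"""
import ipaddress
import json

# Constructed sample; not real Shodan output.
SAMPLE_RESULTS = json.dumps({
    "total": 5,
    "matches": [
        {"ip_str": "198.51.100.10", "port": 22, "transport": "tcp",
         "product": "OpenSSH", "data": "SSH-2.0-OpenSSH_7.4\r\n"},
        {"ip_str": "198.51.100.12", "port": 23, "transport": "tcp",
         "product": None, "data": "\r\nlogin: "},
        {"ip_str": "198.51.100.15", "port": 3389, "transport": "tcp",
         "product": "Remote Desktop Protocol", "data": "\x03\x00\x00\x13..."},
        {"ip_str": "198.51.100.20", "port": 445, "transport": "tcp",
         "product": "Samba smbd", "data": "SMB Status: Authentication: disabled"},
        {"ip_str": "203.0.113.5", "port": 23, "transport": "tcp",
         "product": None, "data": "login: "},
    ],
})

# Assumed: the organization's own public allocation (hypothetical RFC 5737 documentation range).
OWN_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Services that should not face the Internet directly; the rationale is what the report carries.
RISKY_PORTS = {
    21: "FTP: cleartext credentials",
    23: "Telnet: cleartext administration",
    445: "SMB exposed to the Internet",
    3389: "RDP exposed to the Internet",
    5900: "VNC exposed to the Internet",
}


def in_own_ranges(ip_text, ranges=OWN_RANGES):
    """True when the address falls inside one of the organization's ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in ranges)


def triage(results_json, ranges=OWN_RANGES):
    """Return one finding per risky service found on our own addresses, sorted for review.

    Hosts outside our ranges are dropped: the same data an attacker would use to pick a
    target is used here only to find our own exposure.
    """
    matches = json.loads(results_json)["matches"]
    findings = []
    for m in matches:
        if not in_own_ranges(m["ip_str"], ranges):
            continue
        reason = RISKY_PORTS.get(m["port"])
        if reason is None:
            continue
        banner = (m.get("data") or "").strip()
        findings.append({
            "ip": m["ip_str"],
            "port": m["port"],
            "product": m.get("product") or "unknown",
            "reason": reason,
            "banner": banner[:40],  # enough to confirm the service, not the whole banner
        })
    return sorted(findings, key=lambda f: (ipaddress.ip_address(f["ip"]), f["port"]))


if __name__ == "__main__":
    for f in triage(SAMPLE_RESULTS):
        print(f"{f['ip']}:{f['port']}  {f['product']:<24} {f['reason']}")
```

Against a real export, the only change is to load the saved search response instead of SAMPLE_RESULTS; the filtering on own ranges is what keeps this a defensive exercise rather than target selection.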

The following link (7839 Awesome Deep Web Links List, https://darkwebnews.com/deep-web-links/) includes a large list of dark websites.

SIGINT (signals intelligence: electronic mediums such as satellites). It can also include GEOINT (geospatial intelligence, e.g., images taken from aircraft or satellites) and MASINT (measurement and signature intelligence, e.g., radar data). For example, Google Earth and various mapping and location-based services now provide details and collect geo-related activities and information that many governments were, or still are, unable to collect using their own intelligence resources. High-quality geo-images used to be expensive and subject to many restrictions, whereas now they can be offered for free. Several references and studies have indicated that websites such as Google track users' locations even when data or location-based services are not enabled.

While OSINT information is largely available for free, several challenges exist related to information overload and the collection and aggregation process. Additionally, turning such information into action is not trivial. Several recent security incidents in the USA showed that significant information was available before many events; the problems were related to taking timely, proper action or synchronizing information from the different sources.

The Intelligence Lifecycle or Activities

Cyber intelligence is a cyclical process of collecting and utilizing data. The following are the major steps:

• Initial analysis, planning, and direction: As with any project, the first stage should include requirements analysis and planning. We should have defined goals, or else data analysis and intelligence work will be very time-consuming and unfocused. The process can, however, be evolutionary: initial requirements and a plan are a good start (in the first cycle), and outputs from earlier cycles can be used to improve analysis and planning in later cycles.

Table 5.1 Examples of darknet marketplaces (Anomali 2017)

Marketplace          URL
Sky-Fraud            http://sky-fraud.ru/
Exploit.in           https://forum.exploit.in
LeakForum            https://leakforums.net
HackForums           http://hackforums.net/
PaypalTheRealDeal    http://trdealmgn4uvm42g.onion
Alphabay             http://pwoah7foa6au2pul.onion


• Data collection stage: Data is collected, manually or through tools, from the different sources mentioned earlier. Programming and scripting languages such as Python, R, Ruby, Java, Go, etc. can be used to automate the parsing process. Many websites resist parsing or crawling (especially OSNs); instead, those websites offer their own APIs (largely with limited capabilities) for accessing their data (e.g., see https://developers.facebook.com, https://dev.twitter.com/docs, https://www.npmjs.com/package/google-trends-api). Data can also be collected from logs such as honeypot logs, firewall logs, intrusion detection system logs, and scans of the Internet.

• Data processing: Several data preprocessing techniques are typically employed in data analysis. For example, this stage may include how data is prepared for analysis (e.g., stemming, stop-word removal), stored, and retrieved. Depending on volume, data can be stored in text files, small-scale databases, or big data repositories.

• Data analysis and production: This is the main goal and the most time-consuming task in the cycle. In this task, knowledge and intelligence are extracted according to the project goal.

• Data dissemination and usage: In an evolutionary process, this can trigger further data analysis in future cycles. In later cycles, knowledge and intelligence are delivered to decision-makers or the target audience.
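To make the five stages concrete, the following added example (not from the book) runs one pass of the cycle over constructed firewall, IDS, honeypot, and forum-post lines: collection extracts external IP indicators from the logs, processing performs the stop-word removal and stemming mentioned above on the forum text, analysis rates each indicator by how many independent sources corroborate it, and dissemination emits a report that also carries the evidence for the next cycle. The log formats, IP addresses, stop-word list, and the "two independent sources" threshold are all assumptions.

```python
"""Added example: one pass through the intelligence cycle on constructed data.

collect     -> pull IPv4 indicators out of firewall, IDS and honeypot lines
process     -> normalize forum text (lower-case, stop-word removal, crude stemming)
analyze     -> score indicators by how many independent sources corroborate them
disseminate -> a compact report a SOC could act on, and that feeds the next cycle
All sample lines below are constructed; they are not real logs or posts.
"""
import re
from collections import Counter, defaultdict

FIREWALL_LOGS = [
    "2019-03-01T10:00:01 DENY src=203.0.113.7 dst=198.51.100.10 dport=22",
    "2019-03-01T10:00:03 DENY src=203.0.113.7 dst=198.51.100.11 dport=22",
    "2019-03-01T10:00:09 DENY src=192.0.2.44 dst=198.51.100.10 dport=445",
    "2019-03-01T10:01:15 ALLOW src=198.51.100.20 dst=198.51.100.10 dport=443",
]
IDS_ALERTS = [
    "ET SCAN SSH brute force attempt 203.0.113.7 -> 198.51.100.10",
    "ET EXPLOIT SMB probe 192.0.2.44 -> 198.51.100.10",
    "ET POLICY outbound DNS query to 192.0.2.99",
]
HONEYPOT_LOGS = [
    "ssh-honeypot login attempt from 203.0.113.7 user=root pass=123456",
    "ssh-honeypot login attempt from 203.0.113.7 user=admin pass=admin",
]
FORUM_POSTS = [
    "Selling fresh SSH bruteforcing lists, targets scanning now, PM me",
    "Anyone selling zero-day for SMB servers? Scanning for targets.",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
OWN_PREFIX = "198.51.100."  # assumed: the defender's own range (hypothetical)
STOP_WORDS = {"a", "the", "for", "me", "now", "pm", "anyone", "fresh", "lists", "to"}


def collect(sources):
    """Collection: map each external IPv4 indicator to the set of sources that saw it."""
    seen = defaultdict(set)
    for name, lines in sources.items():
        for line in lines:
            for ip in IPV4.findall(line):
                if not ip.startswith(OWN_PREFIX):
                    seen[ip].add(name)
    return seen


def stem(word):
    """Crude suffix stripping, enough to fold 'selling'/'sell' and 'targets'/'target'."""
    for suffix in ("ing", "ers", "s"):
        if word.endswith(suffix) and len(word) > len(suffix) + 2:
            return word[: -len(suffix)]
    return word


def process_text(posts):
    """Processing: tokenize, drop stop words, stem, and count the remaining terms."""
    counts = Counter()
    for post in posts:
        for w in re.findall(r"[a-z0-9-]+", post.lower()):
            if w not in STOP_WORDS:
                counts[stem(w)] += 1
    return counts


def analyze(seen, min_sources=2):
    """Analysis: an indicator corroborated by >= min_sources sources is rated high."""
    return {ip: ("high" if len(srcs) >= min_sources else "low") for ip, srcs in seen.items()}


def disseminate(scored, seen, terms, top=3):
    """Dissemination: what the audience needs, plus the evidence behind each rating."""
    return {
        "block_candidates": sorted(ip for ip, s in scored.items() if s == "high"),
        "watchlist": sorted(ip for ip, s in scored.items() if s == "low"),
        "evidence": {ip: sorted(srcs) for ip, srcs in seen.items()},
        "chatter_terms": [t for t, _ in terms.most_common(top)],
    }


def run_cycle():
    sources = {"firewall": FIREWALL_LOGS, "ids": IDS_ALERTS, "honeypot": HONEYPOT_LOGS}
    seen = collect(sources)
    return disseminate(analyze(seen), seen, process_text(FORUM_POSTS))


if __name__ == "__main__":
    import json
    print(json.dumps(run_cycle(), indent=2))
```

The corroboration rule is the point of the analysis stage: a single firewall deny is noise, but the same address seen by the firewall, the IDS, and a honeypot is worth an action. The "evidence" field is what lets the next cycle's planning step question or tighten that rule.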

Areas of Cyber Intelligence

Cybercrime

Cyber intelligence can be part of the forensic analysis and investigation carried out by a digital forensics team. It can relate to a single incident or crime, or to large-scale national or international malware, hacking, etc.

Hacktivism

Political, social, or environmental causes may drive some people to participate in hacking activities. A noble cause, however, does not justify an illegal or unethical means. Hacktivists utilize hacking techniques similar to those of other attackers, including techniques to avoid detection.

Anonymous is an example of a popular international hacktivist organization, largely with a political agenda.

Cyber espionage or cyber spying

Cyber spying between governments has increased significantly in the last few years, especially from countries such as Russia and China against the USA. Government-sponsored cyber spying can be persistent, involving many elusive groups, activities, and targets.

Advanced Persistent Threat, APT

Some malware and attacks are persistent. They may come back periodically in different forms or shapes, or with slightly different attack mechanisms, while remaining focused on similar targets. Table 5.2 shows examples of noticeable or significant APTs (ISACA 2018).


K0525: Knowledge of Required Intelligence Planning