ThreatConnect proposes a framework for evaluating and triaging indicators based on physical energy properties
All variety of scientists, from chemists to physicists and engineers, measure kinetic and potential energies to better understand how objects are acting or will act within a given situation or system. We posit that these energy concepts can be applied to threat intelligence as a framework to better understand and evaluate indicators and the intelligence associated with them.
Cyber threat intelligence consumers or producers can use this kinetic and potential energy framework to accomplish the following:
- Scrutinize indicators for the relevant context that would ultimately constitute "intelligence."
- Evaluate and triage indicators, reported activity, and intelligence feeds or reports based on basic, inherent intelligence requirements.
- Identify intelligence gaps and collection requirements to further enable a threat intelligence program.
- Share the necessary context or calculated energies to facilitate a consumer's integration of provided information.
We'll start by describing some common issues with threat intelligence that we hope the application of this framework can mitigate or deter.
Issues with Cyber Threat Intelligence
At many organizations, incident responders or security operations center (SOC) personnel might be dual-hatted and also serve as threat intelligence analysts. Organizations with dedicated threat intelligence teams or individuals are uncommon, and many times those organizations still have issues integrating intelligence analysts with the typical incident response function and wind up not seeing or realizing the full potential of threat intelligence. Those shortcomings often manifest in specific problems like a lack of intelligence requirements.
If you're asking what are intelligence requirements and why do they matter, don't worry, you're not alone. To summarize, intelligence requirements essentially identify what intelligence analysts at a given organization focus on. If you consider the intelligence cycle, intelligence requirements are a part of the planning and direction step.
The Intelligence Cycle
Let's say you're an organization operating in the healthcare sector. A very basic intelligence requirement for your organization might be to identify activity targeting the healthcare sector. That requirement would then dictate the sources of information that you collect or procure, how you would process and exploit that information, the specific intelligence analysis that you produce from exploiting that collection, and what and how you disseminate and integrate that analysis at your organization.
Oftentimes organizations don't have any identified intelligence requirements. When that's the case, threat intelligence research without intelligence requirements is just surfing the web. Conversely some organizations will say that they want to know about everything so "everything" is their intelligence requirement. If everything is your intelligence requirement, you'll end up being inefficient with your defensive resources. Intelligence requirements also have to be relatively specific so that the execution against them within the intelligence cycle can be tracked.
For organizations that are getting started with threat intelligence or don't already have identified intelligence requirements, there are basic intelligence requirements that your organization can use. These might seem overly simplified - which they are - but they are still significantly more specific than "everything" and can give threat intelligence teams a general heading. Those basic intelligence requirements include the following:
- Activity targeting my sector
- Activity targeting my organization
- Activity targeting specific data types that my organization secures (eg. protected health information or PHI)
- Activity emanating from my known adversaries
"Intelligence" Feeds or Reports
Indicators in and of themselves are not threat intelligence, but too often feeds and reports will claim to be intelligence when really they are only indicators. Context maketh intelligence. Consider the Grizzly Steppe Joint Analysis Report from two years ago. There were hundreds of indicators shared in that report, but the context that was shared with each of those indicators was insufficient to actually qualify them as intelligence. Ideally, cyber threat intelligence feeds and sources would answer all (or at least two) of the following, which generally correspond to the vertices and axes on the Diamond Model of Intrusion Analysis:
- Who the bad guys are
- What they are doing
- How they are doing it
- Who they are doing it against
- Why they are doing it
- What they will do next
Focus on Known Bad
Finally, the last issue worth noting is a general focus on known bad activity or indicators. Don't get us wrong, this is completely necessary. But it fails to recognize the fact that, if we are employing threat intelligence to its fullest extent, we can proactively identify indicators that might be used in malicious activity in the future but aren't yet known to be malicious. What you're left with is playing whack a mole with indicators that possibly are not even being used in operations by the time that you hear about them.
By using this kinetic and potential energy framework, organizations can triage indicators and activity using basic intelligence requirements, scrutinize reports for relevant intelligence, evaluate their intelligence sources or reports, and include a more proactive approach to defense that incorporates suspicious indicators.
A Quick Thermodynamics Lesson
Kinetic and potential are different states of energy that describe the capability of an object to do work. Kinetic energy results from an object in motion, such as a moving car. Potential energy comes from an object's position and may be converted into kinetic energy, such as a ball held above the ground or a compressed spring. To measure and understand these energies over time scientists have to measure things like an object's velocity, vector, height, and compression, while also taking into account energy-degrading factors like friction or gravity.
To better explain kinetic and potential energy, let's consider a bow and arrow. A bow and arrow by themselves have no energy. When a bow is drawn to shoot the arrow, energy is put into the bow and arrow system. This energy is potential energy and is held in the drawn string of the bow. That potential energy can then be transferred into the arrow by releasing the string and shooting the arrow. At that point, the arrow that is flying through the air has kinetic energy while the potential energy in the bow is gone. This kinetic energy will then degrade as friction from the air and gravity act on the arrow until it hits its target or falls to the ground.
Let's now consider that there is an arrow that we have to physically defend our organization against. Generally, this arrow has several characteristics that we want to understand to determine if and how we defend against it:
- Whether the bow has been drawn
- Whether the arrow has been shot
- Where the arrow was shot from
- What the arrow was shot at
- How fast the arrow is traveling
- Who shot the arrow
Correlation to Threat Intelligence
Those characteristics about the arrow that we want to understand are essentially threat intelligence and those arrows aren't significantly dissimilar from indicators. In some cases there are indicators that we aren't going to care about because they weren't shot at our organization or any similar organizations.
Those things that we want to know about arrows relate to our intelligence requirements. Many of those intelligence requirements manifest in the physical energy properties - was the arrow shot, how fast and where is it traveling, is the bow drawn -- so maybe indicators have relatable energies that we can measure to evaluate and better understand them.
Factors to Measure
When considering kinetic and potential energies for indicators there are certain variables that we want to make sure to include in our equations to capture the necessary data points for the indicators we're evaluating. These factors mimic those that scientists measure to calculate energies. For kinetic energy, we want to include velocity, vector (or direction), and it's degradation over time:
- Velocity is simply going to be binary -- is it active or not.
- Vector will be a combination of binary, relative factors. Depending on your frame of reference -- the organization you're in, your sector, the data you safeguard -- that calculated vector will be different.
- Degradation, much like gravity or friction ultimately reduce kinetic energy, time will reduce the kinetic energy of an indicator.
For potential energy, it is a bit more nebulous. The main variables we're interested in are the compression or height and the degradation over time:
- Compression/Height is where things might get sticky. This is going to be binary and relative to our frame of reference, like the vector for kinetic energy, but it is going to necessitate a better understanding of our adversary and their tactics.
- Degradation is similar to what it is for kinetic energy with time ultimately reducing the potential energy of an indicator.
As we considered those factors that play into kinetic and potential energy, we ultimately generated the below equations to measure those energies. Keep in mind that these are the equations that we've developed to account for the aforementioned factors in the cyber world. The way that your organization views these factors and ultimately uses them to measure kinetic and potential energy may differ. More on that later.
Kinetic energy for a given indicator is relative, meaning it is going to be different based on who is evaluating it and what organization they are a part of. Usually, any indicator with a kinetic energy greater than 0 deserves additional attention and the higher the kinetic energy, the more pertinent the indicator is going to be to the individual/organization evaluating it. Let's break down the different factors in the equation:
- Velocity: To start off, if the indicator hasn't actually been used in an operation, U is going to be 0 so the kinetic energy is going to be 0. In that case, we'd move to potential energy and evaluate that.
- Vector: S+O+D+A really represents those distilled, basic, inherent intelligence requirements referenced earlier. For our equation, we're treating all of these factors equally, but when doing this for your organization, you might choose to change it up a bit. This part of the equation represents essentially where that indicator is directed.
- Degradation: The kinetic energy is going to decrease over time and ultimately approach 0 based on a deprecation period.
Potential energy should only be evaluated when an indicator is not known to have been used in an attack. Potential energy correlates with what might happen that is relevant to a given organization based on known adversaries. When indicators with potential energy greater than 0 are addressed, organizations are being proactive in defense. These are the factors in the potential energy equation:
- Compression/Height: Potential energy necessitates an understanding of your adversaries and their tactics. When those things aren't known, that can be considered an intelligence gap.
- Degradation: Like with kinetic energy, potential energy will also degrade or deprecate over time. It should be noted however that the period over which you deprecate these suspicious indicators might be different than the period over which you deprecate known bad indicators.
Applying the Equations
Now we'll apply these equations and use these energies to better understand a group of indicators. We'll evaluate these indicators from the perspective of five different organizations. A financial company specifically working with cryptocurrency, and pharmaceutical, media, sporting, and think tank organizations. The indicators we'll evaluate include the following:
- Arkouowi[.]com was identified in an Accenture report on 2018 Hogfish (aka APT10) operations targeting organizations in Japan; however, no context was given for the type of sector or data that was targeted. APT10 is known to have targeted financial and pharmaceutical organizations, among others.
- Ikmtrust[.]com was identified in an Arbor Network 2018 report on Fancy Bear lojack operations, but no targeted sector or data type were included in the report. Fancy Bear is known to have targeted media, sport, and think tank organizations, among others.
- 222.122.31[.]115 was identified in an Intezer report as part of a Hidden Cobra operation targeting the financial sector. Specifically they targeted data and organizations related to cryptocurrency. Hidden Cobra is known to have targeted financial and media organizations.
- Fifacups[.]org was not identified in operations, but the domain was registered (Incident 20180326A: Domains Using Suspicious Name Servers and Hosted on Dedicated Servers) through a suspicious name server and as of July 24 2018 is hosted on a dedicated server at 5.135.237[.]219. Those tactics are consistent with previously identified Fancy Bear tactics.
- Atlanticouncil[.]org was not identified in operations, but the domain was registered (Incident 20180611A: Additional Patchwork Infrastructure) at essentially the same time and through the same registrar as domains identified in Volexity report on a Patchwork activity targeting US think tanks. As of July 23 2018, this domain is also hosted on a dedicated server at 176.107.177[.]7. Patchwork is known to have targeted US think tanks and Chinese political and military organizations, among others.
Based on the above intelligence related to these indicators, we can calculate the kinetic and potential energy for each based on the organizations we previously mentioned. For the purposes of these calculations, we'll assume that the financial cryptocurrency organization deprecates malicious and indicators after 180 days, while all of the rest deprecate them after 360 days. We'll also assume that all of the organizations deprecate suspicious indicators after 360 days. Here are examples for two of the indicators:
Since this indicator has not been identified in operations (our U variable is 0), the kinetic energy is 0 so we then proceed to evaluate potential energy.
Based on a calculation date of July 24 2018, we ultimately come up with the below measurements for these indicators' kinetic and potential energies.
When we rack and stack the findings for each organization, we can see how organizations might go about prioritizing the review of some indicators before others. For example, the 222.122.31[.]115 IP address would be a higher priority for the financial cryptocurrency organization while a lower one for the media organization.
We also see that, within these results, there are no potential energy scores for the financial or pharmaceutical organizations. If we conduct this analysis for a number of our sources and don't have any potential energy scores, that is something that can feed our collection requirements. In that case, we need to pursue different sources that focus on identifying suspicious indicators associated with our specific adversaries' tactics.
There are several important notes to mention now that we've employed the framework and gone through the analysis. To start off, it is important to note that potential and kinetic energy shouldn't be directly related because they aren't a one to one comparison. How you treat both most likely will differ.
When you're going through this analysis, everytime you say to yourself "I don't know" that is an intelligence gap. The more you work through those intelligence gaps, the more you'll build a baseline for who to follow and why. An important aspect of this framework is that it requires a general understanding of your adversaries or forces you to learn about them. It may be worthwhile to conduct a capability vs. intent assessment of adversaries prior to employing this framework to determine which adversaries are most pertinent to your organization.
Whenever you have a lack of or very low score of either type of energy, that is a collection gap. Procuring or acquiring additional sources may help mitigate those deficiencies and result in better intelligence for your organization.
From the intelligence publisher/creator perspective, this framework can be applied to improve the utility of what they share. If they find that they can't identify the variables that go into these equations from their reports, there is some additional context there that they should investigate and share if possible. Additionally, if they were to provide calculated kinetic and potential energies for affected organizations along with their reports, then that might facilitate consumption and integration of their intelligence.
It's also important to note that for some reports that are one instance of specific activity, you only have to calculate the scores for a single indicator. That same score would then be accurate for all other indicators in that report or directly related to its relevant activity. For example, the IP addresses 5.135.237[.]219 and 176.107.177[.]7, which respectively host fifacups[.]org and atlanticouncil[.]org, would have the same potential energy scores as the domains.
While we went over our specific equations for kinetic and potential energy, this idea and the equations are extensible. The main issue is capturing the velocity, vector, and degradation. But maybe you want to treat your assessment of that vector differently. Maybe you want to include other basic intelligence requirements like the country targeted, if so, this is how your equation might look, where L is whether your location/country was targeted in the activity:
Or maybe you want to exclude unknown variables to mitigate shortcomings in reporting. Using n, where n is the number of variables you're actually including, instead of 4 could do that:
Or maybe you want to weight certain variables differently to reflect more important intelligence requirements. This is maybe a way that equation would look, where activity targeting your organization is more important than the other variables:
Regardless of what intelligence requirements you want to include, the vector factor of the equation is where you can easily change things up based on your own organization's needs.
Caveats and Conclusions
There are several caveats related to this idea and framework that we should also mention. First and foremost, this framework isn't going to be for everyone and its utility may hinge on your threat intelligence program's maturity. Some organizations may completely discount it as they already have a different process in place to evaluate indicators against their intelligence requirements. Others might not have the resources to run through this framework. Others also might just not think this framework is useful. We're hoping though that some organizations might find this useful either as a thought experiment, or to audit their intelligence program and identify intelligence and collection gaps, or maybe to even incorporate into their daily processes. Regardless of where you fall on that spectrum, we'd love to hear back from you on this idea and any thoughts you have on it.
Finally, it's worth noting that at this point, this is a manual process and more of an analytic technique or framework; however, we are investigating ways to employ this at scale and include it in our own intelligence reports. A lack of standards in industry reports and feeds could ultimately complicate automation efforts, so that is something else we are taking into account.