An enhanced version of the old all-source intelligence discipline could serve the purpose.
By Boris Giannetto
Hybrid, interconnected and complex threats require hybrid, interconnected and complex tools. An enhanced version of the old all-source intelligence discipline could serve the purpose.
Today’s society hinges on technologies and they will have most likely an ever-increasing clout in the future, thanks to the development of supercomputing, artificial intelligence, quantum and space technologies. However, we do believe that the human element will maintain a central role.
Global systems and infrastructures are hackable targets (and they are more and more hacked). Technical experts break their head by wondering whether there will ever be a non-hackable system (discussion on quantum and post-quantum cryptography are just an example). Yet, that is not the relevant issue. Cyber operations are often not even detected (especially those below the threshold). Uncertainty appears to us as the main emergent behaviour in global dynamics.
The hiatus between (some) intelligence agencies and other players in the cyber arena is huge. Intelligence units have – and they keep on developing – the most powerful (secret) cyber paraphernalia. Asymmetry is a euphemism.
Cyber intelligence has proven to be of some use both for private organizations and other institutions, but this activity often struggles to find conclusive evidence (smoking guns), attribute attacks to a threat actor (without a doubt), ascertain real motivations or make reliable predictions.
To put it concisely, cyber intelligence is a valid and promising tool, but nowadays it is often (not always) characterized by shaky predictions and lack of conclusive evidence. As is common knowledge, anonymization, obfuscation, antiforensics, re-use, and infrastructure hijacking put frequently cyber intelligence (and cyber threat intelligence) in a doom of overall ignorance or at best in a mist of blurred knowledge. Misleading IOCs, bogus threat actors and phantom APTs are a tough nut to crack. As to APTs, different naming criteria and mimickers breed a tricky situation: with regard to state actors, it is useful to analyse directly the activity of intelligence units. False flags, name & shame and plausible deniability only increase a smoke screen and put to the test analysts’ capabilities.
Non-IT cyber intelligence (cyber is not simply the same as IT; multidisciplinary approach and expertise are key) can help the technical analysis, being it founded on strategic intelligence, geopolitical, scenario and context analysis (in this regard, there are aspects of connection with strategic CTI, even though the two disciplines must be kept separate). Nevertheless, real and sound non-IT cyber intelligence is rarely employed. Furthermore, one ought to boost also archeo-cyber intelligence: cases are filed too quickly, without understanding many things; a deeper ex post study can crack the case and reveal many prospective trends.
Members of nation state or state-sponsored tiger teams laugh often unpunished at mistaken cyber intelligence analysis bulletins published with great fanfare. Rules of thumb, bias, and gimmicks dominate well-known and widespread frameworks; oversimplifications fill pages of nonsensical reports released by improvised and self-declared cyber pundits worldwide. Among such simplifications, one can often read misleading assumptions, for instance: no state pursues economic gain in cyber-attacks; threat actors use specific TTPs and not others; official investigative sources said this and one have to take it for granted; intelligence units do not have recourse to simple and cheap tools in the wild, and so on. Time is however a severe judge and sometimes restores the truth, proving that those reports were inaccurate or at worst wrong. At any rate, threat actors remain for a long time empty puppets and real motivations remain unknown to most. On the contrary, on the technical side (but that relates to cybersecurity in general), alerts and advisories on CVEs – especially on zero-days – show some usefulness, indeed. However, it represents an endless game, characterized by continuous patches and workarounds.
As far as a fairly recent (and rising) trend is concerned, the application of intelligence tools to private and administrative state institutions could engender encouraging organizational advancements (and in rare cases, positive sectoral effects); but some snags could occur at a systemic level. Even if one ought not to preclude such activities in these contexts, private companies and administrative institutions have different purposes, capabilities and powers from intelligence agencies and law enforcement units. This could bring about some inefficiencies and dispersion of information. Possible problems could derive from pre-existing procedures, mind-set of incumbent management (not used to secrecy protocols and intelligence modus operandi), and selection of personnel (in any case, it is useful one more to underscore that some features – e.g. ingenuity and intuition – cannot be taught).
In a complex future scenario, a gamut of different tools – simultaneously and harmonically used – may be the keystone for information gathering and strategic analysis activities. CYBINT is (just) one of them.
All-source intelligence is fundamental in both information acquisition (collection, evaluation, integration) and analysis (tactical, operational, and strategic). Indeed, it is advisable to adopt a synoptic approach during all the (squeezed) intelligence cycle (direction – collection, processing – analysis, production, dissemination). Platforms and technologies ought to be assessed for their intrinsic nature: they are tools and should be regarded as functional means.
Actually, SIGINT, HUMINT, GEOINT, MASINT, TECHINT, IMINT, OSINT (and so on), as well as active defence and offensive operations, are mostly carried out by intelligence agencies and law enforcement units (mainly because of legal restrictions). A close cooperation between these units and other players is desirable.
A broad-scope strategic analysis is essential too, in order to comb raw data, consolidate a sound information base and produce actionable intelligence in an all-encompassing manner. With regard to analysis, specific domains and topics could be addressed by specific disciplines (f.i. FININT). To this end, best minds from different sectors and specializations must be brought together.
A single-INT is not capable of covering the entire spectrum of threats, which even more overlap and interact faster and faster. Cyber and physical domains incessantly permeate each other (hence, the importance of cyber-physical systems). To properly handle and predict phenomena, it is crucial to understand (intelligĕre) emergent collective behaviours in advance, according to a syncretic approach.
About the author: Boris Giannetto
(SecurityAffairs – hacking, intelligence)