Podcast: How Threat Intelligence Leads to Counterintelligence

Hello everyone, and welcome to another edition of Cyberscoop Radio.

I am your host, Greg Otto.

This edition of Cyberscoop Radio is brought to you by Anomali.

And today we're going to talk about leveraging threat intelligence for practical counterintelligence.

One of the many benefits of threat intelligence is being able to disrupt adversaries through counterintelligence initiatives.

We're going to talk to Travis Farral, the director of security strategy for Anomali about what counterintelligence means for enterprises and dive into some practical counterintelligence measures aimed at not only disrupting adversaries, but also allowing for the collection of additional intelligence to aid in attribution, situational awareness and overall risk management.

Hey, Travis, thanks for joining us today.

Really excited to talk about threat intelligence and how you think this factors in to counterintelligence inside organizations.

Awesome.

Thanks to be here.

Greg, good talking with you.

So it's often said that good threat intelligence is a combination of information and insight.

How can organizations achieve that?

Well, there's a lot of components that go into that.

That is absolutely right.

It is information and insight.

Obviously, the insight piece comes from analysts.

Getting the right information to them is important.

It may start with something like an IP address, but I think the common misconception is that's the intelligence, the IP address or the URL or whatever it is.

But the trick I think, is being able to get in service enough context around that IP address.

Where was it discovered?

How is it matched?

Where did this IP come from?

What is it associated with?

What other things is it related to?

And get that in front of an analyst.

Hopefully they'll be able to pull from their experience and from their training and knowledge some additional insights that they can add to that.

And that is really when that turns into intelligence.

Once organizations glean the right insights from the right information they can begin to craft a counterintelligence plan.

We talk about the term counterintelligence.

Some other people call it threat hunting.

But what is the idea behind that term and how should it apply to security plans?

Counterintelligence is exactly what it sounds like.

It's being able to sort of influence the intelligence that the adversary has on you.

So you have to consider as you're building up intelligence on the adversary, whether you know exactly which adversary it is, APT 22, 28, whatever, or really just an actor profile that you started to notice some similarities in different attacks that have occurred in the environment of different campaigns and things, and you start to associate those with maybe a particular persona.

This adversary, maybe you come up with your own nickname for them internally, but there are certain behaviors and preferences that that particular persona has as you observe attacks.

And so now that you know those things, now you can start gleaning some insights into that adversary.

What they're after, what things they like to do, and things like that.

And as you know these things you can start to build up a counterintelligence plan that's really aimed at sort of dissuading that particular adversary from attacking your environment or shifting them to maybe more benign assets or simply just disrupting the campaigns that they have against you.

This could involve deception for any number of techniques.

So part of counterintelligence operations like you just said is understanding how adversaries view your organization.

How does that differentiate among the size of organizations?

Really I think it's not so much the size of the organization as really the maturity of the organization.

The adversaries nowadays used to be general conception of adversaries that the bigger you are, the more likely you are to face high end adversaries.

But I think as we've seen the attacks of the last few years even individuals and smaller organizations suddenly start to become important to certain adversaries depending on who they are and what they're trying to do.

For instance, IoT devices.

If your organization happens to have IoT devices that are exposed to the internet in a way that they can be turned into a botnet suddenly you might be interesting to an adversary.

So the size of your organization may not matter to the adversary, but that's not to say that the organization can't engage in some kind of counterintelligence operations, even with the limited stuff that they have, if they think that they're going to be a target for certain adversaries.

I know you talked about it a little bit previously, but what are some of the ways organizations can weave deception against adversaries?

This is a good question because this gets to the heart of what counterintelligence really is.

Number one, it's understanding who the adversaries are.

If you can't really understand how they see you, then it's very hard for you to impact that visibility that they have into your organization.

So the more you know about the adversary the easier it is to craft these deception campaigns or other counterintelligence campaigns against them.

For instance, if you know that particular adversary is constantly sending certain types of malware and trying to send phishing e-mails, may be polluting their ability to understand who is an active email address inside your organization is a way to sort of corrupt and disrupt those campaigns.

Another way to do that might be to simulate certain systems as being infected and basically suck up a bunch of their time and resources and chasing rabbits for systems that really aren't connected to anything, have no access to anything and are really benign, but they think that they're actively infected systems inside the environment.

OK.

So let's say we are a savvy mature organization like we were talking about earlier.

So when it comes to counterintelligence, what are some advanced tactics that we could use against adversaries?

Advanced tactics might be-- and of course, this depends on the adversary too.

I think a savvy organization is number one going to understand where it's important for them to engage, what types of adversaries are worth their time for developing counterintelligence campaigns, for instance, and which ones aren't.

So if it Tom and malware that's basically sort of the spray and pray variety that everyone sees, having the maturity to be able to understand doing-- we might do some low level counterintelligence here, maybe some automated stuff, but we're not going to really chew up a lot of analysts time coming up with something really advanced against these guys.

Now if it is an advanced actor you can use-- the savvy organizations could use counterintelligence to learn more about these adversaries that are coming against them, especially if it's an adversary that's more of a targeted nature and what they do.

So they may simulate, like I spoke of before, you simulate an environment that looks like it's inside the organization, maybe using the same external IP space but it's isolated, has some systems in their benign data and actually look to actively engage the adversary.

Hopefully the deception works and they're able to observe, capture tools, capture techniques, different procedures that they like-- the ways that they like to laterally move and things like that.

And in the course of that they can continue the counterintelligence deceptions or whatever it is that they can to continue to keep them engaged and continue collecting very valuable intelligence on them.

This process of collecting intelligence, does it work on a loop?

Your threat Intel feeds into your counterintelligence programs, which then give you even better threat Intel, and on the cycle goes.

So is that generally the way that they should work inside a mature organization?

Yeah, I think it absolutely is.

It can work that way.

It's really up to the organization on what their goals are.

If they're trying to really surface a lot more intelligence about an adversary, engaging in a counterintelligence campaign may be the right answer for them.

And yes, it could absolutely lead into a loop because as they learn more things through the counterintelligence campaign, that may lead to new questions and new desires for different types of collections to try and answer those questions.

So yeah, absolutely.

It could be a cycle, it could be a one time thing.

It really just depends on what the organization's goals are.

So finally, how do you think a type of program like this factors in to the overall risk management profile of an organization?

It's got to be deliberate.

Counterintelligence is not something for everybody and it's not something that should be used all the time.

And to do it right it requires resources and it requires energy and effort.

Really understanding what the goal should be are very important to make sure that the time and the resources are used valuably.

And I think it's really a situation of when you're trying to get to the next level, when you're trying to understand the risk against your organization and understand the adversaries in a better way so you can align your defenses the right way.

Counterintelligence should be a component in being able to answer those risk questions.

OK.

Travis, thank you for joining us and giving us some insight on how threat intelligence and counterintelligence can be used inside enterprises.

Awesome.

Thanks, Greg.

Thanks again to Travis for taking some time to talk with us today.

And that will do it for this episode of Cyberscoop Radio.

For more on counterintelligence, direct intelligence and all things cyber security.

Check outside the scoop.com I'm Greg Otto.

Thanks for listening.