Joseph and the Amazing Primary Color CTI Function (Part One) — An Introduction to Primary Source Intelligence

Cyber threat intelligence (CTI) can be a vital pillar of an organization’s cyber security function. Yet not all intelligence is created equal—it can range from stale and outdated indicators of compromise all the way to zesty adversary attack details (and with juicy mitigation advice baked in for good measure).

When it comes to refining intelligence, quality typically trumps quantity. The majority of intelligence stakeholders are time constrained and have enough on their reading list already. The challenge, therefore, is to produce high leverage intelligence that equips stakeholders with decision advantage related to their most pressing challenges.

There are various ways that CTI functions can improve the quality of their reporting. Yet, few will have as dramatic an improvement as utilizing primary source intelligence.

Primary Source Intelligence 101

Primary source intelligence refers to reporting that is based on immediate and first-hand accounts. Within cyber security, this typically means reporting based on a direct connection to the threat at hand.

Much of Mandiant's own primary source data is gained from front-line experience in responding to some of the most significant network intrusions for example. Mandiant also benefits from rich telemetry by protecting millions of endpoints across multiple industries; an organic collection capability to monitor adversary infrastructure and behavior; multiple security operation centers located across the globe; and an Advanced Practices team that works to proactively discover and mitigate adversary behavior.

Yet, primary source intelligence does not possess a monopoly on useful insight. It is typically compared to secondary source intelligence that, by definition, is based on second-hand observations of adversaries. Secondary source intelligence could therefore be based on media articles, academic papers, or third-party reporting.

Many organizations, including FireEye, will therefore combine both primary and secondary sources in their reporting. This is because secondary source can undoubtedly provide high-quality insight. Ultimately, no single entity has omniscient visibility into the threat landscape. Utilizing external sources can therefore help to gain a more expansive perspective and additional insight.

Despite the clear contribution that secondary source intelligence can provide, we believe that a robust primary source-led approach provides a unique and highly effective perspective.

Benefits of Primary Source Intelligence

Build an Intimate Understanding of Adversary Behavior

Regular, first-hand observations of threat actors afford an opportunity to learn intimate details of an adversary’s modus operandi. Possessing an understanding at this granular level then provides the foundation for producing and disseminating intelligence in a variety of formats (whether that be relevant indicators, executive perspectives, MITRE ATT&CK playbooks, or even a technical annex for those determined to venture into the weeds).

Building intelligence off attacks observed in-the-wild is a key focus at Mandiant. For instance, Mandiant Threat Intelligence was able to provide in-depth analysis on the “TRITON” malware family after responding to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems.

Intelligence based off front-line understanding also removes ambiguity by reducing the risk that reporting is misinterpreted. Secondary sources introduce additional nodes in the communication chain between any initial observed adversary activity and a final report. These additional links increase the risk that adversary details are obfuscated, redacted, or amended as a story goes through different reporting iterations.

Detailed technical reports, for example, are often summarized into high-level media articles. Intelligence based off these media articles would then be unable to provide technical details that could be useful to relevant stakeholders. Primary source intelligence, by contrast, cuts out intermediaries.

Understand Adversary Activity From Multiple Angles

A variety of primary sources exist in cyber security and utilizing a breadth of sources will help organizations to better understand their threat landscape. This is because each source provides a different perspective.

Ransomware is one example where a variety of primary sources enriches our understanding. Incident response engagements help us to understand how a ransomware variant operates once it has reached a target system—an increasingly important issue given the rising popularity of post-compromise ransomware operations. Here, tracking malware and adversary infrastructure provides additional insight into many of the tools used in conjunction within these campaigns.

Endpoint telemetry on the other hand, can provide a broader perspective on the most prescient threat to specific regions and industry verticals. Access to dark web criminal forums also affords an understanding of the new variants being advertised for sale. Regularly monitoring data leak sites linked to ransomware operations allows us to confirm any publicized victims and to ascertain any data exposure issues that could impact organizations.

The point here is not that any one of these sources is superior, but that when combined, we are able to build up a much clearer picture of the threat landscape.

Speed

Timeliness is a key component of actionable intelligence. Whether it be relevant indicators or the use of a new MITRE technique, CTI functions should strive to shorten the window of time between adversary activity and the dissemination of relevant and actionable insight to defenders.

Threat actors are constantly innovating, and front-line experience allows organizations to move at the speed of the threat. By being close to the action and leveraging sources with a direct connection to the threat at hand, an intelligence function is able to provide intelligence in as close to real-time as is possible for finished and quality-assured intelligence products.

In Closing

A primary source-led intelligence capability offers unapparelled insight into adversary behavior. By developing a security strategy that builds off experience and expertise from the frontlines, an organization can map its defensive posture against the operational realties in their sector and region.

However, despite the clear added value of primary source insight, its benefits can only be leveraged if intelligence is appropriately integrated within an organization’s security function. It is therefore vital that organizations zoom out and identify the relevant processes and capability required to maximize the benefits of threat intelligence.

Stay tuned for part two of this blog series, which will provide some practical steps on how to operationalize primary source intelligence, and learn more about Mandiant Advantage: Threat Intelligence.