Personalized Threat Intel from a Secret Service Point of View

Imagine this: You’re hired to work as a senior-level software programmer for a networking company. Your responsibilities include building a security framework and ensuring the secure delivery of new products and services. Out of (seemingly) nowhere, Code Red hits and your company, along with many others around the world, experiences outages. The communications and PR teams rush to address the situation and assure customers and stakeholders that the issue is under control. As part of the networking team, you are keenly aware of the reality of the problem, but you’re behind the scenes, helping restore services.

Until the CEO asks you, the only fluent English-speaking employee, to directly address the press. This is a career-altering moment, and not one most programmers are prepared for, at least not on a moment’s notice. Yet this was Kumar Ritesh’s reality in July 2001. He was thrust into the spotlight, and given the visibility of Code Red, his involvement gained the attention of the UK’s Secret Intelligence Service. Shortly thereafter, based on his handling of the situation, Ritesh was invited to join another software company, one that, unbeknownst to him, was run by the Secret Intelligence Service. At first, Ritesh thought he was working for a private company and getting the opportunity to work on really interesting projects.

In time, he learned he was working on behalf of the Service and was instrumental in building out their cyber warfare capability. It was a tremendous experience, and Ritesh even had the opportunity to work in the field with agents (a real-life James Bond adventure), observing their communication channels and building better products. He gained invaluable expertise in cyber threat intelligence during this period, and after soaking up as much as he could, moved back to the private sector to head up cyber security for one of the world’s largest mining companies. Ritesh was hoping to apply his knowledge of intelligence in this role, but what he found was that, despite the ample security budget at his fingertips, he wasn’t able to find the right intelligence to inform his risk guidance, much less to present to fellow executives and board members.

“With all the sophisticated security controls I had and all the systems I had for data collection and analysis,” Ritesh told me during a recent call, “I still didn’t have the confidence to say, ‘we’re secure,’ or, ‘we have to prepare for this type of attack.’ The intelligence just wasn’t reliable enough. I knew what was happening on the inside, but what was missing from my data was the attacker’s point of view—what we looked like from the outside.”

Building from the practitioner perspective

To build what he needed as a practitioner, Ritesh left his job to start a company focusing on delivering quality threat intelligence from an external point of view. Today, Ritesh leads CYFIRMA with a mission to improve the caliber of “outside-in” threat intelligence companies can use to answer the “5 Whys”:

  1. Who: Who are the attackers likely to target my business?
  2. What: What are they after? What specific data and systems do they want to access? What do they want to do once they have successfully exploited my company?
  3. When: Are the attackers ready now? Is there an imminent threat? Is this something we can prepare for?
  4. Why: Why us? What do we have that’s attractive to attackers, and why does that make us a prime target?
  5. How[i]: How are attackers likely to try to exploit my business? Which tactics and techniques will they use?

Beyond the need to answer the above questions (and more), Ritesh wanted the output of CYFIRMA’s threat intelligence to be categorized into one of three buckets: one for overall strategy, another for management decisions, and the third for operational actions. Before officially launching the company and product in 2019, Ritesh and his team spent a lot of time talking to would-be customers, asking them what was missing from current threat intel products and services, and learning how they use threat intel strategically and tactically.

Seeking tailored answers

“It’s been a fairytale since the beginning of 2019,” said Ritesh, “because we’ve heard from the market that organizations want more than IOCs on a dashboard.” The company’s product, DeCYFIR, is a cloud-based threat discovery and cyber intelligence platform. DeCYFIR collects more than 100GB of data from disparate deep and dark web sources every eight hours, then uses a mathematical model to correlate and analyze the data in different ways so that the results always help answer the “5 Whys.” “If the model can’t answer those questions, it keeps searching for more data,” said Ritesh. “If we can’t get a tailored view per our customer’s threat profile, we keep looking. The goal is to sit outside each customer’s environment and see what they look like to attackers and identify personalized motives, methods, and campaigns.”

DeCYFIR is deployed as automated and configurable agents that troll deep and dark web sources looking for signals related to the individual company or company’s industry. Bots crawl for targeted attacker motives and plans, using methods to access channels where cyber criminals post messages and discuss tactics and techniques. There, the bots listen to conversations and correlate data so CYFIRMA can craft custom intel for each customer.

“I learned early in my career that cyber criminals aren’t going to come out and say, ‘I am going to attack ABC Company on X date.’ Instead, they’ll send messages that look more like, ‘We’re meeting for breakfast on Wall Street at 11 AM ET on Wednesday.’” It’s this type of context and understanding of the intelligence space that allows Ritesh and his engineers to build a product that produces a storyline customers can follow. And it’s because of this that CYFIRMA has won some big-name clients in less than a year. “Our customers are household names and they need to see what they’re up against—specific attack techniques, timeframes, and targets—otherwise, the intelligence isn’t actionable and we won’t send it.”

Targeted views

On a more tactical level, after DeCYFIR finds personalized intel that answers the 5 critical questions, it is parsed into four views that can be used effectively by different participants in the cyber risk discussion. There is a Threat View for SOC operators and analysts that shows which threat actors are targeting the company or industry; a Risk View for executives who want to see how the company is trending, their risk score, and how they look from an attacker’s point of view, i.e., their “hackability”; a Risk Dossier, which shows various elements of a threat, like identified impersonations, who has registered malicious domains, the IP address of malicious hosts, and what type of malware is being propagated out of that address; and the Report View, which is the company’s 24-hour snapshot of activity.

DeCYFIR is a robust platform that gives companies the “hacker’s view” of their organization plus some very actionable information that can help them prepare for an attack. This isn’t a one-size-fits-all approach to cyber threat intelligence; DeCYFIR surfaces very specific, very tailored intelligence, which might not be a match for companies that want to see the entire threat landscape, including correlation with internal telemetry, and/or want awareness of greater industry trends that are not likely to impact the organization. CYFIRMA’s product is the bottle service of threat intel, and sophisticated SOC teams and MSSPs could improve their actionability with a tool like DeCYFIR.

_____________________________________________________________________________________________________

[i] Not a “w,” but nonetheless crucial to the equation.