Some threat actors love to make noise. Be it a tweet, a forum post, or a chat room message, communicating in the open often takes place. This creates a challenge for analysts, as it provides a myriad of single source reports. Relying on single source intelligence reporting is often like looking through a drinking straw. Your vision is limited, and you can miss important details on the periphery.
While single source reporting is important, it collects fragments. These can often be difficult to process, with time being spent discarding false positives, assessing credibility, applying context, and conducting collateral investigation, all delaying the intelligence being received by the end consumer. This ultimately increases the length of the intelligence cycle and exacerbates the risk of intelligence failure.
One tool for this challenge is Activity Based Intelligence (ABI), an intelligence discipline that has been gaining traction in the military over the past several years.
The purpose of ABI is to pull single source fragments together into a fused picture of activity and exploit them together. This can lead to new insights from data, as well as a faster time to production. Instead of looking at a single source intelligence fragment, ABI considers thousands of intelligence fragments at once.
So what can ABI do for cyber threat intelligence?
- Indication and warning (I&W) of attack – ABI can provide rapid warning of possible attacks from acceleration in trending of actors, operations, or key words. By tracking activity on threat actor social media, for instance around a specific operation, we can measure acceleration of operational activity. This can provide rapid indication and warning of impending attacks, informing both security teams and executives.
- Insight – Which groups are active? What are they doing? Which exploits are being discussed? ABI can quickly provide insights into these questions through following threat actors, and looking at key words related to operational activity.
- Timeliness – ABI can provide indication fast, such as an alert that activity is increasing. This can then be further investigated using single source reporting.
At Digital Shadows (now ReliaQuest) we frequently use ABI to provide further insight into the threats that we are tracking. For example, Figure 1 shows that, with ABI, we can quickly update our assessments on the threat from OpPetrol – an Anonymous operation targeting the oil and gas sector – based on a large sample of posts, and use the acceleration and de-acceleration in the trend.
Figure 1 OpPetrol – ABI analysis of Twitter mentions of OpPetrol shows this is highly unlikely to be a threat due to a clear lack of recent activity, and that it was predominantly active in late June 2014. Moreover, the increase in activity during June 2014, and lack of activity during June 2015, suggests that this operation will possibly not be repeated during 2016.
Also using ABI against OpPetrol, we can quickly look at the operation during June 2014, and compare all mentions to those that included operational terms such as “tango down” or “DDoS”. Figure 2 demonstrates how we can provide an insight into noise vs. operational activity.
Figure 2 OpPetrol activity in June 2014 vs. operational activity. This suggests the operation consisted of mostly noise, and little in the way of attacks.
Moreover, ABI can quickly show activity across the threat landscape. Below is a graph showing social media activity from hacktivist actors we were tracking during a two-week period in November.
Figure 3 ABI analysis of our hacktivist threat landscape shows a spike on 05 Nov 2015, which corroborates single source reporting that OpRemember would attract activity.
This was a gentle introduction to ABI, and a demonstration of how we utilise it at Digital Shadows (now ReliaQuest). ABI isn’t a panacea or a silver bullet, and must be used in conjunction with other sources and assessment methods. That said, ABI provides an insightful, and rapid look at threats.