When Tolkien first sat down to write Lord of the Rings, he probably never imagined it would go on for over 1,000 pages. The same can also be said for network defenders tackling ransomware attacks. Years ago, I distinctly remember saying that ransomware would never catch on…how wrong I was. As we near the halfway point of 2021, ransomware continues to play an increasingly dominating role in the cyber threat landscape. Here at Digital Shadows (now ReliaQuest), we have produced over 800 intelligence updates on ransomware in 2021 so far. If things carry on at that rate, we’ll be at nearly 2,000 for the year. That’s at least 2,000 victims of a ransomware attack in a single year. And the actual figure will be much higher as many victims will have paid the ransom to avoid publication of their data.
One of the most significant ransomware events of 2021 was the attack on US fuel giant Colonial Pipeline, two weeks ago, by the operators of the “DarkSide” ransomware. Other notable attacks include a “Babuk” ransomware attack on the Metropolitan Police Department of Washington DC, the “Conti” ransomware attack on Ireland’s Health Service Executive, and an attack on insurance giant AXA by “Avaddon” ransomware after they stated they would be removing reimbursements for ransomware payments. I’m a great believer in the famous adage “prevention is better than cure.” So, with that in mind, I thought I’d take the opportunity to discuss how the intelligence cycle can help prepare organizations for a ransomware attack.
What is the intelligence cycle?
The intelligence cycle is a vital part of any threat intelligence capability. It is used by military and law enforcement analysts around the globe. It is the name given to the process that many analysts will follow to convert information into assessed intelligence. The intelligence cycle has its fans: It provides a straightforward method for new analysts to follow. Those more experienced analysts can also use it as a basis to build upon. It is a helpful framework that provides consistency amongst intelligence peers.
While the intelligence cycle is a good model, putting it into practice can be tricky. Decision-makers rarely give detailed intelligence requirements to an analyst. In addition to this, they will often make decisions before knowing the outcome of the tasked analysis. In a perfect world the collection and analysis phases of the cycle run in two defined parts, but in reality it is more common for them to be run in parallel. An analyst may also need to repeat the collection and analysis phases several times before moving on to the dissemination phase.
Regardless, the intelligence cycle is a good starting point that network defenders can move through to understand the risks to their business from a ransomware attack. Moving through the cycle can help assess the likelihood their organization will be targeted in a ransomware attack, identify the likely ransomware type behind the attack, and create defensive and preventative recommendations.
Stage 1 of the Intelligence Cycle: Direction
The first stage of the intelligence cycle is direction. You might see online that differing versions of the intelligence cycle have “planning” and “direction” separated into two sections of the cycle. For me, the term direction covers all aspects needed at this point in the cycle; receiving direction and planning how to meet that direction must be done before collection can commence.
The direction phase is when you need to define and agree on intelligence requirements. These are the questions you will be seeking to answer throughout the cycle. Intelligence requirements for a network defender wanting to know more about the threat to their business from ransomware attacks could include:
- Which ransomware types frequently target my organization’s sector?
- Which ransomware types frequently target the geographic region/s my organization operates in?
- What is known about the operators of these ransomware types? Do they operate an affiliate model?
- Which tactics and techniques do these ransomware types employ? Do they conduct data exfiltration or distributed denial of service attacks for added pressure on victims?
Once agreed upon, intelligence requirements should then be transferred to an intelligence collection plan (ICP), which provides structure to the collection of information. It allows an analyst to identify the information or knowledge they already hold to meet the intelligence requirements. Consequently, it will also help analysts identify when they don’t already have the answer—their intelligence gaps—and plan how to fill those gaps. It’s helpful here to consider the sources of information you will likely use during the collection phase of the intelligence cycle. And if you don’t have a way to access the information you need, now’s the time to plan how you will get it. Suppose part of your ICP relies on collecting information from a third party; it is a good idea to engage with those parties early to avoid unnecessary delays. ICPs should be updated regularly to track progress and identify barriers to delivery at an early stage.
Direction, arguably, is the most crucial stage of the intelligence cycle. This stage is where you get to know how to meet your manager or client’s needs— if direction is not defined and agreed upon properly, the work you put in throughout the rest of the cycle could all be for nothing. It’s also important to agree to a delivery timeline with your client and understand what your intelligence will be used to inform. This will all help to tailor how you approach and complete the task.
Stage 2 of the Intelligence Cycle: Collection
The next phase of the intelligence cycle is, naturally, collection. Time to put your ICP into practice! Collection should include a wide variety of information sources. Sources can generally be divided into two categories: open and closed. Open source information is data or information available to the general public. In contrast, closed sources are not freely available to the public.
The most common type of open source information is that found on the internet. The surface, deep and dark web all come under the banner of open source information, as does information obtained through a Freedom of Information request. While the internet is a plentiful collection source, it can easily lead to information overload. Sticking to the original intelligence requirements is vital to ensure the collection of information is refined and targeted.
The Digital Shadows (now ReliaQuest) Threat Intelligence library is an excellent source of information on ransomware types and their operators. We regularly publish new ransomware threat profiles and ensure our existing profiles are updated promptly to include the most up-to-date information. These profiles contain information on the sectors and geographical areas most targeted by the different ransomware types. To do this, we actively track the activity on approximately 25 ransomware data leak websites (used by ransomware operators to leak the details and data of victims who do not pay a ransom demand).
All Digital Shadows (now ReliaQuest) intelligence is aligned to MITRE ATT&CK, including the tactics and techniques of prominent ransomware types. Some of the most common MITRE ATT&CK techniques used by ransomware groups are:
- Compromise Infrastructure: Botnet T1584.005
- Supply Chain Compromise: Compromise Software Supply Chain T1195.002
- Phishing: Spearphishing Attachment / Spearphishing Link T1566.001 / T1566.002
- Exfiltration Over C2 Channel T1041
- Exfiltration Over Web Service T1567
- Data Encrypted for Impact T1486
- Inhibit System Recovery T1490
- System Information Discovery T1082
- System Network Configuration Discovery T1016
- Exploitation of Remote Services T1210
- Impair Defenses: Disable or Modify Tools T1562.001
- Remote Services: Remote Desktop Protocol T1021.001
We also have an excellent research paper on initial access brokers (IABs), which you can read here. IABs are a popular resource for ransomware operators when seeking to gain access to a network. These individuals sell access to victims’ networks on cybercriminal forums. From there, ransomware operators can buy and exploit that access. However, following the attack on Colonial Pipeline, forum administrators have banned any content concerning ransomware to avoid unwanted law enforcement attention. Whether that will impact the way ransomware operators gain initial access to networks remains to be seen.
To end this section, remember to ask yourself these important questions:
- Is the information relevant, credible, and valid?
- Does the information answer the requirements?
- Does the information add value?
If the answer to these questions is yes, store that information securely for when you are ready to move onwards through the intelligence cycle.
Stage 3 of the Intelligence Cycle: Analysis
While some argue that direction is the most critical phase of the intelligence cycle, others make a strong argument for analysis to take pole position in the importance stakes. This is the stage when analysts get to flex their analytical muscles and use their skills to transform information into intelligence.
To do this, analysts might use their intuitive judgment, but this can cause problems. Using our judgment may make any outcome less reliable as we are all susceptible to bias. Intuition shouldn’t be avoided entirely, though. Coupled with using a structured analytical technique, an analyst’s experience and intuition can be a real asset. It’s why those of us who have been around longer provide some pretty good insights every now and then.
Structured analytical techniques are good for overcoming our biases and providing consistency and transparency within analysis. For analysts needing a quick outcome, a method like SWOT can be an easy win. If you have a lot of event data, then geospatial and temporal analysis can be helpful tools. These techniques map geographic and time data, respectively, providing analysts with a visual representation of data making patterns easier to spot. For example, geospatial analysis is how the 1854 cholera outbreak in Soho, London, was narrowed down to one contaminated water pump. That water pump is still there to this day—thankfully, it doesn’t dish out water anymore.
For those with more time, you might consider using analysis of competing hypotheses (ACH) or the Cone of Plausibility (CoP).
ACH provides analysts with a platform to consider alternative hypotheses to a problem, rating the evidence for each hypothesis as they go, as either consistent or inconsistent. As analysts move through their chosen hypotheses, they can adjust their belief in a hypothesis based on the credibility of that evidence. At the end of this consideration, analysts choose the most likely hypothesis based on it being the outcome with the least inconsistency. ACH encourages critical thinking and basing decisions on the available evidence. However, the criteria for hypotheses can be inconsistent across analysts and can leave room for subjectivity.
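As an added example that is not part of the original post, here is the ACH scoring described above carried out in code: each evidence item is rated consistent, inconsistent or not applicable against each hypothesis, inconsistencies are weighted by the credibility you assign to the evidence, and the hypothesis with the least weighted inconsistency is preferred. It also flags evidence that does not discriminate between hypotheses and evidence whose removal would change the preferred hypothesis, which is where the subjectivity mentioned above tends to hide. The hypotheses, evidence items, credibility weights and ratings are all constructed for illustration and do not describe any real ransomware group or incident.

```python
"""Analysis of competing hypotheses (ACH) scoring for a ransomware attribution question.

Added example, not code from the original post. All hypotheses, evidence and
ratings below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

CONSISTENT = "C"
INCONSISTENT = "I"
NOT_APPLICABLE = "N/A"


@dataclass
class Evidence:
    description: str
    credibility: float        # assumed scale: 0.0 (no confidence) .. 1.0 (fully credible)
    ratings: Dict[str, str]   # hypothesis key -> C / I / N/A


def inconsistency_scores(hypotheses: Iterable[str], evidence: List[Evidence]) -> Dict[str, float]:
    """Weighted count of evidence items inconsistent with each hypothesis.

    Consistent and N/A ratings add nothing: ACH ranks hypotheses by what they
    fail to explain, not by how much evidence happens to agree with them.
    """
    scores = {h: 0.0 for h in hypotheses}
    for item in evidence:
        for h in scores:
            if item.ratings.get(h, NOT_APPLICABLE) == INCONSISTENT:
                scores[h] += item.credibility
    return scores


def rank_hypotheses(hypotheses: Iterable[str], evidence: List[Evidence]) -> List[Tuple[str, float]]:
    """Hypotheses ordered from least to most inconsistent; the first is preferred."""
    return sorted(inconsistency_scores(hypotheses, evidence).items(), key=lambda kv: kv[1])


def non_diagnostic(hypotheses: Iterable[str], evidence: List[Evidence]) -> List[str]:
    """Evidence rated identically against every hypothesis cannot separate them."""
    hyps = list(hypotheses)
    return [e.description for e in evidence
            if len({e.ratings.get(h, NOT_APPLICABLE) for h in hyps}) == 1]


def pivotal_evidence(hypotheses: Iterable[str], evidence: List[Evidence]) -> List[str]:
    """Sensitivity check: items whose removal changes the preferred hypothesis.

    If the assessment hinges on a single item, its credibility deserves the
    closest scrutiny before the judgement is disseminated.
    """
    hyps = list(hypotheses)
    baseline = rank_hypotheses(hyps, evidence)[0][0]
    pivotal = []
    for i, item in enumerate(evidence):
        without = evidence[:i] + evidence[i + 1:]
        if rank_hypotheses(hyps, without)[0][0] != baseline:
            pivotal.append(item.description)
    return pivotal


# Constructed hypotheses: generic labels, not real groups.
HYPOTHESES = {
    "H1": "affiliate of ransomware family A",
    "H2": "affiliate of ransomware family B",
    "H3": "unrelated actor reusing a leaked encryptor",
}

# Constructed evidence; credibility values are illustrative analyst judgements.
EVIDENCE = [
    Evidence("Ransom note text matches family A's template", 0.9,
             {"H1": CONSISTENT, "H2": INCONSISTENT, "H3": CONSISTENT}),
    Evidence("Data posted to family A's leak site", 0.8,
             {"H1": CONSISTENT, "H2": INCONSISTENT, "H3": INCONSISTENT}),
    Evidence("Initial access via exposed RDP (T1021.001)", 0.7,
             {"H1": CONSISTENT, "H2": CONSISTENT, "H3": CONSISTENT}),
    Evidence("Encryptor build differs from family A's recent samples", 0.5,
             {"H1": INCONSISTENT, "H2": NOT_APPLICABLE, "H3": CONSISTENT}),
]

if __name__ == "__main__":
    for key, score in rank_hypotheses(HYPOTHESES, EVIDENCE):
        print(f"{key} ({HYPOTHESES[key]}): weighted inconsistency {score:.2f}")
    print("Non-diagnostic evidence:", non_diagnostic(HYPOTHESES, EVIDENCE))
    print("Pivotal evidence:", pivotal_evidence(HYPOTHESES, EVIDENCE))
```

With the constructed matrix, H1 is preferred (weighted inconsistency 0.5 against 0.8 for H3 and 1.7 for H2), the RDP observation is flagged as non-diagnostic because every hypothesis accounts for it equally, and the leak-site posting is pivotal: discard it and H3 becomes the least inconsistent hypothesis. That last result is the point of the technique, since it tells the analyst exactly which piece of evidence their judgement depends on.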
The CoP technique provides analysts with a tool to make future predictions, which we are asked to do quite a lot. The technique involves considering different possible outcomes and comparing those outcomes.
The “Probable Future” would occur if current patterns and trends continued without intervention or unexpected influence. But the CoP does take unexpected developments into consideration – enter the “WildCard” option. These options are the outer limit of what could occur. Wildcards allow analysts to think freely and develop worst-case or even outlandish scenarios. “Preferable Future” is where analysts can consider the best case or the opportunities that exist. The cone helps analysts consider all possible options and assess, using judgment and evidence, which is most likely to occur.
I’ve used the word “likely” a lot in this section, but what does “likely” mean in an analytical context? Analysts frequently use the language of uncertainty in their analysis, which comes from a tool called the uncertainty yardstick.
Like most of the topics I’ve discussed throughout this blog, the yardstick has its positives and negatives. Similar to structured analytical techniques, the uncertainty yardstick provides analysts with a common language to use when assessing how probable an outcome is. It removes the subjectivity I referred to earlier when discussing ACH and provides a common understanding of a threat. However, the chance of an outcome being a “realistic possibility” is between 25 and 50 percent. That’s quite a big difference, really. We discuss the language of uncertainty in more detail in one of our previous blogs: Uncertainties in the language of uncertainty.
In the context of defending against a ransomware attack, how can these techniques help? After identifying which groups frequently target your operating sector, using analytical techniques could allow you to assess the likelihood of one of those groups specifically targeting your organization. Next, you could determine the likely outcome of that attack and whether data exfiltration would occur. You could also consider the risk of further attack based on the MITRE ATT&CK techniques used by that group. Some like to remain in a network for extended periods and use their access to conduct additional attacks.
At the end of your analysis, it’s a good idea to provide some recommendations to your customer. What do you think they should do with your information, based on all the options you have considered? Perhaps this will include updating the ransomware response playbook to ensure creation of multiple data back-ups and storing them separately. Or updating network defenses to protect against the new techniques ransomware operators are using. Whatever the recommendation, always back it up with analysis. That way, you will deliver a stronger position, and dealing with questions or criticism will be simple – it’s all there in the analysis.
Stage 4 of the Intelligence Cycle: Dissemination
Once the analysis is complete, the next phase of the intelligence cycle is dissemination, or in other words, delivering your findings to the customer. At this point, it’s time to consider the best format to deliver those findings and recommendations. Depending on the original task and who your customer is, would a verbal or written briefing be best? Should it be short and snappy, or long and detailed?
It is critical to ensure that all of your hard work is disseminated to your customers in the best way to suit their needs. Reports should be written using straightforward, easy-to-understand language, avoiding any jargon that might confuse the message. Intelligence reports should also be delivered on time while ensuring that information is provided to customers securely; speed should not supersede security. This is particularly important if dealing with a sensitive, ongoing matter. Following good practice during the dissemination stage of the intelligence cycle will contribute to the overall success of the intelligence product and boost your reputation as a capable analyst.
Stage 5 of the Intelligence Cycle: Review
Finally, review completes the intelligence cycle. This part of the process is when an analyst can evaluate their work and gain feedback from the customer of the report. However, review can often be overlooked when working in a busy environment. Analysts may feel that they simply don’t have the time to review all work they deliver, but review breeds improvement.
Reviews can be held with the customer to ensure that the product met their expectations and requirements. If it didn’t, it’s critical to find out why so that you can improve for next time. Even if it did push all the right buttons, having feedback conversations is still a helpful exercise; there is always room for improvement, and sharing thoughts with someone who has different knowledge and experience could elicit ideas that otherwise may never have crossed your mind.
Reviews can also be held internally, covering similar ground to an external review. However, in an internal review, we might look at the analysis conducted and question how accurate it was, whether the proper techniques were used, and how the process can be improved. The importance of feeding this information back into the intelligence cycle cannot be overstated. Collecting feedback is redundant if you don’t act on it. Processes can be streamlined, analysis techniques can be refined, and customer interaction can improve.
In summary, while the intelligence cycle is not perfect, it is a useful tool to guide analysts, old and new, through the production of assessed intelligence reporting. If you want to learn more about intelligence, then Securing the State by Sir David Omand (ex-GCHQ head) is an excellent introduction. Likewise, if you want to know more about structured analytical techniques, then Richards Heuer’s 1999 book Psychology of Intelligence Analysis is a must read.
Conversely if ransomware is your thing and you are interested in learning more, we recommend a 7-day free trial of Threat Intelligence with SearchLight. SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) clients receive real-time, actionable intelligence updates regarding ransomware activity, including analysis from our team of global analysts and intelligence on new posts to ransomware data leak sites across open and closed sources.