Dark Reading is part of the Informa Tech Division of Informa PLC

Operations | Commentary

6/25/2020 02:00 PM
Doug Helton

Contact Tracing & Threat Intel: Broken Tools & Processes

How epidemiology can solve the people problem in security.

Like many others, I've alternated between a mild obsession with learning everything about COVID-19 and never wanting to hear about it again. I recently watched the governor of Massachusetts on CBS News' Face the Nation. He spoke of Partners in Health's use of contact tracing in Ebola- and Zika-stricken countries, and then said something that struck me: "It's not theoretical. They've done it before. They know how to do it." His message was: It works.

I began reading about how contact tracing worked for outbreaks like Ebola and researched what other countries are doing. In Israel, the Ministry of Health has released an app that uses cellular GPS data to provide alerts when people nearby are documented carriers of COVID-19. In the private sector, Google and Apple developed a contact-tracing app for the billions of people worldwide who use iOS and Android.

The World Health Organization (WHO) describes a three-step process for contact tracing: Contact ID, then Listing (investigating who individuals with confirmed cases had contact with), and finally, Follow-up. It hit me that this is eerily similar to what I have spent my career as an intel analyst doing.

Identification
Threat intelligence analysts use any number of tools for threat identification, plus additional tools to store these indicators. Traditionally, analysts use their own spreadsheets and Word documents as living workspaces or scratch pads to begin investigations. As they collaborate with others inside the organization, there is an enormous amount of cutting and pasting information from one tool to another. Analysts bounce from TIP to SIEM to instant messages to email in order to collect and stitch together analysis. It sounds crazy, but this is how modern, "digitally transformed" businesses are still identifying and tracking threats today.

Listing
This is where the investigation truly begins — tracing the activity of a malicious actor. Moving from aggregation of indicators to analysis, analysts ask themselves "what does the data tell us?" Unfortunately, collaboration inside and outside the organization is fragmented. Information sharing is happening in pieces, across multiple tools, with no single thread for each investigation. True collaboration, with a single set of unified data, is simply not happening. Analysts must find their own way to piece together the "big picture" and visualize exactly what happened.

Follow-up
This is where the process is completely broken for intel analysts. A malicious threat found a month ago, which was investigated internally and dismissed as low-level, may re-emerge as part of a larger campaign. However, capturing that earlier threat investigation is almost impossible because the analysts would need to search through disparate tools and communication methods. The "chain of custody" for who knew what and when, as well as what was sufficiently analyzed and what was missed, is nonexistent. Other than the final event annotation and a handful of indicators with partial context, there is no collective history of knowledge to build upon. Teams must essentially start their analysis over.

What Contact Tracing for Threat Intel Reveals
While I was impressed by what I learned about contact tracing's success as a public health tool, I am left with a nagging feeling that in the security business, our own "contact tracing" reveals that our tools and processes are broken; it's no longer acceptable from an investigation standpoint, for risk management, and especially not from a human resources perspective. Highly capable, skilled, and, frankly, expensive employees are still operating in silos, stuck in the land of a thousand tools, with limited information sharing, and no means for true collaboration. This only increases risk to the business by extending investigations and frustrating all involved.

How can we ever solve the people problem in security when this is the environment we have created for our most experienced, expensive resources? Just like with forensic evidence, start by assessing your business's capability to maintain a "chain of custody" of analysis. Ask yourself the following questions:

● Where does past analysis live?
● Can our organization reasonably answer "who knew what and when" for intelligence support to investigations?
● Where does cross-team collaboration occur? Does it support easy continuity of knowledge as people enter and leave investigations and teams?

If you find that you're unable to answer these questions confidently, start small. Discuss and document a process for how multiperson analysis should occur. Identify and use a single location for analysis to be centrally stored — ideally, one that is easily searchable. Be sure this includes analysts' contemporaneous notes and indicators, as they may be helpful in future investigations. Finally, practice. Have an analyst attempt to re-create another analyst's work, and assess where gaps in documentation, process, or access to intelligence sources may lie. Over time, improve on this by focusing on efficiency and completeness of analysis.
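The "chain of custody" the article asks for can be made concrete as an append-only analysis journal. The following is an added illustration, not code from the author or from any product mentioned here; the store design, the entry fields and the sample IP and investigation ids are constructed assumptions. It shows the follow-up case from above: an indicator dismissed as low-level a month ago re-emerging in a later investigation, with "who knew what and when" answerable from the record.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

@dataclass(frozen=True)
class AnalysisEntry:
    """One contemporaneous analyst note. Entries are append-only: never edited or deleted."""
    timestamp: datetime
    analyst: str
    investigation: str
    indicator: str
    assessment: str  # e.g. "dismissed-low", "suspicious", "confirmed"
    note: str

class AnalysisJournal:
    """Single searchable store of past analysis (hypothetical minimal design)."""

    def __init__(self) -> None:
        self._entries: List[AnalysisEntry] = []

    def record(self, analyst: str, investigation: str, indicator: str,
               assessment: str, note: str, when: Optional[datetime] = None) -> AnalysisEntry:
        entry = AnalysisEntry(when or datetime.now(timezone.utc), analyst,
                              investigation, indicator, assessment, note)
        self._entries.append(entry)
        return entry

    def history(self, indicator: str) -> List[AnalysisEntry]:
        """Chain of custody for one indicator: who assessed it, how, and when."""
        return sorted((e for e in self._entries if e.indicator == indicator),
                      key=lambda e: e.timestamp)

    def who_knew(self, indicator: str, before: datetime) -> List[str]:
        """Analysts who had already handled this indicator before a given time."""
        return sorted({e.analyst for e in self.history(indicator) if e.timestamp < before})

    def search(self, term: str) -> List[AnalysisEntry]:
        """Free-text search over notes, so a new investigation finds old context."""
        t = term.lower()
        return [e for e in self._entries if t in e.note.lower()]

def build_sample_journal() -> AnalysisJournal:
    """Constructed sample: a low-priority finding that re-emerges a month later."""
    j = AnalysisJournal()
    j.record("alice", "INV-0001", "203.0.113.7", "dismissed-low",
             "Single failed login from this IP; no follow-on activity.",
             datetime(2020, 5, 20, tzinfo=timezone.utc))
    j.record("bob", "INV-0042", "203.0.113.7", "suspicious",
             "Same IP now hosts a phishing kit used against the finance team.",
             datetime(2020, 6, 22, tzinfo=timezone.utc))
    return j
```

When bob opens INV-0042, `history("203.0.113.7")` surfaces alice's earlier dismissal and its rationale instead of forcing the analysis to start over.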

Doug Helton is chief strategy officer and VP of Intelligence at King & Union, a cybersecurity company based in Alexandria, VA, that has built and designed Avalon, the industry's first cyber analysis platform. His passion for intelligence operations began as a signals ... View Full Bio