Cyber Intelligence

There are no rules, and no certainties

Coleman Kane - @colemankane


What is Intelligence?

Example definitions, borrowed from the pages of The Craft of Intelligence,
by Allen W. Dulles:

Foreknowledge is the reason the enlightened prince and the wise general conquer the enemy whenever they move. ‐ Sun Tzu

Intelligence deals with all the things that should be known in advance of initiating a course of action.‐ Task Force on Intelligence Activities, 2nd Hoover Commission


Let's define

Families of Intelligence Data

Recorded observations, facts, or datapoints.
Stored artifacts, documents.
Supporting evidence.

Recounted observations.
Derived information.
Courses of action.



How intelligence is often perceived at higher levels, unfortunately

B is a problem, effect, or symptom, while A is a cause .
There may be many causes, some known, some unknown.

Inference Chain

Given: A→B, B→C
Conclusion: A→C

We known that if A is true, it means that B is true.
We also know that if B is true, that it means that C is true.

Thus, when analyzing both of these artifacts, or data points, we can conclude a new piece of knowledge, that whenever we know A to be true, we can conclude C to be true.

Conclusions are our derived knowledge. This is often considered the Intelligence that is the output of our research.

Probabilistic Inference

P(B | A)

How intelligence more often behaves, in practice

Pop Quiz

P(C | A) = 0.75

P(C | B) = 0.85

Two values A and B have both been measured as likelihood indicators of C

If we find that A and B are both true, what is the likelihood that C is true?

Trick question?

P(C | ¬A ∧ B) = 1.0, P(C | A ∧ B) = 0.0

P(C | A) = 0.75, P(C | B) = 0.85

Intelligence in the Cyber Domain

Knowledge: What has been seen?
  • Attack reports
  • Vulnerabilities
  • Assessments
  • Attack surface
  • Business operations
Conclusions: How to respond?
  • Signatures
  • Watchlists
  • Analysis/Findings
  • Actions
  • Advice

Research cycle: Conclusions are derived from Knowledge, tested, and if they hold up to sufficient testing, reach a confidence threshold at which point they are stored in the knowledge base and treated equally to knowledge, until refuted in a manner that reduces confidence below an accepted threshold.

Models and Frameworks


Cyber Kill Chain®

Diamond Model for Intrusion Analysis


Role of Frameworks

All of these frameworks have a lot of utility, and often come with an implementation cost. Make sure you've identified your need and benefit ahead of implementation.

  • Cost: High (to produce), Low (to consume)
  • Useful if you anticipate high volume information exchange, or have intelligence providersthat supply information in STIX format.

Cyber Kill Chain®
  • Cost: Low
  • Nice initial step to breaking down attacks. Useful in particular if you have multiple teams that will handle remediation, investigation, and mitigation work. Organizies event information into what occurred at each phase.

Role of Frameworks (cont.)

Diamond Model
  • Cost: Medium
  • Very intelligence and adversary-focused analysis. Organizes activity into metadata that can be used to compare events to one another, as well as identify common factors across multiple events

  • Cost: High
  • Organize activity into techniques that are used in a finer-grained list of phases than the Cyber Kill Chain. Focus is on detection/prevention management. Attempts to provide an encyclopedia of TTPs. A good place to continue maturation after CKC.

What Frameworks Won't Do

These all represent additional effort, above and beyond the basic efforts of documenting events, collecting artifacts, IOCs, signatures, and building detection

Pyramid of Pain

David Bianco (@DavidJBianco),

Suggestions to get started

Imagined Attribution

Campaigns, Actors, and Attribution

You don't attribute indicators or signatures. You attribute events to adversaries. Easily an entire presentation worth of material. I'll direct you all to Florian Roth's thorough analysis on the topic: The Newcomer's Guide to Cyber Threat Actor Naming

Not everyone needs to do cyber attribution
Not everyone's conclusions will match.

Knowledge Gaps

Lack of detection coverage is just one type of knowledge gap

Some Other Examples of Knowledge Gaps

Action-Driven Intelligence

If we know X, we would do Y

Managing Cyber Intelligence

Find places to store & manage your knowledge

Detection Deployment is a Hypothesis

Hypothesis Testing

Fidelity Testing


Automate Early, Automate Often

Good vs. Bad Intelligence

A common question I'll hear: Is this a good indicator or signature?

Good vs. Bad Intelligence (cont.)

Other ways to interpret the good vs. bad question


Review (cont.)