Society has entered an era of hybrid warfare, where there could be a battlefield with boots on the ground and combined cybercapabilities, or a war that only takes place behind a computer screen. In these scenarios, no one may notice the criminal, state actor or proxy that not only significantly damages a nation’s critical infrastructure, but also weakens its military defence and deterrence.
Since the beginning of the 21st century, military and defence have moved from platform to network-centric warfare, with a strong focus on communications and encryption. However, over the past few years, the cyberthreat landscape has changed dramatically due to a plenitude of software, the rise of the internet of things and complex supply chains. People, values and assets can only be defended if one understands the enemy by creating cyber situational awareness for every kind of threat. This is the purpose of cyberthreat intelligence (CTI), which provides actionable and relevant information on state actors; tactics, techniques and procedures (TTPs); and the indicators of an attack, among other key factors.
Intelligence continues to define the battlefield environment, describing its effects, evaluating a threat and determining the best course of action (COA). Superior intelligence was the key to success in Israel’s defence during the Six-Day and Yom Kippur wars, which saw its military take different COAs, using preventative strikes in the former. During the latter war, Israel opted to wait and defend against an attack. With CTI, commanders can decide on the right COA for hybrid warfare, from selecting whether to make an offensive or defensive cyberaction to secure the availability and integrity of weaponry as well as intelligence, surveillance and reconnaissance systems, plus network and supply chains to the theatre.
Intelligence is a tradecraft with its own intelligence cycle, which combines automated source ingestion, normalisation, correlation, enrichment, prioritisation and dissemination with human brains for the deep analysis of threats, TTPs and cybercampaigns, as well as exposure to these. Traditionally, this was a very labour-intensive process. As cyberthreats do not stop at the border, defence cyber units started to share intelligence with each other and friendly nations, National Cyber Security Centres (NCSCs), partners for critical infrastructure and the defence sector. Supporting the CTI analyst’s work process, and the sharing of intelligence in an efficient and secure fashion, is the function of a threat intelligence platform (TIP).
Threat intelligence technology
EclecticIQ is a fast-growing player in the CTI field that is active in Europe, the US, Middle East and Asia-Pacific. The company offers an analyst-centric TIP called EclecticIQ Platform that stems from the collective, and extensive, experience of CTI analysts and other team members. This platform is based on the open standards of Organization for the Advancement of Structured Information Standards (OASIS) for Structured Threat Information Expression (STIX)/Trusted Automated Exchange of Intelligence Information (TAXII). It offers a plug-in architecture and integration with security operations technology, including world-leading security information and event management (SIEM) software. EclecticIQ Platform dramatically reduces complexity in regard to efficacy, security, scarce resources and costs related to the multitude of tools and silos used today. The company’s clients are civil entities and their defence counterparts, including NCSCs, computer emergency response teams (CERT) and security operations centres (SOCs). It also works in highly regulated industries, such as finance and telecoms.
Defence organisations alone cannot detect all cyberthreats, nor understand how they will impact their own environment. Collaboration with the outside world is vital; a couple of developments have fuelled this effort, including the rise of cyber research and investigations, the availability of CTI, and support for STIX/TAXII as a standardised protocol for describing and transporting CTI. The first two have boosted global capacity for the deep analysis of cyberthreats, while the latter has improved the exchange of CTI in a structured and machine-readable way. But how can the defence sector benefit from third parties?
CTI bundles
There are more than 50 commercial vendors of CTI, plus a growing number of open-source suppliers and CTI communities. These provide valuable intelligence and have their own specialisms, perspectives and objectives, which raises various questions:
- How do clients manage and acquire a portfolio of relevant intelligence sources?
- How do they match requirements against it and measure the portfolio’s value?
- How do companies deal with all the different formats and taxonomies?
- And finally, how do they procure these sources?
The company answers these questions with EclecticIQ Fusion Center – a service that is supported by EclecticIQ Platform, which sees CTI analysts blend their profession with the company’s collective knowledge base and multiple CTI sources to produce thematic bundles of CTI.
The various bundles include critical infrastructure, espionage and electronic crime. New ones are introduced frequently, or can be assembled and customised to meet client requirements. These bundles are more than a collection of observables, as they also contain highly structured and contextual data that can be used at every level in an organisation, with users ranging from analysts to commanders and security operators. Structured data is at the very core of human-readable reports that are produced by the company. This information also feeds SOCs and TIP.
EclecticIQ Fusion Center analysts aggregate the sources into the STIX structure to enrich, cross reference and add context to them. This process becomes even more valuable with qualification taxonomies and tags. Analysts measure overlap, uniqueness, quality, responsiveness, relevancy and other factors that are used to periodically realign the portfolio of sources.
With this service, clients can benefit from the global supply of CTI sources, without spending hours every day reading extensive reports, identifying and extracting observables, comparing with other environments and previously processed reports. This labour-intensive process can be automated as a means of updating security operations, incident response systems and threat intelligence practices, so a scarce number of cyber analysts can focus on triage and the right COA to take.
EclecticIQ enables defence clients to improve their time -to-intelligence and cyber situational awareness, with less complexity, as well as clear and predictable costs. This results in intelligence-powered defence.