Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

6/25/2020
02:00 PM
Doug Helton
Doug Helton
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Contact Tracing & Threat Intel: Broken Tools & Processes

How epidemiology can solve the people problem in security.

Like many others, I've alternated between a mild obsession with learning everything about COVID-19 and never wanting to hear about it again. I recently watched the governor of Massachusetts on CBS News' Face the Nation. He spoke of Partners in Health's use of contact tracing in Ebola- and Zika-stricken countries, and then said something that struck me: "It's not theoretical. They've done it before. They know how to do it." His message was: It works.

I began reading about how contact tracing worked for outbreaks like Ebola and researched what other countries are doing. In Israel, the Ministry of Health has released an app that uses cellular GPS data to provide alerts when people nearby are documented carriers of COVID-19. In the private sector, Google and Apple developed a contact-tracing app for the billions of people worldwide who use iOS and Android.

The World Health Organization (WHO) describes a three-step process for contact tracing: Contact ID, then Listing (investigating who individuals with confirmed cases had contact with), and finally, Follow-up. It hit me that this is eerily similar to what I have spent my career as an intel analyst doing.

Identification
Threat intelligence analysts use any number of tools for threat identification, plus additional tools to store these indicators. Traditionally, analysts use their own spreadsheets and Word documents as living workspaces or scratch pads to begin investigations. As they collaborate with others inside the organization, there is an enormous amount of cutting and pasting information from one tool to another. Analysts bounce from TIP to SIEM to instant messages to email in order to collect and stitch together analysis. It sounds crazy, but this is how modern, "digitally transformed" businesses are still identifying and tracking threats today.

Listing
This is where the investigation truly begins — tracing the activity of a malicious actor. Moving from aggregation of indicators to analysis, analysts ask themselves "what does the data tell us?" Unfortunately, collaboration inside and outside the organization is fragmented. Information sharing is happening in pieces, across multiple tools, with no single thread for each investigation. True collaboration, with a single set of unified data, is simply not happening. Analysts must find their own way to piece together the "big picture" and visualize exactly what happened.

Follow-up
This is where the process is completely broken for intel analysts. A malicious threat found a month ago, which was investigated internally and dismissed as low-level, may re-emerge as part of a larger campaign. However, capturing that earlier threat investigation is almost impossible because the analysts would need to search through disparate tools and communication methods. The "chain of custody" for who knew what and when, as well as what was sufficiently analyzed and what was missed, is nonexistent. Other than the final event annotation and a handful of indicators with partial context, there is no collective history of knowledge to build upon. Teams must essentially start their analysis over.

What Contact Tracing for Threat Intel Reveals
While I was impressed by what I learned about contact tracing's success as a public health tool, I am left with a nagging feeling that in the security business, our own "contact tracing" reveals that our tools and processes are broken; it's no longer acceptable from an investigation standpoint, for risk management, and especially not from a human resources perspective. Highly capable, skilled, and, frankly, expensive employees are still operating in silos, stuck in the land of a thousand tools, with limited information sharing, and no means for true collaboration. This only increases risk to the business by extending investigations and frustrating all involved.

How can we ever solve the people problem in security when this is the environment we have created for our most experienced, expensive resources? Just like with forensic evidence, start by assessing your business's capability to maintain a "chain of custody" of analysis. Ask yourself the following questions:

● Where does past analysis live?
● Can our organization reasonably answer "who knew what and when" for intelligence support to investigations?
● Where does cross-team collaboration occur? Does it support easy continuity of knowledge as people enter and leave investigations and teams?

If you find that you're unable to answer these questions confidently, start small. Discuss and document a process for how multiperson analysis should occur. Identify and use a single location for analysis to be centrally stored — ideally, one that is easily searchable. Be sure this includes analysts' contemporaneous notes and indicators, as they may be helpful in future investigations. Finally, practice. Have an analyst attempt to re-create another analyst's work, and assess where gaps in documentation, process, or access to intelligence sources may lie. Over time, improve on this by focusing on efficiency and completeness of analysis.

Related Content:

 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register for this On-Demand event. 

Doug Helton is chief strategy officer and VP of Intelligence at King & Union, a cybersecurity company based in Alexandria, VA, that has built and designed Avalon, the industry's first cyber analysis platform. His passion for intelligence operations began as a signals ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I think the boss is bing watching '70s TV shows again!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-14451
PUBLISHED: 2020-12-02
An exploitable out-of-bounds read vulnerability exists in libevm (Ethereum Virtual Machine) of CPP-Ethereum. A specially crafted smart contract code can cause an out-of-bounds read which can subsequently trigger an out-of-bounds write resulting in remote code execution. An attacker can create/send m...
CVE-2017-2910
PUBLISHED: 2020-12-02
An exploitable Out-of-bounds Write vulnerability exists in the xls_addCell function of libxls 2.0. A specially crafted xls file can cause a memory corruption resulting in remote code execution. An attacker can send malicious xls file to trigger this vulnerability.
CVE-2020-13493
PUBLISHED: 2020-12-02
A heap overflow vulnerability exists in Pixar OpenUSD 20.05 when the software parses compressed sections in binary USD files. A specially crafted USDC file format path jumps decompression heap overflow in a way path jumps are processed. To trigger this vulnerability, the victim needs to open an atta...
CVE-2020-13494
PUBLISHED: 2020-12-02
A heap overflow vulnerability exists in the Pixar OpenUSD 20.05 parsing of compressed string tokens in binary USD files. A specially crafted malformed file can trigger a heap overflow which can result in out of bounds memory access which could lead to information disclosure. This vulnerability could...
CVE-2020-13496
PUBLISHED: 2020-12-02
An exploitable vulnerability exists in the way Pixar OpenUSD 20.05 handles parses certain encoded types. A specially crafted malformed file can trigger an arbitrary out of bounds memory access in TfToken Type Index. This vulnerability could be used to bypass mitigations and aid further exploitation....