Operations

6/25/2020
02:00 PM
Doug Helton
Commentary
Contact Tracing & Threat Intel: Broken Tools & Processes

How epidemiology can solve the people problem in security.

Like many others, I've alternated between a mild obsession with learning everything about COVID-19 and never wanting to hear about it again. I recently watched the governor of Massachusetts on CBS News' Face the Nation. He spoke of Partners in Health's use of contact tracing in Ebola- and Zika-stricken countries, and then said something that struck me: "It's not theoretical. They've done it before. They know how to do it." His message was: It works.

I began reading about how contact tracing worked for outbreaks like Ebola and researched what other countries are doing. In Israel, the Ministry of Health has released an app that uses cellular GPS data to provide alerts when people nearby are documented carriers of COVID-19. In the private sector, Google and Apple developed a contact-tracing app for the billions of people worldwide who use iOS and Android.

The World Health Organization (WHO) describes a three-step process for contact tracing: Contact ID, then Listing (investigating who individuals with confirmed cases had contact with), and finally, Follow-up. It hit me that this is eerily similar to what I have spent my career as an intel analyst doing.

Identification
Threat intelligence analysts use any number of tools for threat identification, plus additional tools to store these indicators. Traditionally, analysts use their own spreadsheets and Word documents as living workspaces or scratch pads to begin investigations. As they collaborate with others inside the organization, there is an enormous amount of cutting and pasting of information from one tool to another. Analysts bounce from the threat intelligence platform (TIP) to the SIEM to instant messages to email in order to collect and stitch together analysis. It sounds crazy, but this is how modern, "digitally transformed" businesses are still identifying and tracking threats today.

Listing
This is where the investigation truly begins — tracing the activity of a malicious actor. Moving from aggregation of indicators to analysis, analysts ask themselves "what does the data tell us?" Unfortunately, collaboration inside and outside the organization is fragmented. Information sharing is happening in pieces, across multiple tools, with no single thread for each investigation. True collaboration, with a single set of unified data, is simply not happening. Analysts must find their own way to piece together the "big picture" and visualize exactly what happened.

Follow-up
This is where the process is completely broken for intel analysts. A malicious threat found a month ago, which was investigated internally and dismissed as low-level, may re-emerge as part of a larger campaign. However, capturing that earlier threat investigation is almost impossible because the analysts would need to search through disparate tools and communication methods. The "chain of custody" for who knew what and when, as well as what was sufficiently analyzed and what was missed, is nonexistent. Other than the final event annotation and a handful of indicators with partial context, there is no collective history of knowledge to build upon. Teams must essentially start their analysis over.

What Contact Tracing for Threat Intel Reveals
While I was impressed by what I learned about contact tracing's success as a public health tool, I am left with a nagging feeling that in the security business, our own "contact tracing" reveals that our tools and processes are broken; it's no longer acceptable from an investigation standpoint, for risk management, and especially not from a human resources perspective. Highly capable, skilled, and, frankly, expensive employees are still operating in silos, stuck in the land of a thousand tools, with limited information sharing, and no means for true collaboration. This only increases risk to the business by extending investigations and frustrating all involved.

How can we ever solve the people problem in security when this is the environment we have created for our most experienced, expensive resources? Just like with forensic evidence, start by assessing your business's capability to maintain a "chain of custody" of analysis. Ask yourself the following questions:

● Where does past analysis live?
● Can our organization reasonably answer "who knew what and when" for intelligence support to investigations?
● Where does cross-team collaboration occur? Does it support easy continuity of knowledge as people enter and leave investigations and teams?

If you find that you're unable to answer these questions confidently, start small. Discuss and document a process for how multiperson analysis should occur. Identify and use a single location for analysis to be centrally stored — ideally, one that is easily searchable. Be sure this includes analysts' contemporaneous notes and indicators, as they may be helpful in future investigations. Finally, practice. Have an analyst attempt to re-create another analyst's work, and assess where gaps in documentation, process, or access to intelligence sources may lie. Over time, improve on this by focusing on efficiency and completeness of analysis.
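The "chain of custody" of analysis described above, as an added example that is not part of the original commentary or any product it mentions: a small append-only, hash-chained investigation journal in which every note records the analyst, the indicators, the verdict and the time, so that "who knew what and when" is a query rather than a search through scattered tools, and a re-emerging indicator from a month-old dismissed finding is linked to the new case automatically. The analyst names, investigation IDs, indicators (documentation address ranges) and notes are constructed sample data.

```python
import hashlib, json
from datetime import datetime, timezone

class AnalysisJournal:
    """Append-only, hash-chained investigation journal, searchable by indicator."""
    def __init__(self):
        self.entries = []

    def _digest(self, body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, analyst, investigation, indicators, note, verdict, when):
        """Append one analyst note; every entry commits to the digest of the one before it."""
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "analyst": analyst, "investigation": investigation,
                "indicators": sorted(indicators), "note": note, "verdict": verdict,
                "when": when.isoformat(), "prev": prev}
        self.entries.append({**body, "digest": self._digest(body)})
        return body["seq"]

    def who_knew(self, indicator):
        """Answer 'who knew what and when' for one indicator, oldest entry first."""
        return [(e["when"], e["analyst"], e["investigation"], e["verdict"], e["note"])
                for e in self.entries if indicator in e["indicators"]]

    def prior_context(self, indicators):
        """Earlier investigations that touched any indicator of a new case."""
        return sorted({e["investigation"] for e in self.entries
                       if set(e["indicators"]) & set(indicators)})

    def verify(self):
        """Recompute the chain; an edited or deleted past entry breaks it."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "digest"}
            if e["seq"] != i or e["prev"] != prev or self._digest(body) != e["digest"]:
                return False
            prev = e["digest"]
        return True

def build_sample_journal():
    """Constructed sample: a May finding dismissed as low, and a June case sharing one indicator."""
    j = AnalysisJournal()
    j.record("alice", "INV-0417", ["203.0.113.7", "invoice-update.example"],
             "single phishing lure, no follow-on activity seen", "dismissed-low",
             datetime(2020, 5, 20, 14, 5, tzinfo=timezone.utc))
    j.record("bob", "INV-0522", ["203.0.113.7", "198.51.100.23"],
             "beaconing from a finance workstation", "open-high",
             datetime(2020, 6, 22, 9, 30, tzinfo=timezone.utc))
    return j
```

Running `build_sample_journal().who_knew("203.0.113.7")` returns alice's dismissed May note ahead of bob's June case, and `verify()` turns false the moment any earlier entry is altered, which is the property a chain of custody needs when the practice exercise has one analyst re-create another's work.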


Doug Helton is chief strategy officer and VP of Intelligence at King & Union, a cybersecurity company based in Alexandria, VA, that has built and designed Avalon, the industry's first cyber analysis platform. His passion for intelligence operations began as a signals ...