
Operations

6/25/2020
02:00 PM
Doug Helton

Contact Tracing & Threat Intel: Broken Tools & Processes

How epidemiology can solve the people problem in security.

Like many others, I've alternated between a mild obsession with learning everything about COVID-19 and never wanting to hear about it again. I recently watched the governor of Massachusetts on CBS News' Face the Nation. He spoke of Partners in Health's use of contact tracing in Ebola- and Zika-stricken countries, and then said something that struck me: "It's not theoretical. They've done it before. They know how to do it." His message was: It works.

I began reading about how contact tracing worked for outbreaks like Ebola and researched what other countries are doing. In Israel, the Ministry of Health has released an app that uses cellular GPS data to provide alerts when people nearby are documented carriers of COVID-19. In the private sector, Google and Apple developed a contact-tracing app for the billions of people worldwide who use iOS and Android.

The World Health Organization (WHO) describes a three-step process for contact tracing: Contact ID, then Listing (investigating who individuals with confirmed cases had contact with), and finally, Follow-up. It hit me that this is eerily similar to what I have spent my career as an intel analyst doing.

Identification
Threat intelligence analysts use any number of tools for threat identification, plus additional tools to store the resulting indicators. Traditionally, analysts use their own spreadsheets and Word documents as living workspaces or scratch pads to begin investigations. As they collaborate with others inside the organization, an enormous amount of information is cut and pasted from one tool to another. Analysts bounce from the threat intelligence platform (TIP) to the SIEM to instant messages to email in order to collect and stitch together their analysis. It sounds crazy, but this is how modern, "digitally transformed" businesses are still identifying and tracking threats today.

Listing
This is where the investigation truly begins — tracing the activity of a malicious actor. Moving from aggregation of indicators to analysis, analysts ask themselves "what does the data tell us?" Unfortunately, collaboration inside and outside the organization is fragmented. Information sharing is happening in pieces, across multiple tools, with no single thread for each investigation. True collaboration, with a single set of unified data, is simply not happening. Analysts must find their own way to piece together the "big picture" and visualize exactly what happened.

Follow-up
This is where the process is completely broken for intel analysts. A malicious threat found a month ago, which was investigated internally and dismissed as low-level, may re-emerge as part of a larger campaign. However, capturing that earlier threat investigation is almost impossible because the analysts would need to search through disparate tools and communication methods. The "chain of custody" for who knew what and when, as well as what was sufficiently analyzed and what was missed, is nonexistent. Other than the final event annotation and a handful of indicators with partial context, there is no collective history of knowledge to build upon. Teams must essentially start their analysis over.

What Contact Tracing for Threat Intel Reveals
While I was impressed by what I learned about contact tracing's success as a public health tool, I am left with a nagging feeling that in the security business, our own "contact tracing" reveals that our tools and processes are broken; it's no longer acceptable from an investigation standpoint, for risk management, and especially not from a human resources perspective. Highly capable, skilled, and, frankly, expensive employees are still operating in silos, stuck in the land of a thousand tools, with limited information sharing, and no means for true collaboration. This only increases risk to the business by extending investigations and frustrating all involved.

How can we ever solve the people problem in security when this is the environment we have created for our most experienced, expensive resources? Just like with forensic evidence, start by assessing your business's capability to maintain a "chain of custody" of analysis. Ask yourself the following questions:

● Where does past analysis live?
● Can our organization reasonably answer "who knew what and when" for intelligence support to investigations?
● Where does cross-team collaboration occur? Does it support easy continuity of knowledge as people enter and leave investigations and teams?

If you find that you're unable to answer these questions confidently, start small. Discuss and document a process for how multiperson analysis should occur. Identify and use a single location for analysis to be centrally stored — ideally, one that is easily searchable. Be sure this includes analysts' contemporaneous notes and indicators, as they may be helpful in future investigations. Finally, practice. Have an analyst attempt to re-create another analyst's work, and assess where gaps in documentation, process, or access to intelligence sources may lie. Over time, improve on this by focusing on efficiency and completeness of analysis.
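One concrete shape for the single, searchable location and the "chain of custody" of analysis described above, as an added example that is not from the article or from any product it mentions: an append-only journal of analyst notes, indexed by indicator and hash-chained, so that a dismissed indicator that resurfaces a month later comes back with its earlier verdicts and authors attached, and any later alteration of the record is detectable. The class and function names, the sample entries, analysts and indicators are all constructed for the illustration.

```python
import hashlib
import json

class AnalysisJournal:
    """Append-only store of analyst notes, indexed by indicator and
    hash-chained so that later edits to the record are detectable."""
    def __init__(self):
        self.entries = []       # every note ever recorded, in order
        self.by_indicator = {}  # indicator -> [entry sequence numbers]

    def record(self, when, analyst, investigation, indicators, verdict, note):
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries), "when": when, "analyst": analyst,
                 "investigation": investigation, "indicators": sorted(indicators),
                 "verdict": verdict, "note": note, "prev": prev}
        entry["digest"] = _digest(entry)  # covers every field above
        self.entries.append(entry)
        for ind in indicators:
            self.by_indicator.setdefault(ind, []).append(entry["seq"])
        return entry["digest"]

    def history(self, indicator):
        """All prior notes that mention the indicator, oldest first."""
        return [self.entries[i] for i in self.by_indicator.get(indicator, [])]

    def verify(self):
        """Recompute the chain; False if an entry was altered or an interior one removed."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "digest"}
            if body["prev"] != prev or _digest(body) != e["digest"]:
                return False
            prev = e["digest"]
        return True

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def triage(journal, new_indicators):
    """Map each indicator of a fresh alert that already has analysis on file
    to its (when, analyst, verdict) history: 'who knew what and when'."""
    return {ind: [(e["when"], e["analyst"], e["verdict"]) for e in journal.history(ind)]
            for ind in new_indicators if journal.history(ind)}

# Constructed sample: an IP dismissed as low-level a month earlier resurfaces.
SAMPLE = AnalysisJournal()
SAMPLE.record("2020-05-20T14:05Z", "alice", "INV-0421", ["203.0.113.7"], "low",
              "one failed login from this IP; no follow-on activity seen")
SAMPLE.record("2020-06-22T09:40Z", "bob", "INV-0498", ["203.0.113.7", "cdn-update.example"],
              "investigating", "same IP now hosts a download site linked from phishing mail")
```

Running `triage(SAMPLE, ["203.0.113.7"])` returns the May "low" verdict alongside the June one, which is exactly the context the article says teams currently lose; `verify()` is the check that nobody quietly rewrote that earlier verdict.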


Doug Helton is chief strategy officer and VP of Intelligence at King & Union, a cybersecurity company based in Alexandria, VA, that has built and designed Avalon, the industry's first cyber analysis platform. His passion for intelligence operations began as a signals ...
