The UK’s Ministry of Defence defines intelligence as the directed and co-ordinated acquisition and analysis of information to assess capabilities, intent and opportunities for exploitation by decision-makers at all levels.
Information, on the other hand, is defined as unprocessed data of every description that may be used in the production of intelligence.
I describe intelligence as actionable information.
The key question to ask when presented with ‘intelligence’ is: “what can I do with it?”
Whatever the subject matter, the hallmark of intelligence is that it can be practically applied to the situation at hand in order to produce a visible outcome. It helps companies gain a competitive advantage in the market; it helps police investigate and prevent crime, and it directly informs military strategy. Within cyber security, intelligence is a key component of information security strategies that identify individual threats and address them with specificity.
Cyber security testing programmes based on information (rather than intelligence) are necessarily more academic in focus – they address topics in broad strokes without meaningfully exploring their unique impact on the organisation in question.
Information-led vulnerability assessments might identify flaws within the network, but they don’t exploit them or demonstrate the full impact of a potential breach. Likewise, conventional, information-led penetration tests attempt to exploit vulnerabilities, but they don’t typically evaluate either the wider business considerations (i.e. the geo-political context) or the current methods of threat actors.
An intelligence-led approach to testing asks the following questions before any testing begins:
If a security tester cannot provide plausible answers to the above questions, can they truly claim that their testing program is tailored to the client? No two organisations share the same risk profile.
The best way to answer the questions above is to conduct a threat assessment – a systematic examination of all potential threats in order to understand their individual credibility. The assessment identifies an organisation’s key assets, processes, technology and digital footprint before mapping these attributes to the most likely threat actors and their tactics, techniques and procedures (TTPs).
Likely threat scenarios are then constructed based on this process. This will involve the coordinated collection and analysis of information on matters relating to an organisation, and its associated threat actors. The end product will provide context, assessment and advice. A testing program that is based on the output of a threat intelligence assessment can be considered intelligence-led.
In 2015, five major hotel groups were breached by attackers using malware to infect point of sale systems at gift shops, restaurants, bars and other on-property facilities, which in turn exposed the identities and payment card information of guests. It is likely that these cases involved the same or similar threat actors, with similar motivations, and possibly, similar TTPs.
If a sixth hotel commissioned an intelligence-led security test, a threat assessment would analyse the details from the 2015 attacks, and work with a penetration tester to conduct more robust, relevant and up-to-date security tests. Thus, an intelligence-led security test focuses on the most credible threats, and provides an organisation with the opportunity to increase their resilience to real-life cyber threats.
One of the main ways in which security testers can use the output of a threat assessment is to devise simulated attacks which mimic the modus operandi of likely attackers. Typically, a threat assessment will identify realistic scenarios, and document plausible attack sequences which the tester can emulate. Where traditional penetration tests are usually limited to technology, the scope of simulated attacks is limited only by the imagination (or willingness) of the participants – any exploitation opportunities around people, processes, facilities and assets are open for discussion.
This allows an organisation to test their security team’s detection capabilities, improve incident response processes and promote business continuity, disaster recovery and security awareness programs. Together with a threat assessment, an intelligence-led test could provide insight and a safe environment for the board to debate how they would interact with regulators, customers and the media in the event of an attack.
The move away from check-box compliance to risk-based thinking can be demonstrated by the increasing number of intelligence-led security testing frameworks.
CREST have developed a framework to deliver controlled, bespoke, intelligence-led cyber security tests known as STAR (Simulated Targeted Attack and Response). The Bank of England have created the CBEST framework, which tests the resilience of the UK financial system and its infrastructure, against cyber security threats.
Other financial regulators around the globe are in the process of creating similar frameworks. Security Alliance is both a CREST STAR and CBEST approved organisation.
All security tests, whether they be vulnerability assessments, penetration tests or simulated attacks, provide information that an organisation can use to defend itself. However, an intelligence-led test, i.e. a simulated attack supported by a threat assessment, will identify the most pertinent risks to an organisation. Such tests enable organisations to consider the most critical and attractive assets from the perspective of potential attackers, which in turn makes it easier to create and adopt security policies and training programmes that accurately reflect their unique threat landscape.
In short, intelligence-led security programmes help resource-constrained organisations prioritise the most dangerous and credible threats in their mitigation strategies.