Sunday, August 13, 2017

The need for dump analysis in Cyber Threat Intelligence (CTI)

Over the last year, numerous dumps of stolen classified data have been posted on the Internet for all to see. The damage these dumps have done to the US intelligence community is obviously huge. This post will not discuss that damage (many others have already pontificated on it). Instead, it focuses on why CTI analysts need to analyze the dumps themselves.

For the first time, CTI analysts have a view of what appears to be a relatively complete nation-state toolset in the Shadow Brokers dumps, and insight into tool development and computer network exploitation (CNE) tool requirements in the Vault 7 dumps. These are game changers for CTI analysts. We define threat as the intersection of intent, opportunity, and capability. These tools and documents highlight the capabilities of an APT adversary. Whether or not you believe the US intelligence services have the intent to attack your network, it is likely (almost certain) that other nation-state attackers have developed similar capabilities. Analyzing the data you do have available (Shadow Brokers and Vault 7) can help shed light on what you don't have available (every other nation-state attacker's toolset in a single dump).

Note: We understand that this is a sensitive topic. When classified data is leaked, it remains classified until a classification authority declassifies it. There is no evidence that any classification authority has declassified the data in the Shadow Brokers or Vault 7 dumps; it is likely that they remain classified to this day. The advice in this article may put those with security clearances at odds with the advice of their security officers. Please proceed with care.

Read the full post on the Rendition Infosec blog.