Being a cyber threat intelligence analyst and operating in the fog of uncertainty

A lot has been said, blogged and marketed on WannaCry ransomware with many pointing fingers at who they think might be behind it. The objective of this blog isn’t to critique, support or disprove any specific hypothesis. The goal is to highlight what it means to be a cyber threat intelligence professional who will most certainly be faced with the reality of incomplete information and/or different levels of uncertainty. The ability to operate and make assessments under a fog of uncertainty is what intelligence analysts do…it’s a core competency!

Ultimately, those analysts willing to stand up publicly or within their respective organization to make a reasoned and well explained assessment should be applauded. My hats off to those intelligence analysts.

The value of attribution

There is a continuous debate in the information security community about the usefulness of attribution. First, attribution is attainable and happens at various levels all the time. Attribution comes in various levels such as a specific person, a group, a nation-state, an general effort, etc. Attribution absolutely can provide valuable insight that is relevant to decision-making at all levels.

As an example, let’s assume that we are a member of the information security team of an organization that had several machines infected with WannaCry. Our machines contained business critical files that were encrypted. Initially, we believe this ransomware is deployed by financially motivated cyber criminals. Conventional wisdom suggests that if you pay a criminal to decrypt your ransomed files, there’s a high probability they will be decrypted. At this point you advise your executives that if you paid the less than $1,000 USD, your systems will likely be decrypted.

You later learn, having not paid for your files to be decrypted yet, that North Korea is the most likely culprit for the ransomware on your systems. Your organization is based in South Korea and is involved with economic policy research. How would the likely attribution of WannaCry to North Korea change how your organization would respond to the ransomed systems?

Dealing with uncertain answers is the name of the game

As a cyber threat intelligence professional, it’s up to us to use our skills and experience to help our intelligence consumers understand the who, what, why, when, how…and what else. A lot of that involves dealing with uncertainty and a lack of information where (at the time) there is no right or wrong answer. At the end of the day the intelligence game is like criminal profiling. You hope that you will be right 99.9% of the time, but you operate under the assumption that you are right 100% of the time because the benefit of doing so greatly outweighs the disadvantages of doing so.

With regards to WannaCry and the companies that publicly expressed their opinion based on who was behind it, congratulations. I was very impressed with the reasoned arguments and confidence levels expressed. Props especially to Neel Mehta from Google, Kaspersky, Symantec, Digital Shadows (big props!) and of course the Intel 471 team. To those that ridiculed the organizations that had the expertise and courage to make and explain their assertions, hopefully you will be part of the cyber threat intelligence community in the future.

Express your opinion, the reasons behind it, your level of confidence and don’t be afraid to be wrong

Don’t be afraid to express your opinion, why you think it, your level of confidence, multiple hypothesis and even highlight your information gaps. On the Intel 471 side, despite publicly saying that we believed North Korea was the most likely culprit for WannaCry, we spent and continue to spend time and resources on researching financially motivated cyber criminals who might be the culprit. We are effectively researching avenues that would be counter to what we said publicly as our confidence level in our assertion was low.

If you just publish facts, you are more a journalist or police officer, not a cyber threat intelligence analyst

Former CIA Director John Brennan summed up the intelligence game versus evidence gathering well during a recent hearing:

A US Congressman asked if Brennan (former CIA Director) had “evidence” of collusion between Trump and Russia.
“I don’t do evidence,” Brennan replied.

If you sat on the fence of the WannaCry attribution debate and said there wasn’t enough information for you to form an opinion on who the likely culprit was, have a close look at whether in the past you have been simply reporting facts like a reporter or police officer doing an investigation. A true intelligence analyst must have the ability to deal with information gaps and uncertainty as well as effectively fight their biases. It’s a reality of the space we live in.

Sources:

https://twitter.com/neelmehta/status/864164081116225536

https://www.cyberscoop.com/wannacry-ransomware-north-korea-lazarus-group/

https://www.symantec.com/connect/blogs/what-you-need-know-about-wannacry-ransomware

https://www.digitalshadows.com/blog-and-research/wannacry-an-analysis-of-competing-hypotheses/

https://www.cyberscoop.com/wannacry-ransomware-intel-471-north-korea-south-korea/

https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group