The post-truth of “Threat intelligence”

Is that the new name for selling surveillance capabilities?

Siddharth Rao
10 min read · Nov 29, 2016

When identifying the root cause of a security breach or attack, we usually see the threat in weapons such as botnets, viruses and malware. However, some of the biggest threats to network security reside inside the company, in the form of its own employees. For this reason, modern network security forensics, the process of identifying the root cause of network-based crimes, relies on threat intelligence, which in turn drives a range of preventive measures. Let us have a look at one of the many definitions of this term.

“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”

- Gartner

With the increase of attacks on the internet and its supporting infrastructure, efforts to make these systems more secure have risen rapidly. The cyber security industry is shifting from the traditional “detect and improve” approach towards “predict and prevent” methodologies in its aim to build fail-safe security solutions. Advances in machine learning, artificial intelligence, data mining and pattern matching have contributed substantially to predicting future attacks from the previous failures of a system, i.e. the occasions on which it was attacked and compromised. Undoubtedly, these technologies have opened new dimensions for protecting an internet company’s assets that classical cryptography alone did not address: cryptography protects data in transit and at rest, not against a legitimate user misusing the access they were granted. Indeed, the “predict and prevent” methodology of securing internet businesses is a must-have weapon for surviving the constant arms race of the internet.

Network security companies selling threat intelligence products rely on many machine learning techniques to predict future security breaches. The expression “threat intelligence” is not only trending in internet jargon; it has also become one of the most frequently used phrases in the sales pitches of the security industry. The buzzword may attract more customers (mainly big corporations) to adopt threat intelligence products within their systems. However, it raises privacy concerns from the end-user’s point of view.

Traditional threat intelligence tooling includes honeypots, firewall policies and various pattern recognition techniques. However, driven by the demand for addressing insider threats, modern products focus very much on recording and recognising anomalous human behaviour. In simpler words, the software monitors people’s computers (mainly desktops) and presents the result as sophisticated analytics. Not so surprisingly, some of these companies can be found in the Surveillance Industry Index (SII) built by Privacy International and Transparency Toolkit.

This article investigates the modus operandi of modern threat intelligence software (MTIS) to highlight the privacy risks associated with it. It is an exploratory analysis based on live demos, information in brochures and on websites, and individual interactions.

System Overview

Think of MTIS as a piece of software working in client-server mode. The client is a background daemon process, installed by your employer, running covertly on your computing device. It communicates with a remote server that runs several analytics on the data it receives. The server also hosts an admin dashboard, which is explained in detail in the later sections.

The several MTIS products considered for this article follow a similar modus operandi despite being built by different companies. They try to log the journey of target components from their creation until their deletion, including every modification made in between. Figure 1 gives an overview in a nutshell.

Figure 1: System overview of modern threat intelligence software.

The components of the system are as follows:

Target component: The target component of the system deals with three aspects: (1) the source object, (2) its associated attributes and (3) its origin attributes. Target components are primarily based on metadata and file attributes.

  • Source object attributes: The MTIS mainly targets files on the hard disk as source objects. E-mails are treated either as a source object or as an associated attribute.
  • Associated attributes: The associated attributes of a file form its audit log: creation and last-modification timestamps, a version history of modifications, the creator of the file, the list of people with access to it (its access control list) and its position in the directory hierarchy. Note that mainstream operating systems do not keep a per-file version history by default, so the MTIS has to record it itself. The associated attributes of a mail comprise the metadata from its headers (to, from, subject and timestamp) together with first/last seen, attachments and the whole mail chain (replies and forwards) back to the creator of the mail.
  • Origin attributes: Origin attributes record where a file or e-mail came from, as an addendum to the associated attributes above. They are used to audit whether a file was downloaded from an e-mail or a website, or copied from a folder or the trash bin. Part of this is already stamped on the file by the platform: on Windows, browsers add a Zone.Identifier alternate data stream (the “mark of the web”) to downloaded files, and on macOS the com.apple.quarantine extended attribute plays the same role; the MTIS extends that with its own logging.

Monitoring: The monitoring component is a background process that records all ongoing activity on a user’s device around the clock. The data it captures is displayed as described in the next section, “Insightful User Interfaces”.

Security Policies: Security policies can cover activities such as the copying or modification of specific files, general norms of computer usage (such as using the VPN and the prescribed login mechanisms) and the acceptable range of events (e.g. the usual number of e-mails per day). Starting from the initial policies set by the company, the MTIS learns the usual behaviour of specific users and the general trend across all employees.

Event: Although the MTIS logs every activity of every user, it reports to the admin immediately when someone clearly violates a security policy. Depending on the action configured for the violation, the account can be locked out or subjected to further action. In simpler words, an event is triggered when somebody violates the security policies.

Insightful User Interfaces: Modes of displaying information

Judging by the flamboyant look and feel of the MTIS, the emphasis is clearly on graphically appealing user interfaces (UI) and interactive data visualisation. The interactivity not only makes the complex relationships between files and users easy to understand, it also helps in seeking insights into user behaviour. The admin panel, which has access to the dashboard, represents the monitored interactions of users with target components in the following two ways:

  • Social graph of files: From the access control lists and audit logs of files, the MTIS builds an interactive social graph as shown in Figure 2, more or less similar to the demo of one of the popular JavaScript libraries represented here. The admin starts by clicking on the target component that was detected as suspicious or malicious, and the software lets them navigate and explore its origin attributes, associated attributes, sub-events and the list of users who have access to it. The details include the associated timestamps in reverse chronological order.
Figure 2: POLE analytics strategy used by Nuix to display threat intelligence insight in the form of a social graph.
  • Screencasting of the desktop: The MTIS can record literally EVERYTHING that happens on a user’s machine, so from the dashboard the admin can watch a live or recorded screencast of the user’s desktop as if it were taking place on their own computer: how the user copied or modified files, opened the mailbox, composed an e-mail, or opened a browser and visited a specific website. The admin can play, pause, rewind and fast-forward the screencast as if watching a film called “How to invade someone’s privacy.” Screen capture of this sort is constrained by storage, so the MTIS captures the screencast as compressed GIFs and uploads them to the server periodically. Uploading the captures and related information to a remote server not only saves local disk space, it also prevents the users themselves from seeing what has been captured about them once the local copy is deleted.
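As an added example (not code from any vendor or from the original article), the provenance graph below implements the target-component bookkeeping of Figure 1 and the “click a suspicious file, then walk its origin, its spread, its users and its timeline” view of Figure 2. The audit log format, the actions, the paths, the mail identifier and the ACL are all constructed; a real MTIS would feed the same structure from its daemon’s file, mail and download hooks.

```python
"""Added example (not any vendor's code): a file-provenance graph of the kind
an MTIS builds from its audit log (Figure 1 target components) and the
'click a suspicious node, then walk origin/spread/users/timeline' view of
Figure 2. Log format, actions, paths and ACL are constructed assumptions."""
from collections import defaultdict, namedtuple
from datetime import datetime

Event = namedtuple("Event", "ts user action target origin")

# Constructed audit log: timestamp, user, action, target, origin ("-" if none).
# The origin is the node the target was derived from: a URL, a mail or a file.
AUDIT_LOG = """\
2016-11-01T09:02:11Z alice download    /home/alice/q3-forecast.xlsx https://intranet.example/finance/q3.xlsx
2016-11-01T09:05:40Z alice modify      /home/alice/q3-forecast.xlsx -
2016-11-02T14:21:03Z alice mail_attach mail:a1b2@example.com /home/alice/q3-forecast.xlsx
2016-11-02T14:30:55Z bob   mail_save   /home/bob/forecast.xlsx mail:a1b2@example.com
2016-11-03T18:50:00Z carol modify      /home/bob/forecast.xlsx -
2016-11-03T22:47:12Z bob   copy        /media/usb/forecast.xlsx /home/bob/forecast.xlsx
"""
# Constructed ACL: people with access who may never have touched the file.
ACL = {"/home/alice/q3-forecast.xlsx": {"alice", "dave"}}


def parse_audit_log(text):
    """Parse the constructed whitespace-separated log into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, target, origin = line.split(maxsplit=4)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user, action, target, None if origin == "-" else origin))
    return events


class ProvenanceGraph:
    """Nodes are files, mails and URLs; edges are 'derived from' relations."""

    def __init__(self, events):
        self.history = defaultdict(list)    # node -> events that touched it
        self.origins = defaultdict(set)     # node -> nodes it was derived from
        self.derived = defaultdict(set)     # node -> nodes derived from it
        self.touched_by = defaultdict(set)  # node -> users who acted on it
        for ev in sorted(events, key=lambda e: e.ts):
            self.history[ev.target].append(ev)
            self.touched_by[ev.target].add(ev.user)
            if ev.origin:
                # Reading the origin is itself an event in the origin's history.
                self.history[ev.origin].append(ev)
                self.touched_by[ev.origin].add(ev.user)
                self.origins[ev.target].add(ev.origin)
                self.derived[ev.origin].add(ev.target)

    def origin_chain(self, node):
        """Ancestors of `node` back to the root (website, mailbox, original file).
        Each node is visited once, so a copy-back cycle cannot loop forever."""
        chain, seen, stack = [], {node}, [node]
        while stack:
            for parent in sorted(self.origins.get(stack.pop(), ()), reverse=True):
                if parent not in seen:
                    seen.add(parent)
                    chain.append(parent)
                    stack.append(parent)
        return chain

    def spread(self, node):
        """Descendants of `node`: everywhere its content went (mails, copies, USB)."""
        out, stack = set(), [node]
        while stack:
            for child in self.derived.get(stack.pop(), ()):
                if child not in out:
                    out.add(child)
                    stack.append(child)
        return out

    def investigate(self, node, acl=None):
        """The admin's view after clicking a suspicious node in the graph."""
        acl = acl or {}
        timeline = sorted(self.history.get(node, ()), key=lambda e: e.ts, reverse=True)
        return {
            "origin_chain": self.origin_chain(node),
            "spread_to": sorted(self.spread(node)),
            "users": sorted(self.touched_by.get(node, set()) | acl.get(node, set())),
            "timeline": [(e.ts.isoformat(), e.user, e.action, e.target, e.origin)
                         for e in timeline],
        }


if __name__ == "__main__":
    graph = ProvenanceGraph(parse_audit_log(AUDIT_LOG))
    for key, value in graph.investigate("/media/usb/forecast.xlsx", ACL).items():
        print(key, value)
```

Starting from the USB copy, `origin_chain` walks back through bob’s mailbox copy, the mail alice sent, alice’s working file and the intranet URL it was downloaded from, which is exactly the path an investigator clicks through in the Figure 2 graph; `spread` answers the opposite question of where the original went. Note how much the graph reveals about people who did nothing suspicious (alice, carol and dave all appear), which is the point the privacy section below makes.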

Dashboard Analytics: Quantification of risk

Besides providing an interactive interface for forensic analysis of the root cause behind malicious or suspicious users and for monitoring every tiny detail of their activities, the MTIS provides further analytical features to administrators. It aggregates every user’s behavioural history, built from the monitored information and from violations of internal security policies (which are probably unknown to the users), to quantify the risk associated with each user. The dashboard provides the analytics in the following formats:

Figure 3: Example of Exabeam’s dashboard showing location details.
  • User behaviour history: The MTIS learns the general limits across all users under its radar: the average number of e-mails they send (which probably involves some time-series analysis), the average number of files a user creates, modifies, copies or deletes on a daily basis, their usage of encryption and VPN software, etc. The behavioural history also contains the locations from which each user has accessed their computer, shown as a travel map (previously travelled locations and the current location, as in Figure 3), along with the IP address, MAC address and ISP details and the type of device in use (mobile, tablet or desktop). If a user exceeds any of these limits or any other anomaly is found in their behaviour, the MTIS tags them as a target or suspicious insider and assigns them a risk score.
Figure 4: Example of Exabeam’s dashboard showing aggregated user-based risk analytics
  • Aggregated dashboard: The dashboard provides a comprehensive overview of all users and an aggregated insight into their behaviour. Based on the risk score mentioned above, it categorises users mainly into Notable Users, Users in Watchlist and Account Lockouts (as shown in Figure 4), the first being the least threatening and the last being the accounts locked that day because their anomaly score crossed a certain threshold. It also groups users by specific behaviours to show the Most Visited Locations, Top Travellers, Most Risky Mailbox, etc.
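As an added example (not code from any vendor or from the original article), the scoring below implements what the Security Policies and Event components and the two dashboard items above describe: per-user and population baselines are learned from history, a user-day is scored by how far it sits outside its baseline plus fixed weights for explicit policy violations (no VPN, a new country, a USB write), and the score buckets the user into the three Figure 4 categories. The policy, its thresholds and weights, and every activity record are constructed assumptions. The standard-deviation floor is one design choice a practitioner needs: a user with perfectly regular habits would otherwise be flagged as infinitely anomalous at the first deviation.

```python
"""Added example (not any vendor's code): behavioural baselines, user-day risk
scoring and the three dashboard buckets. Policy, weights, thresholds and every
activity record below are constructed assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

METRICS = ("emails_sent", "files_copied", "usb_writes")
MIN_DAYS_FOR_USER_BASELINE = 3  # fewer days than this: use the population baseline

# Constructed policy: anomaly threshold in standard deviations, a per-metric cap so
# one metric cannot dominate, weights for explicit violations, and the two
# dashboard thresholds (notable < watchlist_at <= watchlist < lockout_at <= lockout).
POLICY = {
    "z_threshold": 3.0,
    "z_cap": 25.0,
    "violation_weights": {"no_vpn": 10, "new_country": 15, "usb_write": 20},
    "watchlist_at": 20,
    "lockout_at": 50,
}


def _rec(day, user, emails, files, usb, country="US", vpn=True):
    return {"day": day, "user": user, "emails_sent": emails, "files_copied": files,
            "usb_writes": usb, "country": country, "vpn": vpn}


# Constructed history: five ordinary working days for three users.
HISTORY = (
    [_rec(d, "alice", e, f, 0) for d, (e, f) in enumerate(zip((20, 22, 19, 21, 18), (3, 4, 2, 3, 3)))]
    + [_rec(d, "bob", e, f, 0) for d, (e, f) in enumerate(zip((10, 12, 11, 9, 13), (5, 6, 4, 5, 5)))]
    + [_rec(d, "carol", e, f, 0) for d, (e, f) in enumerate(zip((30, 28, 32, 29, 31), (1, 2, 1, 1, 2)))]
)
# Constructed "today": alice is normal, bob copies 140 files and writes 7 of them
# to USB, carol logs in from a new country without the VPN.
TODAY = [
    _rec(5, "alice", 21, 3, 0),
    _rec(5, "bob", 12, 140, 7),
    _rec(5, "carol", 31, 2, 0, country="BR", vpn=False),
]


def _stats(records):
    """(mean, stdev) per metric. Stdev is floored at 1.0: a user who sends exactly
    10 mails every day would otherwise be infinitely anomalous at 11."""
    out = {}
    for m in METRICS:
        values = [r[m] for r in records]
        out[m] = (mean(values), max(pstdev(values), 1.0))
    return out


def build_baselines(history):
    """Population baseline, per-user baselines and the countries each user was seen in."""
    by_user, countries = defaultdict(list), defaultdict(set)
    for r in history:
        by_user[r["user"]].append(r)
        countries[r["user"]].add(r["country"])
    return {
        "population": _stats(history),
        "per_user": {u: _stats(rs) for u, rs in by_user.items()
                     if len(rs) >= MIN_DAYS_FOR_USER_BASELINE},
        "countries": dict(countries),
    }


def score_day(record, baselines, policy=POLICY):
    """Risk score for one user-day, plus the reasons the admin would be shown."""
    user = record["user"]
    base = baselines["per_user"].get(user, baselines["population"])
    score, reasons = 0.0, []
    for m in METRICS:
        mu, sd = base[m]
        z = (record[m] - mu) / sd
        if z > policy["z_threshold"]:
            score += min(z, policy["z_cap"])
            reasons.append(f"{m}={record[m]} is {z:.1f} sigma above baseline {mu:.1f}")
    weights = policy["violation_weights"]
    if not record["vpn"]:
        score += weights["no_vpn"]
        reasons.append("login without VPN")
    if record["country"] not in baselines["countries"].get(user, set()):
        score += weights["new_country"]
        reasons.append(f"login from new country {record['country']}")
    if record["usb_writes"] > 0:
        score += weights["usb_write"]
        reasons.append("wrote files to USB")
    return round(score, 1), reasons


def classify(score, policy=POLICY):
    """Map a score to the Figure 4 buckets."""
    if score >= policy["lockout_at"]:
        return "lockout"
    if score >= policy["watchlist_at"]:
        return "watchlist"
    return "notable"


def dashboard(today, baselines, policy=POLICY):
    """Aggregated view: every user bucketed and sorted by descending score."""
    buckets = {"notable": [], "watchlist": [], "lockout": []}
    for r in today:
        score, reasons = score_day(r, baselines, policy)
        buckets[classify(score, policy)].append((r["user"], score, reasons))
    for bucket in buckets.values():
        bucket.sort(key=lambda entry: -entry[1])
    return buckets
```

Running `dashboard(TODAY, build_baselines(HISTORY))` puts bob in the lockout bucket (the 140-file copy is capped at 25 points, the USB writes add their own anomaly points plus the hard policy weight), alice in notable, and carol in the watchlist. Carol reaches the watchlist purely by travelling and skipping the VPN, with no data movement at all: the location and VPN checks are exactly the parts of the model that the privacy section below objects to. A user with fewer than three days of history is scored against the population baseline and, having no recorded countries, is flagged for a “new country” on their first day, so a fresh employee is the person most likely to be mis-scored.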

Privacy concerns of such threat intelligence

Under certain circumstances, the MTIS might be able to find the actual cause of anomalous user behaviour. For example, it logs failed login attempts, which could be due to malware on a compromised device or to bots mimicking a legitimate user with stolen credentials. From the privacy point of view, however, having all your activities watched, and letting someone access the recordings without any particular reason, is no different from a mass surveillance programme. For any legitimate employee, the usage of such software is a privacy nightmare on the following grounds:

Workplace privacy: Imagine you work for a company that uses MTIS to defend its systems against insider threats. It means none of your activities on a computing device of that company is private any more. *Do your employers care about workplace privacy if they use such corporate surveillance mechanisms?* Ethically it is wrong, as everyone has their personal space whether or not they are in their workplace. This is a particularly significant threat to personal privacy with the growing trend of Bring Your Own Device (BYOD) work culture, where there is very little separation between work life and personal life, as everything is done through the same device.

Service agreements and ethics: Beyond workplace privacy, the usage of MTIS makes the service agreements and ethics of an employer debatable. When a person is employed by a company, how much is he or she obliged to be monitored? How is reading every mail and monitoring every bit of his or her activity justified? Is it done with the employee’s consent, even if only through long and confusing service agreements written in sophisticated corporate legal jargon? And what about the ethics of the companies building the software?

The above two points highlight the consequences of using MTIS in corporate environments. Now think what happens if this software is sold to nation-state agencies and police intelligence agencies (e.g., NSA, GCHQ, FBI). Isn’t that an even bigger threat to civilians everywhere?

Surveillance capabilities: We have already witnessed security companies selling surveillance and censorship products to government agencies, such as here and here. The technologies used by these companies make it easier to gain insight into user behaviour and to monitor their activities constantly, and thus create a business opportunity to sell these surveillance systems to governments at a premium price. It not only reduces the development effort of the government spying agencies, it also allows them to scale this niche software to their surveillance needs. No wonder the companies building MTIS are found in the surveillance index mentioned earlier.

Conclusion

Technological advancement makes many of our lives easier by helping us in our day-to-day life. Things that were complicated to understand, and even more complicated to execute, have become “push of a button” tasks. This ease might have surprised many of us, but it disturbs those who are privacy fanatics.
Threat intelligence may be a sheer necessity for many modern internet businesses. But, in the competition for dominant market share, the companies building threat intelligence products have been very closed in nature. One might argue on their behalf that some of them are working for social good. However, without transparency and openness, from the public privacy point of view these companies are nothing but task forces with surveillance capabilities.

Siddharth Rao

Ford-Mozilla Open Web Fellow #Security #Privacy #Crypto #Advocacy