Threat intelligence has become a bucket for a lot of things – from indicators of compromise (IOCs) to malware reverse engineering to deep and dark web scans. And while all of these elements provide insight into the criminal underworld, in many cases it takes a more robust capability to process them, translate them into the context of a specific business and identify a specific risk. As a former Marine with expertise in counterintelligence, Human Intelligence (HUMINT) and Technical Surveillance Countermeasures (TSCM), Jason Passwaters leveraged his international warfighting experience to build uniquely qualified teams at iSIGHT Partners and then in co-founding Intel 471. His military service taught him to emphasize three areas that can make threat intelligence more targeted and actionable for organizations.
Security: What is your background? And current role at Intel 471?
Passwaters: I'm the co-founder and COO at Intel 471. I spent the better part of the last 14 years working around the globe building and managing cyber threat intel teams and doing intel. My current role is focused on helping define the company’s overall strategy and overseeing its execution. Prior to Intel 471, I was the Senior Director of Global Research at iSIGHT Partners where I led a globally dispersed intelligence department across 14 countries.
Before jumping into the commercial cyber threat intelligence space, I led a team of forensics and intrusion analysts at Crucial Security, acquired by Harris Corp., assigned to the FBI’s Investigative Analysis Unit (IAU). I supported cyber agents around the country in network forensics as well as tracking some of the world's most sophisticated cybercriminals.
My primary expertise was related to Eastern European and Russian cybercrime. My traditional intelligence experience was gained through nearly 12 years in the U.S. Marines where I served as a Counterintelligence and Human Intelligence (HUMINT) specialist, a Technical Surveillance Countermeasures (TSCM) specialist and an Infantry Scout.
Security: How has threat intelligence evolved over the years?
Passwaters: I look at this from two different points of view: threat intelligence as an industry and threat intelligence as a discipline. Ten to 12 years ago, the industry revolved around vendors performing the full intelligence cycle to some level but only selling the final, polished output. Aside from some indicators of compromise (IoC) feeds or those IoCs found in a broader report, they wouldn’t expose the raw data and intelligence collection directly. Rather, vendors would deliver longer form intelligence reporting, which traditionally is called finished intelligence (FINTEL). The vendors were the ones staffing the traditional intelligence analysts to publish the product, which took a long time to curate and rarely was delivered in a timely manner. A shift then started first in the financial industry where you saw actual intelligence teams and capabilities being built out. This has evolved into what we see today where organizations have built or are building out capabilities complete with their own analyst teams and intelligence management functions. They’ve been pulling in experienced government and military intelligence professionals to cooperate with their traditional cybersecurity professionals. At the end of the day, an intelligence analyst working on the inside and who is intimately familiar with their company will know what’s relevant significantly better than any vendor analyst ever would. What hasn’t changed is the fact that threat intelligence vendors are best positioned to do the externally focused intelligence collection and reporting. This is often outside of the risk tolerance or resources of a typical commercial organization. Lastly, recently we’ve seen several threat intelligence vendors progress in figuring out how to scale and package threat intelligence for organizations that aren’t Fortune 1000, where budgets typically are much smaller.
This moves the threat intelligence industry toward some common use cases and business problems that are more broadly relevant across multiple sectors with pricing that less-funded security teams can afford.
As a discipline, we’ve seen threat intelligence now spread across nearly all major industries. Having an intelligence capability used to be reserved for those with deep pockets, but we’re now seeing more and more organizations invest in building an intelligence capability to help their leadership make more informed decisions. One aspect that’s really started to take shape over the last five years is threat intelligence support outside of the cybersecurity operations use case. Threat intelligence teams are getting out and engaging with other potential stakeholders in their business, educating them on their mission and value add and soliciting requirements they can factor into their overall intelligence effort. For example, threat intelligence teams have been orienting toward supporting the third-party vendor/supplier risk issue (probably the most challenging issue in information security today) for some time and especially since we saw the SolarWinds incident as well as the shift in ransomware groups exposing sensitive data of victims to force payment. Lastly, we’ve seen a large push across the industry to standardize around common language and frameworks such as MITRE ATT&CK and even our own General Intelligence Requirements (GIR) framework, which is used by a multitude of organizations of different sizes and across many sectors. There’s still work to be done, but it’s this constant maturation of the discipline matched with an ever-present and changing threat that has made threat intelligence an essential capability for organizations today.
Security: In your opinion, what can cyber threat intelligence learn from the military?
Passwaters: Obviously, there are several intangibles such as leadership, mission focus, resourcefulness and much more. But I’d like to focus on something very specific that has gotten a lot of attention over the last year. Intelligence efforts must be requirements driven and not a shotgun approach. There needs to be a method to the madness that links directly back to the stakeholder, their intelligence needs and even the vendors and what they provide. I’ve been in this industry since essentially the early days, and I’ve always felt we found it challenging to put some sort of standardization and tooling in place to help define relevance, synchronize the broader intelligence effort and leverage a feedback loop to link to the consumers we support. Military intelligence has well-defined processes and tools in place that revolve around intelligence and collection management that we need to pull from. We can look at things like the Marine Corps GIR Handbook as a good example. It codifies general intelligence requirements around specific focus areas and then sensitizes collectors and analysts to what is relevant. It also provides a routing mechanism to get intelligence and information to key stakeholders and consumers. Lastly, it can help drive a feedback loop and metrics that help show gaps or justify resourcing and investment. The military’s approach to managing intelligence is one we should pull from and tweak for the commercial intelligence space.
Security: Can you explain how your military service taught you to emphasize three areas that can make threat intelligence more targeted and actionable for organizations: 1. Know your Mission, 2. Know your Enemy, 3. Know the Battlespace? (please provide detailed answers for each of the areas)
Passwaters: In military parlance, this relates to what they call Intelligence Preparation of the Battlefield (IPB). IPB is a continuous analytic process that aims to reduce uncertainties and unknowns as they relate to the adversary. The objective is to present the full capabilities of the enemy and other environmental factors to leadership, including potential courses of action (COAs) across the battlespace. It’s much more than that, but this is the gist. Simply put, it's about commanders at various levels being intimately familiar with the enemy and the environment so the unit can execute on the best possible COAs. As an intelligence collector at the tactical level, I fed into this process in many ways to reduce the amount of unknowns or even to just flag what it was we did not know.
Know Your Enemy. There is an obsession in the military with understanding the enemy – understanding anything and everything about them. There are plenty of overused Sun Tzu Art of War quotes we could cover here, but I’ll refrain as I’m sure you’ve heard them all before. But this concept is absolutely essential to figuring out how to beat the adversary. In the world of cybercrime, which is the most likely business-impacting threat any organization will face today, you’re dealing with well-experienced operators, mature business models and well-defined processes. You’re also dealing with geopolitical realities that prop up cybercrime. There’s so much there, but these are all data points. To adequately support decision-makers and devise viable COAs and intelligence to guide them, we must be obsessed with the adversary and every aspect of how they operate. This, paired with an intimate understanding of your internal capabilities, will offer the greatest opportunity to expand actionability and be proactive.
Know the Battlespace. The battlespace can be defined as the domain of land, air, sea or cyberspace where the battle is fought. Many commanders have failed due to a lack of knowledge of the environment where the fight took place. In cyber, the days of defending at the perimeter are long gone; to keep pace with the adversary, you need to meet them indirectly or directly on their turf. One external example of this is the underground marketplace or “deep and dark web” as some call it. The reality is it’s neither deep nor dark – it’s a finite and defined space where both financially motivated and nation-state threat actors are communicating, buying, selling and interacting on a regular basis. It’s not difficult for an analyst to dispel the deep and dark myth given adequate visibility into this space. For example, the marketplace, which generally is organized in a products, services, goods and consumer model, hosts a significant portion of the ransomware-as-a-service (RaaS) model. Visibility into this corner of the battlespace alongside knowledge of the specific adversaries themselves can be an extremely powerful tool for decision-makers.
Know Your Mission. My first enlistment in the Marine Corps was as an Infantry Rifleman. We were very tactical, and the mission was easy to understand: “locate, close with and destroy the enemy by fire and maneuver or repel the enemy’s assault by fire and close combat.” It would be a gross oversimplification to say that executing and accomplishing the mission was easy, as infantry Marines often have the hardest job on the battlefield. As I moved into Counterintelligence and HUMINT, the mission became a bit more nuanced and abstract at times. In both scenarios, however, success depended on a thorough understanding of the mission and what we were attempting to accomplish. As an intelligence collector, sometimes you were in situations where you didn’t have a tactical mission – it was broader. You might find yourself in a situation that was more self-directed, but we always had the GIR Handbook in our pocket. The high-level mission was to collect and report – but collect what, specifically? What questions was I trying to answer? Who was my collection supporting and what decisions was I informing? This helped me fill in the gaps about what I was supposed to do when there wasn’t any real tactical mission or direction, but still a job to be done. The parallel here to cyber threat intelligence (CTI) is pretty simple: a thorough understanding of the general and tactical mission matched with a team that is completely mission focused will result in success at any level, be it specific tactical incidents or decreasing the amount of unknowns on a slow day by filling gaps in knowledge.