Our Commercial Brethren

Posted on 7 April 2011 by


Recently on an IACA listserver discussion post someone asked about what tools commercial enterprises use for intelligence analysis. The answer is not all that simple, but since I have experience in that world, I thought I would proffer something of a primer on how commercial organizations view intelligence.

I’m going to be speaking on this issue at the upcoming 2011 Spring Training Symposium in Vancouver.

The corporate world is slow to react to trends, but financial services firms especially have seen the need to gather intelligence about those who attack. The issues they face are less about the technologies to suck, juggle and blow the data into more useful forms and more about the cultural and organizational barriers to sharing within these enterprises.

The skills required to be a good commercial enterprise intelligence analyst absolutely translate to those required to be a better law enforcement intelligence analyst. One problem for us in law enforcement is that a commercial intelligence or security analyst can make substantially more than a law enforcement analyst; the average salary of a CISSP (Certified Information Systems Security Professional) holder is something like $85K; commercial analysts typically make six figures. A really good crime analyst job I saw advertised recently topped out at $76K. And anecdotally speaking, that was an anomaly – I’m used to seeing these jobs top out in the fifties.

So what we need is better cooperation and collaboration between public and private sector on an individual basis. This will create better informed LE analysts and also forge crucial relationships between LE and private firms that will be essential to prosecution of cyber crimes in the coming years*.

Generally speaking, the technology families that commercial enterprises use to conduct investigations are inward-looking, making determinations about attacks based on traffic and activity on their own networks. In more enlightened firms, these activities are informed by external intelligence of several flavors which guides analysts in their search activities.

The intelligence that the firms are viewing can be broken into external and internal intelligence feeds.

Internal intelligence feeds are gleaned by examining local traffic, understanding internal data flow, and breaking barriers between stovepipes – those organizational “cylinders of excellence” which occur when HR (which looks, for example, closely at the social media presence of employees) doesn’t speak with marketing (which looks, for example, closely at the social media presence of the brand and the competition), which doesn’t speak with sales (which dissects the public sales information of all the competition). Understanding when the brand is under attack, or when employees are saying things about the company, or when ex-employees are collectively working at a competitor, etc., are examples of threats that might be gleaned through analysis of intelligence gathered from those activities.

External intelligence is that provided by analysts seeking information about specific attacks occurring at competitors, those in related industries and in the Internet at large; i.e. malware attacks, trojans, fraud campaigns, botnets, DDOS attacks etc. Information about these comes from a range of suppliers, the best of which include Cyveillance, Team Cymru, Symantec, Prevx, and anti-botnet firms such as Arbor Networks, Damballa, FireEye and UmbraData. We’ve just been speaking with Procysive, a new vendor in the commercial OSINT space, and will be writing about them and this space in detail here on PLI and on our forthcoming law enforcement technology analysis service, CSG Analysis.

Analysts provide the hybrid: informing their internal views with information about what is happening externally – “That thing that happened out there looks awful. I wonder if there is any evidence of that happening in here.”

The typical commercial enterprise security or intelligence analyst’s tools fall into these major categories:

Anti Fraud. Software that delves into the “normalcy” of relationships with clients, using Bayesian or heuristic approaches to find patterns in transactions (and by “transactions” I mean any time one computer speaks with another across a network, not necessarily a financial transaction) that stand out from the norm: “Based on what we know of how Bob does business, that there thing that happened was weird.” Firms include Guardian Analytics, RSA Security (multiple products), NICE Systems and many others.

Signature-Based. Software that seeks specific strings or actions known to be “bad”. Your anti-virus software is signature-based. It assumes that someone else will be “patient zero,” and relies entirely on the ability of the company to update an ever-growing list of “bad”. This is why your anti-virus (and all signature-based technology) sucks: the malware industrial complex – those who write malicious code for profit – is much more innovative, dynamic and speedy at creation than the companies writing signature detection can possibly be.

Log Management. Every time a computer does something – anything – it creates a log entry for it. The logs become a rich source of forensic evidence. They are also ginormous (Terabytes and Terabytes are generated from the thousands and tens of thousands of log entries generated each second in a decent-sized company) and hard to manage. Log management software helps manage and search through logs. Examples: Splunk, LogLogic, AccelOps, Nitro Security, Loggly, IBM, RSA, the security division of EMC, etc etc etc.

Network Forensics. By copying not just logs from the network but actual network traffic – a lossless network buffer or gigantic Network TiVo – analysts can look at the actual traffic from a given period and see what it comprised. If you know where to look, this is a gold mine of forensic information. Knowing where to look is a product of your understanding of internal traffic and analytic maturity. Products include NetWitness (bought recently by RSA), Niksun, Fidelis Security Systems, Solera, Wireshark, Wild Packets and others.

Information Management & Analysis. Listening to all the things that go bump in the wire is hard, so enterprise security information management systems (aka Security Information and Event Management) help aggregate and correlate traffic then alert on a range of things. Players include HP’s ArcSight, Q1 Labs, LogRhythm, Nitro Security, TriGeo Network Security and many others. Another firm that plays in a related space here is Palantir, which takes data from multiple sources and provides an analytical workbench on which to view them.

Computer Forensics. The line between law enforcement and the enterprise starts to blur when it comes to viewing individual computers for forensic evidence of a specific act – this can be child pornography or a malware attack. Companies playing here are Guidance Software (EnCase), Open Source Digital Forensics, Microsoft’s COFEE and the like. Reverse engineering software from firms like Zynamics (bought recently by Google) etc help delve into how software does what it does.
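To make the hybrid view concrete (the “that thing out there looks awful, is it happening in here?” question, alongside the anti-fraud and signature-based categories above), here is a small Python sketch added for this post; it is not code from the post or from any vendor named here. It puts a signature check against a constructed external indicator list next to a per-user “normalcy” baseline of the kind anti-fraud tools build; every user, host and byte count in it is made up.

```python
import statistics

# Constructed sample data: made-up internal "transactions" (user, destination, bytes sent)
# and a made-up external indicator feed. None of these hosts or users are real.
HISTORY = [
    ("bob", "crm.example.internal", 1200),
    ("bob", "crm.example.internal", 1300),
    ("bob", "crm.example.internal", 1250),
    ("alice", "wiki.example.internal", 500),
    ("alice", "wiki.example.internal", 520),
    ("alice", "bad.example.net", 480),  # alice has quietly talked to this host before
]
NEW_EVENTS = [
    ("bob", "crm.example.internal", 1280),     # ordinary for bob
    ("bob", "files.example.internal", 90000),  # new destination and huge volume
    ("alice", "bad.example.net", 510),         # ordinary-looking for alice
]
EXTERNAL_INDICATORS = {"bad.example.net"}  # "that thing that happened out there"

def signature_hits(events, indicators):
    """Signature-based check: flag events whose destination is on the external list."""
    return [e for e in events if e[1] in indicators]

def build_baseline(history):
    """Per-user 'normalcy': mean/stdev of bytes sent plus the destinations seen before."""
    by_user = {}
    for user, dest, nbytes in history:
        entry = by_user.setdefault(user, {"bytes": [], "dests": set()})
        entry["bytes"].append(nbytes)
        entry["dests"].add(dest)
    baseline = {}
    for user, entry in by_user.items():
        stdev = statistics.stdev(entry["bytes"]) if len(entry["bytes"]) > 1 else 0.0
        baseline[user] = (statistics.mean(entry["bytes"]), stdev, entry["dests"])
    return baseline

def anomalies(events, baseline, z_threshold=3.0):
    """Heuristic check: flag events that deviate from the user's own baseline."""
    flagged = []
    for user, dest, nbytes in events:
        mean, stdev, dests = baseline.get(user, (0.0, 0.0, set()))
        reasons = []
        if dest not in dests:
            reasons.append("never-seen destination")
        if stdev > 0 and abs(nbytes - mean) / stdev > z_threshold:
            reasons.append("byte volume far from baseline")
        if reasons:
            flagged.append(((user, dest, nbytes), "; ".join(reasons)))
    return flagged
```

Run on the sample data, the baseline catches Bob’s huge transfer to a host he has never used but says nothing about Alice, while the external indicator catches Alice’s otherwise normal-looking connection; each check finds what the other misses.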

Have questions about this? Leave a comment! Let’s talk about it.


* It’s my personal theory that right now the biggest obstacle to prosecuting cyber crime is that cops don’t understand what it is. Analysts can provide a necessary translation layer between victims and LE to help both sides understand what has happened and what needs to happen to prosecute a cyber attack.