"Ultimately, intelligence has two critical features that distinguish it from information. Intelligence allows anticipation or prediction of future situations and circumstances, and it informs decisions by illuminating the differences in available courses of action (COAs)." (Joint Publication 2-0, Joint Intelligence)
Intelligence is a process that collects and analyzes information to support decisions. Because decisions cannot change the past, the timing of the intelligence and the decisions supported by the intelligence are inextricably intertwined. Or, as the old saying goes, “It’s too late to close the barn door after the horses have bolted.”
For cyber security, this information collection and analysis process is summarized in the Department of Homeland Security’s Computer Security Incident Response Team (CSIRT) process. This collection process incorporates the idea of sharing information from numerous sources so that information can be pooled to create a more comprehensive data set. The core of the CSIRT process is this cycle:
D/A stands for a random Department of America. US-CERT is the United States Computer Emergency Readiness Team. ISAC stands for Information Sharing and Analysis Centers, which are sector specific. When vulnerabilities are discovered, defensive measures can be taken and damages minimized. In this process it is crucial to recognize the state of the attack at the time of "identify" in order to understand the nature and effectiveness of the response. In traditional Advanced Persistent Threat (APT) engagements, the threat is identified by finding the damage left behind by the attackers after the systems have been infiltrated. In this "connect the dots" process, the dot needed to connect the others is the very damage that intelligence seeks to avoid.
In this diagram, the standard monitoring and response process can be seen for what it is — a chase. The bad guys bypass defenses in order to obtain credentials, which are then used to access systems. With credentials in hand, the bad guys work to accomplish their objectives and engage in anti-forensics to evade detection, while the good guys engage in intelligence to discover and thwart the attackers. According to FireEye/Mandiant, the average chase lasts 229 days. That is 229 days during which the bad guys are having their way with the victim's systems.
The Chase is not inevitable — attacks can be identified during the infiltration phase, before damage is sustained. In APT there is a common attack methodology that defeats traditional defenses and permits attackers to infiltrate systems and steal credentials. What is this attack methodology which so reliably defeats traditional defenses? Spearphishing — deceiving personnel with socially engineered emails. With the appropriate tools, it is possible to interdict the attack during infiltration and help prevent the compromise of credentials.
By providing the targets — human email recipients — with the appropriate instrumentation, the users can provide actionable email intelligence to IT. That instrumentation is SP Guard. Using email intelligence provided by properly instrumented users, IT can determine if a suspicious email is an attempt at deception and, if so, take appropriate defensive measures before damage is sustained.
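One way IT can act on the email intelligence a user reports is to run a deception triage over the reported message, as in this added example (not SP Guard's code and not from the original text); the .eml sample is constructed, and the three checks (Reply-To domain mismatch, failed SPF/DKIM in Authentication-Results, and link text that shows a different host than the href) are assumed heuristics, not a complete verdict.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample of a user-reported message; every address and host is made up.
REPORTED_EML = b"""From: "IT Helpdesk" <helpdesk@example-corp.com>
Reply-To: support@mail-examp1e-corp.net
To: alice@example-corp.com
Subject: Password expiry notice
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp.com; dkim=none
Content-Type: text/html; charset="utf-8"

<p>Your password expires today. <a href="http://login.examp1e-corp.net/reset">https://sso.example-corp.com/reset</a></p>
"""

HREF_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT_RE = re.compile(r'https?://[^\s<"]+', re.I)

def _domain(addr):
    """Mailbox domain, lower-cased; empty string when the address has no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _host(url):
    """Host part of an http(s) URL, lower-cased; empty string if not a URL."""
    m = re.match(r"https?://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""

def triage(raw):
    """Return the list of deception indicators found in a reported raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # 1. Reply-To pointing at a different domain than the visible sender.
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from from domain {from_domain}")
    # 2. Failed sender authentication recorded by the receiving MTA.
    auth = (msg.get("Authentication-Results") or "").lower()
    for check in ("spf", "dkim"):
        m = re.search(rf"{check}=(\w+)", auth)
        if m and m.group(1) not in ("pass", "none"):
            findings.append(f"{check} result is {m.group(1)}")
    # 3. Anchor text that displays one host while the href leads to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in HREF_RE.findall(html):
        shown = URL_IN_TEXT_RE.search(text)
        if shown and _host(shown.group(0)) != _host(href):
            findings.append(f"link text shows {_host(shown.group(0))} but points to {_host(href)}")
    return findings
```

A message with an empty findings list is not proven benign; the checks only surface the cues a reporting user cannot easily see in a mail client.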