
The Politics of Intelligence

BSides NYC · 2018 · 48:33 · Published 2023-04

Transcript [en]

They're doing a really good job here; it's very well run. It's nice not having to deal with any audio-video problems, so that's awesome. So the background on this talk is that for the last three years I've been doing a lot of consulting with a lot of different companies and really seeing a lot of people struggling with threat intelligence. In my free time I like to trade off reading a technical book and then a book for fun, so I'm reading history books, spy books, and then I'll mix in a forensics book to break it up, so I'm not just reading about editing a disk and hacks all the time.

A little bit of background on me: like I said, I was previously at CrowdStrike and I've just switched over to a new role working with the internal IR team over at Splunk. I've been in the industry for about 15 years, working mostly in incident response and forensics, and I'm super into IR. I'm kind of an IR junkie, which has led to some work-life imbalances, hence me getting out of consulting and wanting to work at a slower pace, so I recently left CrowdStrike. I've spent a lot of time in targeted industries over the years, so I've had a lot of experience dealing with nation-state threats, and that's led to some interest in helping people better defend their organizations.

The book that inspired me to come up with this talk, combined with my work where I was seeing people spending a lot of money and not getting ROI from threat intelligence, was a book from Christopher Andrew, which I would highly recommend everybody check out. It's not even that new of a book, but it's fascinating, and he's written a lot of books; his other most famous book is about the KGB, so I would recommend that one as well. What I wanted to cover was the current state of affairs, what's going on with threat intel. So how many people here at least consume threat intel? Is there anybody here that does full-time threat intel as their job? Okay, we've got a couple, great.

So I'm going to cover that first and then go over some older stuff, some stuff way before SIGINT and way before computers even existed, because I think there are some lessons there to be learned and highlighted, which may not make sense now, but I want to make five key points about how organizations can be better about how they run their threat intel team. I thought it was pretty cool that the professor that kicked off the conference this morning mentioned that a lot of the problem was human and sociology, so a lot of this is how to manage C-level psychology and get them on board with threat intelligence, because a lot of the problem is they're just not interested in it; they're not sure that it even matters to their business.

So first, with threat intelligence there are, I guess, two major breakdowns. The first is tactical threat intelligence, which is much easier to ramp up, and I think that's where most organizations are having success. How many people are taking in indicator feeds and building detections and finding evil from data like this, like IOCs, indicators of compromise? So I think that's well understood, and I compare that to being able to sink a three-foot putt: it's very consistent, there are frameworks, it's mostly all within your security organization, so the person that's producing it reports to the same person that's consuming it, so there's less friction. You don't have to depend on a lot of people to be really good at tactical threat intelligence. And it's more what I would call binary: either this MD5 is this hash or it's not, or this cert was signed, or this compile time was this or it's not, so it's much less gray than strategic intelligence, which I would compare to trying to hit a 300-yard drive to a certain spot on the fairway every single time. Your chances are, when you write a threat intel report, you're guessing a lot; you're saying "with medium confidence I think this is going to happen," and the reality is you can't be right every time and you're never going to have complete information. So for that reason strategic threat intel is really tough to do, and that's where I see people building things but not really doing fresh analysis; they're just repackaging intel from other companies. So I think that's something to point out.

Then there are some other themes that are happening right now. There's kind of an obsession with how many data feeds you have. I had a very large vendor try to sell me, when I was working for a client I was representing, and they said, "Well, we have over 80 feeds, and how could you possibly do threat intelligence without our data lake?" I'm like, okay. I don't think he even knew what he was saying, and I just kind of laughed at him and said, okay, we're not going with these guys. So a feed is a part of it, but that's really just something that you would feed straight into your detection, and there's not a lot of context around it. But there's, for some reason, an obsession with having 50 feeds, 100 feeds, "we have the latest threat intelligence," and I think a lot of that is just creating a lot of busy work.

I'm also seeing, and I touched on this earlier, specifically around strategic threat intel, companies creating these fusion centers which have really awesome displays. They look great, they look like something from an episode of 24, and I'll go in and take a tour and look at it, and they're either empty or I'll talk to the people and say, "Hey, what are you guys doing?" and it's somebody from legal just checking their email, or it's somebody from the server team just doing his daily job, and nothing to do whatsoever with combining intelligence. I keep seeing this over and over again. I'm like, well, I don't know what's going on, but these guys just spent over a million dollars building this fusion center and it's not really producing any results. And then also the whole concept of just repackaging: they'll take feeds from FireEye and Flashpoint and CrowdStrike and just repackage it into a summary, but no real new analysis is being done. So that's something that I think people can improve on.

Hiring. Another trend that I've observed is companies tend to get fooled by hiring people from the government. Not every job in the DoD is created equal. One company that I worked with hired a person to lead their computer incident response from the DoD, but he was doing fire incident response or environmental incident response, and of course he flamed out and didn't last more than a year. But they were totally in love with "we're hiring the next DoD guy," and they didn't really vet and understand that there are different MOSes, there are different roles, and you need to make sure you find an actual analyst who is looking at data and creating fresh reports.

And I think generally I don't think the work product is very good, and this probably goes out to all the threat intel vendors too. I don't know how people perceive this, but I don't think a lot of the reports that people get, either from vendors or that they do internally, are all that. Does anybody have any different experiences, or has anybody found a vendor that they think is all that? Yes? I think most people are kind of like, yeah. So Flashpoint has some good stuff, and I've heard, I think, what was the company that FireEye bought, I heard iSIGHT had a really good portal, somebody told me that, but I don't know what it's like now. Darktrace? What's it called? Mas 360? Okay, I'll have to check that out.

So that's kind of a survey of some of the issues that I've been seeing. And now on to geeking out a little bit about history. Before we get into some more modern stuff I wanted to dive into somebody that was so far ahead of their time it's just ridiculous. That quote up there was from George Washington, and I'm like, how did he back then even understand this? He understood that you were going to combine all these diverse sets of intelligence that separately don't mean anything, but when you put them together he was able to determine what the British were doing and where to move his forces. When he had already been beaten back and had fewer troops, he was floating misinformation to the British to inflate his troop total so that they didn't attack him. And he did this on multiple occasions. When the French were coming in to land and join the Revolutionary War, what he did is he sent a courier that was captured to make them think that his forces were going to attack New York, and that allowed the French army to land safely and not get attacked. So it was a huge turn in the war, and that played out over and over again. If you've ever heard of this show on AMC, I think it's maybe in season three, I've only watched season one, but it was pretty awesome; it talks all about this. He came up with this spy ring that was called the Culper spy ring, and he named that after the county that he lived in; it was Culpeper County in Virginia, so he just named the spy ring Culper. So all throughout this time he was using his intelligence, mostly military intelligence, to basically beat out a superior military. When he finally came into office as president he set up the first formalized secret service to do intelligence operations, and after three years his little secret service thing was already 12 percent of the federal budget, which, if you compare that to today, is pretty massive. But it turns out that was really short-lived, because after he got out none of the people that came after him were all that interested in threat intelligence, and by the time the next war broke out in 1812 it was all the way down from one million to fifty thousand a year, and that led to some issues for them being ready.

Can you guys see that text, or is it just too small for you back there? Too small, okay, sorry about that. So from this era, that I'll call the isolationist era, there was a lot of nothing. There were a lot of presidents that really just didn't get intelligence. But there are some interesting stories that came out of this time. Most of the focus was on generals having their own spies, so each little army had their own little intel force, nothing centralized, nothing coordinated. But there's a funny story, which I guess isn't so funny when you look at it together: during Abraham Lincoln's inauguration there was a death threat on his life, and he traveled with a guy named Pinkerton, which, if you've ever heard of the Pinkerton agency that's still around today, helped protect him and smuggled him into the city so he wouldn't get assassinated. But when he came into the city he was dressed up like a woman, and the press got hold of that and just started making fun of him. Well, it turns out ever since they made fun of him in the press he was like, "Well, I don't want all that security, leave me alone, just let me do my thing," and of course then he got assassinated in the theater because he didn't pay attention to his own personal security.

Something else interesting from that time: the major form of communication and SIGINT during that time was the telegraph, so Lincoln used to hang out there, and they actually had three code breakers that cracked the Confederate codes and allowed them to bust up some counterfeiting that was going on. They called them the Sacred Three, and they were only 17, 20 and 23 years old, and they were breaking codes, so it's pretty interesting. And of course intelligence played a role in the Gettysburg battle as well, where they were able to predict when the Confederates were going to attack.

Now during this time, if you take a step back, the U.S. had nothing, no foreign intelligence, no real capability, but France, Russia, Germany, all their peers had code-breaking capabilities and they were reading everything, all of our State Department traffic from our embassies. The British had something called Room 40, which eventually became Bletchley Park, which is the modern-day GCHQ, and that started all the way back then. Another cool thing about this time, about World War One: I know when I was in school I was taught that the reason that the U.S. got into the war was because they sank the Lusitania and that drew us into the war, but that was actually two years before the U.S. got into the war. The reason that we got into the war was actually the Zimmermann cable, which was a SIGINT intercept where Germany was plotting to have Mexico start a second front and attack the U.S., and that was two months before we got into the war, or actually less than two months, and we were in the war because of that. So that's one thing that I think the history books probably need to be updated for. A lot of the presidents just had no clue. So along that theme of this time where it's just isolationists, Woodrow Wilson, and this is during World War One, everybody's fighting, he didn't even believe or understand that everybody was spying on each other. He had no clue, and he admitted this publicly. But following that they finally stood up what was the precursor to the NSA, which was a team called the Black Chamber, but that only lasted 10 years, and because there was no existing war they ended up shutting it down.

And of all the people, probably the one that people would say was the most inept about foreign affairs and military intelligence, Truman, he actually didn't even know what he was doing at the time. I think he was duped, but he signed all the major directives that established what would become the CIA, the NSA, all those capabilities, and the National Security Council. They weren't called exactly that at the time, but he was the one that established it. In his memoirs he didn't even want to admit that he did it, because he thought it was ungentlemanly; he didn't understand that countries were doing this and spying on each other. So this is a long time from Washington to World War II, where all these countries were way more advanced in code breaking, they were stealing our secrets, they were light years ahead of the U.S., and so we got a pretty late start to the game. I think a lot of that was just because of the isolationists; most people just thought we were on our own here and didn't need to be involved in any of the European or Asian conflicts.

So the first thing that I wanted to touch on is a concept about when we're trying to present intelligence to leadership: failure of imagination. They're never going to want to admit that something can happen. Let's think of CryptoLocker or WannaCry, right? If you would have told them that before that occurred, you would have people swearing up and down that our manufacturing network is air-gapped, there's no way that we can get CryptoLockered, until after the fact. Then they see it and then all of a sudden they're like, oh, okay, I get it now, this is a real threat. They just can't imagine it, and I think that that's what we have to do as people that have to sell threat intelligence and build a successful program: we have to help leadership understand these are real threats, and you can't just think of what you know; you have to worry about things that you can't even comprehend exist.

There's this whole timeline, so I apologize for the wall of text, leading up to Pearl Harbor, which is, I think, considered the biggest intelligence disaster for the U.S. In September 1940 we had already broken Japan's code. In May 1941 they knew we broke it, but they thought that their special Purple machine was okay, it was just some of their code, so they kept using it even though they knew we were getting some of their information. And then there's this bizarre thing. Everybody knows December was when Pearl Harbor occurred, and they had this arrangement where the Army would provide updates one month and the Navy would provide updates the other month, because the two agencies fought each other, but it turned out the month of November, the month before Pearl Harbor, the Army decided they weren't going to deliver updates. So pretty bad timing there. The Navy, I think, tried to keep giving them information, but it wasn't their job to do it. November 5th, Japan actually decided that they wanted to make the invasion. Okay. November 25th, FDR tells his entire cabinet, "Hey, we're going to get attacked." Okay. On the 26th they observed that troops have left Shanghai from Japan, and on the 27th they decrypt instructions that the embassies know how to destroy their code machines, their papers, their books, so that they're ready when they get the order. So FDR says, "Hey, we're getting attacked," and they know that the embassies have been warned so they can destroy their stuff, and then the next day he goes on vacation. It's like, what? So on the 28th he goes on vacation, and the day following that they send out a major alert to just the Asia Fleet, so think of the Western Pacific; just they got the warning. So they couldn't even comprehend that they would be attacked at Pearl. They had all this information happening, but their imagination made them think that it was only this certain area of the globe that could be attacked. And even further leading up into that, they intercepted messages from Tokyo to Berlin saying, "Hey, we're going to war," so they knew that the attack was coming. They even warned part of their fleet, but they never said anything to the base at Hawaii, so they were caught completely unaware, and that was strictly a failure to even imagine that that could have occurred.

It turns out, and obviously this is, I guess you would call it, hindsight bias, because we all know what happened, so it's somewhat biased in the fact that we know how it played out, but the code that they were using, the naval codes, they only assigned like two to five analysts in the entire military to break the certain naval code, so they didn't break it in time. But after the war they went ahead and broke it and found out, hey, they were coming for Hawaii, and they found all these plans. If they would have just assigned more than two to five people, they would have broken it, no problem.

The same thing, failure to imagine: you think that they would learn from this, right? They failed to imagine the Tet Offensive in the '60s. They saw all this traffic about all these attacks on all these major cities and they just said, no, there's no way, this is a diversion, and of course I think U.S. forces lost thousands of men in the attack, and the whole time they were like, no, this didn't happen. It just baffles me that they have all this intelligence and refuse to even believe that this could occur.

The next concept is, to me, the most important one of all these. This would be the one that would all