FireEye has bought the cyberintelligence firm iSight for $200 million. It had previously bought the cybersecurity research and forensics firm Mandiant to build up its offering. The Wall Street Journal says one reason for the iSight acquisition is to try to prop up its sagging stock price, which has slumped 76% this year in light of slowing sales. A cyberintelligence firm is much different from a traditional cybersecurity firm. What they do is use former law enforcement and intelligence agents to tap into their vast network of sources and public and private data feeds to uncover current and future threats. They even employ hackers, and they are hackers themselves. Police who have worked for Interpol, the FBI, GCHQ or the NSA, or retired CIA officers and military personnel, presumably have access to databases of information and contacts inside the intelligence and law enforcement communities that would be useful for flushing out security threats. They would also know which hackers have ever been caught and can be coerced, or have come over to the white hat hacking community to work for the good guys. What else do they do?
This week it was reported in The Washington Post that the FBI is planting viruses on child porn websites to uncover the real IP addresses of pedophiles who think they are protected by Tor cloaking software. This reveals one tactic that cyberintelligence firms could use as well: penetrating hacker forums and markets and placing viruses there to obtain secrets that way. Customers for cyberintelligence firms would be large corporations, governments, and industry groups who have a lot of money to spend.
The cyberspooks might look for, say, chatter on the internet that hackers are preparing to target power utility companies, and then alert their utility customers. Or they might look for a threat to a specific executive or company. This is obviously an expensive service that only the largest customers could afford. Cyberintelligence might work where traditional cybersecurity does not. For example, if FireEye's anti-malware software worked all the time, then companies that have it would not be getting hacked. No product works all the time. So using cyberintelligence changes the defensive posture of a company to an offensive one. In a paper explaining what exactly they do, iSight mocks its competitors.
They say, “These vendors are confusing ‘information’ with ‘intelligence.’” Their point is, sure, you can tap into raw data feeds and pile all of that into your security analytics system, but that is “raw and unfiltered.” What their analysts do is sort through and interpret this information with “trained intelligence analysts.” But even iSight does not give many details of how its analysts, trained or not, can sort through data feeds better than any computer, especially when there is too much information for a human to read. Then they cite this definition from Gartner:
“[Cyberintelligence is] evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
Well, we are still not any closer to an explanation of how any of this works, so we have no basis for any level of confidence in whether it works at all. OK, this explanation from iSight is better:
“Cyber threat intelligence needs to include much more than raw data - it requires rich contextual information that can only be created with the application of human intelligence (Humint). This contextual information includes an understanding of the past, present and future tactics, techniques and procedures (TTPs) of a wide variety of adversaries. It must also include the linkage between the technical indicators (e.g., IP addresses and domains associated with threats or hashes that ‘fingerprint’ malicious files) and the adversaries and information about who is being targeted.”
This is something we can understand. If the analysts are looking into the dark web, working with informants and hackers, they could uncover information that the antivirus firms might not know. That could result in, say, the signature of a particular hacking tool, which they could manually add to an anti-malware data feed. It is doubtful they would uncover many zero-day defects, as those sell for $50,000 and more if they are important, so they would be closely guarded unless someone opened a checkbook to obtain them. Human intelligence might also mean actual intel on what criminal hacking mafias are doing.
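To make the "information versus intelligence" distinction concrete, here is an added example (not code from iSight, FireEye or the original article) in the defender's seat: a script that matches constructed log events against a small, constructed intelligence feed, and attaches the adversary, TTP, targeting and advice context that the iSight quote above says a bare indicator list lacks. Every indicator, group name, hash and log line is made up for illustration.

```python
"""Added example: enriching raw log events with threat-intelligence context.

All indicators, adversary names, hashes and log lines are constructed for
illustration; nothing here is iSight's or FireEye's data or code.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class IntelRecord:
    indicator: str   # IP address, domain name or file hash
    kind: str        # "ip", "domain" or "sha256"
    adversary: str   # who the indicator is attributed to (constructed name)
    ttp: str         # tactics, techniques and procedures context
    targets: str     # sectors this adversary has been seen targeting
    advice: str      # the "actionable advice" part of the Gartner definition


# Constructed feed. The `indicator` column alone is "information";
# the remaining columns are the context that makes it "intelligence".
INTEL_FEED = [
    IntelRecord("198.51.100.23", "ip", "EXAMPLE-GROUP-1",
                "credential phishing followed by RDP to staging hosts",
                "energy utilities",
                "block at the perimeter; review RDP logons from this source"),
    IntelRecord("updates.example-bad.test", "domain", "EXAMPLE-GROUP-2",
                "fake software-update sites delivering a loader",
                "finance",
                "sinkhole the name; check hosts that resolved it"),
    IntelRecord("0123456789abcdef" * 4, "sha256", "EXAMPLE-GROUP-1",
                "known tooling dropped after initial access",
                "energy utilities",
                "quarantine the file; pull the host for forensics"),
]

# Lookup table keyed by lower-cased indicator value
INDEX = {r.indicator.lower(): r for r in INTEL_FEED}

# Log fields whose values are worth checking, and the indicator kind they hold
INDICATOR_FIELDS = {"dst_ip": "ip", "dns_query": "domain", "file_sha256": "sha256"}

KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed log lines in a simple "timestamp key=value ..." format
SAMPLE_LOG = [
    "2016-01-21T10:02:11Z host=ws-17 dst_ip=198.51.100.23 dst_port=3389 proto=tcp",
    "2016-01-21T10:05:40Z host=ws-17 dns_query=updates.example-bad.test",
    "2016-01-21T10:06:02Z host=ws-17 file_sha256=" + "0123456789abcdef" * 4,
    "2016-01-21T10:07:00Z host=ws-03 dst_ip=192.0.2.10 dst_port=443 proto=tcp",
]


def parse_event(line):
    """Split one 'timestamp key=value ...' line into a dict of fields."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def match_events(lines, index=INDEX):
    """Return one enriched hit per (event, indicator) pair found in the feed."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for field, kind in INDICATOR_FIELDS.items():
            value = ev.get(field)
            if value is None:
                continue
            rec = index.get(value.lower())
            # The kind check stops a domain-shaped value matching an IP record
            if rec is None or rec.kind != kind:
                continue
            hits.append({
                "ts": ev["ts"], "host": ev.get("host", "?"),
                "indicator": rec.indicator, "kind": rec.kind,
                "adversary": rec.adversary, "ttp": rec.ttp,
                "targets": rec.targets, "advice": rec.advice,
            })
    return hits


def summarize_by_adversary(hits):
    """Map adversary -> host -> number of distinct indicators seen.

    Several distinct indicators tied to one adversary on the same host is
    the linkage a flat indicator list cannot express, and it is what an
    analyst would escalate first.
    """
    grouped = defaultdict(lambda: defaultdict(set))
    for h in hits:
        grouped[h["adversary"]][h["host"]].add(h["indicator"])
    return {adv: {host: len(inds) for host, inds in hosts.items()}
            for adv, hosts in grouped.items()}


if __name__ == "__main__":
    found = match_events(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["host"]}: {h["kind"]} {h["indicator"]} -> '
              f'{h["adversary"]} ({h["ttp"]}); targets: {h["targets"]}; '
              f'advice: {h["advice"]}')
    print(summarize_by_adversary(found))
```

Run as written, the script reports three hits on `ws-17` and none on `ws-03`, and the summary shows two distinct `EXAMPLE-GROUP-1` indicators on the same host, which is the kind of correlated, adversary-level picture a plain blocklist match would not give an analyst.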
That would require inside information from a spy in a hacker ring. Of course iSight is not going to say it has penetrated any hacking community or business, but you would have to assume it has if it has intelligence people providing what it calls HumInt above. As for FireEye, the regular parent business, it builds and sells security appliances, such as a device to decrypt SSL traffic. You can do that when both sides of the connection are on the same domain, as they would be on an internal network.
This is a good way to spot company data being sent out through the front door. FireEye also has various anti-malware products, and its Mandiant arm provides emergency forensics services for when a company has been hacked and needs to find out how that happened, right now. Adding human intelligence to cybersecurity is obviously a good idea. Having actual people with police and intelligence experience would definitely help uncover threats. It’s an interesting approach to an old problem that has no solution that works every time.