Professionalizing Intelligence Operations in the Cyber Threat Landscape: Adversarial Perspective
By Brandon Rudisell & AdvIntel Product Team
Advanced Intelligence, LLC (AdvIntel) is a threat prevention and loss avoidance firm with the mission of protecting customers from a wide variety of dangers in the cyber threat landscape. According to the Cybersecurity and Infrastructure Security Agency (CISA) the current cyber threats are derived from national governments, organized crime, industrial espionage, hackers, hacktivists, and terrorists. To address these threats AdvIntel analysts utilize collected and evaluated information, creating contextualized threat intelligence products, providing support and protection for clients relating to their cybersecurity. These intelligence products are the result of AdvIntel analysts combining structured analytical techniques, intelligence collection disciplines, and integrating them within the intelligence cycle. This integration is the foundation for AdvIntel’s professionalization of intelligence operations in the cyber threat ecosystem.
AdvIntel security researchers utilize the intelligence cycle as their foundational process to support clients at the operational and strategic levels. According to the U.S. Joint Intelligence Publication 2-0 the intelligence cycle consists of planning and direction, collection, processing and exploitation, analysis and production, and the dissemination of intelligence. This process enables AdvIntel to provide intelligence products for clients to make informed decisions regarding their protection and interests.
Application of intelligence cycle within AdvIntel’s operations
Stage 1: Planning & Direction
AdvIntel begins the intelligence cycle with the planning and direction phase of this process. This phase enables us to clearly focus and define what information needs to be collected and investigated. This can be achieved by focusing on custom requirements designed for a specific client. When focusing on specific client requirements, one of the main ways of our intelligence productions is set via requests for information (RFI) related to a specific topic. RFIs allow clients to receive intelligence comments and actions regarding matters that are time-sensitive in nature. At the same time, on a broader level, Priority intelligence requirements (PIR) support AdvIntel analysts in determining and prioritizing what type of information needs to be gathered and analyzed, supporting the general mission of providing security for clients. PIRs can be arranged by needed priority or categorized into different threat types.
AdvIntel's Andariel RFI Submission System
Stage 2: Collection
AdvIntel employs three intelligence collection disciplines to gather data and information for both answering RFIs and PIRs. Some of the main areas AdvIntel focusses on during collection includes ransomware, CVEs, anatomy-of-attack, novel fraud schemes, and card shop reporting/card services monitoring, as well as disruption of DarkWeb carding services, DarkWeb auxiliary services (fake IDs, etc), threat actor profiles, social media manipulation, APT threats, open-source intelligence, hacktivism, and many other areas. The three collection disciplines are as follows:
Signals Intelligence (SIGINT) is the collection and interception of electronic transmissions. AdvIntel’s HAWK Botnet Compromise Prevention System enables the collection of information related to botnet infections and remote desktop protocol (RDP) compromises by threat actors who perform illicit operations, such as ransomware operations.
Andariel HAWK Botnet Compromise Prevention System reports on the number of infections for different botnet infrastructures 24/7
Human Intelligence (HUMINT) is the collection of information derived from human sources. The Andariel platform enables AdvIntel customers and analysts to observe the interaction and conversations of threat actors on the DarkWeb. Via Andariel our Subject Matter Experts (SME) are also able to conduct interaction with threat actors on the DarkWeb, enabling them to collect unique and insightful information related to cybersecurity threats.
AdvIntel's Andariel Platform - DarkWeb Collection enables to track actor activity and patterns of malicious operations
Open-Source Intelligence (OSINT) is the gathering of any type of information publicly available from a variety of sources that could include the media, professional documents, academic reports, etc. AdvIntel utilizes this collection method within our the “watcher” system to establish a holistic understanding of cybersecurity topics, providing analysts with additional contextualization and credibility to previously gathered information.
Collections via AdvIntel event “watcher” enables monitoring of data leaks, open-source threats, malicious phishing websites, and suspicious domain systems.
Stage 3: Processing & Exploitation
During this phase in the process, AdvIntel formats collected data in an organized and understandable manner. This data has not been analyzed to create intelligence products, but it can be utilized by analysts, clients, and other consumers. Examples of AdvIntel processing and exploiting collected data would be translating information into English and organizing the exclusive Andariel Botnet Tracking list into readable categories.
Stage 4: Analysis & Production
The analysis and production phase of the intelligence cycle is where the gathered data and information receives a detailed examination, resulting in the production of a variety of intelligence products to answer RFIs and PIRs. AdvIntel analysts are able to achieve insightful analysis by utilizing a variety of analytical techniques to examine collected information. Intelligence products designed by analysts at this stage include breach alerts, botnet lists, threat actor profiles, and in-depth reporting from SMEs. The following report Breach of Trust: How Threat Actors Leverage Confidential Information Against Law Firms is an example of an SME report from AdvIntel.
Stage 5: Dissemination & Integration
Dissemination and integration are when the completed intelligence product is distributed to clients and other consumers. AdvIntel disseminates intelligence products in multiple different formats depending on the needs and access of the consumer. Examples of how consumers can view intelligence products include the Andariel platform, direct to consumer, or AdvIntel’s research and investigation blog.
Andariel platform is designed for fast and clear intelligence dissemination via a special Intelligence report and adversarial dossier section, accumulating over 800 reports and presenting them in a structured tag-based system
AdvIntel’s Research and Investigation Blog
Stage 6: Evaluation & Feedback
AdvIntel considers this phase of the process an important element in the intelligence cycle. During this phase, all portions of the intelligence cycle are reviewed by analysts, collection managers, and planners to evaluate the effectiveness of AdvIntel’s intelligence framework. AdvIntel also highly values client feedback related to finished products, enabling the intelligence team to identify important areas of focus moving forward. This phase of the process can be conducted anytime throughout the intelligence cycle and is used on a constant basis to provide premier intelligence services.
Stage 7: Analytical Techniques & Integration
Structured analytical techniques and integrations with investigative frameworks such as Maltego, OpenCTI, Polarity, and IntelOWL assist AdvIntel analysts with creating sound analytical assessments. These techniques provide analysts with the ability to separate gathered information into subcategories, enabling them to assess the data to create a theory, which they then attempt to determine the validity of the theory. While AdvIntel analysts utilize a variety of analytical techniques, the following are two highlighted techniques:
Link Analysis is a technique that can show the relationships between individuals, groups, and places. The advantage of this technique is it allows for complex information to be understood in an easily formatted manner. AdvIntel utilizes Maltego as their link analysis tool, providing a valuable instrument for investigating the DarkWeb. For an in-depth look at AdvIntel’s utilization of this tool please read Maltego+Andariel a Force Multiplier For DarkWeb & Botnet Investigations.
AdvIntel: Maltego Utilization for njRAT Malware Tactics Techniques & Procedures (TTPs)
Sorting technique allows AdvIntel analysts to understand and analyze large quantities of data. This method enables analysts to gain insights correlated to similarities, discrepancies, and other information not discernible immediately. AdvIntel utilizes OpenCTI, an open-source repository for cyber threat intelligence, to help quantify large amounts of data related to indicators of specific threat actor groups and global kill chain analysis as they relate to the MITRE ATT&CK Framework.
AdvIntel’s Andariel Platform – OpenCTI integration
AdvIntel’s framework for intelligence operations has helped with the stated goal of reducing and mitigating potential threats from a variety of sources within the current cyber threat landscape by creating a holistic framework for intelligence and security team members. This has enabled AdvIntel to provide unique and insightful intelligence products for customers and other consumers. The continued utilization of this framework will enable AdvIntel to constantly evaluate and update itself, ensuring AdvIntel stays current with the everchanging cyber threat landscape and enables the creation of contextualized threat intelligence products that are relevant today and in the future.
Advanced Intelligence is an elite threat prevention firm. We provide our customers with tailored support and access to the proprietary industry-leading “Andariel” Platform to achieve unmatched visibility into botnet breaches, underground and dark web economy, and mitigate any existing or emerging threats.
Brandon Rudisell researches cyber threats with Advanced Intelligence LLC, along with a U.S. Navy veteran who conducted missions across the spectrums of expeditionary warfare, joint warfare, and major combat operations. He has extensive experience as an Intelligence Analyst covering a variety of threats and different areas of operation. Brandon recently graduated with his M.S. in Criminal Justice Advanced Counterterrorism and he became interested in cybersecurity while in school.