Cyber Intelligence Conceptual Framework
Comprehensive analysis. Better decisions.
SEI Cyber Intelligence Research Consortium

About
The SEI Emerging Technology Center helps the government stay on the edge of technology. The world is innovating software and information technologies very rapidly, and the Center assists the government by identifying, demonstrating, extending, and applying emerging software technologies to meet critical government mission needs. We focus on promoting government awareness and knowledge of emerging technologies and their application, and on shaping and leveraging academic and industrial research.

Contact Us
Software Engineering Institute
4500 Fifth Avenue, Pittsburgh, PA 15213-2612
Phone: 412.268.5800 | 888.201.4479
Web: www.sei.cmu.edu/goto/cyber-intel
Email: cyber-intel@sei.cmu.edu

The Cyber Intelligence Conceptual Framework

Overview
Cyber intelligence is the acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities to offer courses of action that enhance decision making. For an analyst to put this definition into practice, we developed a nonlinear, interactive conceptual framework to distinguish and organize our recommendations for success. It consists of six components: Analytical Acumen, Environmental Context, Data Gathering, Microanalysis, Macroanalysis, and Reporting and Feedback.

Background
The conceptual framework evolved from lessons learned from conceptual models used in traditional intelligence analysis, risk management, decision making, and cybersecurity. We combined this information with knowledge gained from our initial work in cyber intelligence to form a framework that balances the rigor, agility, and creativity needed to conduct comprehensive analysis in the complex and ever-changing cyber domain.

We use the term “comprehensive analysis” to emphasize that our approach involves using the art and science of intelligence work to analyze a cyber issue in context, from the way it functions to its strategic impact on a target, and everything in between.

The Conceptual Framework
For an analyst to effectively analyze a cyber issue in context, our framework consists of six components:
• Analytical Acumen: facilitates timely, actionable, and accurate intelligence on a cyber issue
• Environmental Context: provides scope for the analytical effort
• Data Gathering: acquires and aligns data for analysis
• Microanalysis: assesses the functional implications of the cyber issue
• Macroanalysis: assesses the strategic implications of the cyber issue
• Reporting and Feedback: offers courses of action to enhance decision making

The Analytical Acumen component is the framework’s center of gravity. It conceptualizes an analyst’s interactions with the other components to facilitate the development and dissemination of intelligence that helps decision makers and practitioners make better judgments and quicker decisions.

Analytical Acumen
Analytical Acumen facilitates timely, actionable, and accurate intelligence on a cyber issue. As previously described, this component is the framework’s center of gravity. It conceptualizes an analyst’s interactions with the other components to enable the development and dissemination of intelligence to help decision makers and practitioners make better judgments and quicker decisions.

Creating and communicating cyber intelligence is an art and a science. It is an art because no analyst produces intelligence the same way. Personal instincts, biases, experiences, and a host of other influences impact the creativity and imagination that shapes how an analyst addresses a cyber issue. An analyst will seek technology, conceptual frameworks, information collection methods, and other outlets to best channel their creativity and imagination into intelligence—the science of their work. We refer to the art and science of intelligence work as analytical tradecraft.

How an analyst leverages their tradecraft determines their analytical effectiveness and efficiency. A cyber intelligence analyst should use the components of our conceptual framework as a guide to maximize the use of their analytical tradecraft to best conduct comprehensive analysis and put cyber issues in context. Within their operating environment, an analyst comes across a cyber issue in many ways: personal research of internal and external information, informal questions from peers or leadership, or official requests for information. In the context of our conceptual framework, a cyber issue can emanate from any component, but Analytical Acumen facilitates the ingestion, digestion, and emission of intelligence.

Analytical Acumen interacts with the other components in numerous ways, depending on the cyber issue being analyzed. Sometimes a repeatable process can be introduced or a technology integrated to augment these interactions, but enough flexibility must be built into the process or technology to account for a cyber issue’s propensity to change quickly and often. Our framework attempts to account for all these possibilities by visually projecting a nonlinear, interactive approach to performing cyber intelligence.

Environmental Context
Environmental Context provides scope for the analytical effort. Ideally, one of the first steps an analyst will take is to assess the cyber issue as it relates to the operating environment. For example, if the issue involves employees downloading corrupt software from the internet, and the analyst knows the organization’s computer network does not connect to the internet, the analyst can quickly report the limited threat this situation poses without performing more extensive analysis. If the network does connect to the internet, then the analyst begins to put the cyber issue in context to determine what other information is needed to assess and report the potential threat’s impact on the organization.

An analyst can better understand the state of the operating environment by considering the internal and external factors affecting it. We suggest examining the internal and external factors relating to the network and the organization at large. Examples for the network include topsight (infrastructure, access points, system vulnerabilities, identification of critical data) and cyber footprint (physical assets, data storage, web and mobile presence). For the organization at large, factors include business operations (risk management, physical security, and compliance), organizational dynamics (mission, objectives, stakeholders, culture), and external interests (brand reputation, market space, geopolitical issues, and partnerships).

While considering Environmental Context is important at the onset of analysis, it should occur throughout the analytical effort because issues in the cyber domain change quickly and often. This component also highlights the importance of both technical and nontechnical factors in cyber intelligence. Deciphering the functional details of a cyber issue is vital to putting it in context, but so too are many factors that have nothing to do with technical expertise.

Data Gathering
Data Gathering conceptualizes how an analyst acquires and aligns data for analysis. Knowledge gained from Analytical Acumen and Environmental Context enables someone to ask the right questions to get the right data through technological means. By using the analytical tradecraft described in Analytical Acumen, an analyst has the opportunity to utilize their own cognitive abilities and those of others (the art), as well as intelligence repositories (the science), to appropriately gather data. This can occur by accessing preexisting analytical work represented in the Microanalysis and Macroanalysis components and soliciting feedback from fellow practitioners and decision makers, an aspect of the Reporting and Feedback component. Information gleaned from the Environmental Context component also contributes because knowing the scope of the analytical effort prevents an analyst from having too little data to support analysis or too much data, which could overwhelm the analyst and obscure the necessary information.

With this knowledge, the analyst leverages tools and technologies to identify the data sources, collect the data, and aggregate it for analysis. The data should come from multiple internal and external sources, when possible, and be updated when necessary. Examples of internal sources are network logs, physical access logs, user demographics, risk management analysis, and business intelligence. External data sources include third-party intelligence providers, information-sharing partnerships, open source intelligence, and social media.

Microanalysis
Microanalysis represents the assessment of the functional implications of the cyber issue. When performing such analysis, the analyst seeks to evaluate and estimate how the issue impacts the operating environment based on the issue’s technical complexities. Information obtained through Analytical Acumen and Data Gathering should be used to extract relevant data and examine the issue’s nature, ability, and quality. The primary purpose of Microanalysis is to answer “what” and “how” questions: what is happening to the network and how is it being done? The analyst successfully answers these questions using the power of their analytical tradecraft and the continuous interaction with the tools, technology, and people gathering the data.

Knowing how the cyber issue functions, the analyst uses multiple sources, when possible, to validate the credibility of the information and then puts the issue into technical context by applying knowledge to it. The analyst can use what is now intelligence to inform fellow practitioners and decision makers of the cyber issue’s functional implications. We describe this communication and the feedback that follows in the conceptual framework’s Reporting and Feedback component. As a reminder, throughout the entire process, Analytical Acumen facilitates the interactions among these components.

Overall, Microanalysis usually occurs in reaction to an actual cyber issue, not the anticipation of one. This type of analysis is especially useful for network defense, cybersecurity, and incident response purposes. It also informs the individuals in an organization that examine the issue’s strategic implications and make business decisions.

Macroanalysis
Macroanalysis represents the assessment of the strategic implications of a cyber issue. Working through our framework’s Analytical Acumen component, an analyst performing Macroanalysis incorporates the intelligence produced during Microanalysis with the scope of Environmental Context and capabilities from Data Gathering. These interactions enable the analyst to add perspective, context, and depth to the cyber issue.

There are numerous ways to add perspective, context, and depth. The analyst can conduct trend analysis of multiple cyber issues or use several Microanalysis products to correlate Data Gathering activities and pursue attribution. The analyst also might put Microanalysis in the context of risk management or business intelligence to provide technical insight for decisions involving acquisitions, brand reputation, and marketing. Other analytical activities examine how a cyber issue will affect and be affected by cultures, economics, geopolitics, social media, and/or global cyber trends. These scenarios demonstrate that Macroanalysis enables more proactive and predictive intelligence.

The analyst performing this work usually tries to answer “who” and “why” questions: who is responsible and why is it happening? The answers populate threat actor profiles for tracking attack likelihoods, provide global situational awareness, and give information on potential strategic impacts to decision makers so that they can rely on cyber intelligence just like they do business intelligence or risk management. Similar to Microanalysis, our conceptual framework illustrates the analyst’s communication of Macroanalysis, and any resulting feedback to the analyst, in the Reporting and Feedback component, which interacts with Macroanalysis via Analytical Acumen.

Reporting and Feedback
Reporting and Feedback conceptualizes how to offer courses of action to enhance decision making with cyber intelligence. The conceptual framework is arranged so that no matter the component where the intelligence originates, Reporting and Feedback represents the communication of and subsequent responses to the intelligence. An analyst should take into account the audience’s background and technical knowledge and tailor any verbal or written analytical products accordingly. This work usually is distributed to a variety of fellow practitioners, relevant stakeholders, and decision makers at multiple levels of leadership, from first-line supervisors to C-level executives. These individuals then use the intelligence to guide their response to a cyber issue or adjust the overarching direction of the organization.

Regardless of the intelligence being produced, the reporting mechanism is only as effective as its feedback counterpart. Responses in the form of casual observations or official requests for information help to rationalize what the analyst focuses on. Active participation from all audiences not only validates what an analyst does on a daily basis, but also identifies intelligence gaps for the analyst to fill, concepts needing further explanation, and opportunities for collaboration. This spurs continued development of analytical tradecraft, which improves an analyst’s effectiveness and efficiency in using cyber intelligence to help others make better judgments and quicker decisions.

Using the Conceptual Framework
We consider our conceptual framework to be a living framework. It incorporates perspectives from government, industry, and academia to distinguish and organize how we think an analyst should approach cyber intelligence. As these perspectives evolve, so too will the framework. If you have any questions or suggestions, please contact us at cyber-intel@sei.cmu.edu.