xorl %eax, %eax

Why tasking is important in a threat intelligence team (using NSA’s UTT as example)


Following the theme of my previous posts, I have published an educational video that goes through the well-known PRISM slide deck from the NSA. That slide deck has tons of useful information for anyone working in threat intelligence, but to keep this blog post short I’d like to focus on one area only: the Unified Targeting Tool (UTT) that was mentioned and explained there.

What I liked about UTT was its pure focus on tasking (meaning assigning intelligence tasks such as collection, exploitation, etc. when the information is not readily available to analysts), something that we tend to ignore in the private sector. The job of your analysts isn’t to go out and chat with cyber-criminals, create sock puppet accounts, negotiate with vendors, etc.; it is to use all the available information to build intelligence. Those operations are part of tasking & collection.

Here is a screenshot of the UTT slide I reconstructed for my video. In summary, it shows the analyst using UTT to fill in a web form with the information they need from PRISM (for the sake of this blog post, assume your own threat intelligence data lake instead). UTT then had two paths: one for searching the records it already had, and one for searching for near-realtime information (AKA surveillance). This distinction is CRUCIAL in tasking, as intelligence gathering is usually not as time-sensitive as surveillance. Then it ran a series of checks (like whether this is a U.S. citizen) and, if the information wasn’t available, the FBI was tasked to go to the relevant companies, collect that data, and feed it back to PRISM.



Now if I had to redesign this for a private entity, I would do something like what you see below. Having a solid tasking process for threat intelligence is extremely beneficial for the entire intelligence function. Put simply, what I drew is this: first, someone reviews the analyst(s)’ request in case they are trying to access something they are not allowed to. Then, if it’s something you already have, you pass it on; if it isn’t, you open a ticket to your collectors to find it. If it’s a near-realtime (AKA surveillance) request, you create the equivalent tracking rules and alerts instead. The great part is that most of this can be automated with the modern TIP and SOAR solutions out there.



So what’s the value of a concrete tasking process (ideally accompanied by a tool like UTT)? Here is what:

  • Provides visibility on what analysts are interested in (AKA helps develop/improve PIRs)
  • Helps identify the best vendors/sources to focus on
  • Creates/maintains alerting only for threats the analysts care about
  • Ensures analysts cannot just “read everything”, which could result in serious privacy violations
  • Helps prioritize the intelligence collection and technical requirements
  • Removes the need for analysts to get familiar with all the tools/vendors used (which change over time)
  • Can help deduplicate work when multiple identical requests are issued
  • Analysts use their time to do analysis, not collection
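The tasking flow sketched above (review, serve from existing data or open a collection ticket, or create a tracking rule for near-realtime requests) plus the request deduplication from the list, as an added example of my own and not something from the PRISM/UTT material. The access policy, data lake and ticket naming are hypothetical stand-ins for a TIP or SOAR integration.

```python
from dataclasses import dataclass, field
from enum import Enum

class Mode(Enum):
    HISTORICAL = "historical"  # search records the data lake already holds
    REALTIME = "realtime"      # near-realtime tracking (the surveillance path)

@dataclass
class TaskingRequest:
    analyst: str
    category: str   # data category, e.g. "malware" or "pii"
    selector: str   # what the analyst asks about, e.g. a domain or actor name
    mode: Mode

@dataclass
class TaskingSystem:
    policy: dict       # hypothetical access policy: analyst -> allowed categories
    data_lake: dict    # hypothetical data lake: category -> selectors already held
    tickets: dict = field(default_factory=dict)    # (category, selector) -> ticket id
    alert_rules: set = field(default_factory=set)  # (category, selector) being tracked

    def submit(self, req: TaskingRequest) -> dict:
        key = (req.category, req.selector)
        # 1. Review step: block requests outside the analyst's allowed scope.
        if req.category not in self.policy.get(req.analyst, set()):
            return {"status": "denied", "reason": "category not permitted"}
        # 2. Near-realtime requests become tracking rules instead of lookups.
        if req.mode is Mode.REALTIME:
            self.alert_rules.add(key)
            return {"status": "tracking", "rule": key}
        # 3. Historical request: serve it if the data lake already holds it.
        if req.selector in self.data_lake.get(req.category, set()):
            return {"status": "served", "record": key}
        # 4. Otherwise task the collectors, reusing any open identical ticket.
        if key not in self.tickets:
            self.tickets[key] = f"COL-{len(self.tickets) + 1}"
            return {"status": "collection_opened", "ticket": self.tickets[key]}
        return {"status": "pending", "ticket": self.tickets[key]}

def demo() -> list:
    # Constructed sample policy and data lake for the walkthrough.
    system = TaskingSystem(policy={"alice": {"malware"}, "bob": {"malware", "pii"}},
                           data_lake={"malware": {"evil.example"}})
    return [
        system.submit(TaskingRequest("alice", "pii", "+1555", Mode.HISTORICAL)),
        system.submit(TaskingRequest("alice", "malware", "evil.example", Mode.HISTORICAL)),
        system.submit(TaskingRequest("alice", "malware", "new.example", Mode.HISTORICAL)),
        system.submit(TaskingRequest("bob", "malware", "new.example", Mode.HISTORICAL)),
        system.submit(TaskingRequest("bob", "malware", "new.example", Mode.REALTIME)),
    ]
```

Bob’s historical request for new.example is answered with the ticket Alice already opened, which is the deduplication point from the list above.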

Written by xorl

February 1, 2021 at 15:50

Passive collection of satellite traffic for threat intelligence


At Black Hat USA 2020 there was an interesting talk, Whispers Among the Stars: A Practical Look at Perpetrating (and Preventing) Satellite Eavesdropping Attacks, which touched on a cyber intelligence collection method that became popular in the early 2010s.

In October 2020 I published an educational video showing how DFS, Japan’s military signals intelligence agency, was taking its first steps in exactly this space. That is, using traditional SIGINT (eavesdropping on satellite broadcasts) to detect cyber threats. Japan’s DFS did this in close collaboration with the NSA, since their satellite SIGINT stations were operated jointly by both agencies. I published that video because it was a unique opportunity to see the early stages (in 2011-2013) of a SIGINT agency using its skillset and resources to adapt to the rising domain of cyber threats. This is a photo of the MALLARD station in Japan, which was (is?) jointly operated by DFS and the NSA for satellite SIGINT collection.



The following slide (from my reconstruction of the slide deck) shows the process DFS was following to take advantage of this new intelligence source. To simplify this for the average reader: think of J6 as your cybersecurity department, DFS as your threat intelligence team(s), CIRO as the leadership of your threat intelligence team(s), MOD as your company’s leadership, and SIGINT collection as eavesdropping on internet traffic from satellites that are broadcasting it back to earth.



Some of the challenges DFS faced back then were not knowing which communication satellites/frequencies/channels to monitor (the NSA was helping by providing details on that), and also that handling the amount of broadcast data in near real-time meant their processing and storage requirements skyrocketed. Nowadays, another challenge would be that some parts of the internet (like web traffic) are mostly encrypted, but this Black Hat USA talk surfaced an interesting question that I’m sure threat intelligence companies will be considering: why not replicate in the private sector what signals intelligence agencies have been doing for more than a decade now?

By that I mean monitoring/receiving satellite broadcasts (AKA passive SIGINT collection) and looking for indicators and warnings of cyber operations – e.g. C2 traffic, spear-phishing campaigns, exploitation of certain vulnerabilities, etc. This brings a ton of ethical and legal considerations, such as: Is it illegal if you are just “listening”? Most email traffic is still unencrypted, so is it the same as people talking in public? What happens if you start processing sensitive personal information? etc.

On the technical side, there are also some interesting challenges and opportunities, such as: Would there be a need for a private sector XKeyscore-like utility for “selectors”, or will industry-standard technologies like Sigma rules and YARA cover those needs? Also, some cloud providers now offer satellite ground stations as a service. Does this mean that setting up a global SIGINT collection network is now trivial, or is there still a need for company-owned resources?

In any case… I find it interesting that the private sector is catching up on this and I’m very curious to see what this is going to bring in the threat intelligence industry.

Written by xorl

January 26, 2021 at 12:36

On attribution: APT28, APT29…Turla: No, they are NOT the same


Earlier today someone forwarded me (outside of work) a threat intelligence “report” – quotes because it was far from being a finished product – that recommended that people impacted by one of those three nation-state actors should be told “Russia is targeting your organization”. I found this assessment dangerously wrong and inaccurate, so let me explain why; maybe this post will help others avoid similar oversimplifications.

I cannot reference classified attribution intelligence products, but one of the most reputable public sources is Välisluureamet, Estonia’s foreign intelligence service. In Välisluureamet’s 2018 unclassified report they attributed those groups to specific organizations within the Russian Federation government. So let’s assume that this is accurate for the sake of this blog post.



Why is it dangerously wrong to communicate that getting targeted by APT28, APT29 or Turla is “Russia targeting you” rather than the specific actors? Simply because they are significantly different organizations, with different modus operandi, different objectives, and different TTPs. This means that your threat model will be entirely different if you want to be protected against APT28 versus Turla or APT29. To be more precise…

APT28 (GRU’s 6th Directorate/Military Intelligence)
A military intelligence agency is usually after intelligence of military value. Specifically, this agency has shown that it is one of the most active actors in cyber, with massive resources but not extremely sophisticated. Of course, when there are big geopolitical events, military research, investigations into Russian military activities, or military exercises, they will be around, and they will be after any connected systems that can get them military intelligence that could benefit the Russian Federation and its allies. They have been seen using all intelligence disciplines without any noticeable preference for cyber over other means of collection.

APT29 (SVR/Foreign Intelligence)
This is Russia’s equivalent of the CIA and, just like the CIA, their cyber operations are typically more targeted and less about bulk collection. On numerous occasions they have been seen conducting close access operations, and their objectives are typically related to political and economic information. For example, finding dirt to recruit someone as an SVR agent, or finding out the details of a commercial agreement or research that could benefit the Russian state or its allies. They are less in the SIGINT and more in the HUMINT space, so they are more likely to recruit an insider to get them what they want than to perform an extremely sophisticated cyber operation.

Turla (FSB’s 16th Center/Signals Intelligence)
Turla is the equivalent of the NSA’s Signals Intelligence Directorate (SID) and, because of that, they are one of the most sophisticated cyber actors out there, operating at a level similar to that of the NSA, including bulk collection. This means that they collect intelligence for a variety of agencies, both for Russia and for Russia’s allies under various agreements. So their target space is massive and they are the most advanced cyber operators of the Russian government. They have a massive organization and their sole purpose is SIGINT. So if you are targeted by Turla, expect some very advanced and complex cyber operations. Also, being targeted by Turla doesn’t necessarily mean Russia is targeting you; they could be executing an intelligence collection agreement for an ally of Russia that doesn’t have such cyber intelligence collection capabilities, similarly to what the NSA’s SID and other large SIGINT agencies do.

And this is why oversimplifying in a threat intelligence product, treating any of the above actors as simply “Russia is after you”, is dangerous for the cyber security departments/customers that have to develop defensive controls to protect their assets.

If you are unsure about the attribution, it’s better not to attribute at all until you have sufficient evidence, and instead focus on the lower-level indicators and warnings you can share to help defenders take action: for example, what you observed in terms of TTPs or even IOCs. It’s better to share high-confidence intelligence than “it’s the Russians”, which has zero practical application for developing protections without more context to help understand the motivations and intentions.

The same applies if you are a briefer delivering those threat intelligence products: choose your words wisely. Finally, do not forget that some of those agencies collaborate on certain projects, including sharing some software tools, libraries and TTPs (typically through lessons-learned sessions and internal policies).

Hopefully that clears it out…

Written by xorl

January 25, 2021 at 10:59

DeepINTEL 2020


On 18 November 2020 I got the opportunity to present at DeepINTEL. This is an Austria-based TLP:AMBER conference on intelligence. Because of that I cannot say much about it, but I’ll try to share some insights without exposing any sensitive information.

At DeepINTEL 2020 my presentation was about GEOINT, based on some cases I worked on throughout 2020 while supporting a few investigative groups and organizations outside of my professional career. In addition, over the last 3 years I have completed several GEOINT trainings and certifications. So in that presentation I shared some real-world examples and practical techniques for GEOINT analysts. However, it was a TLP:AMBER talk, so I cannot share anything else in a public blog post.



This was my first time presenting at DeepINTEL and I was positively surprised by the level of professionalism, the skill level of the participants, and that rare atmosphere of active participation. DeepINTEL didn’t have a large audience or dozens of tracks with talks, but everyone was actively participating with the goal of knowledge sharing in a quite open discussion. The organizers went to great lengths to ensure the privacy of everyone involved, and that was also reflected in all the participants.

If you are looking for a high-quality conference about intelligence that feels more like a community gathering than an industry event, then you’ll love this one. Personally, I cannot wait for the next one! :)

Written by xorl

January 21, 2021 at 11:57

Example of SIGINT-enabled cyber attribution from the NSA


DISCLAIMER: Just to be clear, the following do not represent my employer. Also, I’m not a lawyer. Check the legislation on your own. I have personal experience doing what I suggest here since I regularly volunteer for such investigations in the private and public sector, so I’m not making a hypothetical recommendation.

The aim of this blog post is to demonstrate, with a real practical example, how traditional SIGINT enables threat actor attribution, and also to inspire cyber threat intelligence analysts to expand their scope beyond cyber when working on threat actor attribution.

In September 2020 I published an educational video on the NSA analysis of the 2016 GRU phishing campaign, which was leaked to the press by former NSA contractor employee Reality Winner. It’s a particularly educational slide deck for intelligence analysts and it revealed some of the NSA’s tradecraft too.



Some of the digital artefacts that assisted in the attribution were:

  • The phone number used for the GMail account belonged to a GRU officer
  • The GMail was used to send an email to a personal account of a GRU officer
  • Connection of the GRU officers to the operations box, and from there to GMail

You might think: that’s great, but I don’t have access to such traditional SIGINT sources (like mobile operator databases, access to the adversary’s GMail accounts, or packet capture at ISP level). I kind of disagree, and here is why…

Phone numbers
If you collect and maintain a searchable database of leaked (thus OSINT) phone numbers, government databases, etc., there is a relatively good chance that you can perform similar correlations without having near-realtime SIGINT from telcos.

GMail use & operations box access
If you are working on an investigation with law enforcement, it is very likely that, if you can provide them with evidence that an email account or a hosted server was used for malicious activities, they can get a search warrant, collect digital forensic evidence, and give you access to some details (such as the IPs that connected there, or emails in the account) to assist your threat research. Of course, if you are an email service or hosting provider, that’s standard operating procedure, but this applies to only a small part of the industry.

To summarize… Do not limit yourself to cyber sources when working in threat intelligence. Work towards an all-source intelligence approach. You might not have access to SIGINT, but you might have access to OSINT, HUMINT or other intelligence disciplines that can increase your confidence level in threat actor attribution. Any time you wonder which intelligence sources to use, remember the following from DNI’s ICD 203:

Based on All Available Sources of Intelligence: Analysis should be informed by all relevant information that is available to the analytic element. Where critical gaps exist, analytic elements should work with collectors to develop appropriate collection, dissemination, and access strategies.

Written by xorl

January 20, 2021 at 12:41