Analytic techniques and cybersecurity

By our experts

The NCSC continuously monitors cyber threats, among other things by deploying technical assets such as the National Detection Network (NDN). [1] We also use structured analytic techniques (SATs) to map and get a grip on cybersecurity issues. In this expert blog, I discuss these analytic techniques, how we use them and what value they add to cybersecurity.

Bart van den Berg is a Senior Threat Analyst for the NCSC

Cyber Threat Intelligence (CTI) is a young field that is evolving rapidly. The National Detection Network (NDN), an important NCSC asset for mapping and getting a grip on cyber threats, was established a little over ten years ago. And the well-known APT1 report, in which Mandiant describes the activities of a Chinese state actor, was published as recently as 2013.

In recent years, CTI has become a large industry with a variety of technical methods to map digital threats. Threat Intelligence Platforms allow organisations to exchange threat information quickly. A lot of threat information is also commercially available. Organisations can pay to gain access to a large quantity of technical information on cybersecurity threats, such as Indicators of Compromise (IOCs).

However, CTI is about much more than just technical threat information. It also focuses on understanding and establishing the context of cybersecurity threats. What attack methods should concern us? How are these impacted by upcoming technologies and geopolitical escalations? And to what cybersecurity risks does this give rise?

Structured analytic techniques are mostly derived from the traditional intelligence and security domain, where they were developed to gain insight into a wide range of security-related issues. [4] This presents opportunities, since they are not yet being used on a large scale in the cybersecurity community.

Lessons from a different discipline

I myself first encountered structured analytic techniques in my officer training at the Department of Defence. These analytic techniques are a central consideration in planning military operations. The planning is executed step-by-step by a military staff, registering interim results in detail.

An error in an interim analysis, such as a mistaken assessment of a river’s fordability, can have enormous consequences, causing an infantry fighting vehicle to get stuck in the river due to its slippery stream bed, for instance. This is not a pleasant surprise, especially if the crew of the recovery vehicle that drags you out takes their time laughing at you and wondering out loud how you assessed that river so very wrong.

The infantry fighting vehicle would not have gotten stuck if analyses had been conducted prior to the operation according to a traceable process. An incorrect action was taken because a step, i.e. the analysis of a specific part of the terrain, was forgotten. A devil’s advocate would have been able to ask probing questions about assumptions, such as whether the river was indeed fordable.

Joint analysis

The NCSC devotes a lot of attention to developing and using analytic techniques to enhance the quality of our analyses. This stands in stark contrast to analyses performed by a single expert that depend heavily on personal insight and intuition. Furthermore, by using tried and tested methods, we can also conduct analyses faster and in collaboration with partner organisations.

Our publication Four cybersecurity lessons from one year of war in Ukraine, for instance, is based on the knowledge and expertise of cybersecurity experts at different government organisations. We used the analytic technique called cluster brainstorming to achieve this. Organisations participating in a joint analysis have access to unique perspectives and insights with regard to any issue. The eventual effect? A richer and better analysis.

Examples

We use different analytic techniques depending on the issue at hand. There are hundreds of techniques that may be valuable in analysing an issue. Many of them have been described in English-language literature. This year, Willemijn Aerdts and Ludo Block at Leiden University published a manual in Dutch. We use some of the techniques described in these books in the field of cybersecurity, such as:

  • We use cluster brainstorming to map different facets of an issue. This is an imaginative technique that, in the end, contributes to improving awareness of different perspectives of a problem. We applied this technique to create the Four cyber security lessons from one year of war in Ukraine, for instance.
  • The key assumptions check, or devil’s advocacy, allows us to check whether the facts and assumptions on which the analysis is based are accurate. Prior to a publication, we ask each other critical questions as to whether the assumptions are correct. Sometimes devil’s advocacy leaves us unsure about statements on malware made by an external party. In such cases, we decide to investigate the malware ourselves to confirm or refute that external party’s statements.
  • Indicators and triggering events help us paint a picture of how threats may change over time. We know, for instance, that rising social tension has an impact on hacktivism. By analysing this in advance, we gain insight into cause and effect relationships that have an impact on the threat landscape.
  • Developing scenarios allows us to take a complex and uncertain situation into account in the event of a crisis. We developed scenarios, for example, on how an invasion will affect the digital threat landscape of Dutch organisations well before the Russian invasion of Ukraine. We discuss these in the second season of the Enter podcast.
  • A paired comparison allows us to create a hierarchical structure for a range of cybersecurity threats and risks, for instance. We do this by comparing the items on a list of threats or risks pairwise, to determine which ones have the highest potential impact or probability relative to one another.
  • A probability assessment enables us to estimate the probability that an event will occur within a specific timeframe. This is a structured analytic technique in which multiple analysts consider different facts and assumptions to come to a well-founded assessment.
  • We can also look at the drivers behind different cyber threats, for instance technological, social or political developments that have an impact on the threat landscape. The quantum computer, for instance, can be a technological driver of change in the cybersecurity landscape. We follow this development closely and, on this basis, are able to make statements about the longer-term outlook.
  • Some analytic techniques were developed specifically for cybersecurity purposes. The cybersecurity community is more familiar with these techniques. In 2021, Noortje Henrichs described several CTI analysis methods that are commonly used within the NCSC. These include the Diamond model, Cyber Kill Chain, Pyramid of Pain, VERIS framework, and MITRE ATT&CK framework.
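The paired comparison and the multi-analyst probability assessment described above can be carried out in code, which also makes the result traceable. The following is an added example, not part of the original post or any NCSC tooling: several hypothetical analysts each record pairwise impact judgements over a constructed list of threats; their judgements are scored, aggregated into a ranking, and checked for intransitive cycles (A over B, B over C, C over A), which are exactly the inconsistencies a key assumptions check should pick up.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample: threat categories to rank by potential impact.
THREATS = ["ransomware", "supply-chain compromise", "DDoS by hacktivists", "credential phishing"]

def _key(threats, a, b):
    # Pairs are stored in list order so that (a, b) and (b, a) hit the same entry.
    return (a, b) if threats.index(a) < threats.index(b) else (b, a)

def paired_comparison_scores(threats, judgements):
    """Count, per threat, how many pairwise comparisons it won for one analyst.
    judgements maps each pair (in list order) to the threat judged higher."""
    scores = {t: 0 for t in threats}
    for a, b in combinations(threats, 2):
        winner = judgements[(a, b)]
        if winner not in (a, b):
            raise ValueError(f"judgement for {(a, b)} names a third item: {winner}")
        scores[winner] += 1
    return scores

def aggregate_ranking(threats, analysts):
    """Sum pairwise wins over all analysts; return [(threat, total)] best first."""
    total = defaultdict(int)
    for judgements in analysts.values():
        for t, s in paired_comparison_scores(threats, judgements).items():
            total[t] += s
    return sorted(total.items(), key=lambda kv: (-kv[1], kv[0]))

def intransitive_triples(threats, judgements):
    """Return triples (a, b, c) where one analyst's judgements form a cycle."""
    def beats(x, y):
        return judgements[_key(threats, x, y)] == x
    return [
        (a, b, c) for a, b, c in combinations(threats, 3)
        if (beats(a, b) and beats(b, c) and beats(c, a))
        or (beats(b, a) and beats(c, b) and beats(a, c))
    ]

# Constructed judgements from three hypothetical analysts (R, S, D, P = the list above).
R, S, D, P = THREATS
ANALYSTS = {
    "analyst_1": {(R, S): R, (R, D): R, (R, P): R, (S, D): S, (S, P): S, (D, P): P},
    "analyst_2": {(R, S): S, (R, D): R, (R, P): R, (S, D): S, (S, P): S, (D, P): P},
    # analyst_3 judges R > S, S > P but P > R: an inconsistency worth a discussion.
    "analyst_3": {(R, S): R, (R, D): R, (R, P): P, (S, D): S, (S, P): S, (D, P): P},
}

if __name__ == "__main__":
    print(aggregate_ranking(THREATS, ANALYSTS))
    for name, j in ANALYSTS.items():
        print(name, "cycles:", intransitive_triples(THREATS, j))
```

A tie in the aggregate ranking (as between the first two threats here) is itself a useful signal: it tells the group where the assessment is least settled.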

Prognosis

Structured analytic techniques can help map and gain insight into cybersecurity threats and risks. There are opportunities to enrich and check analyses with a structured analytical process, particularly in the field of CTI, where large data volumes are available. This requires knowledge of analytic techniques rather than expensive tooling.

Qualitative and quantitative analytic techniques are mutually reinforcing. An indicator identified for a scenario, for instance, can be enriched with up-to-date data from sensors. This results in a rich and up-to-date map that can help organisations make well-informed decisions.

The NCSC wishes to contribute to the further implementation of structured analytic techniques in cybersecurity. We will publish more articles on our experiences in the coming months. Would you prefer not to wait for that? The following publications may already inspire and help you implement structured analytic techniques in your organisation:

Written by:
Bart van den Berg
Senior Threat Analyst
