MM-ISAC News

The Hermeneutics of Cyber Threat Intelligence Part 1: Tactical Briefings

MM-ISAC team

This article is the first of a series on how centuries-old techniques of interpretation, collectively known as hermeneutics, can be used to turn raw information into finished intelligence, to develop and mature cybersecurity strategies, and to deliver tactical briefings.

I was in Vegas for a conference recently, and I took my son to a Cirque Show. We got great seats right up front on the corner of the aisle. However, these seats came with a few guidelines and warnings. The first was a quick safety brief from the first usher. They told us we would need to keep our feet tucked in and be careful not to trip or touch the performers. 

After we made it to our seats, a second usher came by to brief us. She told us there would be a lot of action, yelling, screaming, and martial arts, and that it can be startling if you don’t know what to expect. Then, a couple of minutes later, a third usher greeted us and showed us exactly where people would be coming through the door. They pointed to the floor in front of us and the edge of the stage where a lot of the action would be happening, concluding with a friendly “Enjoy the show.” This short encounter demonstrates all the elements of a great tactical briefing. They kept it short and delivered it in easily consumable chunks. Each message built on the last, giving us everything we needed to keep the performers safe and to let the audience members in those seats prepare mentally to enjoy the show.

In this article, I will walk you through the steps to use hermeneutics as a framework for interpreting text to create finished intelligence in the form of a tactical briefing.

Great threat intelligence is the right information, in a suitable format, that people can use to prevent and detect attacks and to build a more resilient cybersecurity strategy. Threat intelligence guides strategic decision-making, and decisions can only be as good as the information available. The right tools and software are essential to collecting, organizing, and curating the information used in intelligence. However, we must exercise caution in our use of AI in cyber threat intelligence. Over-reliance on AI carries risks and unintended consequences, especially when it is used to create finished intelligence products. One of the primary principles of CTI is that a human brain must analyze threat intelligence.

What is Hermeneutics?

Traditionally, Hermeneutics is the study and methodology of interpreting religious texts in the context of the historical period and the choice of words used in the original texts. Modern Hermeneutics expands to include nonverbal communication, such as signs and symbols, contextualized with assumed knowledge of the author and intended audience. Hermeneutics is a framework for interpretation that seeks to gain deeper insight into the people who wrote the text and its intended purpose. Cyber threat intelligence is a 21st-century application of modern hermeneutics.

Contextualizing Written Communications

This is an exercise in reading between the lines and understanding tone, intent, and context. We humans naturally don’t take words at face value. The text can be anything written: websites, news articles, social media posts, emails, dark web forums, Telegram channels, or ransom notes. Written communication is incomplete, so we contextualize it to the situation and bring our own emotions, thoughts, knowledge, and experiences to it.

Considering the Source

  • Dark web forums
  • Telegram channels
  • Social media posts
  • Cybersecurity research blogs

Which of the above would you say has the most reliable information? Well, it depends. Each text must be analyzed on its own merit to determine its reliability and a confidence level. The source, and the reputation of its author or publisher, can give clues about reliability. However, threat intelligence is tricky, which is why researchers investigate, look for corroborating sources, clues, or evidence, or log the information in case something more concrete comes up later.

We often mistakenly visualize reading as a linear process like this:

Figure 1: A Linear Process

However, reading for understanding often requires revisiting the original text after:

  • Challenging bias
  • Being provided with new information or context
  • Trying to understand from a different point of view

If the process were linear, you would not be able to change your mind when presented with new information. Human brains process information in a circular fashion, revisiting the original text with fresh eyes and with information that was not available at the initial reading. The Hermeneutic Circle represents this process.

As an aside, while the human brain performs this recursive process well, artificial intelligence struggles with it. AI applies the linear process above, which is why it is ill-suited to producing threat intelligence reports.

Figure 2: The Hermeneutic Circle
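The source-weighing and corroboration described under "Considering the Source", and the re-reading loop of the Hermeneutic Circle, can be made concrete as a small claim ledger. The following is an added example written for this article, not MM-ISAC's own code or tooling. The starting weights per source category, the claim text, and the source names are all constructed for the example; the combination rule (noisy-OR over independent sources) is an assumption chosen so that a source repeating itself never raises confidence. The point the code makes is structural: the original reports are kept, so when new context changes how a source is weighed, every assessment is re-derived from the texts rather than patched in place.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed starting weights for source categories (an assumption for this example, not
# figures from the article). Each text must still be judged on its own merit, so these are
# only priors that corroboration and re-reading later adjust.
SOURCE_PRIOR = {
    "dark_web_forum": 0.30,
    "telegram_channel": 0.30,
    "social_media": 0.20,
    "research_blog": 0.70,
}


@dataclass(frozen=True)
class Report:
    """One text we read: where it came from and the claim extracted from it."""
    source_type: str
    source_name: str
    claim: str


@dataclass
class Assessment:
    claim: str
    confidence: float
    supporting: list[str] = field(default_factory=list)
    notes: list[str] = field(default_factory=list)


class ClaimLedger:
    def __init__(self, priors: dict[str, float] = SOURCE_PRIOR):
        self.priors = dict(priors)
        self.overrides: dict[str, float] = {}    # per-source weights learned later
        self.reports: list[Report] = []          # originals are kept so they can be re-read
        self.assessments: dict[str, Assessment] = {}

    def _weight(self, report: Report) -> float:
        return self.overrides.get(report.source_name,
                                  self.priors.get(report.source_type, 0.0))

    def _interpret(self, report: Report) -> Assessment:
        weight = self._weight(report)
        a = self.assessments.get(report.claim)
        if a is None:
            a = Assessment(report.claim, weight, [report.source_name],
                           [f"first seen via {report.source_name} ({weight:.2f})"])
            self.assessments[report.claim] = a
        elif report.source_name in a.supporting:
            a.notes.append(f"repeat from {report.source_name}: no change")
        elif weight <= 0.0:
            a.notes.append(f"{report.source_name} discounted: no change")
        else:
            # Independent corroboration combined as noisy-OR: two weak sources agreeing
            # raise confidence, but a single source repeating itself never does.
            before = a.confidence
            a.confidence = 1.0 - (1.0 - before) * (1.0 - weight)
            a.supporting.append(report.source_name)
            a.notes.append(f"corroborated by {report.source_name}: "
                           f"{before:.2f} -> {a.confidence:.2f}")
        return a

    def log(self, report: Report) -> Assessment:
        """Log a report as it arrives and interpret it against what is already known."""
        self.reports.append(report)
        return self._interpret(report)

    def reread(self, overrides: dict[str, float]) -> dict[str, Assessment]:
        """The hermeneutic circle: new context changes how a source is weighed, so go back
        to the original reports and re-derive every assessment instead of patching them."""
        self.overrides.update(overrides)
        self.assessments = {}
        for r in self.reports:
            self._interpret(r)
        return self.assessments

    def confidence(self, claim: str) -> float:
        a = self.assessments.get(claim)
        return a.confidence if a else 0.0


def demo() -> tuple[float, float]:
    """Constructed scenario: one claim surfaces in several places, then we learn more."""
    ledger = ClaimLedger()
    claim = "group X is now targeting the mining sector"   # constructed claim
    ledger.log(Report("dark_web_forum", "forum_post_1", claim))
    ledger.log(Report("dark_web_forum", "forum_post_1", claim))   # same post seen again
    ledger.log(Report("telegram_channel", "channel_a", claim))
    ledger.log(Report("research_blog", "vendor_blog_1", claim))
    first_reading = ledger.confidence(claim)
    # Later we learn channel_a only mirrors forum_post_1, so it is not independent.
    ledger.reread({"channel_a": 0.0})
    second_reading = ledger.confidence(claim)
    return first_reading, second_reading


if __name__ == "__main__":
    print(demo())
```

In the constructed scenario the first reading lands at about 0.85 and the re-reading, after the Telegram channel is recognised as a mirror rather than an independent source, drops to 0.79. The numbers themselves are not the lesson; the `notes` list on each assessment is, since it records how every revisit changed the reading and why.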

Assumed Knowledge and Presuppositions

Because context is key, assumed knowledge is pivotal. During every conversation or written communication, there is an assumption of knowledge, or in some cases, an assumption of lack of knowledge. During an incident, what can you assume the threat actor knows or doesn’t know, and what is the threat actor hoping that you don’t know?

One basic form of presupposition is the “if... then” statement, which developers will also recognize. However, interpreting text is different from running a program.

This excerpt is taken from a ransom note sample:

This is an IF – THEN statement, where the threat actor is communicating that:

IF you DO NOT cooperate, THEN:

  • They will publish or sell your data
  • They will continue to attack
  • They will attack your partners and supply chain
  • You will face legal action for the data breach

The implied message is that IF you DO cooperate, THEN:

  • They won’t publish or sell your data
  • They won’t re-attack you
  • They won’t attack your partners and supply chain
  • You won’t face legal action

This implied message is not true; it is a false presupposition. Financially motivated threat actors aim to make money by any means or opportunity presented to them. Let’s look at each one individually.

  • Data will be published or sold — This could be 6 months from now, but if a threat actor has your data and can make some money on it, it will likely be sold, and potentially published elsewhere.
  • Re-attacked — There is nothing to stop a threat actor who knows that you have already paid a ransom from attempting to re-attack your company.
  • Attack Partners and Supply Chain — Attackers are opportunistic, so it is unlikely that a ransom payment would encourage them to avoid attacking your partners or supply chain. If they can, they will.
  • Legal action — This one is out of the attacker’s control. In fact, legal issues arise regardless; the severity depends on factors within your control. Did you do your due diligence? How did you respond? Did you send the appropriate notifications to affected entities? Companies that choose to keep their incident secret, only for the breach to be discovered much later, are the ones that have legal issues to worry about.
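The gap between what the note says and what it wants you to infer is exactly the difference between a conditional and its inverse, and that can be checked mechanically. The following is an added example, not code from the article or from MM-ISAC: it enumerates every combination of "you cooperate" and "the threatened outcome happens" and asks which statements the note's own wording actually supports. The variable names (`cooperate`, `data_published`, and so on) are constructed for the example, and the check is generalised to each of the four threatened outcomes listed above.

```python
from itertools import product


def implies(p: bool, q: bool) -> bool:
    """Material conditional: 'if p then q' is false only when p holds and q fails."""
    return (not p) or q


def countermodels(premise, conclusion, names):
    """Every assignment of the named variables where the premise holds but the
    conclusion fails. An empty list means the premise entails the conclusion."""
    found = []
    for values in product([False, True], repeat=len(names)):
        world = dict(zip(names, values))
        if premise(world) and not conclusion(world):
            found.append(world)
    return found


def entails(premise, conclusion, names) -> bool:
    return not countermodels(premise, conclusion, names)


def check_note(outcome: str) -> dict:
    """Compare what the note states with what it wants you to infer, for one threatened
    outcome. The outcome variable name is constructed for this example."""
    names = ["cooperate", outcome]
    # Stated: IF you DO NOT cooperate THEN <outcome>
    stated = lambda w: implies(not w["cooperate"], w[outcome])
    # Implied reading (the inverse): IF you DO cooperate THEN NOT <outcome>
    inverse = lambda w: implies(w["cooperate"], not w[outcome])
    # Contrapositive: IF NOT <outcome> THEN you cooperated (this one does follow)
    contrapositive = lambda w: implies(not w[outcome], w["cooperate"])
    return {
        "inverse_entailed": entails(stated, inverse, names),
        "contrapositive_entailed": entails(stated, contrapositive, names),
        # The worlds the note's wording leaves open: you cooperate and it happens anyway
        "cooperated_and_still_harmed": countermodels(stated, inverse, names),
    }


def check_all(outcomes=("data_published", "reattacked",
                        "partners_attacked", "legal_action")) -> dict:
    """Run the same check for each consequence threatened in the note."""
    return {o: check_note(o) for o in outcomes}


if __name__ == "__main__":
    for outcome, result in check_all().items():
        print(outcome, result)
```

For every outcome the result is the same: the contrapositive is entailed, the inverse is not, and the single world the note leaves open is the one where you cooperate and the harm happens anyway. That open world is the reader's own knowledge of financially motivated actors filling in what the text does not say, which is the hermeneutic point of the section.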

Putting it all together – Using intelligence to deliver a tactical briefing

The first step is to understand your overall objective. What is the clear message you wish to deliver? What information does the team need to know? And what is the most effective method of getting this information across?

Using the Cirque story as an example of a well-done tactical brief, follow these few guidelines:

  1. Keep it short. Only give the information necessary.
  2. Break it down into easily consumable chunks.
  3. Have one cohesive message.

For a company in the initial stages of an incident response, the objective would be to maintain as much control over the situation as possible without giving up any more control than the threat actor has already taken.

Open by drawing the team’s attention back to the ransom note and explain the message the threat actor is hoping you will believe. Follow up with the technical aspects: the investigation will uncover your vulnerabilities, and controls will be put in place to ensure the attackers cannot get in the same way again. You will draw on the experience of others who have faced similar attacks by reaching out to your ISAC. Conclude with the importance of good and timely communication to inform your partners and stakeholders and to avoid unnecessary legal issues later. Then leave them with the call to action: “Now, let’s take back control.”

If you would like to read more about applying hermeneutics to create finished intelligence for use in your organization, please stay tuned for part 2.