Threat Intelligence Lessons from Paris Attacks
Actionable Intelligence Requires More Than Just Sharing Data
The unfolding investigation into the Nov. 13 Paris attacks carries lessons for any organization or agency that is attempting to share threat-related information. As anyone who's ever dabbled in big data knows, simply amassing information doesn't do any good. Instead, that data must be turned into actionable intelligence to answer the question: "What do we need to do next?"
"We all have finite resources that we can use," information security consultant Brian Honan told me in an interview at a recent cybercrime conference in Dublin (see Irish Cybercrime Conference Targets Top Threats). "We can't respond to every individual snippet of information - every rumor, every shred."
Such constraints have long been true in the information security realm. "If you go back and check your firewall logs, you can't respond to every port scan, even though a port scan could be attackers looking to scan your firewall to see what ports are open and then launch an attack," says Honan, who's also a cybersecurity adviser to the association of European police agencies known as Europol. "You just don't have the capabilities to do that."
Enter the concept of information sharing, which posits that by sharing data on threats, organizations can better learn from how they're each being attacked and defend themselves. But the difficulty of transforming data into intelligence shouldn't be underestimated. And, of course, this isn't a problem restricted to just information security circles.
Paris Attack Parallels
The latest news from the investigation into the Paris attacks, for example, is that French law enforcement agencies failed to act on crucial information relating to the suspected attackers that was provided by the Iraqi and Turkish governments. Likewise, French officials apparently failed to connect the dots on a crucial piece of family-related information that might have helped them to arrest Abdelhamid Abaaoud, a known Islamic State operative who's the suspected mastermind behind the terror spree that killed 130 people.
Abaaoud was the cousin of Hasna Aït Boulahcen, who was already being tracked - and her phone tapped - by law enforcement agencies as part of an unrelated drug-trafficking investigation, The Wall Street Journal reports. But French officials didn't glean that the two individuals were related until days after the Nov. 13 attacks, when Morocco shared that crucial piece of information, thus allowing them to trace Abaaoud back to Boulahcen's apartment. Both suspects - together with an unidentified third person - were killed after a two-hour gun battle with police on Nov. 18.
Better intelligence sharing, of course, might have helped prevent the attacks, although security experts say EU countries are notoriously bad at sharing, due to fears over leaks.
Last year, however, Europol began attempting to position itself as a clearinghouse not just for cybercrime-related information, but also for counterterrorism-related information, Honan says. On Nov. 19, meanwhile, many members of the European Parliament called for much greater information sharing between EU intelligence agencies.
Sharing such information, however, is no panacea. On Nov. 17, for example, German chancellor Angela Merkel was due to attend an international soccer match in Hanover, Germany. But officials called off the match 90 minutes before kickoff after French intelligence warned of a plot to explode five bombs, including three in the stadium during the game, according to German newspaper Frankfurter Allgemeine Sonntagszeitung.
As the Guardian notes, however, German state broadcaster ZDF contradicted that report, citing German intelligence sources who said that the country's intelligence agencies receive tip-offs about five- to seven-person terrorist cells "almost weekly," and suggesting that the supposed terror plot - ascribed to a German citizen named only as "Abdul F." in media reports - might not be real. In the wake of the Paris attacks, however, EU intelligence agencies are reportedly taking such reports more seriously, despite not yet being given any additional resources.
Corporate information security programs face similar challenges. "We're talking about information sharing, but I think it's more intelligence sharing - where information actually has context on it, so that people can understand what the importance of the information is, what is the criticality of it," Honan says. "Why is it important and why should they act on it, and indeed, what should they do to act on it?"
But too many supposed information sharing products and services aren't adding that necessary context, Honan contends. "There's always been a fashion du jour in infosec, and the current one is information sharing," Honan says. "But when you look at these solutions, you say: 'What is the context of that information and can you action that information?' There's no point in having lots and lots more information if it doesn't make your security program more effective."
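Two of Honan's points above are concrete enough to show in code: a firewall log full of port probes that nobody can chase one by one, and a shared indicator feed that is only useful once it carries context (confidence, relevance, a recommended action, freshness) and is matched against what is actually happening in your own environment. The script below is an added example, not code from the article or from any product it mentions. The log format, the indicator fields, the scoring weights and the use of 203.0.113.0/24 as "our network" are all constructed assumptions; the point is the shape of the pipeline (collapse raw events, attach context, rank) rather than the particular numbers.

```python
"""Added example, not from the article: turn raw firewall events plus a shared
indicator feed into a short, ranked list of next steps. The log format, the
indicator fields, the scoring weights and the 203.0.113.0/24 "our network"
prefix are all constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

OUR_PREFIX = "203.0.113."  # assumed: the addresses we own

# Constructed firewall log lines in an assumed syslog-like format.
FIREWALL_LOG = """\
2015-11-20T10:00:01Z DENY src=198.51.100.7 dst=203.0.113.10 dport=22
2015-11-20T10:00:02Z DENY src=198.51.100.7 dst=203.0.113.10 dport=23
2015-11-20T10:00:02Z DENY src=198.51.100.7 dst=203.0.113.10 dport=80
2015-11-20T10:00:03Z DENY src=198.51.100.7 dst=203.0.113.10 dport=443
2015-11-20T10:00:04Z DENY src=198.51.100.7 dst=203.0.113.10 dport=3389
2015-11-20T10:05:00Z DENY src=192.0.2.44 dst=203.0.113.10 dport=445
2015-11-20T10:07:00Z DENY src=192.0.2.44 dst=203.0.113.10 dport=445
2015-11-20T11:30:00Z ALLOW src=203.0.113.10 dst=192.0.2.99 dport=443
"""

# Constructed "shared" indicators carrying the context Honan asks for: how
# confident the source is, why it matters, what to do, and how fresh it is.
SHARED_INDICATORS = [
    {"ip": "192.0.2.44", "confidence": 90, "age_days": 2,
     "relevance": "SMB scanning against our sector", "recommended_action": "block at perimeter"},
    {"ip": "192.0.2.99", "confidence": 40, "age_days": 120,
     "relevance": "generic botnet controller", "recommended_action": "review outbound sessions"},
    {"ip": "198.51.100.200", "confidence": 80, "age_days": 10,
     "relevance": "phishing host", "recommended_action": "block in web proxy"},
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
                    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def parse_log(text):
    """Parse the assumed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            e["dport"] = int(e["dport"])
            events.append(e)
    return events


def detect_port_scans(events, window=timedelta(seconds=60), min_ports=5):
    """Collapse many per-port denies into one finding per scanning source.
    One probe is noise; many distinct ports from one source inside the window
    is a pattern. Returns {src_ip: set_of_ports_probed}."""
    by_src = defaultdict(list)
    for e in events:
        if e["action"] == "DENY" and not e["src"].startswith(OUR_PREFIX):
            by_src[e["src"]].append(e)
    scans = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):  # sliding time window over this source's denies
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {e["dport"] for e in evs[start:end + 1]}
            if len(ports) >= min_ports:
                scans[src] = scans.get(src, set()) | ports
    return scans


def priority(score):
    return "act now" if score >= 100 else "investigate" if score >= 50 else "monitor"


def triage(events, indicators, scans):
    """Attach local context to each indicator and scan, then rank by score."""
    seen = defaultdict(set)  # external ip -> {(direction, action)} observed locally
    for e in events:
        if e["src"].startswith(OUR_PREFIX):
            seen[e["dst"]].add(("outbound", e["action"]))
        else:
            seen[e["src"]].add(("inbound", e["action"]))
    findings = []
    for ind in indicators:
        obs, score = seen.get(ind["ip"], set()), ind["confidence"]
        if ("outbound", "ALLOW") in obs:
            score += 50   # we connected to it: possible compromise, not just noise
        elif obs:
            score += 20   # it reached us and was denied
        else:
            score -= 40   # never seen here, so not our problem yet
        if ind["age_days"] > 90:
            score -= 20   # stale indicator
        findings.append({"ip": ind["ip"], "score": score, "priority": priority(score),
                         "why": ind["relevance"], "next_step": ind["recommended_action"]})
    known = {i["ip"] for i in indicators}
    for src, ports in scans.items():
        if src not in known:  # a bare scan with no shared context stays low priority
            score = 10 + 5 * len(ports)
            findings.append({"ip": src, "score": score, "priority": priority(score),
                             "why": f"probed {len(ports)} ports", "next_step": "log; escalate only if repeated"})
    return sorted(findings, key=lambda f: (-f["score"], f["ip"]))


if __name__ == "__main__":
    evs = parse_log(FIREWALL_LOG)
    for f in triage(evs, SHARED_INDICATORS, detect_port_scans(evs)):
        print(f"{f['priority']:<12} {f['ip']:<16} {f['score']:>4}  {f['why']} -> {f['next_step']}")
```

Run as-is, the five individual probes from 198.51.100.7 become a single "monitor" finding rather than five alerts, the high-confidence indicator that actually hit the perimeter lands at the top as "act now" with its recommended action attached, the stale low-confidence indicator our own host connected out to becomes an "investigate" item, and the indicator never seen locally is parked. That ordering is the difference between a feed and intelligence: the same list of addresses, but now each entry answers "why does this matter to us and what do we do next."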