What is counterintelligence?
Counterintelligence (CI) is the information gathered and actions taken to identify and protect against an adversary's intelligence collection activities, or against attempts to cause harm through sabotage or other actions. Cyber counterintelligence (CCI) is an emerging field that focuses on actively gathering information about electronic threat actors, their methods and techniques, and responding to those threats.
What is cyber counterintelligence?
Cyber counterintelligence is the combination of traditional counterintelligence principles and modern cybersecurity practices.
Counterintelligence
In the U.S., the National Institute of Standards and Technology (NIST) defines counterintelligence as: "Information gathered and activities conducted to identify, deceive, exploit, disrupt, or protect against espionage, other intelligence activities, sabotage, or assassinations conducted for or on behalf of foreign powers, organizations, or persons, or their agents, or international terrorist organizations or activities."
CI is often associated with intelligence agencies, government organizations or the military, but businesses also benefit from including CI in their approach to security. The principles of CI have been established over centuries of adversarial relations between competing parties, and the fundamental truth that "knowledge is power" is at their core. Gaining knowledge of an adversary through research and espionage denies them the advantage of surprise; limiting the information available to an attacker, or feeding them false information, turns that advantage back toward the defender.
Cybersecurity
Cybersecurity is the practice of securing digital assets. It is a discipline of risk management: security controls are selected and enforced to protect the confidentiality, integrity and availability of information, the three properties known as the CIA triad.
The NIST Cybersecurity Framework is a voluntary framework of best practices rather than a mandatory standard. Version 1.1 organizes it into five core functions: identify, protect, detect, respond and recover. Version 2.0, released in 2024, adds a sixth function, govern.
Cyber counterintelligence
Cyber counterintelligence combines the two fields of counterintelligence and cybersecurity. It recognizes that in the cyber domain the attacker often holds the advantage over the defender, and it seeks to level the playing field by having the defender take a more active role through counterintelligence principles. The intent isn't primarily to block individual attacks or reduce risk in the abstract; rather, the goal is to stop adversaries from gaining intelligence.
CCI, therefore, differs from traditional cybersecurity in that it takes an active role in finding threats instead of a purely passive, defensive one. To illustrate the difference: most traditional cybersecurity is defensive. If a network were a castle, that would mean strengthening the walls, locking doors and posting guards. Counterintelligence is more active; it would mean sending out spies and laying traps for threat actors.
Many organizations already practice aspects of CI but refer to it by other names, including data loss prevention (DLP), malware reverse engineering and network forensics. Government agencies and cybersecurity firms conduct focused investigations into advanced persistent threat (APT) groups. As more critical systems and networks become interconnected, cyberespionage becomes a bigger threat to nations.
How counterintelligence works
Counterintelligence activities can be categorized as collective, defensive or offensive.
Collective CI efforts focus on collecting information about the adversary: who they are, how they collect information, which attack vectors they target and which tools they use. The MITRE ATT&CK framework is an open knowledge base of adversary tactics, techniques and procedures drawn from real-world observations, and it is one of the primary sources of such collected attacker information.
Defensive CI efforts focus on securing information and preventing an adversary from stealing or destroying it. This overlaps with traditional cybersecurity but differs in that it assumes a breach has already happened. In proactive threat hunting, security teams actively look for indicators of compromise in systems to detect attackers who have already bypassed defensive measures. User and entity behavior analytics (UEBA) baselines the normal behavior of each user and device and flags deviations from it, to find malicious activity hidden in normal-seeming activity.
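As an added example of the assume-breach hunting and behavior baselining described above (this is not code from the original page), the following Python builds a per-user baseline of hosts, source subnets and login hours from constructed login records, then flags new logins that depart from it. All users, hostnames and IP addresses are hypothetical and the thresholds are illustrative assumptions.

```python
"""Behavior-baseline hunting: flag logins that deviate from what each account
normally does. Added example with constructed data, not code from the page."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

NO_BASELINE = "no baseline for this account"


@dataclass(frozen=True)
class Login:
    user: str
    host: str      # system logged in to
    src_ip: str    # where the login came from
    when: datetime


def subnet24(ip: str) -> str:
    """Collapse an IPv4 address to its /24 so a new desk IP on the same LAN is not an anomaly."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


class Baseline:
    """Per-user sets of hosts, source subnets and login hours seen during a learning period."""

    def __init__(self) -> None:
        self.hosts: dict[str, set[str]] = defaultdict(set)
        self.subnets: dict[str, set[str]] = defaultdict(set)
        self.hours: dict[str, set[int]] = defaultdict(set)
        self.count: dict[str, int] = defaultdict(int)

    def learn(self, ev: Login) -> None:
        self.hosts[ev.user].add(ev.host)
        self.subnets[ev.user].add(subnet24(ev.src_ip))
        self.hours[ev.user].add(ev.when.hour)
        self.count[ev.user] += 1

    def score(self, ev: Login) -> list[str]:
        """Return the ways this login departs from the user's baseline (empty list = normal)."""
        if self.count[ev.user] == 0:
            return [NO_BASELINE]
        reasons = []
        if ev.host not in self.hosts[ev.user]:
            reasons.append(f"new host {ev.host}")
        if subnet24(ev.src_ip) not in self.subnets[ev.user]:
            reasons.append(f"new source subnet {subnet24(ev.src_ip)}")
        # Allow one hour of drift either side of any hour seen in the baseline.
        if not any(abs(ev.when.hour - h) <= 1 for h in self.hours[ev.user]):
            reasons.append(f"unusual hour {ev.when.hour:02d}")
        return reasons


def hunt(baseline: Baseline, events: list[Login], threshold: int = 2) -> list[tuple[Login, list[str]]]:
    """Alert on never-seen accounts, or on logins with at least `threshold` anomalies.
    A single oddity is usually drift; several at once are worth an analyst's time."""
    alerts = []
    for ev in events:
        reasons = baseline.score(ev)
        if reasons == [NO_BASELINE] or len(reasons) >= threshold:
            alerts.append((ev, reasons))
    return alerts


def constructed_history() -> list[Login]:
    """Ten days of constructed, hypothetical logins: two users, office hours, internal subnets."""
    events = []
    for day in range(1, 11):
        for hour in (8, 12, 16):
            events.append(Login("alice", "fs01", f"10.0.5.{10 + day}", datetime(2024, 1, day, hour, 5)))
            events.append(Login("bob", "web02", "10.0.7.20", datetime(2024, 1, day, hour, 30)))
    return events


def build_baseline() -> Baseline:
    baseline = Baseline()
    for ev in constructed_history():
        baseline.learn(ev)
    return baseline


# Constructed events to hunt over (hypothetical hosts and IPs).
NEW_EVENTS = [
    Login("alice", "fs01", "10.0.5.33", datetime(2024, 1, 15, 9, 12)),     # ordinary
    Login("alice", "dc01", "203.0.113.7", datetime(2024, 1, 15, 3, 41)),   # new host, external subnet, 03:41
    Login("bob", "web02", "10.0.7.20", datetime(2024, 1, 15, 18, 2)),      # only slightly late: one oddity
    Login("svc_backup", "dc01", "10.0.9.4", datetime(2024, 1, 15, 2, 0)),  # account with no history at all
]


def demo() -> list[tuple[Login, list[str]]]:
    return hunt(build_baseline(), NEW_EVENTS)


if __name__ == "__main__":
    for ev, reasons in demo():
        print(f"ALERT {ev.user}@{ev.host} from {ev.src_ip} at {ev.when:%Y-%m-%d %H:%M}: {'; '.join(reasons)}")
```

Run as-is, it alerts on alice's 03:41 login to a new host from an external address (three anomalies) and on the never-seen svc_backup account, while bob's 18:02 login produces a single "unusual hour" reason and stays below the threshold. Commercial UEBA products replace these set-membership checks with statistical or learned models, but the shape is the same: learn what is normal per entity, then hunt for what is not.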
Offensive CI activities focus on turning an attack into an opportunity to gain an advantage through disinformation. Honeypots are attractive-looking targets intentionally left for attackers to find. Their use has expanded into entire honeynets, and into honeytokens: decoy credentials, accounts, records or files that have no legitimate use, so any access to them is a high-fidelity alert. Both distract an attacker and alert the defender when touched.
While most information technology (IT) security administrators routinely conduct defensive and collective CI, the value of offensive CI is not always understood. Implemented well, deception technology improves collective, defensive and offensive CI at once.
Deception technology uses decoys, such as honeypots and virtual honeypots, to misdirect an attack and delay or prevent the attacker from going deeper into the network and reaching the intended target. By observing the tactics, techniques and procedures (TTPs) attackers use against the decoys, defenders gain insight that can be fed back into their defenses. Decoys must look like real assets and be isolated from production, so that a compromised decoy cannot become a pivot into the systems it was meant to protect.
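The honeytoken pattern mentioned above, as an added example that is not code from the original page: decoy credentials, a decoy account and a decoy document are minted with random values, and a scanner raises an alert whenever any of them appears in a log line, grouping hits by source address. The token formats are hypothetical look-alikes (not real credentials), and the hostnames, log lines and IP addresses are constructed for the example.

```python
"""Honeytokens: decoy credentials, accounts and documents that nothing legitimate
ever uses, so any appearance in a log is an alert with no benign explanation.
Added example with constructed data, not code from the page."""
from __future__ import annotations

import re
import secrets
from collections import defaultdict
from dataclasses import dataclass

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Honeytoken:
    value: str        # the literal string an attacker would use
    kind: str         # what it pretends to be
    planted_at: str   # where the decoy was left, for triage


def make_honeytokens() -> list[Honeytoken]:
    """Mint fresh decoys. Random values mean no real system can collide with them;
    the formats are hypothetical look-alikes, not real credentials."""
    return [
        Honeytoken("AKIA" + secrets.token_hex(8).upper(), "fake cloud access key",
                   "~/.aws/credentials on build01"),
        Honeytoken(f"svc_{secrets.token_hex(3)}_admin", "decoy service account",
                   "directory account with no logon rights"),
        Honeytoken(f"Q4_payroll_{secrets.token_hex(2)}.xlsx", "decoy document",
                   "\\\\fs01\\finance\\"),
    ]


def scan(tokens: list[Honeytoken], lines: list[str]) -> list[dict]:
    """Raise one alert per log line that mentions a honeytoken, taking the first IPv4
    address on the line as the source. Substring matching is deliberate: a decoy value
    shows up the same way in an auth log, a web access log or an audit event."""
    alerts = []
    for line in lines:
        for tok in tokens:
            if tok.value in line:
                m = IPV4.search(line)
                alerts.append({
                    "kind": tok.kind,
                    "value": tok.value,
                    "planted_at": tok.planted_at,
                    "source_ip": m.group(0) if m else None,
                    "line": line,
                })
    return alerts


def correlate_by_source(alerts: list[dict]) -> dict[str, list[str]]:
    """Group decoy kinds by source IP: one address touching several decoys is an
    intruder enumerating, not a stray typo."""
    by_src: dict[str, list[str]] = defaultdict(list)
    for a in alerts:
        by_src[a["source_ip"] or "unknown"].append(a["kind"])
    return dict(by_src)


# Constructed decoys with fixed values so the sample logs below can reference them.
CONSTRUCTED_TOKENS = [
    Honeytoken("AKIAEXAMPLE0000DECOY", "fake cloud access key", "~/.aws/credentials on build01"),
    Honeytoken("svc_legacy_admin", "decoy service account", "directory account with no logon rights"),
    Honeytoken("Q4_payroll_final.xlsx", "decoy document", "\\\\fs01\\finance\\"),
]

# Constructed log lines (hypothetical hosts, documentation IP ranges): sshd, a web
# server access log and a cloud-audit-style JSON event.
CONSTRUCTED_LOGS = [
    "Jan 15 03:41:07 bastion sshd[2211]: Failed password for invalid user svc_legacy_admin from 203.0.113.7 port 51022 ssh2",
    "Jan 15 03:42:15 bastion sshd[2213]: Accepted publickey for alice from 10.0.5.33 port 50110 ssh2",
    '198.51.100.23 - - [15/Jan/2024:03:45:02 +0000] "GET /finance/Q4_payroll_final.xlsx HTTP/1.1" 200 48213',
    '10.0.5.33 - - [15/Jan/2024:09:12:44 +0000] "GET /index.html HTTP/1.1" 200 1204',
    '{"eventName":"GetCallerIdentity","userIdentity":{"accessKeyId":"AKIAEXAMPLE0000DECOY"},'
    '"sourceIPAddress":"203.0.113.7","errorCode":"InvalidClientTokenId"}',
]


if __name__ == "__main__":
    found = scan(CONSTRUCTED_TOKENS, CONSTRUCTED_LOGS)
    for a in found:
        print(f"HONEYTOKEN HIT: {a['kind']} ({a['value']}) used from {a['source_ip']}; planted at {a['planted_at']}")
    print(correlate_by_source(found))
```

Against the constructed logs this yields three hits and shows 203.0.113.7 touching both the decoy account and the decoy cloud key, which is the kind of correlation that turns a single honeytoken trip into an intrusion investigation. The reason the alert is so cheap to act on is that the decoy values were minted at random and never handed to anyone legitimate, so the false-positive rate is effectively zero. In a real deployment the scanner would read from the SIEM or the cloud provider's audit log rather than from an in-memory list, and the decoy account in the directory should carry no logon rights so that a guessed password gains the attacker nothing.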