Cyber threats have become one of the most significant national security threats of the 21st century. The Office of the Director of National Intelligence (ODNI) therefore collects and studies all aspects of cyber threat intelligence and is working to build a national cyber intelligence system, aiming to integrate the US intelligence community and to find ways to improve the quantity, quality and impact of cyber intelligence from a strategic perspective.
Building this "national cyber intelligence system" has three main parts: 1. identifying the core challenges of cyber threats; 2. developing a "cyber attribution guide"; 3. establishing a "cyber threat framework". This article introduces the system in detail, to help readers build a cyber threat framework of their own.
This article is provided for reference only; its views do not represent the position of this organization.
Release date: December 2018
Compiled by: Academic plus Tan Huiwen
Source: https://www.dni.gov/index.php/cell-thread-framework
Building the modules of the cyber intelligence system
The Director of National Cyber Intelligence is responsible for integrating cyber intelligence across the U.S. government and considers ways to improve the quantity, quality and impact of cyber intelligence from a strategic perspective.
To this end, the U.S. Director of National Cyber Intelligence proposes a basic framework model that describes the cyber threat intelligence process and aims to improve the quality of cyber intelligence. It covers discovering, making sense of, sharing and using intelligence (see, make sense, share, use); within it, the step of effectively making sense of cyber threat intelligence consists of screening, correlation analysis and scenario interpretation, which finally produce intelligence. The model has been shared with some private organizations to jointly improve the ability to handle various threats and a complex information-sharing environment.
The Director of National Intelligence and the Office of National Cyber Intelligence jointly compiled a practical outline of the Guide to Cyber Attribution, which guides the practice of attributing malicious cyber activity when information is incomplete or contradictory.
Download link for the full PDF of the cyber attribution guide:
https://www.dni.gov/files/CTIIC/documents/ODNI_A_Guide_to_Cyber_Attribution.pdf
Three ways of attributing cyber activity
Analysts can assess responsibility for a cyber attack in three ways: 1. by point of origin, such as a specific country; 2. by a specific digital device or online persona; 3. by the individual or organization directing the cyber activity. The third category is usually the hardest to assess, because malicious cyber activity must be tied to specific individuals before those particular participants can be evaluated more precisely.
Five key indicators for attributing cyber activity
Attributing a cyber attack to a particular state or actor requires collecting as much data as possible that can be linked to cyber actors and other entities, but there may be hundreds of contradictory indicators. The guide therefore proposes several key indicators to achieve timely and accurate attribution: tradecraft, infrastructure, malware, intent, and so on. Indicators supplied by external parties are also needed, such as open-source reports from private cybersecurity companies.
① Tradecraft: the behaviors habitually used in cyber attacks or espionage. This is the most important indicator, because habits are harder to change than technical tools. The tools, techniques and procedures attackers use can reveal their attack patterns, but once a unique piece of tradecraft becomes public and other actors can imitate it, its value declines.
② Infrastructure: the physical and/or virtual communication structures used to deliver a cyber capability or to maintain command and control of it. Attackers can build their own infrastructure by buying, leasing, sharing or compromising servers and networks. They also often use legitimate online services, such as free-trial commercial cloud services and social media accounts. Some actors are reluctant to give up infrastructure, while others do not care at all because they can rebuild it in a few hours; some change their infrastructure in real time to avoid detection.
③ Malware: software designed to enable unauthorized functions on an infected computer system, such as keystroke logging, screenshots, audio recording, remote command and control, and long-term access. More and more cyber actors can modify some malware indicators within minutes or hours, and some change their malware during live operations to avoid detection.
④ Intent: attackers carry out certain behaviors in response to specific circumstances. Covert, deniable cyber attacks are typically launched before or during regional conflicts, or to pressure and harass hostile countries.
⑤ Indicators from external sources: reports from private companies, the media, academia and think tanks are also used, because they supply such data or share hypotheses about the perpetrators.
Three effective methods for determining attribution
To determine these key indicators quickly and carefully, the following three methods are proposed for identifying cyber attackers.
① Look for human error. Every successful cyber attribution traces back to discovering or exploiting an attacker's operational security mistakes. The mistakes cyber intruders make generally involve their tradecraft or their network infrastructure, although hostile actors are also reducing such mistakes in various ways.
② Timely collaboration, information sharing and recording. Attribution needs to combine the expertise of regional, political and cybersecurity analysts, and to bring cyber defenders, law enforcement, private cybersecurity companies and victims into cooperation. It is vital to obtain, record and recover data within 24 hours of a cyber attack, because a destructive attack can erase the login records needed for verification, malware may run only in computer memory, and a hostile actor may abandon its network infrastructure within a few hours.
③ Rigorous analysis. Analysts tend to presume certain actors based on the cyber event, the target and the situation, which introduces cognitive bias, so special care is needed. To minimize this risk, analysts can use techniques such as analysis of competing hypotheses to evaluate multiple competing hypotheses against the observed data and to look for data that may point to other potential actors.
The best way to describe attribution analysis
① Layered judgment: an attribution statement should clearly distinguish the physical location from which the activity originated, the individual actor or group, and whether the activity was supported or directed by leadership.
② Setting the confidence level: when using probabilistic language and confidence levels, analysts generally evaluate three things: the timeliness and reliability of the evidence, the strength of the evidence's logical correlation with the conclusion, and the type of evidence (direct, indirect or contextual). The confidence level is accordingly divided into three tiers: high, moderate and low confidence.
③ Identifying gaps: if indicators are insufficient and analysts lack enough data for a judgment or a confidence statement, this should be stated explicitly, for example: "We do not have enough information to judge who carried out the destructive cyber attack on the Xandi energy company. We suspect the attacker used a botnet in Terra, but the attack does not coincide with bilateral tensions between Xandi and known hostile actors."
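The rigorous-analysis method (③ above) and the confidence and gap conventions (② and ③ of this list) can be combined into one small analytic tool. The following Python sketch is an added example, not code from the ODNI guide or from this article: it scores competing attribution hypotheses in an analysis-of-competing-hypotheses (ACH) matrix, weighting each piece of evidence by its indicator category and reliability, ranks hypotheses by how much evidence contradicts them, derives a high/moderate/low confidence tier from the three factors named under ②, and emits an explicit gap statement when nothing discriminates between hypotheses. The category weights, thresholds, hypotheses and evidence items are all constructed assumptions; they loosely reuse the fictional Xandi/Terra illustration from the text.

```python
"""Analysis of competing hypotheses (ACH) applied to cyber attribution.

Added example; not from the ODNI guide or this article. Category weights,
confidence thresholds and the sample evidence are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

# Relative weight of each key indicator category. The guide singles out
# tradecraft as the most important indicator, so it gets the largest weight;
# the numbers themselves are assumptions for illustration only.
CATEGORY_WEIGHT = {
    "tradecraft": 1.0,
    "infrastructure": 0.7,
    "malware": 0.6,
    "intent": 0.5,
    "external": 0.4,
}


@dataclass
class Evidence:
    label: str
    category: str            # key in CATEGORY_WEIGHT
    reliability: float       # 0.0-1.0: analyst's view of source reliability and timeliness
    kind: str                # "direct", "indirect" or "contextual"
    ratings: Dict[str, str]  # hypothesis -> "C" consistent, "I" inconsistent, "N" neutral

    def weight(self) -> float:
        return CATEGORY_WEIGHT[self.category] * self.reliability

    def is_diagnostic(self) -> bool:
        # Evidence that rates every hypothesis the same cannot tell them apart.
        return len(set(self.ratings.values())) > 1


def inconsistency_scores(hypotheses: List[str], evidence: List[Evidence]) -> Dict[str, float]:
    """Core ACH step: total the weight of diagnostic evidence that contradicts
    each hypothesis. Lower is better: ACH prefers the hypothesis with the
    least disconfirming evidence rather than the one with the most support."""
    scores = {h: 0.0 for h in hypotheses}
    for ev in evidence:
        if not ev.is_diagnostic():
            continue
        for h in hypotheses:
            if ev.ratings.get(h, "N") == "I":
                scores[h] += ev.weight()
    return scores


def assess(hypotheses: List[str], evidence: List[Evidence]) -> dict:
    """Rank at least two hypotheses and derive a confidence tier from the three
    factors the article lists: reliability of the evidence, strength of the
    logical link (here: the leader's margin), and evidence type (direct or not)."""
    scores = inconsistency_scores(hypotheses, evidence)
    ranked = sorted(hypotheses, key=lambda h: scores[h])
    lead, runner_up = ranked[0], ranked[1]
    separation = scores[runner_up] - scores[lead]
    supporting = [ev for ev in evidence
                  if ev.is_diagnostic() and ev.ratings.get(lead) == "C"]

    # Identification gap: nothing separates the leader, so say so explicitly
    # instead of forcing an attribution.
    if separation <= 0 or not supporting:
        return {"lead": None, "confidence": "insufficient", "separation": separation,
                "scores": scores,
                "statement": "We do not have enough information to judge who is responsible; "
                             "undifferentiated hypotheses: " + ", ".join(ranked)}

    mean_reliability = sum(ev.reliability for ev in supporting) / len(supporting)
    has_direct = any(ev.kind == "direct" for ev in supporting)
    # Thresholds are constructed; an analytic unit would calibrate its own.
    if has_direct and mean_reliability >= 0.7 and separation >= 1.0:
        confidence = "high"
    elif mean_reliability >= 0.5 and separation >= 0.5:
        confidence = "moderate"
    else:
        confidence = "low"
    return {"lead": lead, "confidence": confidence, "separation": separation,
            "scores": scores,
            "statement": f"We assess with {confidence} confidence that {lead} is responsible "
                         f"(next best: {runner_up})."}


def sample_case() -> dict:
    """Constructed evidence set loosely following the article's fictional
    Xandi/Terra illustration; every item below is invented for this example."""
    state, crim, insider = ("Terra state-directed group",
                            "criminal group renting a Terra botnet", "actor inside Xandi")
    evidence = [
        Evidence("botnet C2 nodes are hosted in Terra", "infrastructure", 0.8, "indirect",
                 {state: "C", crim: "C", insider: "I"}),
        Evidence("malware family seen only in earlier Terra state campaigns", "malware", 0.6,
                 "indirect", {state: "C", crim: "I", insider: "I"}),
        Evidence("no current bilateral tension between Xandi and Terra", "intent", 0.7,
                 "contextual", {state: "I", crim: "C", insider: "N"}),
        Evidence("vendor report links the toolkit to a criminal marketplace", "external", 0.5,
                 "indirect", {state: "N", crim: "C", insider: "N"}),
        Evidence("operator handle reused from a known Terra state campaign", "tradecraft", 0.9,
                 "direct", {state: "C", crim: "I", insider: "I"}),
    ]
    return assess([state, crim, insider], evidence)


if __name__ == "__main__":
    result = sample_case()
    for h, s in sorted(result["scores"].items(), key=lambda kv: kv[1]):
        print(f"{s:5.2f}  {h}")
    print(result["statement"])
```

The matrix deliberately scores only disconfirming evidence, which is the discipline ACH imposes against the presumption bias described in ③: evidence consistent with every hypothesis earns nothing, and a hypothesis wins by surviving contradiction, not by accumulating support. In the sample case the "Terra state" hypothesis leads on a direct tradecraft item, but the margin over the criminal-group hypothesis stays below the constructed "high" threshold, so the tool reports moderate confidence rather than overstating the judgment.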
The Cyber Threat Framework was developed by the U.S. government to characterize and categorize cyber threats consistently and to identify trends or changes in cyber adversary activity. It is suitable for anyone engaged in cyber-related work. Its main advantage is that it provides a common language for describing and communicating information about cyber threat activity. The framework and its associated lexicon offer a consistent way to describe cyber threat activity that enables efficient information sharing and cyber threat analysis, which is practical both for senior policymakers and for cyber technicians.
The idea of creating a cyber threat framework came from an observation by the US policy community: more than a dozen analytical models were in use across government, academia and the private sector. Each model reflects the priorities and interests of its developers, but the differences between models make it hard to support effective situational analysis based on objective data. The framework is extensible, promotes data sharing at "machine speed", and reduces or eliminates double counting of threat data.
The framework shows the life cycle of a cyber operation against a target: from preparing capabilities and selecting targets, through initial engagement (including the adversary's temporary, non-intrusive disruption of the target), to establishing and expanding presence, and finally to stealing, manipulating or creating effects and consequences, as shown in the figure.
Notice: copyright belongs to the original author. The views in the article do not represent the position of this agency. Images are taken from the Internet or from the original report.
All experts and scholars are welcome to contribute to the Journal of China Academy of Electronic Sciences. Contributor link:
http://kjpl.cbpt.cnki.net
Tel: 010-68893411
Journal email: [email protected]